Bind 9.11 question (ACL ecs )

HsuLiPing at itri.org.tw HsuLiPing at itri.org.tw
Tue Oct 25 06:04:14 UTC 2016


From 9.1 ARM chapter 7 that mention

The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform an authoritative
name server of the network address block from which the original query was received, enabling
authoritative servers to give different answers to the same resolver for different resolver clients.



An ACL containing an element of the form ecs prefix will match if a request arrives in containing
an ECS option encoding an address within that prefix. If the request has no ECS option,
then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed with "ecs" are
matched only against the source address.



Now I have migrated BIND from 9.10 to 9.11 and use an ECS prefix in my allow-query entry, but when I use dig

to test (without +subnet) it does not respond, but when I remove the ecs keyword everything works.



I used BIND 9.11 to set up three DNS servers: one for mydomain.idv and two for sub.mydomain.idv.

My sub.mydomain.idv servers have multiple views serving the same zone.

When I use dig to query a sub.mydomain.idv entry it always returns the last matching view; it does not respond according to the client subnet.

The following is part of my named.conf:



====================sub.mydomain.idv (Primary server -ip:a.b.c.d) =====================

// ACL "slave-ips" holds a.b.c.d (this host's own address per the section header).
// It is not referenced anywhere in the visible config: the transfers below are
// gated by TSIG keys, not by this ACL.
acl "slave-ips" { a.b.c.d; };

// Peer settings for a.b.c.d (this host's own address per the section header).
server a.b.c.d {
    // EDNS: edns-udp-size is the buffer size advertised to this peer,
    // max-udp-size the largest UDP response sent to it.
    edns-udp-size 4096;
    max-udp-size 4096;
    request-nsid yes;
    send-cookie yes;
    // Zone-transfer behaviour toward this peer.
    transfer-format many-answers;
    provide-ixfr yes;
};

// Peer settings for the mydomain.idv primary (a1.b1.c1.d1). No transfer options:
// none of the visible zones is pulled from or pushed to this peer.
server a1.b1.c1.d1 {
    edns-udp-size 4096;   // EDNS buffer size advertised to this peer
    max-udp-size 4096;    // largest UDP response sent to it
    request-nsid yes;
    send-cookie yes;
};

// ACL definitions (presumably the areaNN / ecs-areaNN lists used by the views),
// TSIG keys and logging. They must be read before the views that reference them,
// so keep these includes ahead of the view statements.
include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
// Presumably holds the TSIG key secrets used by the views below; keep its file
// permissions tighter than the rest of the configuration.
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
    directory "d:\isc bind 9\var\named";
    // Restrictive global defaults; each zone in the views below overrides
    // allow-query and allow-transfer with its own ACL- or TSIG-key-based lists.
    allow-query    { none; };
    allow-transfer { none; };
    allow-update   { none; };
    // NOTIFY is sent only to the explicit also-notify targets of each zone.
    notify explicit;
};

// End Options

// View "area01": first of three per-area views plus a catch-all. named tries views
// in order, so the first match-clients list that matches the request wins.
view "area01" {
    // Matches by source address (area01), by the prefix carried in the ECS option
    // (ecs-area01), or by TSIG key. NOTE(review): the nested element
    // `!{!ecs-area01; any; }` is evaluated before the key element; per the ARM text
    // quoted above, a request with no ECS option ignores ecs elements, so it appears
    // to fall through the nested list to `any` and be excluded from this view before
    // `key` is considered. Confirm that TSIG-signed requests from the slave
    // (a.b.c1.d) still reach this view; listing the key element first avoids the issue.
    match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key Area01.mydomain.idv.;};
    zone "sub.mydomain.idv" in {
         type master;
         // Queries inside the view are limited to the same address / ECS lists.
         allow-query { area01; ecs-area01; };
  file "sub/area01.mydomain.idv.txt";
         // NOTIFY goes only to the slave, signed with this view's key; transfers
         // are accepted only when signed with the same key.
         also-notify { a.b.c1.d key Area01.mydomain.idv.; };
         allow-transfer { key Area01.mydomain.idv.; };
     };
}; // End View

// View "area02": same structure as the other per-area views; selected only if no
// earlier view matched.
view "area02" {
    // Matches by source address (area02), by ECS prefix (ecs-area02), or by TSIG key.
    // NOTE(review): `!{!ecs-area02; any; }` precedes the key element; a request
    // without an ECS option ignores ecs elements (ARM text quoted above) and so
    // appears to hit `any` inside the negated list and be excluded before `key` is
    // reached. Confirm keyed requests from a.b.c1.d still land here; putting the
    // key element first avoids this.
    match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key Area02.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
         type master;
         // Queries inside the view are limited to the same address / ECS lists.
         allow-query { area02; ecs-area02; };
  file "sub/area02.mydomain.idv.txt";
         // NOTIFY only to the slave, signed with this view's key; transfers only
         // when signed with the same key.
         also-notify { a.b.c1.d key Area02.mydomain.idv.; };
         allow-transfer { key Area02.mydomain.idv.; };
     };
}; // End View

// View "area03": same structure as the other per-area views; selected only if no
// earlier view matched.
view "area03" {
    // Matches by source address (area03), by ECS prefix (ecs-area03), or by TSIG key.
    // NOTE(review): `!{!ecs-area03; any; }` precedes the key element; a request
    // without an ECS option ignores ecs elements (ARM text quoted above) and so
    // appears to hit `any` inside the negated list and be excluded before `key` is
    // reached. Confirm keyed requests from a.b.c1.d still land here; putting the
    // key element first avoids this.
    match-clients {  area03; ecs-area03; !{!ecs-area03; any; } ; key Area03.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
         type master;
         // Queries inside the view are limited to the same address / ECS lists.
         allow-query {  area03; ecs-area03; };
  file "sub/area03.mydomain.idv.txt";
  // NOTIFY only to the slave, signed with this view's key; transfers only
  // when signed with the same key.
  also-notify { a.b.c1.d key Area03.mydomain.idv.;};
  allow-transfer { key Area03.mydomain.idv.; };
     };
}; // End View

// Catch-all view (the name "deafult" is a typo, but it is spelled the same way on
// both servers and view names are not referenced elsewhere in the visible config).
// It must stay last: `any` matches every request, so any view placed after it
// would be unreachable. Every request not claimed above ends up here, including
// queries relayed by a resolver that adds no ECS option.
view "deafult" {  // Default
    match-clients {any; };
    zone "sub.mydomain.idv" in {
         type master;
         allow-query { any; };
  file "sub/default.mydomain.idv.txt";
         // NOTIFY only to the slave, signed with this view's key; transfers only
         // when signed with the same key.
         also-notify { a.b.c1.d key Default.mydomain.idv.;};
         allow-transfer { key Default.mydomain.idv.; };
     };
}; // End View

====================sub.mydomain.idv (Slave server -ip:a.b.c1.d) =====================

// Peer settings for the sub.mydomain.idv primary (a.b.c.d), which this slave
// pulls every view's zone from.
server a.b.c.d {
    // EDNS: edns-udp-size is the buffer size advertised to this peer,
    // max-udp-size the largest UDP response sent to it.
    edns-udp-size 4096;
    max-udp-size 4096;
    request-nsid yes;
    send-cookie yes;
    // Zone-transfer behaviour toward this peer. NOTE(review): provide-ixfr governs
    // IXFRs served *to* a.b.c.d; for pulling from it the relevant option is
    // request-ixfr (presumably on by default), so this line may be a no-op here.
    transfer-format many-answers;
    provide-ixfr yes;
};

// Peer settings for the mydomain.idv primary (a1.b1.c1.d1). No transfer options:
// none of the visible zones is pulled from or pushed to this peer.
server a1.b1.c1.d1 {
    edns-udp-size 4096;   // EDNS buffer size advertised to this peer
    max-udp-size 4096;    // largest UDP response sent to it
    request-nsid yes;
    send-cookie yes;
};

// ACL definitions (presumably the areaNN / ecs-areaNN lists used by the views),
// TSIG keys and logging. They must be read before the views that reference them,
// so keep these includes ahead of the view statements.
include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
// Presumably holds the TSIG key secrets used by the views below; keep its file
// permissions tighter than the rest of the configuration.
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
    directory "d:\isc bind 9\var\named";
    // Restrictive global defaults; each zone in the views below overrides
    // allow-query with its own list. allow-transfer stays { none; } on this
    // slave, since no zone here grants transfers.
    allow-query    { none; };
    allow-transfer { none; };
    allow-update   { none; };
    // NOTIFY is sent only to explicit also-notify targets (none are configured here).
    notify explicit;
};

// End Options

// View "area01" (slave copy): same selection logic as on the primary; named tries
// views in order, so the first match-clients list that matches the request wins.
view "area01" {
    // Matches by source address (area01), by ECS prefix (ecs-area01), or by TSIG key.
    // NOTE(review): `!{!ecs-area01; any; }` precedes the key element; a request
    // without an ECS option ignores ecs elements (ARM text quoted above) and so
    // appears to hit `any` inside the negated list and be excluded before `key` is
    // reached. Confirm that keyed traffic from the primary (a.b.c.d), e.g. NOTIFY,
    // still lands in this view; putting the key element first avoids this.
    match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key Area01.mydomain.idv.;};
    zone "sub.mydomain.idv" in {
         type slave;
         // Queries inside the view are limited to the same address / ECS lists.
         allow-query { area01; ecs-area01; };
  file "sub/area01.mydomain.idv.ca";
         // Transfers from the primary are signed with this view's TSIG key, which
         // selects the matching view's copy of the zone on the primary.
         masters { a.b.c.d key Area01.mydomain.idv.; };
     };
}; // End View

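// View "area02" (slave copy): same selection logic as on the primary; selected
// only if no earlier view matched.
view "area02" {
    // Matches by source address (area02), by ECS prefix (ecs-area02), or by TSIG key.
    // NOTE(review): `!{!ecs-area02; any; }` precedes the key element; a request
    // without an ECS option ignores ecs elements (ARM text quoted above) and so
    // appears to hit `any` inside the negated list and be excluded before `key` is
    // reached. Confirm that keyed traffic from the primary (a.b.c.d) still lands
    // in this view; putting the key element first avoids this.
    match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key Area02.mydomain.idv.;};
    zone "sub.mydomain.idv" in {
         type slave;
         // Queries inside the view are limited to the same address / ECS lists.
         allow-query { area02; ecs-area02; };
         file "sub/area02.mydomain.idv.ca";
         // Transfers from the primary are signed with this view's TSIG key, which
         // selects the matching view's copy of the zone on the primary.
         masters { a.b.c.d key Area02.mydomain.idv.; };
     }; // closes the zone — this line was missing, so "}; // End View" closed the
        // zone instead and left the view statement unterminated.
}; // End View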

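// View "area03" (slave copy): same selection logic as on the primary; selected
// only if no earlier view matched.
view "area03" {
    // Matches by source address (area03), by ECS prefix (ecs-area03), or by TSIG key.
    // NOTE(review): `!{!ecs-area03; any; }` precedes the key element; a request
    // without an ECS option ignores ecs elements (ARM text quoted above) and so
    // appears to hit `any` inside the negated list and be excluded before `key` is
    // reached. Confirm that keyed traffic from the primary (a.b.c.d) still lands
    // in this view; putting the key element first avoids this.
    match-clients { area03; ecs-area03; !{!ecs-area03; any; } ; key Area03.mydomain.idv.;};
    zone "sub.mydomain.idv" in {
         type slave;
         // Queries inside the view are limited to the same address / ECS lists.
         allow-query { area03; ecs-area03; };
         file "sub/area03.mydomain.idv.ca";
         // Transfers from the primary are signed with this view's TSIG key, which
         // selects the matching view's copy of the zone on the primary.
         masters { a.b.c.d key Area03.mydomain.idv.; };
     }; // closes the zone — this line was missing, so "}; // End View" closed the
        // zone instead and left the view statement unterminated.
}; // End View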

// Catch-all view (the name "deafult" is a typo, but it is spelled the same way on
// both servers and view names are not referenced elsewhere in the visible config).
// It must stay last: `any` matches every request, so any view placed after it
// would be unreachable. Every request not claimed above ends up here, including
// queries relayed by a resolver that adds no ECS option.
view "deafult" {  // Default
    match-clients { any; };
    zone "sub.mydomain.idv" in {
         type slave;
         allow-query { any; };
  file "sub/default.mydomain.idv.ca";
         // NOTE(review): the key is spelled "default…" here but "Default…" on the
         // primary; key names are DNS names and presumably compare case-insensitively,
         // but keeping both spellings identical avoids doubt.
         masters { a.b.c.d key default.mydomain.idv.; };
     };
}; // End View



My DNS servers are installed on Windows 2012 R2.

My client PC is in the area02 subnet, so when I test with dig (if it does not match the area02 ACL entry) it gets the default view's

record. But from the text highlighted above, if the query packet does not include ECS, the ecs elements are ignored.





When I use dig to query a sub.mydomain.idv entry through mydomain.idv, it always returns the default view's entry, not the area02 view's entry.







Can anyone help me find where I went wrong?

use ecs prefix













--
本信件可能包含工研院機密資訊,非指定之收件者,請勿使用或揭露本信件內容,並請銷毀此信件。 This email may contain confidential information. Please do not use or disclose it in any way and delete it if you are not the intended recipient.

