Syntax for ECS ACL Entry

Ryan McGuire rmcguire at libretechconsulting.com
Thu Sep 2 19:08:36 UTC 2021


In this case I use dnsdist (by PowerDNS) for load balancing and failover 
-- requests are balanced between my internal bind9 servers, and if they 
are all down, queries go to public DNS directly to avoid a total outage. 
The challenge here is that the source IP for all requests is now coming 
from dnsdist.

They have an article here: 
https://dnsdist.org/advanced/passing-source-address.html that mentions 
the functionality supported in dnsdist, but there is no overlap with 
bind9 -- well, there was apparently up to 9.14, but it's since been 
removed. Bind is still able to parse (and present) the ECS to you; that 
works great, but the plumbing into the acl is what is needed to serve up 
a separate view by source client.

Being realistic, this is not a large deployment; if it's an edge case 
then it is surely not worth anyone's time to add support back in.

Thank you again for the replies.

-Ryan

On 9/2/21 2:42 PM, Evan Hunt wrote:
> On Thu, Sep 02, 2021 at 02:26:59PM -0400, Ryan McGuire wrote:
>> Thank you, in my searching I failed to come across that.
>>
>> Do you know if it's been replaced by something more "practical to
>> deploy"? I found some discussion regarding support for "The PROXY
>> Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt)
>> but I don't believe it's planned. This seems like such a common
>> scenario, I'm surprised the support that was there was removed but not
>> replaced by anything. I suppose it is open-source software and I'm free
>> to port it into 9.16, but this isn't a big enough problem for me
>> personally to justify the time spent.
> We do have support for recursive ECS processing in the special-sauce
> version of BIND we charge money for, but there hasn't been enough demand
> for support on the authoritative side to make it worth the development
> effort so far. But I would encourage you to put in a feature request
> with details about your use case, and we'll consider it in the future.
>
> Unfortunately, the older auth support was terribly space-inefficient,
> and also didn't comply with the RFC, so it kind of had to go.
>
> I'm not sure which of the open-source auth servers currently have ECS
> support. PowerDNS maybe? And a quick google search just suggested one
> called gdnsd, which I hadn't heard of before.
>
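As an added example, not code from this thread, from dnsdist or from BIND: the "plumbing into the acl" discussed above, written out in Python against RFC 7871. It encodes the ECS option an ECS-adding proxy such as dnsdist would attach, parses it back out of OPT RDATA with the length checks a server should apply before trusting it, and matches the carried client subnet against a constructed ACL to choose a view. The ACL contents, the view names and the fallback-to-transport-source rule are assumptions made for the example.

```python
import ipaddress
import struct
EDNS_OPTION_ECS = 8                                # RFC 7871 option code
ECS_FAMILIES = {1: (4, ipaddress.IPv4Address),     # family -> (address bytes, class)
                2: (16, ipaddress.IPv6Address)}
# Constructed ACL standing in for a BIND view's match-clients list.
ACL = {"internal": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]}
def build_ecs_option(client_ip, source_prefix):
    """Encode an ECS option as an ECS-adding proxy would: family, source
    prefix length, scope 0, then the address truncated to whole bytes."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    net = ipaddress.ip_network((addr, source_prefix), strict=False)
    payload = struct.pack("!HBB", family, source_prefix, 0)
    payload += net.network_address.packed[:(source_prefix + 7) // 8]
    return struct.pack("!HH", EDNS_OPTION_ECS, len(payload)) + payload

def parse_ecs_option(opt_rdata):
    """Walk OPT RDATA; return the ECS client subnet as an ip_network, or
    None if absent. Malformed options raise rather than being guessed."""
    off = 0
    while off + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, off)
        body = opt_rdata[off + 4:off + 4 + length]
        off += 4 + length
        if len(body) != length:
            raise ValueError("truncated EDNS option")
        if code != EDNS_OPTION_ECS:
            continue                               # skip cookies, NSID, etc.
        family, srclen, _scope = struct.unpack_from("!HBB", body, 0)
        addr_bytes = body[4:]
        total, cls = ECS_FAMILIES.get(family, (None, None))
        if total is None:
            raise ValueError("unknown ECS family %d" % family)
        if srclen > total * 8 or len(addr_bytes) != (srclen + 7) // 8:
            raise ValueError("ECS prefix length/address length mismatch")
        addr = cls(addr_bytes + b"\x00" * (total - len(addr_bytes)))
        return ipaddress.ip_network((addr, srclen), strict=False)
    return None

def select_view(transport_src, opt_rdata):
    """Pick a view as an ECS-aware match-clients would: prefer the ECS
    subnet, else the transport source (behind dnsdist: dnsdist itself)."""
    client = parse_ecs_option(opt_rdata)
    if client is None:
        client = ipaddress.ip_network(transport_src)
    for view, nets in ACL.items():
        if any(client.subnet_of(n) for n in nets if n.version == client.version):
            return view
    return "external"
```

Without the ECS option every query matches whatever view dnsdist's own address falls into, which is exactly the problem described in the thread.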