Syntax for ECS ACL Entry

Ondřej Surý ondrej at isc.org
Thu Sep 2 20:01:00 UTC 2021


FTR The PROXY protocol is on the todo list, but the demand hasn’t been great so it’s more in the “patches accepted” area than something that’s just around the corner…

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 2. 9. 2021, at 20:27, Ryan McGuire <rmcguire at libretechconsulting.com> wrote:
> 
> Thank you, in my searching I failed to come across that.
> 
> Do you know if it's been replaced by something more "practical to deploy"? I found some discussion regarding support for "The PROXY Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) but I don't believe it's planned. This seems like such a common scenario, I'm surprised the support that was there was removed but not replaced by anything. I suppose it is open-source software and I'm free to port it into 9.16, but this isn't a big enough problem for me personally to justify the time spent.
> 
> -Ryan
> 
> On 9/2/21 2:16 PM, Evan Hunt wrote:
>>> I did compile 9.16.20 from source since the latest in Debian repos is
>>> 9.16.15 but the result is the same. The doc snippet in my original email
>>> was from 9.11 docs -- could this feature not have been brought forward
>>> into 9.16 at all? The only related documented removed feature is
>>> geoip-use-ecs.
>> It was actually removed in 9.14:
>> 
>> 4952.   [func]          Authoritative server support in named for the
>>                         EDNS CLIENT-SUBNET option (which was experimental
>>                         and not practical to deploy) has been removed.
>> 
>>                         The ECS option is still supported in dig and mdig
>>                         via the +subnet option, and can be parsed and logged
>>                         when received by named, but it is no longer used
>>                         for ACL processing. The "geoip-use-ecs" option
>>                         is now obsolete; a warning will be logged if it is
>>                         used in named.conf. "ecs" tags in an ACL definition
>>                         are also obsolete and will cause the configuration
>>                         to fail to load.  [GL #32]
>> 
>> Sorry about the inadequate documentation. There's a mechanism for flagging
>> obsolete options in named.conf and logging a useful message about them, but
>> it's not so straightforward when the option is still valid but the
>> parameters have changed.
>> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
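A pre-upgrade check in the spirit of the changelog quoted above, added here as an example and not part of BIND or of this thread: it scans a named.conf for the obsolete `geoip-use-ecs` option (which 9.14+ only warns about) and for `ecs` elements inside ACL definitions (which make the configuration fail to load). It assumes the 9.11-era element form `[!] ecs <prefix>;` and runs over a constructed sample config rather than a real file.

```python
"""Lint a named.conf for ECS settings that BIND 9.14+ rejects or ignores.
Constructed example; the 'ecs <prefix>' ACL element form is assumed from
the pre-9.14 syntax, not taken from BIND's own source."""
import re

# Constructed sample config mixing valid elements with obsolete ECS usage.
SAMPLE_CONF = """\
options {
    directory "/var/cache/bind";
    geoip-use-ecs yes;   // obsolete in 9.14+: warning only
};
acl "trusted" {
    192.0.2.0/24;
    ecs 198.51.100.0/24;  // obsolete in 9.14+: config fails to load
    ! ecs 203.0.113.0/24;
};
acl "clients" { /* ecs not used here */ any; };
"""

# named.conf supports C-style, C++-style and shell-style comments.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

def strip_comments(text):
    """Blank out comments but keep newlines so line numbers stay correct."""
    return COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), text)

def find_obsolete_ecs(conf_text):
    """Return (line_number, severity, statement) for each obsolete ECS usage."""
    findings = []
    for lineno, line in enumerate(strip_comments(conf_text).splitlines(), 1):
        # Treat ';', '{' and '}' as statement boundaries so one-line
        # acl blocks such as 'acl x { ecs 10.0.0.0/8; };' are handled too.
        for stmt in re.split(r"[;{}]", line):
            stmt = stmt.strip()
            if not stmt:
                continue
            if re.match(r"geoip-use-ecs\b", stmt):
                findings.append((lineno, "warning", stmt))
            # Assumed 9.11-era ACL element: optional '!' negation, then 'ecs <prefix>'.
            elif re.match(r"!?\s*ecs\s+\S+", stmt):
                findings.append((lineno, "fatal", stmt))
    return findings

if __name__ == "__main__":
    for lineno, severity, stmt in find_obsolete_ecs(SAMPLE_CONF):
        print(f"line {lineno}: {severity}: {stmt}")
```

Run it against a real named.conf before moving to 9.14 or later; a "fatal" finding means named will refuse to load the configuration until the element is removed.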

