Bind 9.11 question (ACL ecs )
Bob Harold
rharolde at umich.edu
Tue Oct 25 17:19:11 UTC 2016
On Tue, Oct 25, 2016 at 2:04 AM, <HsuLiPing at itri.org.tw> wrote:
> From the 9.1 ARM chapter 7, which mentions:
>
> The EDNS Client Subnet (ECS) option is used by a recursive resolver to
> inform an authoritative
> name server of the network address block from which the original query was
> received, enabling
> authoritative servers to give different answers to the same resolver for
> different resolver clients.
>
>
>
> *An ACL containing an element of the form ecs prefix will match if a request arrives containing an ECS option encoding an address within that prefix. If the request has no ECS option, then "ecs" elements are simply ignored*. Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address.
>
>
>
> Now I have migrated DNS BIND from 9.10 to 9.11 and use an ECS prefix in my
> allow-query entry, but when I use a dig test (not including +subnet) it does
> not respond; when I remove that ecs keyword everything is OK.
>
>
>
> I used BIND 9.11 to set up three DNS servers: one for mydomain.idv and two
> for sub.mydomain.idv.
>
> My sub.mydomain.idv has multiple views but the same zone.
>
> When I use dig to query a sub.mydomain.idv entry it always returns the last
> matching view; it does not respond according to the client subnet.
>
> The following is my partial named.conf content:
>
>
>
> ==================== sub.mydomain.idv (Primary server - ip: a.b.c.d) =====================
>
> acl "slave-ips" { a.b.c.d; };
>
> server a.b.c.d {
> provide-ixfr yes;
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> transfer-format many-answers;
> };
>
> server a1.b1.c1.d1 { // mydomain.idv primary server
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
> directory "d:\isc bind 9\var\named";
> allow-update {none;};
> notify explicit;
> allow-transfer { none; };
> allow-query { none; };
> };
>
> // End Options
>
> view "area01" {
> match-clients { area01; ecs-area01; !{!ecs-area01; any; }; key Area01.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
> type master;
> allow-query { area01; ecs-area01; };
> file "sub/area01.mydomain.idv.txt";
> also-notify { a.b.c1.d key Area01.mydomain.idv.; };
> allow-transfer { key Area01.mydomain.idv.; };
> };
> }; // End View
>
> view "area02" {
> match-clients { area02; ecs-area02; !{!ecs-area02; any; }; key Area02.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
> type master;
> allow-query { area02; ecs-area02; };
> file "sub/area02.mydomain.idv.txt";
> also-notify { a.b.c1.d key Area02.mydomain.idv.; };
> allow-transfer { key Area02.mydomain.idv.; };
> };
> }; // End View
>
> view "area03" {
> match-clients { area03; ecs-area03; !{!ecs-area03; any; }; key Area03.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
> type master;
> allow-query { area03; ecs-area03; };
> file "sub/area03.mydomain.idv.txt";
> also-notify { a.b.c1.d key Area03.mydomain.idv.;};
> allow-transfer { key Area03.mydomain.idv.; };
> };
> }; // End View
>
> view "deafult" { // Default
> match-clients {any; };
> zone "sub.mydomain.idv" in {
> type master;
> allow-query { any; };
> file "sub/default.mydomain.idv.txt";
> also-notify { a.b.c1.d key Default.mydomain.idv.;};
> allow-transfer { key Default.mydomain.idv.; };
> };
> }; // End View
>
> ==================== sub.mydomain.idv (Slave server - ip: a.b.c1.d) =====================
>
> server a.b.c.d {
> provide-ixfr yes;
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> transfer-format many-answers;
> };
>
> server a1.b1.c1.d1 { // mydomain.idv primary server
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
> directory "d:\isc bind 9\var\named";
> allow-update {none;};
> notify explicit;
> allow-transfer { none; };
> allow-query { none; };
> };
>
> // End Options
>
> view "area01" {
> match-clients { area01; ecs-area01; !{!ecs-area01; any; }; key Area01.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
> type slave;
> allow-query { area01; ecs-area01; };
> file "sub/area01.mydomain.idv.ca";
> masters { a.b.c.d key Area01.mydomain.idv.; };
> };
> }; // End View
>
> view "area02" {
> match-clients { area02; ecs-area02; !{!ecs-area02; any; }; key Area02.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
> type slave;
> allow-query { area02; ecs-area02; };
> file "sub/area02.mydomain.idv.ca";
> masters { a.b.c.d key Area02.mydomain.idv.; };
> }; // End Zone (closing brace was missing in the pasted config)
> }; // End View
>
> view "area03" {
> match-clients { area03; ecs-area03; !{!ecs-area03; any; }; key Area03.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
> type slave;
> allow-query { area03; ecs-area03; };
> file "sub/area03.mydomain.idv.ca";
> masters { a.b.c.d key Area03.mydomain.idv.; };
> }; // End Zone (closing brace was missing in the pasted config)
> }; // End View
>
> view "deafult" { // Default
> match-clients { any; };
> zone "sub.mydomain.idv" in {
> type slave;
> allow-query { any; };
> file "sub/default.mydomain.idv.ca";
> masters { a.b.c.d key default.mydomain.idv.; };
> };
> }; // End View
>
>
>
> My DNS server is installed on Windows 2012 R2.
>
> My client PC is on the area02 subnet, so when I run a dig test (if it is not
> in the area02 ACL entry) it gets the default view's entry record. But from
> the red words above, it means that if the query packet does not include ECS,
> the ecs function is ignored.
>
>
>
> When I use dig to query the sub.mydomain.idv entry through mydomain.idv, it
> always returns the default view's entry, not the area02 view's entry.
>
>
>
> Can anyone help me find where this is wrong...........
>
> use ecs prefix
>
I cannot answer your question, but I have some questions, if you would be
so kind as to answer.
I did not know that you could use sub-groups {...} inside an acl list -
thanks for that!
I don't understand "!{!ecs-area03; any; }" - is that really the same as
just "ecs-area03" ?
Could you try "ecs-area03" without "!{!ecs-area03; any; }" ?
--
Bob Harold
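To see what Bob's question about `!{!ecs-area03; any; }` turns on, here is a small Python model of BIND address-match-list evaluation, added as an illustration; it is not BIND's code and not from either message in this thread. It assumes the semantics documented in the BIND 9.11 ARM under "Address Match Lists" and implemented in lib/dns/acl.c: elements are tried in order and the first one that matches decides the result; a matching negated element gives a negative result; a nested list (or a named acl, which is also a nested list) whose own result is negative counts as "no match" so that evaluation continues; and an `ecs` element is only consulted when the query carries an EDNS Client Subnet option, otherwise it is ignored. The acl contents, client addresses and ECS prefixes are constructed; the key name is the one from the posted config.

```python
"""Model of BIND address-match-list evaluation (illustration, not BIND code).

Assumed semantics (BIND 9.11 ARM, "Address Match Lists"; lib/dns/acl.c):
  * elements are tried in order; the first matching element decides
  * a negated ("!") element that matches yields a negative result
  * a nested list / named acl whose result is negative is "no match"
  * an "ecs" element is ignored when the query has no ECS option
Acl contents, addresses and prefixes below are constructed examples.
"""
import ipaddress

# Element grammar used by this model:
#   "any", "192.0.2.0/24", "ecs 192.0.2.0/24", "<acl-name>", "key <NAME>"
#   a leading "!" negates a string element; a Python list is a nested { ... }
#   list, and ("!", [...]) is a negated nested list.
ACLS = {                                   # constructed named acls
    "area02":     ["192.0.2.0/24"],        # client source subnet
    "ecs-area02": ["ecs 192.0.2.0/24"],    # same subnet, seen via ECS
}


def _eval_list(elements, src, ecs, signer):
    """Return +1 (match), -1 (negated match) or 0 (nothing matched)."""
    for elem in elements:
        negate = False
        if isinstance(elem, tuple):                 # ("!", [...])
            negate, elem = True, elem[1]
        elif isinstance(elem, str) and elem.startswith("!"):
            negate, elem = True, elem[1:].strip()

        if isinstance(elem, list):                  # nested { ... }
            hit = _eval_list(elem, src, ecs, signer) > 0
        elif elem in ACLS:                          # named acl = nested list
            hit = _eval_list(ACLS[elem], src, ecs, signer) > 0
        elif elem == "any":
            hit = True
        elif elem.startswith("key "):               # TSIG-signed request
            hit = signer == elem[4:]
        elif elem.startswith("ecs "):
            if ecs is None:                         # no ECS option: ignored
                continue
            hit = ecs in ipaddress.ip_network(elem[4:])
        else:                                       # plain prefix: source addr
            hit = src in ipaddress.ip_network(elem)

        if hit:
            return -1 if negate else 1
    return 0


def select_view(views, src, ecs=None, signer=None):
    """Return the first view whose match-clients list matches, else None."""
    src = ipaddress.ip_address(src)
    ecs = ipaddress.ip_address(ecs) if ecs else None
    for name, match_clients in views:
        if _eval_list(match_clients, src, ecs, signer) > 0:
            return name
    return None


# match-clients as posted (shape from the thread, addresses constructed)
VIEWS_AS_POSTED = [
    ("area02", ["area02", "ecs-area02", ("!", ["!ecs-area02", "any"]),
                "key Area02.mydomain.idv."]),
    ("deafult", ["any"]),
]
# the variant Bob asks about: the same list without the negated sub-list
VIEWS_SIMPLIFIED = [
    ("area02", ["area02", "ecs-area02", "key Area02.mydomain.idv."]),
    ("deafult", ["any"]),
]

if __name__ == "__main__":
    cases = [  # (source address, ECS address or None, TSIG signer or None)
        ("192.0.2.10", None, None),             # client inside area02
        ("203.0.113.5", None, None),            # outside, no ECS option
        ("203.0.113.5", "192.0.2.77", None),    # resolver forwarding ECS
        ("203.0.113.5", None, "Area02.mydomain.idv."),  # signed request
    ]
    for src, ecs, signer in cases:
        print(f"src={src} ecs={ecs} key={signer}: posted -> "
              f"{select_view(VIEWS_AS_POSTED, src, ecs, signer)}, "
              f"simplified -> {select_view(VIEWS_SIMPLIFIED, src, ecs, signer)}")
```

Under these assumed semantics the two forms agree for plain clients and for ECS-carrying queries, but differ once the list has anything after the sub-list: `!{!ecs-area02; any; }` matches (negatively) every request that the earlier `ecs-area02` element did not already accept, so evaluation stops there and the trailing `key` element is never consulted, whereas the plain `ecs-area02` element simply falls through to the next element when it does not match.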