I did compile 9.16.20 from source since the latest in Debian repos is 9.16.15 but the result is the same. The doc snippet in my original email was from 9.11 docs -- could this feature not have been brought forward into 9.16 at all? The only related documented removed feature is geoip-use-ecs.

-Ryan

On 9/2/21 10:06 AM, Ryan McGuire wrote:

I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a view. The views are working well, and the ECS is read by bind9 (see log below), but I can't seem to find a syntax for adding an ecs entry into an acl. Here is what I've tried:

acl "filtered" {
  192.168.0.90;
  192.168.0.91;
  192.168.0.92;
  192.168.0.93;
  ecs 192.168.99.0/24;
};

view filtered-view {
  match-clients { filtered; };
  {...}

When I try to start bind with this config, I get the following error:
/etc/bind/named.conf.local:6: missing ';' before '192.168.99.0'

Everything works as it should if I remove the ecs entry from the acl.

I can see the ECS is being set by dnsdist when I enable query logging:
client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): view filtered-view: query: elastic.mcguire.local IN A +E(0) (192.168.0.5) [ECS 192.168.99.0/24/0]

From the docs:

"An ACL containing an element of the form ecs prefix will match if a request arrives in containing an ECS option encoding an address within that prefix. If the request has no ECS option, then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address."

I am running bind9 version 9.16.15.

Regards,

Ryan McGuire
p. 260.202.0500 m. 978.501.3620 f. 260.202.0420
w. www.libretechconsulting.com <https://libretechconsulting.com>



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
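
The matching rule quoted from the docs in the message above, modelled against the posted ACL and query-log line. This is an added example, not code from the message or from BIND, and it says nothing about which BIND versions accept the `ecs` keyword. The names `parse_query`, `acl_matches` and `FILTERED_ACL` are hypothetical, and the ECS log field is assumed to be address/source prefix/scope prefix.

```python
import ipaddress
import re

# Query-log line quoted in the message (constructed copy, emphasis markers dropped).
LOG_LINE = (
    "client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): "
    "view filtered-view: query: elastic.mcguire.local IN A +E(0) "
    "(192.168.0.5) [ECS 192.168.99.0/24/0]"
)

# The "filtered" ACL from the message as (kind, prefix) pairs.
FILTERED_ACL = [
    ("addr", "192.168.0.90"),
    ("addr", "192.168.0.91"),
    ("addr", "192.168.0.92"),
    ("addr", "192.168.0.93"),
    ("ecs", "192.168.99.0/24"),
]

CLIENT_RE = re.compile(r"client (?:@\S+ )?(\S+)#\d+ ")
ECS_RE = re.compile(r"\[ECS (\S+)/(\d+)/(\d+)\]")


def parse_query(line):
    """Return (source address, ECS address or None) from a query-log line."""
    src = ipaddress.ip_address(CLIENT_RE.search(line).group(1))
    m = ECS_RE.search(line)
    # Assumption: the logged triple is address/source prefix/scope prefix.
    ecs = ipaddress.ip_address(m.group(1)) if m else None
    return src, ecs


def acl_matches(acl, src, ecs):
    """'ecs' elements test the ECS address; all others test only the source."""
    for kind, prefix in acl:
        net = ipaddress.ip_network(prefix)
        if kind == "ecs":
            # A request without an ECS option simply skips this element.
            if ecs is not None and ecs in net:
                return True
        elif src in net:
            return True
    return False


if __name__ == "__main__":
    src, ecs = parse_query(LOG_LINE)
    print(src, ecs, acl_matches(FILTERED_ACL, src, ecs))
```

The source address 192.168.0.1 is not listed in the ACL, so under the quoted rule this query can match only through the `ecs` element.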