Bind 9.11 question (ACL ecs)

Bob Harold rharolde at umich.edu
Tue Oct 25 17:19:11 UTC 2016


On Tue, Oct 25, 2016 at 2:04 AM, <HsuLiPing at itri.org.tw> wrote:

> From the 9.1 ARM, chapter 7, which mentions:
>
> The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform an authoritative
> name server of the network address block from which the original query was received, enabling
> authoritative servers to give different answers to the same resolver for different resolver clients.
>
> *An ACL containing an element of the form ecs prefix will match if a request arrives in containing
> an ECS option encoding an address within that prefix. If the request has no ECS option,
> then "ecs" elements are simply ignored*. Addresses in ACLs that are not prefixed with "ecs" are
> matched only against the source address.
>
>
>
> Now I have migrated DNS BIND from 9.10 to 9.11 and use the ECS prefix in my allow-query entry, but when I run
> a dig test (not including +subnet) it does not respond; when I remove that ecs keyword everything is OK.
>
> I am using BIND 9.11 to set up three DNS servers: one for mydomain.idv and two for sub.mydomain.idv.
>
> My sub.mydomain.idv servers have multiple views but the same zone.
>
> When I use dig to query a sub.mydomain.idv entry it always returns the last matching view; it does not
> respond by client subnet.
>
> The following is my partial named.conf content.
>
>
>
> ==================== sub.mydomain.idv (Primary server - ip: a.b.c.d) ====================
>
> acl "slave-ips" { a.b.c.d; };
>
> server a.b.c.d {
>     provide-ixfr yes;
>     request-nsid yes;
>     send-cookie yes;
>     edns-udp-size 4096;
>     max-udp-size 4096;
>     transfer-format many-answers;
> };
>
> server a1.b1.c1.d1 {  // mydomain.idv primary server
>     request-nsid yes;
>     send-cookie yes;
>     edns-udp-size 4096;
>     max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
>     directory "d:\isc bind 9\var\named";
>     allow-update { none; };
>     notify explicit;
>     allow-transfer { none; };
>     allow-query { none; };
> };
>
> // End Options
>
> view "area01" {
>     match-clients { area01; ecs-area01; !{ !ecs-area01; any; }; key Area01.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type master;
>         allow-query { area01; ecs-area01; };
>         file "sub/area01.mydomain.idv.txt";
>         also-notify { a.b.c1.d key Area01.mydomain.idv.; };
>         allow-transfer { key Area01.mydomain.idv.; };
>     };
> }; // End View
>
> view "area02" {
>     match-clients { area02; ecs-area02; !{ !ecs-area02; any; }; key Area02.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type master;
>         allow-query { area02; ecs-area02; };
>         file "sub/area02.mydomain.idv.txt";
>         also-notify { a.b.c1.d key Area02.mydomain.idv.; };
>         allow-transfer { key Area02.mydomain.idv.; };
>     };
> }; // End View
>
> view "area03" {
>     match-clients { area03; ecs-area03; !{ !ecs-area03; any; }; key Area03.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type master;
>         allow-query { area03; ecs-area03; };
>         file "sub/area03.mydomain.idv.txt";
>         also-notify { a.b.c1.d key Area03.mydomain.idv.; };
>         allow-transfer { key Area03.mydomain.idv.; };
>     };
> }; // End View
>
> view "deafult" {  // Default
>     match-clients { any; };
>     zone "sub.mydomain.idv" in {
>         type master;
>         allow-query { any; };
>         file "sub/default.mydomain.idv.txt";
>         also-notify { a.b.c1.d key Default.mydomain.idv.; };
>         allow-transfer { key Default.mydomain.idv.; };
>     };
> }; // End View
>
> ==================== sub.mydomain.idv (Slave server - ip: a.b.c1.d) ====================
>
> server a.b.c.d {
>     provide-ixfr yes;
>     request-nsid yes;
>     send-cookie yes;
>     edns-udp-size 4096;
>     max-udp-size 4096;
>     transfer-format many-answers;
> };
>
> server a1.b1.c1.d1 {  // mydomain.idv primary server
>     request-nsid yes;
>     send-cookie yes;
>     edns-udp-size 4096;
>     max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
>     directory "d:\isc bind 9\var\named";
>     allow-update { none; };
>     notify explicit;
>     allow-transfer { none; };
>     allow-query { none; };
> };
>
> // End Options
>
> view "area01" {
>     match-clients { area01; ecs-area01; !{ !ecs-area01; any; }; key Area01.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type slave;
>         allow-query { area01; ecs-area01; };
>         file "sub/area01.mydomain.idv.ca";
>         masters { a.b.c.d key Area01.mydomain.idv.; };
>     };
> }; // End View
>
> view "area02" {
>     match-clients { area02; ecs-area02; !{ !ecs-area02; any; }; key Area02.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type slave;
>         allow-query { area02; ecs-area02; };
>         file "sub/area02.mydomain.idv.ca";
>         masters { a.b.c.d key Area02.mydomain.idv.; };
>     };
> }; // End View
>
> view "area03" {
>     match-clients { area03; ecs-area03; !{ !ecs-area03; any; }; key Area03.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type slave;
>         allow-query { area03; ecs-area03; };
>         file "sub/area03.mydomain.idv.ca";
>         masters { a.b.c.d key Area03.mydomain.idv.; };
>     };
> }; // End View
>
> view "deafult" {  // Default
>     match-clients { any; };
>     zone "sub.mydomain.idv" in {
>         type slave;
>         allow-query { any; };
>         file "sub/default.mydomain.idv.ca";
>         masters { a.b.c.d key default.mydomain.idv.; };
>     };
> }; // End View
>
>
>
> My DNS servers are installed on Windows 2012 R2.
>
> My client PC is in the area02 subnet, so when I run a dig test (if not in the area02 ACL entry) it gets the
> default view's entry record. But from the highlighted words above, it means that if the query packet does not
> include ECS it will ignore the ECS function.
>
> When I use dig to query a sub.mydomain.idv entry through mydomain.idv, it always returns the default view's
> entry, not the area02 view's entry.
>
> Can anyone help me find where I went wrong?
>
> use ecs prefix
>
I cannot answer your question, but I have some questions, if you would be
so kind as to answer.

I did not know that you could use sub-groups {...} inside an ACL list -
thanks for that!

I don't understand "!{!ecs-area03; any; }" - is that really the same as
just "ecs-area03"?

Could you try "ecs-area03" without "!{!ecs-area03; any; }"?

-- 
Bob Harold
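The ARM paragraph quoted above and the `!{ !ecs-areaNN; any; }` construction in the posted views can be checked by hand with a small model. The following Python script is an added example, not code from the original post, from ISC or from BIND itself: it encodes and decodes the CLIENT-SUBNET option as `dig +subnet` puts it on the wire (RFC 7871), parses the address-match-list syntax used in the post, and evaluates views in configuration order with first-match-wins semantics. The area prefixes (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16), the resolver address 192.0.2.53 and the rule that a negative match inside a nested list counts as "no match" for the enclosing element are assumptions of the model, not facts taken from the page; the `ecs` rule itself follows the quoted ARM text (compared only against the ECS option, ignored when the query carries none).

```python
import ipaddress
import re
import struct


def encode_ecs(prefix):
    """CLIENT-SUBNET option payload (RFC 7871, after the 2-byte code/length header),
    as dig +subnet=PREFIX sends it: FAMILY, SOURCE PREFIX-LENGTH, SCOPE 0, then the
    address truncated to the fewest octets that cover the prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    return struct.pack("!HBB", 1 if net.version == 4 else 2, net.prefixlen, 0) + addr


def decode_ecs(payload):
    """Inverse of encode_ecs; rejects a bad family, an over-long address or non-zero padding."""
    family, src_len, _scope = struct.unpack("!HBB", payload[:4])
    raw, full = payload[4:], 4 if family == 1 else 16
    if family not in (1, 2) or len(raw) > full or len(raw) != (src_len + 7) // 8:
        raise ValueError("malformed ECS option")
    addr = ipaddress.ip_address(raw + b"\x00" * (full - len(raw)))
    return ipaddress.ip_network(f"{addr}/{src_len}")  # strict: padding bits must be zero


def parse_acl(text, named):
    """named.conf address-match-list -> [(negate, element)]; `named` maps acl names to lists."""
    toks, pos = re.findall(r"[{};!]|[^\s{};!]+", text), 0

    def parse_list():
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] != "}":
            negate = toks[pos] == "!"
            pos += negate
            tok, pos = toks[pos], pos + 1
            if tok == "{":                       # nested list, then consume its '}'
                elem = ("nested", parse_list())
                pos += 1
            elif tok in ("key", "ecs"):          # key NAME (case-insensitive) / ecs PREFIX
                arg = toks[pos].lower() if tok == "key" else ipaddress.ip_network(toks[pos])
                elem, pos = (tok, arg), pos + 1
            elif tok == "any":
                elem = ("any",)
            elif tok in named:                   # reference to a named acl
                elem = ("nested", named[tok])
            else:                                # plain prefix: source address only
                elem = ("addr", ipaddress.ip_network(tok))
            if pos >= len(toks) or toks[pos] != ";":
                raise ValueError("expected ';' after element")
            pos += 1
            items.append((negate, elem))
        return items

    return parse_list()


def matches(elem, q):
    """One non-negated element against a query {src, ecs, key}."""
    kind, arg = elem[0], elem[1] if len(elem) > 1 else None
    if kind == "any":
        return True
    if kind == "addr":
        return q["src"] in arg
    if kind == "ecs":   # compared with the ECS option only; skipped when the query has none
        return q["ecs"] is not None and q["ecs"].version == arg.version and q["ecs"].subnet_of(arg)
    if kind == "key":
        return q["key"] == arg
    return acl_match(arg, q) > 0   # nested: a negative result counts as "no match" (assumed)


def acl_match(acl, q):
    """First matching element decides: 1 allow, -1 negated match (deny), 0 no match."""
    for negate, elem in acl:
        if matches(elem, q):
            return -1 if negate else 1
    return 0


def query(src, ecs_prefix=None, key=None):
    """Constructed query: source address, optional ECS option (round-tripped through the
    wire encoding), optional TSIG key name."""
    ecs = decode_ecs(encode_ecs(ecs_prefix)) if ecs_prefix else None
    return {"src": ipaddress.ip_address(src), "ecs": ecs, "key": key.lower() if key else None}


def select_view(views, q):
    """Views are tried in configuration order; the first positive match-clients wins."""
    return next((name for name, acl in views if acl_match(acl, q) > 0), None)


# Constructed prefixes standing in for the post's area01/02/03 acl include files (assumption).
NAMED = {}
for area, pfx in (("area01", "10.1.0.0/16"), ("area02", "10.2.0.0/16"), ("area03", "10.3.0.0/16")):
    NAMED[area] = parse_acl(f"{pfx};", NAMED)
    NAMED["ecs-" + area] = parse_acl(f"ecs {pfx};", NAMED)


def build_views(template):
    """Three area views from a match-clients template, followed by the catch-all default view."""
    areas = [(v, parse_acl(template.format(v=v, K=v.capitalize()), NAMED)) for v in ("area01", "area02", "area03")]
    return areas + [("default", parse_acl("any;", NAMED))]


VIEWS = build_views("{v}; ecs-{v}; !{{ !ecs-{v}; any; }}; key {K}.mydomain.idv.;")  # as posted
VIEWS_SIMPLE = build_views("{v}; ecs-{v}; key {K}.mydomain.idv.;")                  # nested element removed

if __name__ == "__main__":
    resolver = "192.0.2.53"  # constructed: a recursive server outside every area
    for desc, q in [("PC in area02, dig without +subnet", query("10.2.0.10")),
                    ("via resolver, no ECS option", query(resolver)),
                    ("via resolver, +subnet=10.2.0.0/24", query(resolver, "10.2.0.0/24")),
                    ("via resolver, TSIG key only", query(resolver, key="Area02.mydomain.idv."))]:
        print(f"{desc:36} posted: {select_view(VIEWS, q):8} simplified: {select_view(VIEWS_SIMPLE, q)}")
```

Under these assumed rules, a query relayed by a recursive server that adds no ECS option arrives with the resolver's own source address and no ECS option; every `ecs` element is skipped and the query falls through to the default view, in both the posted and the simplified lists. The nested `!{ !ecs-areaNN; any; }` element produces a negative match for anything the two elements before it did not already accept, so the `key` element after it is never reached; in the simplified list the same TSIG-signed query selects the area02 view. To see which view a live server actually picks, compare `dig @server sub.mydomain.idv` with `dig +subnet=10.2.0.0/24 @server sub.mydomain.idv`.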