Syntax for ECS ACL Entry

Ryan McGuire rmcguire at libretechconsulting.com
Thu Sep 2 14:06:45 UTC 2021


I'm setting ECS in dnsdist in hopes of using it in an ACL to choose a 
view. The views are working well, and the ECS is read by bind9 (see log 
below), but I can't seem to find a syntax for adding an ecs entry into 
an acl. Here is what I've tried:

acl "filtered" {
   192.168.0.90;
   192.168.0.91;
   192.168.0.92;
   192.168.0.93;
   ecs 192.168.99.0/24;
};

view filtered-view {
   match-clients { filtered; };
   {...}

When I try to start bind with this config, I get the following error:
/etc/bind/named.conf.local:6: missing ';' before '192.168.99.0'

Everything works as it should if I remove the ecs entry from the acl.

I can see the ECS is being set by dnsdist when I enable query logging:
client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): view filtered-view: query: elastic.mcguire.local IN A +E(0) (192.168.0.5) [ECS 192.168.99.0/24/0]

From the docs:

"An ACL containing an element of the form ecs prefix will match if a 
request arrives in containing an ECS option encoding an address within 
that prefix. If the request has no ECS option, then "ecs" elements are 
simply ignored. Addresses in ACLs that are not prefixed with "ecs" are 
matched only against the source address."

I am running bind9 version 9.16.15.

Regards,

Ryan McGuire
p. 260.202.0500 <tel:260.202.0500> m. 978.501.3620 <tel:978.501.3620> f. 
260.202.0420 <tel:978.501.3620>
w. www.libretechconsulting.com <https://libretechconsulting.com>

	Libre Tech Consulting <https://libretechconsulting.com>
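The ACL semantics quoted from the BIND documentation above, applied to the query-log line in the message, as an added example that is not part of the original message or of BIND's own code. It parses the source address and the "[ECS address/source-prefix/scope]" field out of named query-log lines, then evaluates an ACL the way the documentation describes: plain elements test only the source address, "ecs" elements test the ECS-encoded address, and "ecs" elements are skipped when the query carried no ECS option. The (kind, prefix) list shape, the helper names and all log lines other than the first are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed ACL in the same shape as the poster's "filtered" ACL, with the
# intended "ecs" element expressed as a (kind, prefix) pair. This models the
# documented matching rules; it is not named's own ACL matcher.
FILTERED_ACL = [
    ("addr", "192.168.0.90"),
    ("addr", "192.168.0.91"),
    ("addr", "192.168.0.92"),
    ("addr", "192.168.0.93"),
    ("ecs", "192.168.99.0/24"),
]

# "client @0x... <source-ip>#<port>" as named's query log prints it
SRC_RE = re.compile(r"client @0x[0-9a-f]+ (?P<src>[^#\s]+)#\d+")
# "[ECS address/source-prefix-length/scope-prefix-length]" at the end of the line
ECS_RE = re.compile(r"\[ECS (?P<addr>[^/\]]+)/(?P<plen>\d+)/(?P<scope>\d+)\]")


def parse_query_log(line):
    """Return (source_ip, ecs_network) from one named query-log line.

    ecs_network is None when the line carries no "[ECS ...]" field, i.e. the
    query arrived without an EDNS Client Subnet option.
    """
    m = SRC_RE.search(line)
    if m is None:
        raise ValueError("not a named query log line: %r" % line)
    src = ipaddress.ip_address(m.group("src"))
    ecs = None
    e = ECS_RE.search(line)
    if e is not None:
        # source prefix length is what the client asserted; scope is ignored here
        ecs = ipaddress.ip_network(
            "%s/%s" % (e.group("addr"), e.group("plen")), strict=False
        )
    return src, ecs


def acl_matches(acl, src, ecs):
    """Evaluate an ACL per the quoted documentation.

    Plain elements are matched only against the source address. "ecs" elements
    match when the ECS-encoded address lies within the element's prefix, and
    are simply ignored when the request has no ECS option.
    """
    for kind, prefix in acl:
        net = ipaddress.ip_network(prefix, strict=False)
        if kind == "ecs":
            if ecs is None:
                continue  # no ECS option: ecs elements do not match or reject
            if ecs.version == net.version and ecs.network_address in net:
                return True
        elif src.version == net.version and src in net:
            return True
    return False


def classify(line, acl=FILTERED_ACL):
    """True when the query described by this log line would match the ACL."""
    src, ecs = parse_query_log(line)
    return acl_matches(acl, src, ecs)


# Sample input. The first line is the one from the message; the others are
# constructed to exercise the remaining cases.
SAMPLE_LOG = [
    # source 192.168.0.1 is not listed, but ECS 192.168.99.0/24 is -> match via ecs element
    "client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): view filtered-view: query: elastic.mcguire.local IN A +E(0) (192.168.0.5) [ECS 192.168.99.0/24/0]",
    # constructed: listed source address, no ECS option -> match via plain element
    "client @0x7f21840117e8 192.168.0.90#51000 (example.test): view filtered-view: query: example.test IN A + (192.168.0.5)",
    # constructed: unlisted source, no ECS option -> ecs element ignored, no match
    "client @0x7f21840117e8 192.168.0.1#51001 (example.test): query: example.test IN A + (192.168.0.5)",
    # constructed: unlisted source, ECS outside the prefix -> no match
    "client @0x7f21840117e8 192.168.0.1#51002 (example.test): query: example.test IN A +E(0) (192.168.0.5) [ECS 10.20.30.0/24/0]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        src, ecs = parse_query_log(line)
        verdict = "match" if acl_matches(FILTERED_ACL, src, ecs) else "no match"
        print("src=%s ecs=%s -> %s" % (src, ecs, verdict))
```

The first sample line reproduces the situation in the message: the query's source address is not in the ACL, so the view would only be selected by the "ecs" element, which is exactly the element named 9.16.15 refuses to parse.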
