Syntax for ECS ACL Entry

Ryan McGuire rmcguire at libretechconsulting.com
Thu Sep 2 18:26:59 UTC 2021


Thank you, in my searching I failed to come across that.

Do you know if it's been replaced by something more "practical to 
deploy"? I found some discussion regarding support for "The PROXY 
Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt) 
but I don't believe it's planned. This seems like such a common 
scenario, I'm surprised the support that was there was removed but not 
replaced by anything. I suppose it is open-source software and I'm free 
to port it into 9.16, but this isn't a big enough problem for me 
personally to justify the time spent.

-Ryan

On 9/2/21 2:16 PM, Evan Hunt wrote:
>> I did compile 9.16.20 from source since the latest in Debian repos is
>> 9.16.15 but the result is the same. The doc snippet in my original email
>> was from 9.11 docs -- could this feature not have been brought forward
>> into 9.16 at all? The only related documented removed feature is
>> geoip-use-ecs.
> It was actually removed in 9.14:
>
> 4952.   [func]          Authoritative server support in named for the
>                          EDNS CLIENT-SUBNET option (which was experimental
>                          and not practical to deploy) has been removed.
>
>                          The ECS option is still supported in dig and mdig
>                          via the +subnet option, and can be parsed and logged
>                          when received by named, but it is no longer used
>                          for ACL processing. The "geoip-use-ecs" option
>                          is now obsolete; a warning will be logged if it is
>                          used in named.conf. "ecs" tags in an ACL definition
>                          are also obsolete and will cause the configuration
>                          to fail to load.  [GL #32]
>
> Sorry about the inadequate documentation. There's a mechanism for flagging
> obsolete options in named.conf and logging a useful message about them, but
> it's not so straightforward when the option is still valid but the
> parameters have changed.
>
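
An added example, not part of the original thread and not BIND code: a pre-upgrade scan of a named.conf for the two settings the quoted changelog entry makes obsolete, reporting which one only logs a warning and which one stops the configuration from loading. The `ecs <prefix>;` element form, the sample configuration and the function name `find_obsolete_ecs` are assumptions; the thread does not show the syntax.

```python
import re

# Constructed sample config. The "ecs <prefix>;" element form is an assumption;
# the thread names the "ecs" ACL tag but does not show its syntax.
SAMPLE = '''\
options {
    geoip-use-ecs yes;   // obsolete per the changelog entry
    # ecs 198.51.100.0/24;  (commented out, must not be reported)
};
acl "branch" {
    10.1.0.0/16;
    ecs 192.0.2.0/24;
    /* ecs 203.0.113.0/24; */
};
zone "ecs" { type master; file "ecs.db"; };
'''

TOKEN = re.compile(r'''
    (?P<skip>//[^\n]*|\#[^\n]*|/\*.*?\*/)  # the comment styles named.conf accepts
  | (?P<str>"[^"\n]*")                     # quoted strings (zone names, paths)
  | (?P<word>[^\s;{}"]+)                   # bare words, including a leading "!"
  | (?P<punct>[;{}])
''', re.S | re.X)

def find_obsolete_ecs(text):
    """Return (line_no, severity, source_line) for each obsolete ECS setting."""
    lines = text.splitlines()
    findings = []
    prev = ';'  # last significant token; an element starts after ; { } or !
    for m in TOKEN.finditer(text):
        if m.lastgroup == 'skip':
            continue
        tok = m.group()
        if m.lastgroup == 'word' and prev in (';', '{', '}', '!'):
            no = text.count('\n', 0, m.start()) + 1
            if tok == 'geoip-use-ecs':    # 9.14+: warning logged, still loads
                findings.append((no, 'warning', lines[no - 1].strip()))
            elif tok.lstrip('!') == 'ecs':  # 9.14+: configuration fails to load
                findings.append((no, 'fatal', lines[no - 1].strip()))
        prev = tok
    return findings

if __name__ == '__main__':
    for no, severity, src in find_obsolete_ecs(SAMPLE):
        print(f'line {no}: {severity}: {src}')
```

Comments and quoted strings are skipped, so a zone named "ecs" or a commented-out element is not reported.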

