Syntax for ECS ACL Entry
Ryan McGuire
rmcguire at libretechconsulting.com
Thu Sep 2 18:26:59 UTC 2021
Thank you, in my searching I failed to come across that.

Do you know if it's been replaced by something more "practical to
deploy"? I found some discussion regarding support for "The PROXY
Protocol" (https://www.haproxy.org/download/2.2/doc/proxy-protocol.txt)
but I don't believe it's planned. This seems like such a common
scenario, I'm surprised the support that was there was removed but not
replaced by anything. I suppose it is open-source software and I'm free
to port it into 9.16, but this isn't a big enough problem for me
personally to justify the time spent.

-Ryan

On 9/2/21 2:16 PM, Evan Hunt wrote:
>> I did compile 9.16.20 from source since the latest in Debian repos is
>> 9.16.15 but the result is the same. The doc snippet in my original email
>> was from 9.11 docs -- could this feature not have been brought forward
>> into 9.16 at all? The only related documented removed feature is
>> geoip-use-ecs.
> It was actually removed in 9.14:
>
> 4952. [func] Authoritative server support in named for the
> EDNS CLIENT-SUBNET option (which was experimental
> and not practical to deploy) has been removed.
>
> The ECS option is still supported in dig and mdig
> via the +subnet option, and can be parsed and logged
> when received by named, but it is no longer used
> for ACL processing. The "geoip-use-ecs" option
> is now obsolete; a warning will be logged if it is
> used in named.conf. "ecs" tags in an ACL definition
> are also obsolete and will cause the configuration
> to fail to load. [GL #32]
>
> Sorry about the inadequate documentation. There's a mechanism for flagging
> obsolete options in named.conf and logging a useful message about them, but
> it's not so straightforward when the option is still valid but the
> parameters have changed.
>

More information about the bind-users mailing list