Re: Access Control Lists error

Duan Duan 1422807819 at qq.com
Thu Feb 20 03:52:04 UTC 2025


从今以后
1422807819 at qq.com



 




------------------ Original Message ------------------
From: "stuart at registry.godaddy" <stuart at registry.godaddy>;
Sent: Thursday, February 20, 2025, 10:56 AM
To: "Duan Duan"<1422807819 at qq.com>;"bind-users"<bind-users at lists.isc.org>;

Subject: Re: Access Control Lists error



> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Duan Duan via bind-users <bind-users at lists.isc.org>
> 
> Hey Guys,
> 
> I am upgrading my bind version from 9.11.0 to 9.18.31.
> 
> But I have some questions about Access Control Lists (acls).
> 
> In version 9.11.0 my acl file looks like this:
> 
> root at hz#cat tsg_acl
> acl "tsg_acl" {
>     ecs 10.56.21.236/30;
> };
> 
> But when I upgraded to version 9.18.31, it reported an error.
> 
> error :  /home/named/acl/tsg_acl:2: missing ';' before '10.56.21.236'

Hi Duan,

It appears that the "ecs" functionality in an ACL was removed in 9.13.1 (according to the release notes):

4952. [func] Authoritative server support in named for the
  EDNS CLIENT-SUBNET option (which was experimental
  and not practical to deploy) has been removed.

  The ECS option is still supported in dig and mdig
  via the +subnet option, and can be parsed and logged
  when received by named, but it is no longer used
  for ACL processing. The "geoip-use-ecs" option
  is now obsolete; a warning will be logged if it is
  used in named.conf. "ecs" tags in an ACL definition
  are also obsolete and will cause the configuration
  to fail to load. [GL #32] 

Stuart


--------------------------------------------------------------------------------


Hi, Stuart


Thank you for your reply.


But I still have a lot of doubts.


Does that mean my authoritative server can't use any acl of a view to respond to dig +subnet?

How can I use dig +subnet=interior_ip to get parsing in the view_interior of my authoritative service?


And I had to use ip to distinguish views.


Do you have any ideas? 


Kind regards
Duan
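
A pre-upgrade check for the change quoted from the release notes, as an added example that is not part of this thread or of BIND: it scans configuration text for `ecs` address-match elements and the `geoip-use-ecs` option, both of which the note marks obsolete. The function names and the sample configuration are constructed; comment handling is simplified and assumes no `#`, `//` or `/*` appears inside a quoted string.

```python
import re

# named.conf comment styles: /* ... */, // ..., # ...
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# "ecs <prefix>" as a list element, i.e. right after "{" or ";" (optionally negated).
_ECS_ELEMENT = re.compile(
    r"[{;]\s*!?\s*(?P<kw>ecs)\s+(?P<prefix>[0-9A-Fa-f:.]+(?:/\d+)?)(?=\s*;)")
# The obsolete option, at the start of a statement.
_GEOIP_OPT = re.compile(r"[{;]\s*(?P<kw>geoip-use-ecs)\b")


def strip_comments(text):
    """Blank out comments but keep their newlines so line numbers stay valid."""
    return _COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)


def find_obsolete_ecs(text):
    """Return sorted (line, kind, detail) tuples for ECS settings that no longer load."""
    clean = strip_comments(text)
    hits = []
    for m in _ECS_ELEMENT.finditer(clean):
        line = clean.count("\n", 0, m.start("kw")) + 1
        hits.append((line, "ecs-acl-element", m.group("prefix")))
    for m in _GEOIP_OPT.finditer(clean):
        line = clean.count("\n", 0, m.start("kw")) + 1
        hits.append((line, "geoip-use-ecs", "option"))
    return sorted(hits)


# Constructed sample configuration (not taken from a real server).
SAMPLE = '''\
options {
    directory "/var/named";
    geoip-use-ecs yes;   // constructed
};
acl "tsg_acl" {
    ecs 10.56.21.236/30;
    # ecs 192.0.2.0/24;  commented out, must not be reported
    ! ecs 2001:db8::/32;
    10.0.0.0/8;
};
'''

if __name__ == "__main__":
    for line, kind, detail in find_obsolete_ecs(SAMPLE):
        print(f"line {line}: {kind} ({detail})")
```
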