<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>I did compile 9.16.20 from source since the latest in Debian
      repos is 9.16.15 but the result is the same. The doc snippet in my
      original email was from 9.11 docs -- could this feature not have
      been brought forward into 9.16 at all? The only related documented
      removed feature is geoip-use-ecs.<br>
    </p>
    <p>-Ryan<br>
    </p>
    <div class="moz-cite-prefix">On 9/2/21 10:06 AM, Ryan McGuire wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:5dda988c-fb3a-62b1-63dd-3707c25cfe6c@libretechconsulting.com">
      <p>I'm setting ECS in dnsdist in hopes of using it in an ACL to
        choose a view. The views are working well, and the ECS is read
        by bind9 (see log below), but I can't seem to find a syntax for
        adding an ecs entry into an acl. Here is what I've tried:</p>
      <p>acl "filtered" {<br>
          192.168.0.90;<br>
          192.168.0.91;<br>
          192.168.0.92;<br>
          192.168.0.93;<br>
        <b>  ecs 192.168.99.0/24;</b><br>
        };</p>
      <p>view filtered-view {<br>
          match-clients { filtered; };<br>
          {...}<br>
      </p>
      <p>When I try to start bind with this config, I get the following
        error:<br>
        /etc/bind/named.conf.local:6: missing ';' before '192.168.99.0'<br>
      </p>
      <p>Everything works as it should if I remove the ecs entry from
        the acl.</p>
      <p>I can see the ECS is being set by dnsdist when I enable query
        logging:<br>
        client @0x7f21840117e8 192.168.0.1#43466
        (elastic.mcguire.local): view filtered-view: query:
        elastic.mcguire.local IN A +E(0) (192.168.0.5) <b>[ECS
          192.168.99.0/24/0]</b></p>
      <p>From the docs<b>:</b></p>
      <p>"An ACL containing an element of the form ecs prefix will match
        if a request arrives in containing an ECS option encoding an
        address within that prefix. If the request has no ECS option,
        then "ecs" elements are simply ignored. Addresses in ACLs that
        are not prefixed with "ecs" are matched only against the source
        address."<b><br>
        </b></p>
      <p>I am running bind9 version 9.16.15.</p>
      <p>Regards,<br>
      </p>
      <div class="moz-signature">Ryan McGuire</div>
    </blockquote>
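    <p>Added example, not part of the original messages and not BIND's own code: a small Python model of the ACL semantics in the quoted 9.11 documentation, evaluated against the query-log line from the message. The <code>("addr" | "ecs", prefix)</code> tuple layout and all function names are assumptions made for illustration; it does not reproduce how any particular named release parses or applies ACLs.</p>

```python
import ipaddress
import re

# Query-log line copied from the message above, joined onto one line.
LOG_LINE = ("client @0x7f21840117e8 192.168.0.1#43466 (elastic.mcguire.local): "
            "view filtered-view: query: elastic.mcguire.local IN A +E(0) "
            "(192.168.0.5) [ECS 192.168.99.0/24/0]")

# The "filtered" ACL from the message, in a hypothetical tuple form.
FILTERED = [("addr", "192.168.0.90"), ("addr", "192.168.0.91"),
            ("addr", "192.168.0.92"), ("addr", "192.168.0.93"),
            ("ecs", "192.168.99.0/24")]

SRC_RE = re.compile(r"client (?:@\S+ )?([0-9A-Fa-f.:]+)#\d+")
ECS_RE = re.compile(r"\[ECS ([0-9A-Fa-f.:]+)/(\d+)/\d+\]")


def parse_query_log(line):
    """Return (source address, ECS address or None) from a query-log line."""
    src = ipaddress.ip_address(SRC_RE.search(line).group(1))
    m = ECS_RE.search(line)
    ecs = ipaddress.ip_address(m.group(1)) if m else None
    return src, ecs


def acl_matches(acl, src, ecs):
    """Apply the quoted rules: plain elements see only the source address,
    "ecs" elements see only the ECS address and are ignored without one."""
    for kind, prefix in acl:
        net = ipaddress.ip_network(prefix)
        if kind == "addr" and src in net:
            return True
        if kind == "ecs" and ecs is not None and ecs in net:
            return True
    return False


def evaluate(line, acl):
    """Parse one log line and report whether the ACL model matches it."""
    src, ecs = parse_query_log(line)
    return acl_matches(acl, src, ecs)


if __name__ == "__main__":
    print("with ECS:   ", evaluate(LOG_LINE, FILTERED))
    stripped = LOG_LINE.replace(" [ECS 192.168.99.0/24/0]", "")
    print("without ECS:", evaluate(stripped, FILTERED))
```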
  </body>
</html>