<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Greg: I looked for <tt>ecs-forward</tt> in the ARM in 9.12.3,
9.18.21, and in <a class="moz-txt-link-freetext" href="https://bind9.readthedocs.io/en/latest/#">https://bind9.readthedocs.io/en/latest/#</a> and did
not find it. If such a jackalope appears, it will probably be
welcomed; however, it won't be the end of this issue.</p>
<p><br>
</p>
<p>Sami: DNS is both a wire protocol and an application protocol. By
analogy, an HTTP proxy server is an application protocol. What
happens if you chain several HTTP proxies together, and try to set
headers? It's a mess. There is no fundamental requirement that an
application server honor what some other application server
requests ("forward my headers"), in fact there are a lot of
counterarguments that it shouldn't. Should your little server be
able to dictate what BIND advertises (via EDNS) to its upstream as
PMTU? Should it be able to force TCP or UDP?<br>
</p>
<p>Proper network design has segmentation, and part of segmentation
is actual DNS at the edge. Always has been, switches and servers
all the way down. But you do what you need to do, of course. I've
just heard of so many sightings of this beast, usually with a whiff
of FOMO to maybe get me to do / commit to something without giving
it proper diligence. Heffalumps.</p>
<p>--</p>
<p>Fred Morris, internet plumber<br>
</p>
<div class="moz-cite-prefix">On 3/3/26 5:02 AM, Greg Choules via
bind-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANsEUy0Q2MjzC+Lg2Rd5M570EvGPjiPkPhW69wJmaA7OcFZ_pA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Hi Sami.</div>
<div>Have you tried `ecs-forward` in your BIND configuration? It
will be described in the -S ARM.</div>
<div><br>
</div>
<div>Cheers, Greg</div>
</div>
<br>
<div class="gmail_quote gmail_quote_container">
<div dir="ltr" class="gmail_attr">On Tue, 3 Mar 2026 at 12:54,
<<a href="mailto:sami.rahal@sofrecom.com"
moz-do-not-send="true">sami.rahal@sofrecom.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="msg-8261435367296355182">
<div style="overflow-wrap: break-word;" lang="FR">
<div class="m_-8261435367296355182WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hello,</span></p>
<p class="MsoNormal"><span lang="EN-US">I am reaching
out regarding the use of EDNS Client Subnet (ECS) in
BIND.</span></p>
<p class="MsoNormal"><span lang="EN-US">Context:<br>
I am testing an environment where:</span></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoNormal"><span lang="EN-US">A dnsdist
server receives client queries and injects a
specific ECS (e.g., <a
href="http://41.226.22.0/24" target="_blank"
moz-do-not-send="true">41.226.22.0/24</a>).</span></li>
<li class="MsoNormal"><span lang="EN-US">These queries
are then forwarded to a BIND 9.18-S1 server
configured as the final resolver.</span></li>
</ul>
<p class="MsoNormal"><span lang="EN-US">Issue:<br>
BIND does not forward the ECS to upstream servers
and does not preserve this information in responses.</span></p>
<p class="MsoNormal">Questions:</p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoNormal"><span lang="EN-US">Can BIND
9.18-S1 be configured to rewrite or forward an ECS
injected by dnsdist?</span></li>
<li class="MsoNormal"><span lang="EN-US">If not, which
version or configuration would you recommend for
BIND to meet this requirement?</span></li>
</ul>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
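<p>Added example, not part of this thread: the ECS option Sami describes is EDNS0 option code 8 (RFC 7871), so whether a resolver forwards or strips it can be checked on the wire rather than inferred from configuration. The Python below (standard library only) encodes an ECS option for a prefix such as 41.226.22.0/24, builds a constructed sample query carrying it, and parses the option back out of any DNS message; running <tt>extract_ecs</tt> over packets captured on the dnsdist side and on the upstream side of BIND shows whether the option survives. The query name is an assumption.</p>

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8   # EDNS Client Subnet option code, RFC 7871
OPT_TYPE = 41         # OPT pseudo-RR type, RFC 6891

def encode_ecs(prefix: str, scope: int = 0) -> bytes:
    """Encode one ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, ADDRESS."""
    net = ipaddress.ip_network(prefix, strict=False)
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8   # only the significant address octets go on the wire
    data = struct.pack("!HBB", family, net.prefixlen, scope) + net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def build_query(qname: str, ecs_prefix=None, txid: int = 0x1234) -> bytes:
    """Constructed sample: an A query with an OPT RR, optionally carrying ECS (no name compression)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    name = b"".join(bytes([len(lb)]) + lb.encode() for lb in qname.rstrip(".").split(".")) + b"\x00"
    rdata = encode_ecs(ecs_prefix) if ecs_prefix else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata  # root name, UDP size 4096
    return header + name + struct.pack("!HH", 1, 1) + opt

def _skip_name(msg: bytes, off: int) -> int:  # offset just past a name, compression pointers included
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def extract_ecs(msg: bytes):  # -> (prefix, scope) for the ECS option in a DNS message, or None if absent
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == OPT_TYPE and pos + 4 <= len(rdata):  # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            odata, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == ECS_OPTION_CODE:
                family, src, scope = struct.unpack("!HBB", odata[:4])
                addr = odata[4:].ljust(4 if family == 1 else 16, b"\x00")  # restore trimmed octets
                return f"{ipaddress.ip_address(addr)}/{src}", scope
    return None
```

<p>A response from BIND that carries the option back with a non-zero SCOPE PREFIX-LENGTH is the signal that ECS was honoured end to end; a missing option in the upstream capture is what the original report describes.</p>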
</body>
</html>