Re: Bind 9.11 question (ACL ecs )

2016-10-25 Thread Mark Andrews

You use the "ecs" keyword like this.

acl example { ecs 10.0.0.0/8; };

view ecs-net-10-only {
match-clients { example; };
};

Also using colour or fonts is not a good way to highlight
what the issue is.  Not everyone reads email on a display
which supports different colours or fonts.

Also ACLs are *first* *match*, so

match-clients {
 area02; ecs-area02;
 !{!ecs-area02; any; };
 key Area02.mydomain.idv.;
};

and

match-clients { area02; ecs-area02; };

are the *same* as all "ecs-area02;" addresses have already
been matched by the time you get to looking at "!{!ecs-area02;
any; };".

Bob,
!{!ecs-area01; any; }; is reject anything which
isn't in ecs-area01.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
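An added worked example, written for this thread rather than taken from Mark's post or from BIND's own source: a small Python model of how named walks a match-clients list, following the rules Mark states above and the ARM text quoted in the original question (first match wins; a matched element or nested ACL prefixed with "!" rejects; "ecs" elements are skipped when the query carries no ECS option). The area01/area02 prefixes, the 203.0.113.9 resolver and the queries are constructed stand-ins for the poster's include files, since the real values are not on the page, and the ECS option is simplified to a single address rather than a prefix. It shows why a plain dig (no +subnet) from outside the areas is rejected by `!{!ecs-area02; any; };` before the trailing `key` element is ever reached, and that the long and short match-clients forms select the same view for every sample query.

```python
"""Model of how named evaluates a match-clients ACL: first match wins, a
negated element or negated nested ACL rejects, and "ecs" elements are skipped
when the query carries no EDNS Client Subnet option.  Added illustration for
this thread, not BIND source; prefixes below are constructed stand-ins for
the poster's acl include files."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Query:
    src: str                   # packet source address
    ecs: Optional[str] = None  # address carried in the ECS option, if any (simplified to one address)
    key: Optional[str] = None  # name of the TSIG key that signed the query, if any


@dataclass(frozen=True)
class Elem:
    kind: str                  # "addr" | "ecs" | "key" | "any" | "acl"
    value: object = None       # prefix, key name, or tuple of nested elements
    negate: bool = False       # a leading "!"


def addr(prefix): return Elem("addr", prefix)
def ecs(prefix): return Elem("ecs", prefix)
def key(name): return Elem("key", name)
def nested(*elems): return Elem("acl", tuple(elems))    # { ...; } or a named acl
def neg(e): return Elem(e.kind, e.value, not e.negate)  # "!" in front of e
ANY = Elem("any")


def _hits(e: Elem, q: Query) -> bool:
    """Does element e apply to q, before its own "!" is considered?  A nested
    ACL counts as a hit only when the inner list yields a positive match."""
    if e.kind == "any":
        return True
    if e.kind == "addr":
        return ipaddress.ip_address(q.src) in ipaddress.ip_network(e.value)
    if e.kind == "ecs":
        if q.ecs is None:      # no ECS option: "ecs" elements are simply ignored
            return False
        return ipaddress.ip_address(q.ecs) in ipaddress.ip_network(e.value)
    if e.kind == "key":
        return q.key is not None and q.key == e.value
    if e.kind == "acl":
        return match(e.value, q) > 0
    raise ValueError(f"unknown element kind {e.kind}")


def match(acl: Sequence[Elem], q: Query) -> int:
    """First-match evaluation.  Returns +n for a positive match on element n,
    -n when element n matched but was negated (query rejected), and 0 when no
    element applied.  Elements after the first hit are never looked at."""
    for n, e in enumerate(acl, start=1):
        if _hits(e, q):
            return -n if e.negate else n
    return 0


def allowed(acl: Sequence[Elem], q: Query) -> bool:
    return match(acl, q) > 0


def select_view(views, q: Query) -> Optional[str]:
    """Views are tried in configuration order; the first whose match-clients
    yields a positive match serves the query."""
    for name, match_clients in views:
        if allowed(match_clients, q):
            return name
    return None


# Constructed stand-ins for the poster's areaNN / ecs-areaNN acls.
AREA01, ECS_AREA01 = nested(addr("192.0.2.0/24")), nested(ecs("198.51.100.0/24"))
AREA02, ECS_AREA02 = nested(addr("10.20.0.0/16")), nested(ecs("10.120.0.0/16"))


def mc_long(area, ecs_area, keyname):
    """match-clients { area; ecs-area; !{ !ecs-area; any; }; key keyname; };"""
    return [area, ecs_area, neg(nested(neg(ecs_area), ANY)), key(keyname)]


def mc_short(area, ecs_area):
    """match-clients { area; ecs-area; };"""
    return [area, ecs_area]


VIEWS_LONG = [("area01", mc_long(AREA01, ECS_AREA01, "Area01.mydomain.idv.")),
              ("area02", mc_long(AREA02, ECS_AREA02, "Area02.mydomain.idv.")),
              ("default", [ANY])]
VIEWS_SHORT = [("area01", mc_short(AREA01, ECS_AREA01)),
               ("area02", mc_short(AREA02, ECS_AREA02)),
               ("default", [ANY])]

# Constructed queries from a resolver outside both areas, with and without ECS / TSIG.
SAMPLE_QUERIES = [
    Query("203.0.113.9", ecs="10.120.5.5"),            # dig +subnet=10.120.5.0/24
    Query("203.0.113.9"),                              # plain dig, no ECS option
    Query("203.0.113.9", key="Area02.mydomain.idv."),  # signed, no ECS option
    Query("10.20.3.3"),                                # source address inside area02
    Query("203.0.113.9", ecs="198.51.100.7"),          # ECS inside area01's prefix
]


def views_agree(queries=SAMPLE_QUERIES) -> bool:
    """Mark's point: the long and short forms pick the same view for every query."""
    return all(select_view(VIEWS_LONG, q) == select_view(VIEWS_SHORT, q) for q in queries)


if __name__ == "__main__":
    long02 = mc_long(AREA02, ECS_AREA02, "Area02.mydomain.idv.")
    for q in SAMPLE_QUERIES:
        print(f"{q!s:60} area02 long form={match(long02, q):+d} view={select_view(VIEWS_LONG, q)}")
    print("long and short forms agree:", views_agree())
```

Running it shows the plain and TSIG-signed queries scoring -3 against the area02 list (rejected by the third element, so the fourth, `key Area02.mydomain.idv.`, is dead) and landing in the default view, which is exactly the "always returns the last view" symptom when dig is run without +subnet.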


Re: Bind 9.11 question (ACL ecs )

2016-10-25 Thread Bob Harold
On Tue, Oct 25, 2016 at 2:04 AM,  wrote:

> From the 9.1 ARM chapter 7, which mentions:
>
> The EDNS Client Subnet (ECS) option is used by a recursive resolver to
> inform an authoritative
> name server of the network address block from which the original query was
> received, enabling
> authoritative servers to give different answers to the same resolver for
> different resolver clients.
>
>
>
> *An ACL containing an element of the form ecs prefix will match if a
> request arrives in containing*
> *an ECS option encoding an address within that prefix. If the request has
> no ECS option,*
> *then "ecs" elements are simply ignored*. Addresses in ACLs that are not
> prefixed with "ecs" are
> matched only against the source address.
>
>
>
> Now I migrated DNS BIND from 9.10 to 9.11 and use an ECS prefix in my
> allow-query entry, but when I use dig to
>
> test (without +subnet) it does not respond; when I remove that ecs
> keyword everything is OK.
>
>
>
> I used BIND 9.11 to set up three DNS servers, one for mydomain.idv and two
> for sub.mydomain.idv.
>
> My sub.mydomain.idv has multiple views but the same zone.
>
> When I use dig to query a sub.mydomain.idv entry it always returns the last
> matching view; it does not respond according to the client subnet.
>
> following was my partial named.conf content
>
>
>
> sub.mydomain.idv (Primary server -ip:a.b.c.d)
> =
>
> acl "slave-ips" { a.b.c.d; };
>
> server  a.b.c.d {
> provide-ixfr yes;
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> transfer-format many-answers;
> };
>
> server  a1.b1.c1.d1 {  // mydomain.idv primary server
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
>   directory   "d:\isc bind 9\var\named";
> allow-update {none;};
> notify explicit;
> allow-transfer { none; };
> allow-query { none; };
> };
>
> // End Options
>
> view "area01" {
> match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key
> Area01.mydomain.idv.;};
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query { area01; ecs-area01; };
>   file "sub/area01.mydomain.idv.txt";
>  also-notify { a.b.c1.d key Area01.mydomain.idv.; };
>  allow-transfer { key Area01.mydomain.idv.; };
>  };
> }; // End View
>
> view "area02" {
> match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key
> Area02.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query { area02; ecs-area02; };
>   file "sub/area02.mydomain.idv.txt";
>  also-notify { a.b.c1.d key Area02.mydomain.idv.; };
>  allow-transfer { key Area02.mydomain.idv.; };
>  };
> }; // End View
>
> view "area03" {
> match-clients {  area03; ecs-area03; !{!ecs-area03; any; } ; key
> Area03.mydomain.idv.; };
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query {  area03; ecs-area03; };
>   file "sub/area03.mydomain.idv.txt";
>   also-notify { a.b.c1.d key Area03.mydomain.idv.;};
>   allow-transfer { key Area03.mydomain.idv.; };
>  };
> }; // End View
>
> view "deafult" {  // Default
> match-clients {any; };
> zone "sub.mydomain.idv" in {
>  type master;
>  allow-query { any; };
>   file "sub/default.mydomain.idv.txt";
>  also-notify { a.b.c1.d key Default.mydomain.idv.;};
>  allow-transfer { key Default.mydomain.idv.; };
>  };
> }; // End View
>
> sub.mydomain.idv (Slave server -ip:a.b.c1.d)
> =
>
> server  a.b.c.d {
> provide-ixfr yes;
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> transfer-format many-answers;
> };
>
> server  a1.b1.c1.d1 {  // mydomain.idv primary server
> request-nsid yes;
> send-cookie yes;
> edns-udp-size 4096;
> max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
>   directory   "d:\isc bind 9\var\named";
> allow-update {none;};
> notify explicit;
> allow-transfer { none; };
> allow-query { none; };
> };
>
> // End Options
>
> view "area01" {
> match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key
> Area01.mydomain.idv.;};
> zone "sub.mydomain.idv" in {
>  type slave;
>  allow-query { area01; ecs-area01; };
>   file "sub/area01.mydomain.idv.ca";
>  masters { a.b.c.d key 

Respect for other posters and use of appropriate language on our community mailing lists

2016-10-25 Thread Cathy Almond
We should like to remind list users that irrespective of the basic
levels of experience or knowledge of some of the posters here, that they
are asking for community help and that advice should be given politely
and with respect shown both towards the original poster and other
contributors to a thread.

The same courtesy and respect is also expected of list members towards
others when discussing more advanced and complex topics.  Please
remember that:

- English is not the first language for all - this can lead to
misunderstandings

- Beginners don't always 'get it' from the start (but with gentle
guidance may become the experts of the future and surprise us all)

If you disagree with another poster on a technical matter, please
explain your position clearly, thoughtfully, and with appropriate
support for your viewpoint.

If you believe that you are the target of an insulting or inappropriate
post, please alert the list administrators rather than retaliating on
the mailing list.

If you have any other concerns about a poster, please bring them to the
attention of the list administrators.

Insulting and derogatory posts will not be tolerated and will result in
future posts from those list members who are posting in this manner
being held for moderation or suspended indefinitely from this community.

Cathy Almond
ISC Support


Re: authority

2016-10-25 Thread Reindl Harald



On 25.10.2016 at 06:16, Nick Edwards wrote:

On Tue, Oct 25, 2016 at 7:11 AM, Reindl Harald wrote:


i don't understand your question


Since you have NOTHING to do with ISC or even remotely with
bind, if you
dont understand , LEAVE IT TO SOMEONE WHO DOES


and YOU have something to do with ISC?
i doubt!

since i maintain hundreds of domains and wrote admin-backends for
BIND i pretend to have more than remotely to do with bind for many
many years

PRETEND is the key operative word here, you have  ZERO to do with ISC
Bind, you are not a member of the consortium, yes, that I know!

I'll leave it for a list moderator to cane your arse for trying to imply
you are associated with bind project


where did i imply that damned?
this is a USERS LIST so stop trolling

and that post *was not* understandable for anybody

however - as the OP did understand my basic explanations my reply 
seemed to be more helpful than your biting around when nobody asked you


just creep away when you don't have something useful to say which i did 
in the parts you stripped out in your selective quoting (as you always do 
when you are lucky to try biting again in my direction)




Bind 9.11 question (ACL ecs )

2016-10-25 Thread HsuLiPing
From the 9.1 ARM chapter 7, which mentions:

The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform 
an authoritative
name server of the network address block from which the original query was 
received, enabling
authoritative servers to give different answers to the same resolver for 
different resolver clients.



An ACL containing an element of the form ecs prefix will match if a request 
arrives in containing
an ECS option encoding an address within that prefix. If the request has no ECS 
option,
then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed 
with "ecs" are
matched only against the source address.



Now I migrated DNS BIND from 9.10 to 9.11 and use an ECS prefix in my 
allow-query entry, but when I use dig to

test (without +subnet) it does not respond; when I remove that ecs keyword 
everything is OK.



I used BIND 9.11 to set up three DNS servers, one for mydomain.idv and two 
for sub.mydomain.idv.

My sub.mydomain.idv has multiple views but the same zone.

When I use dig to query a sub.mydomain.idv entry it always returns the last 
matching view; it does not respond according to the client subnet.

following was my partial named.conf content



sub.mydomain.idv (Primary server -ip:a.b.c.d) 
=

acl "slave-ips" { a.b.c.d; };

server  a.b.c.d {
provide-ixfr yes;
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
transfer-format many-answers;
};

server  a1.b1.c1.d1 {  // mydomain.idv primary server
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
  directory   "d:\isc bind 9\var\named";
allow-update {none;};
notify explicit;
allow-transfer { none; };
allow-query { none; };
};

// End Options

view "area01" {
match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key 
Area01.mydomain.idv.;};
zone "sub.mydomain.idv" in {
 type master;
 allow-query { area01; ecs-area01; };
  file "sub/area01.mydomain.idv.txt";
 also-notify { a.b.c1.d key Area01.mydomain.idv.; };
 allow-transfer { key Area01.mydomain.idv.; };
 };
}; // End View

view "area02" {
match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key 
Area02.mydomain.idv.; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query { area02; ecs-area02; };
  file "sub/area02.mydomain.idv.txt";
 also-notify { a.b.c1.d key Area02.mydomain.idv.; };
 allow-transfer { key Area02.mydomain.idv.; };
 };
}; // End View

view "area03" {
match-clients {  area03; ecs-area03; !{!ecs-area03; any; } ; key 
Area03.mydomain.idv.; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query {  area03; ecs-area03; };
  file "sub/area03.mydomain.idv.txt";
  also-notify { a.b.c1.d key Area03.mydomain.idv.;};
  allow-transfer { key Area03.mydomain.idv.; };
 };
}; // End View

view "deafult" {  // Default
match-clients {any; };
zone "sub.mydomain.idv" in {
 type master;
 allow-query { any; };
  file "sub/default.mydomain.idv.txt";
 also-notify { a.b.c1.d key Default.mydomain.idv.;};
 allow-transfer { key Default.mydomain.idv.; };
 };
}; // End View

sub.mydomain.idv (Slave server -ip:a.b.c1.d) 
=

server  a.b.c.d {
provide-ixfr yes;
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
transfer-format many-answers;
};

server  a1.b1.c1.d1 {  // mydomain.idv primary server
request-nsid yes;
send-cookie yes;
edns-udp-size 4096;
max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
  directory   "d:\isc bind 9\var\named";
allow-update {none;};
notify explicit;
allow-transfer { none; };
allow-query { none; };
};

// End Options

view "area01" {
match-clients { area01; ecs-area01; !{!ecs-area01; any; } ; key 
Area01.mydomain.idv.;};
zone "sub.mydomain.idv" in {
 type slave;
 allow-query { area01; ecs-area01; };
  file "sub/area01.mydomain.idv.ca";
 masters { a.b.c.d key Area01.mydomain.idv.; };
 };
}; // End View

view "area02" {
match-clients { area02; ecs-area02; !{!ecs-area02; any; } ; key 
Area02.mydomain.idv.;};
zone "sub.mydomain.idv" in {
 type slave;
 allow-query { area02; ecs-area02; };
  file "sub/area02.mydomain.idv.ca";
 masters { a.b.c.d key Area02.mydomain.idv.; };
}; //