Re: Bind 9.11 question (ACL ecs )
You use the "ecs" key word like this.

acl example { ecs 10.0.0.0/8; };

view ecs-net-10-only {
	match-clients { example; };
};

Also using colour or fonts is not a good way to highlight what the issue is. Not everyone reads email on a display which supports different colours or fonts.

Also acls are *first* *match* so

match-clients { area02; ecs-area02; !{!ecs-area02; any; }; key Area02.mydomain.idv.; };

and

match-clients { area02; ecs-area02; };

are the *same* as all "ecs-area02;" addresses have already been matched by the time you get to looking at "!{!ecs-area02; any; };".

Bob,

!{!ecs-area01; any; };

rejects anything which isn't in ecs-area01.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind 9.11 question (ACL ecs )
On Tue, Oct 25, 2016 at 2:04 AM, wrote:
> From 9.1 ARM chapter 7, which mentions:
>
> The EDNS Client Subnet (ECS) option is used by a recursive resolver to
> inform an authoritative name server of the network address block from
> which the original query was received, enabling authoritative servers to
> give different answers to the same resolver for different resolver clients.
>
> *An ACL containing an element of the form ecs prefix will match if a
> request arrives in containing an ECS option encoding an address within
> that prefix. If the request has no ECS option, then "ecs" elements are
> simply ignored.* Addresses in ACLs that are not prefixed with "ecs" are
> matched only against the source address.
>
> Now I migrated DNS BIND from 9.10 to 9.11 and used the ECS prefix in my
> allow-query entry, but when I run a dig test (without +subnet) it does
> not respond; when I remove that ecs keyword everything is OK.
>
> I used BIND 9.11 to set up three DNS servers: one for mydomain.idv and
> two for sub.mydomain.idv. My sub.mydomain.idv servers have multiple views
> but the same zone.
>
> When I use dig to query a sub.mydomain.idv entry it always returns the
> last matching view; it does not respond according to the client subnet.
>
> The following is my partial named.conf content:
>
> sub.mydomain.idv (Primary server - ip: a.b.c.d)
> ===============================================
>
> acl "slave-ips" { a.b.c.d; };
>
> server a.b.c.d {
>     provide-ixfr yes;
>     request-nsid yes;
>     send-cookie yes;
>     edns-udp-size 4096;
>     max-udp-size 4096;
>     transfer-format many-answers;
> };
>
> server a1.b1.c1.d1 { // mydomain.idv primary server
>     request-nsid yes;
>     send-cookie yes;
>     edns-udp-size 4096;
>     max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
>     directory "d:\isc bind 9\var\named";
>     allow-update { none; };
>     notify explicit;
>     allow-transfer { none; };
>     allow-query { none; };
> };
> // End Options
>
> view "area01" {
>     match-clients { area01; ecs-area01; !{ !ecs-area01; any; }; key Area01.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type master;
>         allow-query { area01; ecs-area01; };
>         file "sub/area01.mydomain.idv.txt";
>         also-notify { a.b.c1.d key Area01.mydomain.idv.; };
>         allow-transfer { key Area01.mydomain.idv.; };
>     };
> }; // End View
>
> view "area02" {
>     match-clients { area02; ecs-area02; !{ !ecs-area02; any; }; key Area02.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type master;
>         allow-query { area02; ecs-area02; };
>         file "sub/area02.mydomain.idv.txt";
>         also-notify { a.b.c1.d key Area02.mydomain.idv.; };
>         allow-transfer { key Area02.mydomain.idv.; };
>     };
> }; // End View
>
> view "area03" {
>     match-clients { area03; ecs-area03; !{ !ecs-area03; any; }; key Area03.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type master;
>         allow-query { area03; ecs-area03; };
>         file "sub/area03.mydomain.idv.txt";
>         also-notify { a.b.c1.d key Area03.mydomain.idv.; };
>         allow-transfer { key Area03.mydomain.idv.; };
>     };
> }; // End View
>
> view "deafult" { // Default
>     match-clients { any; };
>     zone "sub.mydomain.idv" in {
>         type master;
>         allow-query { any; };
>         file "sub/default.mydomain.idv.txt";
>         also-notify { a.b.c1.d key Default.mydomain.idv.; };
>         allow-transfer { key Default.mydomain.idv.; };
>     };
> }; // End View
>
> sub.mydomain.idv (Slave server - ip: a.b.c1.d)
> ==============================================
>
> server a.b.c.d {
>     provide-ixfr yes;
>     request-nsid yes;
>     send-cookie yes;
>     edns-udp-size 4096;
>     max-udp-size 4096;
>     transfer-format many-answers;
> };
>
> server a1.b1.c1.d1 { // mydomain.idv primary server
>     request-nsid yes;
>     send-cookie yes;
>     edns-udp-size 4096;
>     max-udp-size 4096;
> };
>
> include "d:\isc bind 9\etc\ecs-acl-list.txt";
> include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
> include "d:\isc bind 9\etc\KeyFiles.txt";
> include "d:\isc bind 9\etc\logging.conf";
>
> options {
>     directory "d:\isc bind 9\var\named";
>     allow-update { none; };
>     notify explicit;
>     allow-transfer { none; };
>     allow-query { none; };
> };
> // End Options
>
> view "area01" {
>     match-clients { area01; ecs-area01; !{ !ecs-area01; any; }; key Area01.mydomain.idv.; };
>     zone "sub.mydomain.idv" in {
>         type slave;
>         allow-query { area01; ecs-area01; };
>         file "sub/area01.mydomain.idv.ca";
>         masters { a.b.c.d key
Respect for other posters and use of appropriate language on our community mailing lists
We should like to remind list users that, irrespective of the basic levels of experience or knowledge of some of the posters here, they are asking for community help and that advice should be given politely and with respect shown both towards the original poster and other contributors to a thread.

The same courtesy and respect is also expected of list members towards others when discussing more advanced and complex topics.

Please remember that:

- English is not the first language for all - this can lead to misunderstandings
- Beginners don't always 'get it' from the start (but with gentle guidance may become the experts of the future and surprise us all)

If you disagree with another poster on a technical matter, please explain your position clearly, thoughtfully, and with appropriate support for your viewpoint.

If you believe that you are the target of an insulting or inappropriate post, please alert the list administrators rather than retaliating on the mailing list. If you have any other concerns about a poster, please bring them to the attention of the list administrators.

Insulting and derogatory posts will not be tolerated and will result in future posts from those list members who are posting in this manner being held for moderation or suspended indefinitely from this community.

Cathy Almond
ISC Support
Re: authority
On 25.10.2016 at 06:16, Nick Edwards wrote:
> On Tue, Oct 25, 2016 at 7:11 AM, Reindl Harald wrote:
>>>> i don't understand your question
>>>
>>> Since you have NOTHING to do with ISC or even remotely with bind, if you
>>> dont understand, LEAVE IT TO SOMEONE WHO DOES
>>
>> and YOU have something to do with ISC? i doubt!
>>
>> since i maintain hundreds of domains and wrote admin-backends for BIND
>> i pretend to have more than remotely to do with bind for many many years
>
> PRETEND is the key operative word here, you have ZERO to do with ISC
> Bind, you are not a member of the consortium,

yes, that I know!

> I'll leave it for a list moderator to cane your arse for trying to imply
> you are associated with bind project

where did i imply that damned? this is a USERS LIST so stop trolling

> and that post *was not* understandable for anybody

however - as the OP did understand my basic explanations my reply seemed
to be more helpful than your biting around when nobody asked you

> just creep away when you don't have something useful to say

which i did in the parts you stripped out in your selective quoting (as you
always do when you are lucky to try biting again in my direction)
Bind 9.11 question (ACL ecs )
From 9.1 ARM chapter 7, which mentions:

The EDNS Client Subnet (ECS) option is used by a recursive resolver to inform an authoritative name server of the network address block from which the original query was received, enabling authoritative servers to give different answers to the same resolver for different resolver clients.

An ACL containing an element of the form ecs prefix will match if a request arrives in containing an ECS option encoding an address within that prefix. If the request has no ECS option, then "ecs" elements are simply ignored. Addresses in ACLs that are not prefixed with "ecs" are matched only against the source address.

Now I migrated DNS BIND from 9.10 to 9.11 and used the ECS prefix in my allow-query entry, but when I run a dig test (without +subnet) it does not respond; when I remove that ecs keyword everything is OK.

I used BIND 9.11 to set up three DNS servers: one for mydomain.idv and two for sub.mydomain.idv. My sub.mydomain.idv servers have multiple views but the same zone.

When I use dig to query a sub.mydomain.idv entry it always returns the last matching view; it does not respond according to the client subnet.

The following is my partial named.conf content:

sub.mydomain.idv (Primary server - ip: a.b.c.d)
===============================================

acl "slave-ips" { a.b.c.d; };

server a.b.c.d {
    provide-ixfr yes;
    request-nsid yes;
    send-cookie yes;
    edns-udp-size 4096;
    max-udp-size 4096;
    transfer-format many-answers;
};

server a1.b1.c1.d1 { // mydomain.idv primary server
    request-nsid yes;
    send-cookie yes;
    edns-udp-size 4096;
    max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
    directory "d:\isc bind 9\var\named";
    allow-update { none; };
    notify explicit;
    allow-transfer { none; };
    allow-query { none; };
};
// End Options

view "area01" {
    match-clients { area01; ecs-area01; !{ !ecs-area01; any; }; key Area01.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type master;
        allow-query { area01; ecs-area01; };
        file "sub/area01.mydomain.idv.txt";
        also-notify { a.b.c1.d key Area01.mydomain.idv.; };
        allow-transfer { key Area01.mydomain.idv.; };
    };
}; // End View

view "area02" {
    match-clients { area02; ecs-area02; !{ !ecs-area02; any; }; key Area02.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type master;
        allow-query { area02; ecs-area02; };
        file "sub/area02.mydomain.idv.txt";
        also-notify { a.b.c1.d key Area02.mydomain.idv.; };
        allow-transfer { key Area02.mydomain.idv.; };
    };
}; // End View

view "area03" {
    match-clients { area03; ecs-area03; !{ !ecs-area03; any; }; key Area03.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type master;
        allow-query { area03; ecs-area03; };
        file "sub/area03.mydomain.idv.txt";
        also-notify { a.b.c1.d key Area03.mydomain.idv.; };
        allow-transfer { key Area03.mydomain.idv.; };
    };
}; // End View

view "deafult" { // Default
    match-clients { any; };
    zone "sub.mydomain.idv" in {
        type master;
        allow-query { any; };
        file "sub/default.mydomain.idv.txt";
        also-notify { a.b.c1.d key Default.mydomain.idv.; };
        allow-transfer { key Default.mydomain.idv.; };
    };
}; // End View

sub.mydomain.idv (Slave server - ip: a.b.c1.d)
==============================================

server a.b.c.d {
    provide-ixfr yes;
    request-nsid yes;
    send-cookie yes;
    edns-udp-size 4096;
    max-udp-size 4096;
    transfer-format many-answers;
};

server a1.b1.c1.d1 { // mydomain.idv primary server
    request-nsid yes;
    send-cookie yes;
    edns-udp-size 4096;
    max-udp-size 4096;
};

include "d:\isc bind 9\etc\ecs-acl-list.txt";
include "d:\isc bind 9\etc\no-ecs-acl-list.txt";
include "d:\isc bind 9\etc\KeyFiles.txt";
include "d:\isc bind 9\etc\logging.conf";

options {
    directory "d:\isc bind 9\var\named";
    allow-update { none; };
    notify explicit;
    allow-transfer { none; };
    allow-query { none; };
};
// End Options

view "area01" {
    match-clients { area01; ecs-area01; !{ !ecs-area01; any; }; key Area01.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type slave;
        allow-query { area01; ecs-area01; };
        file "sub/area01.mydomain.idv.ca";
        masters { a.b.c.d key Area01.mydomain.idv.; };
    };
}; // End View

view "area02" {
    match-clients { area02; ecs-area02; !{ !ecs-area02; any; }; key Area02.mydomain.idv.; };
    zone "sub.mydomain.idv" in {
        type slave;
        allow-query { area02; ecs-area02; };
        file "sub/area02.mydomain.idv.ca";
        masters { a.b.c.d key Area02.mydomain.idv.; };
    };
//
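The following is an added example, not BIND code and not the poster's configuration: a small Python simulator of BIND's first-match address-match-list evaluation with "ecs" elements, so the behaviour described in the ARM excerpt above and in Mark Andrews' reply can be checked on sample queries. It assumes constructed contents for the area01/area02 and ecs-area01/ecs-area02 ACLs (the poster's include files are not on the page; RFC 5737 documentation prefixes are used), and it treats a negative match inside a nested or named ACL as "no match", which is how BIND's ACL code handles indirect ACLs. It reproduces the three outcomes in the thread: a query carrying an ECS option inside an area's prefix selects that area's view; a query without an ECS option (dig without +subnet) can only reach an area view through the plain source-address element and otherwise falls through to the default view; and the long match-clients form with the nested negation decides exactly like the short form, because the key element after it can never be reached.

```python
# Simulator for BIND 9.11 address-match-list (ACL) evaluation with "ecs" elements.
# Added example for this thread (not BIND code, not the poster's configuration). It
# models the ARM rules quoted above and Mark Andrews' first-match rule: elements are
# tried in order and the first hit decides; a hit on a negated element rejects; an
# "ecs <prefix>" element is skipped when the query has no ECS option; a plain prefix is
# compared with the source address only; "key" matches a TSIG-signed request; a nested
# or named ACL counts as a hit only on a positive result (its negative result is "no match").
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN = re.compile(r"[{};!]|[^\s{};!]+")
Element = Tuple[bool, Tuple[str, object]]  # (negated, (kind, argument))

@dataclass
class Query:
    src: str                   # source address of the request
    ecs: Optional[str] = None  # address from the EDNS Client Subnet option, if any
    key: Optional[str] = None  # TSIG key name the request is signed with, if any

def parse_acl(text: str) -> List[Element]:
    """Parse a list such as '{ area02; ecs 198.51.100.0/24; !{ any; }; key k.; }'."""
    elements, _ = _parse_block(TOKEN.findall(text), 0)
    return elements

def _parse_block(tokens: List[str], pos: int) -> Tuple[List[Element], int]:
    pos, elements = pos + 1, []                          # skip the opening brace
    while tokens[pos] != "}":
        negated = tokens[pos] == "!"
        pos += int(negated)
        tok = tokens[pos]
        if tok == "{":                                   # nested address match list
            inner, pos = _parse_block(tokens, pos)
            item = ("nested", inner)
        elif tok in ("ecs", "key"):                      # keyword with one argument
            arg = tokens[pos + 1]
            item = (tok, ipaddress.ip_network(arg, strict=False) if tok == "ecs" else arg)
            pos += 2
        elif tok == "any":
            item, pos = ("any", None), pos + 1
        else:                                            # bare prefix, else a named ACL
            try:
                item = ("addr", ipaddress.ip_network(tok, strict=False))
            except ValueError:
                item = ("name", tok)
            pos += 1
        if tokens[pos] != ";":
            raise ValueError("expected ';' after an ACL element")
        elements.append((negated, item))
        pos += 1
    return elements, pos + 1                             # position after the closing brace

def acl_match(elements: List[Element], q: Query, acls: Dict[str, List[Element]]) -> int:
    """First match wins: >0 positive (allow), <0 negative (reject), 0 nothing matched."""
    for idx, (negated, (kind, arg)) in enumerate(elements, start=1):
        if kind == "any":
            hit = True
        elif kind == "addr":
            hit = ipaddress.ip_address(q.src) in arg
        elif kind == "ecs":                              # ignored without an ECS option
            hit = q.ecs is not None and ipaddress.ip_address(q.ecs) in arg
        elif kind == "key":
            hit = q.key == arg
        else:                                            # "nested" list or "name" of a named ACL
            hit = acl_match(arg if kind == "nested" else acls[arg], q, acls) > 0
        if hit:
            return -idx if negated else idx
    return 0

def allowed(text: str, q: Query, acls: Dict[str, List[Element]]) -> bool:
    """match-clients / allow-query semantics: only a positive match grants the request."""
    return acl_match(parse_acl(text), q, acls) > 0

def select_view(views: List[Tuple[str, str]], q: Query, acls: Dict[str, List[Element]]) -> Optional[str]:
    """Views are tried in named.conf order; the first whose match-clients allows wins."""
    return next((name for name, mc in views if allowed(mc, q, acls)), None)

# Constructed named ACLs (RFC 5737 documentation prefixes) standing in for the poster's
# ecs-acl-list.txt / no-ecs-acl-list.txt; the view shape follows the thread.
ACLS = {"area01": parse_acl("{ 192.0.2.0/24; }"), "ecs-area01": parse_acl("{ ecs 192.0.2.0/24; }"),
        "area02": parse_acl("{ 198.51.100.0/24; }"), "ecs-area02": parse_acl("{ ecs 198.51.100.0/24; }")}
LONG_FORM = "{ area02; ecs-area02; !{ !ecs-area02; any; }; key Area02.mydomain.idv.; }"
SHORT_FORM = "{ area02; ecs-area02; }"
VIEWS = [("area01", "{ area01; ecs-area01; !{ !ecs-area01; any; }; key Area01.mydomain.idv.; }"),
         ("area02", LONG_FORM),
         ("default", "{ any; }")]
SAMPLE_QUERIES = [
    Query(src="203.0.113.5", ecs="198.51.100.77"),         # resolver elsewhere, ECS inside area02
    Query(src="203.0.113.5"),                               # same resolver, dig without +subnet
    Query(src="192.0.2.9"),                                 # client inside area01 by source address
    Query(src="203.0.113.5", key="Area02.mydomain.idv."),  # TSIG-signed request without ECS
]

def forms_equivalent() -> bool:
    """Mark Andrews' point: the key element is unreachable, so both lists decide alike."""
    return all(allowed(LONG_FORM, q, ACLS) == allowed(SHORT_FORM, q, ACLS) for q in SAMPLE_QUERIES)

if __name__ == "__main__":
    print([(q, select_view(VIEWS, q, ACLS)) for q in SAMPLE_QUERIES], forms_equivalent())
```

Running the script shows the fourth sample query landing in the default view: once the nested `!{ !ecs-area02; any; }` element has rejected every request not carrying an ECS address in area02, the `key` element behind it is never consulted, so a signed request that is neither from an area02 source address nor tagged with an area02 ECS address cannot select that view. To exercise the ECS path against a real server, the dig `+subnet` option the poster mentions is what attaches the ECS option to a test query.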