From: "Mark Andrews" <marka@isc.org>
To: bind9-confidential@isc.org
Date: Fri, 06 Oct 2017 05:36:39 +1100
Subject: Re: [ISC-Bugs #46202] BIND 9.9.5 - loopback address issue on "listen-on" parameter
In-Reply-To: Your message of "Thu, 05 Oct 2017 12:23:44 -0000."
Message-ID: <20171005183639.17C968996304@rock.dv.isc.org>
References: <28c1d743800cc0edaf991c7cf9595002@www.isc.org>

Remember listen-on and listen-on-v6 are ACLs. Take the addresses on the system, check them against the ACL, and if they match, open a socket.

listen-on { any; }; opens two sockets for every IPv4 interface (TCP and UDP) so that UDP replies get the correct source address on multi-homed machines. TCP automatically does this.

For IPv6 the Advanced Sockets API lets you specify the source address of UDP packets and get the destination address of received packets, so it's possible to get the reply source addresses correct with a single socket for listen-on-v6 { any; }; if the OS supports it.

For AnyIP the server would have to take the ACL list, work out which prefixes are actually complete addresses, then apply a 127/8 filter to them and attempt to open them only on Linux boxes, making sure not to match any addresses already configured by matching against the existing interfaces.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
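The two procedures Mark describes, matching the system's interface addresses against the listen-on ACL, and deriving the extra 127/8 host addresses an AnyIP mode would have to try, as an added illustration that is not BIND's code and not part of the ticket. It assumes BIND's first-match ACL semantics with `!` negation and the `any`/`none` keywords, represents the ACL as a list of strings, and uses a constructed list of interface addresses in place of a real interface scan; the `platform` argument is a hypothetical stand-in for the "only on Linux boxes" condition.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input: addresses configured on the host's interfaces.
SYSTEM_ADDRS = ["127.0.0.1", "10.0.0.5", "192.0.2.10", "::1", "2001:db8::10"]


def parse_acl(entries: List[str]) -> List[Tuple[bool, Optional[Network]]]:
    """Turn listen-on style entries into (negated, network) pairs.

    'any' becomes (negated, None) and covers every address; 'none' is
    treated as '!any'. Hypothetical simplified parser, not BIND's."""
    parsed = []
    for raw in entries:
        entry = raw.strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:].strip()
        if entry == "any":
            parsed.append((negated, None))
        elif entry == "none":
            parsed.append((not negated, None))
        else:
            # strict=False lets a host address like 127.0.0.7 become a /32.
            parsed.append((negated, ipaddress.ip_network(entry, strict=False)))
    return parsed


def matches_acl(addr: str, acl: List[str]) -> bool:
    """First-match semantics: the first element covering addr decides.
    A negated element rejects; an address no element covers is rejected."""
    ip = ipaddress.ip_address(addr)
    for negated, net in parse_acl(acl):
        if net is None or (net.version == ip.version and ip in net):
            return not negated
    return False


def addresses_to_bind(system_addrs: List[str], acl: List[str], version: int) -> List[str]:
    """Step one in the message: walk the system's addresses, keep the ones
    of the requested family that the ACL accepts; each gets its own socket."""
    return [
        a for a in system_addrs
        if ipaddress.ip_address(a).version == version and matches_acl(a, acl)
    ]


def anyip_candidates(acl: List[str], system_addrs: List[str], platform: str = "linux") -> List[str]:
    """Step two in the message: from the ACL keep only entries that are
    complete IPv4 addresses (a /32, not a prefix), inside 127/8, and not
    already configured on an interface; only attempted on Linux."""
    if platform != "linux":
        return []
    configured = {ipaddress.ip_address(a) for a in system_addrs}
    loopback = ipaddress.ip_network("127.0.0.0/8")
    candidates = []
    for negated, net in parse_acl(acl):
        if negated or net is None or net.version != 4:
            continue          # 'any', negations and IPv6 never name one address
        if net.prefixlen != 32:
            continue          # a prefix such as 127.0.0.0/8 is not an address
        host = net.network_address
        if host in loopback and host not in configured:
            candidates.append(str(host))
    return candidates


if __name__ == "__main__":
    acl = ["127.0.0.1", "127.0.0.7", "!10.0.0.0/8", "192.0.2.0/24"]
    print("bind v4:", addresses_to_bind(SYSTEM_ADDRS, acl, 4))
    print("bind v6 (any):", addresses_to_bind(SYSTEM_ADDRS, ["any"], 6))
    print("anyip candidates:", anyip_candidates(acl, SYSTEM_ADDRS))
```

Note how the second function only ever yields addresses the operator spelled out in full: `listen-on { 127/8; };` produces no extra sockets, which is exactly the "work out which prefixes are actually complete addresses" step, and an address that already exists on an interface is left to the normal path so the two mechanisms never fight over the same socket.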