From c5b8b7411391d8a2172567a9d24f91ec92d6a3f9 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 26 Dec 2016 16:51:55 -0800
Subject: [PATCH] [master] clarify auth ECS is not meant for production use

---
 doc/arm/Bv9ARM-book.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index b73e909768..9249e7ac63 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -17205,6 +17205,18 @@ zone "example.com" {
 	  in ACLs that are not prefixed with "ecs" are matched only
 	  against the source address.
 	</para>
+	<note>
+	  <simpara>
+	    (Note: The authoritative ECS implementation in
+	    <command>named</command> is based on an early version of the
+	    specification, and is known to have incompatibilities with
+	    other implementations.  It is also inefficient, requiring
+	    a separate view for each client subnet to be sent different
+	    answers, and it is unable to correct for overlapping subnets in
+	    the configuration.  It can be used for testing purposes, but is
+	    not recommended for production use.)
+	  </simpara>
+	</note>
 	<para>
 	  When <acronym>BIND</acronym> 9 is built with GeoIP support,
 	  ACLs can also be used for geographic access restrictions.