address/prefix length mismatch

Elias Pereira empbilly at gmail.com
Wed Aug 24 16:36:29 UTC 2022


As I initially thought that bind worked with the normal notation of a
subnet, I did the configuration as I initially posted.

Now with your explanations I see that it is as Greg commented. This is just
pattern matching.

Thank you all!!!

On Wed, Aug 24, 2022 at 1:23 PM Ondřej Surý <ondrej at isc.org> wrote:

> The original problem was that BIND 9.16 now requires use of CIDR blocks
> rather than using IP addresses in CIDR notation. Using an arbitrary IP address
> to specify a CIDR block doesn’t make much sense and is prone to errors - when
> you see 10.10.1.0/23 it’s quite hard to tell what the original
> intention was and whether it’s a typo in the network or in the bits - did the
> original author mean 10.10.0.0-10.10.1.255 or 10.20.1.0-10.10.1.255 or
> something completely else (like 10.10.1.0-10.10.2.255 based on a wrong
> assumption?)
>
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> On 24. 8. 2022, at 17:34, Sten Carlsen <stenc at s-carlsen.dk> wrote:
>
>
>
> On 24 Aug 2022, at 16.52, Greg Choules <
> gregchoules+bindusers at googlemail.com> wrote:
>
> Hi Sten.
> That is absolutely what you do *not* want to do.
>
> Writing it out in binary might help. /23 means the following:
> 11111111 11111111 11111110 00000000
>
> '1' bits mean, test an incoming address against the corresponding bit from
> the address in the mask.
> '0' bits mean, don't test an incoming address against the
> corresponding bit from the address in the mask.
>
> The ACL 10.60.0.0/23 will match *any* address from 10.60.0.0 to
> 10.60.1.255 *inclusive*.
>
> There is no concept of network address and broadcast address here. It is
> just pattern matching.
>
>
> Yes, I was (incorrectly) thinking in terms of a /24 network and assumed
> that removing the ..0 and ..255 addresses was the issue. The proposal would
> do that by first rejecting (! - means reject) the offending addresses (all
> have to be listed separately) before doing the above pattern matching.
>
>
> Cheers, Greg
>
> On Wed, 24 Aug 2022 at 15:40, Sten Carlsen <stenc at s-carlsen.dk> wrote:
>
>> I think you want something like this:
>>
>> (!10.60.0.0; !10.60.0.255; 10.60.0.0/24)
>>
>> First deny the two addresses you want not to be part of the *ACL* and
>> then accept the whole network.
>>
>> First match is used, so 10.60.0.0 would match !10.60.0.0 and be rejected
>> before the next <address_match_element> is tested.
>>
>> Thanks
>>
>> Sten
>>
>> On 24 Aug 2022, at 16.05, Ondřej Surý <ondrej at isc.org> wrote:
>>
>>
>> On 24. 8. 2022, at 15:58, Elias Pereira <empbilly at gmail.com> wrote:
>>
>> hello Ondrej,
>>
>> Not completely wrong, because 255 is the broadcast.
>>
>>
>> No, it's not. This is an ACL specification, not an interface/network
>> configuration.
>>
>> For a better understanding, then it would be Available range 10.60.0.1 to
>> 10.60.1.254.
>>
>>
>> No, I've already provided you with a correct answer to what 10.60.0.0/23
>> means in terms of range; why do you insist on this?
>>
>> Correctly specified range (without address/host bits) does take the
>>> whole range.
>>
>>
>> Like this 10.60/23; ?
>>
>>
>> I think others have already answered that, I would be just repeating
>> their answers.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
>>
>> My working hours and your working hours may be different. Please do not
>> feel obligated to reply outside your normal working hours.
>>
>>
>> On Wed, Aug 24, 2022 at 10:33 AM Ondřej Surý <ondrej at isc.org> wrote:
>>
>>>
>>>
>>> On 24. 8. 2022, at 15:26, Elias Pereira <empbilly at gmail.com> wrote:
>>>
>>>
>>> Hello Greg,
>>>
>>> Why doesn't bind work with networks/subnets in the conventional way?
>>>
>>>
>>> It does.
>>>
>>> If the private subnet is 10.60.0.0/23, then it means that the address
>>> range is 10.60.0.1 to 10.60.1.254.
>>>
>>>
>>> That’s wrong. 10.60.0.0/23 means 10.60.0.0 to 10.60.1.255 range.
>>>
>>> How do I configure this ACL in named.conf.local so that it takes the
>>> whole range?
>>>
>>>
>>> Correctly specified range (without address/host bits) does take the
>>> whole range.
>>>
>>> Ondrej
>>> --
>>> Ondřej Surý — ISC (He/Him)
>>>
>>> My working hours and your working hours may be different. Please do not
>>> feel obligated to reply outside your normal working hours.
>>>
>>> On Wed, Aug 24, 2022 at 9:31 AM Anand Buddhdev <anandb at ripe.net> wrote:
>>>
>>>> On 24/08/2022 14:16, Elias Pereira wrote:
>>>>
>>>> Hi Elias,
>>>>
>>>> > Oh, sorry... :D
>>>> >
>>>> > here it is
>>>> >
>>>> > # cat named.conf.local
>>>> > # ACL for the internal networks
>>>> > # Last modified: 24/08/2022
>>>> >
>>>> > acl "internal" {
>>>> > 10.60.0.1/23;
>>>>
>>>> This is the issue. The address part of the prefix should be the lowest
>>>> address in that prefix. If you change this to 10.60.0.0/23, it will be
>>>> fine. The same goes for all the other prefixes in your list. Change the
>>>> 1's to 0's.
>>>>
>>>> > 10.10.1.1/24;
>>>> > 10.10.2.1/25;
>>>> > 10.10.3.1/25;
>>>> > 10.10.4.1/25;
>>>> > 10.10.5.1/25;
>>>> > 10.51.0.1/23;
>>>> > 10.10.6.1/25;
>>>> > 10.10.7.1/26;
>>>> > 172.20.0.1/26;
>>>> > 10.50.0.1/23;
>>>> > 10.40.0.1/22;
>>>> > 10.56.0.1/22;
>>>> > };
>>>>
>>>
>>>
>>> --
>>> Elias Pereira
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>>> from this list
>>>
>>> ISC funds the development of this software with paid support
>>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>>> information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>>
>>
>> --
>> Elias Pereira
>>
>>
>
>

-- 
Elias Pereira
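Added example, not code from any of the posters or from BIND itself: a small Python model of the semantics the thread settles on, built on the standard library's ipaddress module. check_prefix mirrors the BIND 9.16 complaint about host bits, candidate_intents lists the two readings Ondřej describes, netmask_binary reproduces Greg's binary mask view, and acl_match applies Sten's first-match rule; the function names are mine and the sample ACL is constructed from the thread.

```python
import ipaddress

def check_prefix(text):
    """Model of BIND 9.16's 'address/prefix length mismatch' check (not BIND's code).
    Returns (ok, canonical): ok is False when host bits are set, i.e. the
    address part is not the lowest address in the prefix (10.60.0.1/23)."""
    try:
        return True, str(ipaddress.ip_network(text, strict=True))
    except ValueError:
        return False, str(ipaddress.ip_network(text, strict=False))

def candidate_intents(text):
    """Ondrej's two readings of an entry with host bits: the network was mistyped
    (keep /n, clear host bits) or the prefix length was mistyped (keep the
    address, use the longest prefix length for which it is a network address)."""
    addr = ipaddress.ip_address(text.split("/")[0])
    value = int(addr)
    trailing_zeros = (value & -value).bit_length() - 1 if value else addr.max_prefixlen
    return {
        "network_typo": str(ipaddress.ip_network(text, strict=False)),
        "prefix_typo": f"{addr}/{addr.max_prefixlen - trailing_zeros}",
    }

def netmask_binary(prefix):
    """Greg's binary view of a mask: 1 bits are compared, 0 bits are ignored."""
    net = ipaddress.ip_network(prefix, strict=False)
    return " ".join(f"{octet:08b}" for octet in net.netmask.packed)

def parse_acl(elements):
    """Turn ['!10.60.0.0', '!10.60.0.255', '10.60.0.0/24'] into (negated, network)
    pairs; a bare address becomes a /32 (or /128 for IPv6)."""
    parsed = []
    for element in elements:
        negated = element.startswith("!")
        body = element[1:] if negated else element
        parsed.append((negated, ipaddress.ip_network(body, strict=True)))
    return parsed

def acl_match(acl, address):
    """Sten's first-match rule: the first element containing the address decides
    (negated rejects, plain accepts); no match means the address is not in the
    ACL. There is no network/broadcast notion here, only prefix matching."""
    addr = ipaddress.ip_address(address)
    for negated, net in acl:
        if addr in net:
            return not negated
    return False
```

parse_acl is strict, so an entry such as 10.60.0.1/23 raises ValueError, the analogue of the error in this thread's subject line.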