address/prefix length mismatch

Ondřej Surý ondrej at isc.org
Wed Aug 24 16:23:31 UTC 2022


The original problem was that BIND 9.16 now requires use of CIDR blocks rather than using IP addresses in CIDR notation. Using an arbitrary IP address to specify a CIDR block doesn’t make much sense and is prone to errors - when you see 10.10.1.0/23 it’s quite hard to tell what the original intention was and whether it’s a typo in the network or in the bits - did the original author mean 10.10.0.0-10.10.1.255 or 10.20.1.0-10.10.1.255 or something else entirely (like 10.10.1.0-10.10.2.255 based on a wrong assumption)?

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 24. 8. 2022, at 17:34, Sten Carlsen <stenc at s-carlsen.dk> wrote:
> 
> 
> 
>>> On 24 Aug 2022, at 16.52, Greg Choules <gregchoules+bindusers at googlemail.com> wrote:
>>> 
>>> Hi Sten.
>>> That is absolutely what you do *not* want to do.
>>> 
>>> Writing it out in binary might help. /23 means the following:
>>> 11111111 11111111 11111110 00000000
>>> 
>>> '1' bits mean, test an incoming address against the corresponding bit from the address in the mask.
>>> '0' bits mean, don't test an incoming address against the corresponding bit from the address in the mask.
>>> 
>>> The ACL 10.60.0.0/23 will match *any* address from 10.60.0.0 to 10.60.1.255 *inclusive*.
>>> 
>>> There is no concept of network address and broadcast address here. It is just pattern matching.
>> 
>> Yes, I was (incorrectly) thinking in terms of a /24 network and assumed that removing the ..0 and ..255 addresses was the issue. The proposal would do that by first rejecting (! - means reject) the offending addresses (all have to be listed separately) before doing the above pattern matching.
>> 
>> 
>> Cheers, Greg
>> 
>>> On Wed, 24 Aug 2022 at 15:40, Sten Carlsen <stenc at s-carlsen.dk> wrote:
>>> I think you want something like this:
>>> 
>>> (!10.60.0.0; !10.60.0.255; 10.60.0.0/24)
>>> 
>>> First deny the two addresses you want not to be part of the ACL and then accept the whole network.
>>> 
>>> First match is used, so 10.60.0.0 would match !10.60.0.0 and be rejected before the next <address_match_element> is tested.
>>> 
>>> Thanks
>>> 
>>> Sten
>>> 
>>>>> On 24 Aug 2022, at 16.05, Ondřej Surý <ondrej at isc.org> wrote:
>>>>> 
>>>>> 
>>>>>> On 24. 8. 2022, at 15:58, Elias Pereira <empbilly at gmail.com> wrote:
>>>>>> 
>>>>>> hello Ondrej,
>>>>>> 
>>>>>> Not completely wrong, because 255 is the broadcast.
>>>>> 
>>>>> No, it's not. This is an ACL specification, not an interface/network configuration.
>>>>> 
>>>>> For a better understanding, then it would be: available range 10.60.0.1 to 10.60.1.254.
>>>> 
>>>> No, I've already provided you with a correct answer to what 10.60.0.0/23 means in terms of range, why do you insist on this?
>>>> 
>>>>>> Correctly specified range (without address/host bits) does take the whole range.
>>>>> 
>>>>> Like this 10.60/23; ?
>>>> 
>>>> I think others have already answered that, I would be just repeating their answers.
>>>> 
>>>> Ondrej
>>>> --
>>>> Ondřej Surý (He/Him)
>>>> ondrej at isc.org
>>>> 
>>>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>>>> 
>>>> 
>>>>>> On Wed, Aug 24, 2022 at 10:33 AM Ondřej Surý <ondrej at isc.org> wrote:
>>>>>> 
>>>>>> 
>>>>>>>> On 24. 8. 2022, at 15:26, Elias Pereira <empbilly at gmail.com> wrote:
>>>>>>>> 
>>>>>>> 
>>>>>>> Hello Greg,
>>>>>>> 
>>>>>>> Why doesn't BIND work with networks/subnets in the conventional way?
>>>>>> 
>>>>>> It does.
>>>>>> 
>>>>>>> If the private subnet is 10.60.0.0/23, then it means that the address range is 10.60.0.1 to 10.60.1.254.
>>>>>> 
>>>>>> That’s wrong. 10.60.0.0/23 means 10.60.0.0 to 10.60.1.255 range.
>>>>>> 
>>>>>>> How do I configure this ACL in named.conf.local so that it takes the whole range?
>>>>>> 
>>>>>> Correctly specified range (without address/host bits) does take the whole range.
>>>>>> 
>>>>>> Ondrej 
>>>>>> --
>>>>>> Ondřej Surý — ISC (He/Him)
>>>>>> 
>>>>>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>>>>>> 
>>>>>>>> On Wed, Aug 24, 2022 at 9:31 AM Anand Buddhdev <anandb at ripe.net> wrote:
>>>>>>>> On 24/08/2022 14:16, Elias Pereira wrote:
>>>>>>>> 
>>>>>>>> Hi Elias,
>>>>>>>> 
>>>>>>>> > Oh, sorry... :D
>>>>>>>> > 
>>>>>>>> > here it is
>>>>>>>> > 
>>>>>>>> > # cat named.conf.local
>>>>>>>> > # ACL for the internal networks
>>>>>>>> > # Last modified: 24/08/2022
>>>>>>>> > 
>>>>>>>> > acl "internal" {
>>>>>>>> > 10.60.0.1/23;
>>>>>>>> 
>>>>>>>> This is the issue. The address part of the prefix should be the lowest 
>>>>>>>> address in that prefix. If you change this to 10.60.0.0/23, it will be 
>>>>>>>> fine. The same goes for all the other prefixes in your list. Change the 
>>>>>>>> 1's to 0's.
>>>>>>>> 
>>>>>>>> > 10.10.1.1/24;
>>>>>>>> > 10.10.2.1/25;
>>>>>>>> > 10.10.3.1/25;
>>>>>>>> > 10.10.4.1/25;
>>>>>>>> > 10.10.5.1/25;
>>>>>>>> > 10.51.0.1/23;
>>>>>>>> > 10.10.6.1/25;
>>>>>>>> > 10.10.7.1/26;
>>>>>>>> > 172.20.0.1/26;
>>>>>>>> > 10.50.0.1/23;
>>>>>>>> > 10.40.0.1/22;
>>>>>>>> > 10.56.0.1/22;
>>>>>>>> > };
>>>>>>> 
>>>>>>> 
>>>>>>> -- 
>>>>>>> Elias Pereira
>>>>>>> -- 
>>>>>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>>>>> 
>>>>>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>>>>> 
>>>>>>> 
>>>>>>> bind-users mailing list
>>>>>>> bind-users at lists.isc.org
>>>>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Elias Pereira
>>>> 
>>> 
> 
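The two points the thread turns on, as an added Python example that is not part of the original thread and not BIND's own code: (1) the "address/prefix length mismatch" that named 9.16 reports when the address part of an ACL element has host bits set, together with the two readings of such an element that Ondřej describes (typo in the network part, or typo in the prefix length), and (2) Sten's first-match evaluation of an address_match_list with `!` negation, showing that 10.60.0.0/23 is plain bit masking that covers 10.60.0.0 through 10.60.1.255 inclusive. The ACL entries are copied from the quoted named.conf.local; the probe addresses are constructed. Only the standard-library `ipaddress` module is used.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample: the acl "internal" body from the quoted named.conf.local.
INTERNAL_ACL = [
    "10.60.0.1/23", "10.10.1.1/24", "10.10.2.1/25", "10.10.3.1/25",
    "10.10.4.1/25", "10.10.5.1/25", "10.51.0.1/23", "10.10.6.1/25",
    "10.10.7.1/26", "172.20.0.1/26", "10.50.0.1/23", "10.40.0.1/22",
    "10.56.0.1/22",
]


def _network_text(element: str) -> str:
    """Strip a leading '!' and give a bare address a host-length prefix."""
    text = element.lstrip("!")
    if "/" not in text:
        text = f"{text}/{ipaddress.ip_address(text).max_prefixlen}"
    return text


def check_prefix(element: str) -> dict:
    """Classify one address/prefix element the way BIND 9.16 does: any host
    bit set in the address is an 'address/prefix length mismatch'.  Also
    report the canonical network and the full range it covers, which is
    what the ACL matches (no network/broadcast exclusion, just bit masking)."""
    text = _network_text(element)
    try:
        net = ipaddress.ip_network(text, strict=True)
        mismatch = False
    except ValueError:
        # strict=False clears the host bits: the lowest address in the prefix.
        net = ipaddress.ip_network(text, strict=False)
        mismatch = True
    return {
        "element": element,
        "mismatch": mismatch,
        "canonical": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "count": net.num_addresses,
    }


def candidate_intents(element: str) -> dict:
    """The two readings of a mismatched element: the network part was
    mistyped (keep /N, clear the host bits) or the prefix length was mistyped
    (keep the address, use the shortest length for which it is a valid
    network address)."""
    addr_text, plen_text = _network_text(element).split("/")
    addr = ipaddress.ip_address(addr_text)
    plen = int(plen_text)
    typo_in_network = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    typo_in_bits = None
    for candidate in range(plen + 1, addr.max_prefixlen + 1):
        try:
            typo_in_bits = ipaddress.ip_network(f"{addr}/{candidate}", strict=True)
            break
        except ValueError:
            continue
    return {"typo_in_network": str(typo_in_network), "typo_in_bits": str(typo_in_bits)}


def audit_acl(acl: Iterable[str]) -> List[str]:
    """Return the elements named would refuse to load."""
    return [element for element in acl if check_prefix(element)["mismatch"]]


def acl_match(acl: Iterable[str], addr: str) -> Optional[bool]:
    """First-match evaluation of an address_match_list: a leading '!' turns a
    hit into a rejection.  Returns True (accepted), False (rejected) or None
    (no element matched, which named treats as not matching)."""
    ip = ipaddress.ip_address(addr)
    for element in acl:
        try:
            # Like named, refuse to evaluate an element with host bits set.
            net = ipaddress.ip_network(_network_text(element), strict=True)
        except ValueError as exc:
            raise ValueError(f"{element}: address/prefix length mismatch") from exc
        if ip in net:
            return not element.startswith("!")
    return None


if __name__ == "__main__":
    for element in audit_acl(INTERNAL_ACL):
        info, intents = check_prefix(element), candidate_intents(element)
        print(f"{element:15} mismatch; {intents['typo_in_network']} covers "
              f"{info['first']}..{info['last']}, or did you mean {intents['typo_in_bits']}?")
    sten = ["!10.60.0.0", "!10.60.0.255", "10.60.0.0/24"]
    for probe in ("10.60.0.0", "10.60.0.17", "10.60.0.255", "10.60.1.1"):
        print(probe, acl_match(sten, probe))
```

Running it lists all thirteen entries as mismatched (every one ends in .1 with a prefix shorter than /32) and shows that for Sten's list 10.60.0.0 and 10.60.0.255 are rejected by the negated elements before the /24 is ever consulted, while 10.60.1.1 matches nothing at all because the list only covers the /24.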