<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class="">
<div><br class=""><blockquote type="cite" class=""><div class="">On 24 Aug 2022, at 16.52, Greg Choules <<a href="mailto:gregchoules+bindusers@googlemail.com" class="">gregchoules+bindusers@googlemail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi Sten.<div class="">That is absolutely what you do *not* want to do.</div><div class=""><br class=""></div><div class="">Writing it out in binary might help. /23 means the following:</div><div class="">11111111 11111111 11111110 00000000</div><div class=""><br class=""></div><div class="">'1' bits mean, test an incoming address against the corresponding bit from the address in the mask.</div><div class="">'0' bits mean, don't test an incoming address against the corresponding bit from the address in the mask.</div><div class=""><br class=""></div><div class="">The ACL <a href="http://10.60.0.0/23" class="">10.60.0.0/23</a> will match *any* address from 10.60.0.0 to 10.60.1.255 *inclusive*.</div><div class=""><br class=""></div><div class="">There is no concept of network address and broadcast address here. It is just pattern matching.</div></div></div></blockquote><div><br class=""></div>Yes, I was (incorrectly) thinking in terms of a /24 network and assumed that removing the ..0 and ..255 addresses was the issue. The proposal would do that by first rejecting (! 
- means reject) the offending addresses (all have to be listed separately) before doing the above pattern matching.</div><div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class=""><br class=""></div><div class="">Cheers, Greg</div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 24 Aug 2022 at 15:40, Sten Carlsen <<a href="mailto:stenc@s-carlsen.dk" class="">stenc@s-carlsen.dk</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;" class="">I think you want something like this:<div class=""><br class=""></div><div class="">(!10.60.0.0; !10.60.0.255; <a href="http://10.60.0.0/24" target="_blank" class="">10.60.0.0/24</a>)</div><div class=""><br class=""></div><div class="">First deny the two addresses you want not to be part of the <b class="">ACL</b> and then accept the whole network.</div><div class=""><br class=""></div><div class="">First match is used, so 10.60.0.0 would match !10.60.0.0 and be rejected before the next &lt;address_match_element&gt; is tested.</div><div class=""><br class=""></div><div class=""><div class="">
<div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;" class="">Thanks</div><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;" class=""><br class=""></div><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;" class="">Sten</div>
</div>
<div class=""><br class=""><blockquote type="cite" class=""><div class="">On 24 Aug 2022, at 16.05, Ondřej Surý <<a href="mailto:ondrej@isc.org" target="_blank" class="">ondrej@isc.org</a>> wrote:</div><br class=""><div class=""><div style="overflow-wrap: break-word;" class=""><br class=""><div class=""><blockquote type="cite" class=""><div class="">On 24. 8. 2022, at 15:58, Elias Pereira <<a href="mailto:empbilly@gmail.com" target="_blank" class="">empbilly@gmail.com</a>> wrote:</div><br class=""><div class=""><div dir="ltr" class=""><div class="gmail_default" style="font-family:tahoma,sans-serif">hello Ondrej,</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br class=""></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Not completely wrong, because 255 is the broadcast.<br class=""></div></div></div></blockquote><div class=""><br class=""></div><div class="">No, it's not. This is ACL specification, not an interface/network configuration.</div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="gmail_default" style="font-family:tahoma,sans-serif">For a better understanding, then it would be Available range 10.60.0.1 to 10.60.1.254.</div></div></div></blockquote><div class=""><br class=""></div><div class="">No, I've already provided you with a correct answer to what <a href="http://10.60.0.0/23" target="_blank" class="">10.60.0.0/23</a> means in terms of range, why do you insist on this?</div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><span class="gmail_default" style="font-family:tahoma,sans-serif"></span>Correctly specified range (without address/host bits) does take the whole range.<span style="font-family:tahoma,sans-serif" class=""></span></blockquote><div class="gmail_default"
style="font-family:tahoma,sans-serif"><br class=""></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Like this 10.60/23; ?</div></div></div></blockquote><div class=""><br class=""></div><div class="">I think others have already answered that, I would be just repeating their answers.</div><div class=""><br class=""></div><div class="">Ondrej</div><div class=""><div class=""><div dir="auto" style="overflow-wrap: break-word;" class=""><div style="overflow-wrap: break-word;" class=""><div style="overflow-wrap: break-word;" class=""><div class="">--</div><div class="">Ondřej Surý (He/Him)</div><div class=""><a href="mailto:ondrej@isc.org" target="_blank" class="">ondrej@isc.org</a></div><div class=""><br class=""></div><div class="">My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div><div class=""><br class=""></div></div></div></div></div></div><br class=""><blockquote type="cite" class=""><div class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Aug 24, 2022 at 10:33 AM Ondřej Surý <<a href="mailto:ondrej@isc.org" target="_blank" class="">ondrej@isc.org</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto" class=""><div dir="ltr" class=""><br class=""></div><div dir="ltr" class=""><br class=""><blockquote type="cite" class="">On 24. 8. 
2022, at 15:26, Elias Pereira <<a href="mailto:empbilly@gmail.com" target="_blank" class="">empbilly@gmail.com</a>> wrote:<br class=""><br class=""></blockquote></div><blockquote type="cite" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="gmail_default" style="font-family:tahoma,sans-serif">Hello Greg,</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br class=""></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Why doesn't bind work with networks/subnets in the conventional way?<br class=""></div></div></div></blockquote><div class=""><br class=""></div><div class="">It does.</div><br class=""><blockquote type="cite" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="gmail_default" style="font-family:tahoma,sans-serif">If the private subnet is <a href="http://10.60.0.0/23" target="_blank" class="">10.60.0.0/23</a>, then it means that the address range is 10.60.0.1 to 10.60.1.254.<br class=""></div></div></div></blockquote><div class=""><br class=""></div><div class="">That’s wrong. <a href="http://10.60.0.0/23" target="_blank" class="">10.60.0.0/23</a> means 10.60.0.0 to 10.60.1.255 range.</div><br class=""><blockquote type="cite" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class="gmail_default" style="font-family:tahoma,sans-serif">How do I configure this ACL in named.conf.local so that it takes the whole range?</div></div></div></blockquote><div class=""><br class=""></div><div class="">Correctly specified range (without address/host bits) does take the whole range.</div><div class=""><br class="">Ondrej <br class=""><div dir="ltr" class=""><div class="">--</div>Ondřej Surý — ISC (He/Him)<div class=""><br class=""></div><div class="">My working hours and your working hours may be different.
Please do not feel obligated to reply outside your normal working hours.</div><div class=""><br class=""></div></div></div><blockquote type="cite" class=""><div dir="ltr" class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Aug 24, 2022 at 9:31 AM Anand Buddhdev <<a href="mailto:anandb@ripe.net" target="_blank" class="">anandb@ripe.net</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 24/08/2022 14:16, Elias Pereira wrote:<br class="">
<br class="">
Hi Elias,<br class="">
<br class="">
> Oh, sorry... :D<br class="">
> <br class="">
> here it is<br class="">
> <br class="">
> # cat named.conf.local<br class="">
> # ACL for the internal networks<br class="">
> # Last modified: 24/08/2022<br class="">
> <br class="">
> acl "internal" {<br class="">
> <a href="http://10.60.0.1/23" rel="noreferrer" target="_blank" class="">10.60.0.1/23</a>;<br class="">
<br class="">
This is the issue. The address part of the prefix should be the lowest <br class="">
address in that prefix. If you change this to <a href="http://10.60.0.0/23" rel="noreferrer" target="_blank" class="">10.60.0.0/23</a>, it will be <br class="">
fine. The same goes for all the other prefixes in your list. Change the <br class="">
1's to 0's.<br class="">
<br class="">
> <a href="http://10.10.1.1/24" rel="noreferrer" target="_blank" class="">10.10.1.1/24</a>;<br class="">
> <a href="http://10.10.2.1/25" rel="noreferrer" target="_blank" class="">10.10.2.1/25</a>;<br class="">
> <a href="http://10.10.3.1/25" rel="noreferrer" target="_blank" class="">10.10.3.1/25</a>;<br class="">
> <a href="http://10.10.4.1/25" rel="noreferrer" target="_blank" class="">10.10.4.1/25</a>;<br class="">
> <a href="http://10.10.5.1/25" rel="noreferrer" target="_blank" class="">10.10.5.1/25</a>;<br class="">
> <a href="http://10.51.0.1/23" rel="noreferrer" target="_blank" class="">10.51.0.1/23</a>;<br class="">
> <a href="http://10.10.6.1/25" rel="noreferrer" target="_blank" class="">10.10.6.1/25</a>;<br class="">
> <a href="http://10.10.7.1/26" rel="noreferrer" target="_blank" class="">10.10.7.1/26</a>;<br class="">
> <a href="http://172.20.0.1/26" rel="noreferrer" target="_blank" class="">172.20.0.1/26</a>;<br class="">
> <a href="http://10.50.0.1/23" rel="noreferrer" target="_blank" class="">10.50.0.1/23</a>;<br class="">
> <a href="http://10.40.0.1/22" rel="noreferrer" target="_blank" class="">10.40.0.1/22</a>;<br class="">
> <a href="http://10.56.0.1/22" rel="noreferrer" target="_blank" class="">10.56.0.1/22</a>;<br class="">
> };<br class="">
</blockquote></div><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div dir="ltr" class="">Elias Pereira</div>
<span class="">-- </span><br class=""><span class="">Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" class="">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list</span><br class=""><span class=""></span><br class=""><span class="">ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank" class="">https://www.isc.org/contact/</a> for more information.</span><br class=""><span class=""></span><br class=""><span class=""></span><br class=""><span class="">bind-users mailing list</span><br class=""><span class=""><a href="mailto:bind-users@lists.isc.org" target="_blank" class="">bind-users@lists.isc.org</a></span><br class=""><span class=""><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" class="">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br class=""></div></blockquote></div></blockquote></div><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div dir="ltr" class="">Elias Pereira</div>
</div></blockquote></div><br class=""></div></div></blockquote></div><br class=""></div></div>
</blockquote></div>
</div></blockquote></div><br class=""></body></html>
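A small model of the ACL matching rules discussed in this thread, as an added example (not BIND's code and not anything the participants posted): it refuses a prefix whose host bits are set, as Anand's fix requires, applies first-match with `!` negation as Sten described, and shows that 10.60.0.0/23 covers 10.60.0.0 to 10.60.1.255 inclusive, as Greg's bit mask explains. The `check_acl` and `allowed_range` helpers and the error wording are this example's own, not named's.

```python
import ipaddress

def parse_element(text):
    """Parse one address_match_element, e.g. '10.60.0.0/23' or '!10.60.0.255'.

    Returns (negated, network); a bare address gets /32. A prefix with host bits
    set (10.60.0.1/23) is refused, as the thread explains: the address part must
    be the lowest address of the prefix. The message wording is this example's own."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    if "/" not in text:
        text += "/32"
    try:
        net = ipaddress.ip_network(text, strict=True)  # strict: host bits must be 0
    except ValueError as exc:
        raise ValueError(f"'{text}': address/prefix length mismatch") from exc
    return negated, net

def parse_acl(body):
    """Parse the inside of an acl { ... } block into an ordered element list."""
    return [parse_element(e) for e in body.split(";") if e.strip()]

def check_acl(body):
    """Lint an ACL body: one message per element whose host bits are not zero."""
    problems = []
    for element in (e for e in body.split(";") if e.strip()):
        try:
            parse_element(element)
        except ValueError as exc:
            problems.append(str(exc))
    return problems

def acl_allows(elements, addr):
    """First match decides: a '!' element rejects on match; no match rejects too."""
    ip = ipaddress.ip_address(str(addr))
    for negated, net in elements:
        if ip in net:  # only the bits under the mask are compared, as Greg described
            return not negated
    return False

def allowed_range(elements, scope):
    """Lowest and highest address inside `scope` that the ACL allows, or None."""
    hits = [str(ip) for ip in ipaddress.ip_network(scope) if acl_allows(elements, ip)]
    return (hits[0], hits[-1]) if hits else None
```

Running `check_acl` over the quoted `acl "internal"` body reports every `x.y.z.1/len` entry, while `allowed_range(parse_acl("10.60.0.0/23;"), "10.60.0.0/22")` returns the inclusive pair Greg gave.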