[Asrg] Round 2 of the DNSBL BCP

Chris Lewis clewis at nortel.com
Tue Apr 1 12:39:39 PDT 2008


Matt Sergeant wrote:
> On 1-Apr-08, at 1:07 PM, Chris Lewis wrote:
> 
>> 2.1.  Transparency
>>
>>    A DNSBL SHOULD carefully describe the criteria which are the cause
>>    for adding, and the criteria for removing an IP address or domain
>>    name on the list.
> 
> Here we talk about IP addresses or domain names. I think we should  
> stick with "Listing" or "Entry".

Fixed.

> And did you add something somewhere about how a Listing/Entry might  
> map to >1 "thing" in the list? e.g. a range/ASN/whatever?

Should I?  Or is John's document the right place for that?

>> 3.3.  DNSBLs SHOULD Provide Operational Flags
>>
>>    Most DNSBLs follow a convention of entries for IPs in 127.0.0.0/8 to
>>    provide online indication of whether the DNSBL is operational.  In
>>    other words, the result of a DNS lookup will be in the range of
>>    127.0.0.1 through 127.0.0.255.
> 
> I don't think this "in other words" fits. The first talks about  
> operational entries, the second talks of results. And the first talks  
> of a /8 and the latter the /24.

Yes, confusing.  Redrafting:

Most DNSBLs follow a convention of entries for IPs in
127.0.0.0/8 (127.0.0.0-127.0.0.255) to
provide online indication of whether the DNSBL is operational.

>>    Many DNSBLs arrange to have a query
>>    of 127.0.0.2 return an A record indicating that the IP is listed, and
>>    a query of 127.0.0.1 return no A record (NXDOMAIN).  When both of
>>    these indicators are present, this indicates that the DNSBL is
>>    functioning normally.  See [DNSBL-EMAIL].

There is a problem with the above.  The reason for the "MUST NOT list 
127.0.0.1" (elsewhere) is that listing it will cause many mail servers 
to block _themselves_ (eg: MSA/MTA configurations of sendmail).  This is 
something that Vixie said years ago.  Yet, we're telling them to 
explicitly list it here. Which is almost as bad as a 0/0 listing.  Tho, 
a little more obvious ;-)

Does anybody know what the current thinking on 127.0.0.1 listing for 
"DNSBL down" is?  Or should I just yank that?

I can't remember where I saw this recommendation (of listing the .1 for 
"DNSBL down").  It was a strong one, otherwise, it wouldn't be there. 
Maybe I misremembered.

>>    Some mail systems are unable to differentiate between these various
>>    results or flags, however, so a public DNSBL MUST NOT include
>>    opposing or widely different meanings -- such as 127.0.0.23 for
>>    "sends good mail" and 127.0.0.99 for "sends bad mail" -- within the
>>    same DNS zone.
> 
> Not sure why this is a MUST NOT. If people are dumb enough to use a  
> mixed list in a broken way they get what they deserve. What's the  
> justification?

"Suicidal administrator" prevention.  JD suggested it.  I like it, but 
I'm not committed to it.  Thoughts?
