[Asrg] Round 2 of the DNSBL BCP
Peter J. Holzer
hjp-asrg at hjp.at
Tue Apr 1 14:06:30 PDT 2008
On 2008-04-01 15:39:39 -0400, Chris Lewis wrote:
> Matt Sergeant wrote:
> > On 1-Apr-08, at 1:07 PM, Chris Lewis wrote:
> >> 3.3. DNSBLs SHOULD Provide Operational Flags
> >>
> >> Most DNSBLs follow a convention of entries for IPs in
> >> 127.0.0.0/8 to
> >> provide online indication of whether the DNSBL is operational. In
> >> other words, the result of a DNS lookup will be in the range of
> >> 127.0.0.1 through 127.0.0.255.
> >
> > I don't think this "in other words" fits. The first talks about
> > operational entries, the second talks of results. And the first talks
> > of a /8 and the latter the /24.
>
> Yes, confusing. Redrafting:
>
> Most DNSBLs follow a convention of entries for IPs in
> 127.0.0.0/8 (127.0.0.0-127.0.0.255) to
Either "127.0.0.0/8 (127.0.0.0-127.255.255.255)"
or "127.0.0.0/24 (127.0.0.0-127.0.0.255)".
> >> Many DNSBLs arrange to have a query
> >> of 127.0.0.2 return an A record indicating that the IP is
> >> listed, and
> >> a query of 127.0.0.1 return no A record (NXDOMAIN). When both of
> >> these indicators are present, this indicates that the DNSBL is
> >> functioning normally. See [DNSBL-EMAIL].
>
> There is a problem with the above. The reason for the "MUST NOT list
> 127.0.0.1" (elsewhere) is that listing it will cause many mail servers
> to block _themselves_ (eg: MSA/MTA configurations of sendmail). This is
> something that Vixie said years ago. Yet, we're telling them to
> explicitly list it here.
Do you? I read the above as:
127.0.0.2 is listed AND 127.0.0.1 is not listed means the DNSBL is
functioning normally.
Any other combination:
127.0.0.2 is not listed AND 127.0.0.1 is not listed
127.0.0.2 is not listed AND 127.0.0.1 is listed
127.0.0.2 is listed AND 127.0.0.1 is listed
means the list is not functioning properly.
So listing 127.0.0.1 is a way of telling the world that the list is not
functioning properly, but it isn't the only one: Simply not listing
127.0.0.2 means the same and is IMHO preferable.
I did stumble over "both of these indicators are present" at first
reading. The second indicator which must be present is the absence of
entry. Maybe that could be formulated in some way which doesn't force
the reader through such mental contortions.
> Which is almost as bad as a 0/0 listing.
A 0/0 listing will result in both 127.0.0.1 and 127.0.0.2 being listed. Since
127.0.0.1 should never be listed during normal operation, a client can
detect the 0/0 case by querying only 127.0.0.1.
> Does anybody know what the current thinking on 127.0.0.1 listing for
> "DNSBL down" is? Or should I just yank that?
>
> I can't remember where I saw this recommendation (of listing the .1 for
> "DNSBL down"). It was a strong one, otherwise, it wouldn't be there.
> Maybe I misremembered.
I don't remember it either but I think it may have been intended not as a way
to signal "DNSBL down" but as a way to detect the "lists everything"
situation (and conversely, 127.0.0.2 can be used to test for "lists
nothing").
> >> Some mail systems are unable to differentiate between these various
> >> results or flags, however, so a public DNSBL MUST NOT include
> >> opposing or widely different meanings -- such as 127.0.0.23 for
> >> "sends good mail" and 127.0.0.99 for "sends bad mail" -- within the
> >> same DNS zone.
> >
> > Not sure why this is a MUST NOT. If people are dumb enough to use a
> > mixed list in a broken way they get what they deserve. What's the
> > justification?
>
> "Suicidal administrator" prevention. JD suggested it. I like it, but
> I'm not committed to it. Thoughts?
The A record could be used to encode a range. For example 127.0.1.x
could mean "x % of the observed messages from this source are spam"
(in fact I think I've seen at least one such list). Clearly 127.0.1.0
and 127.0.1.100 have opposing meanings, but I don't see this as bad.
hp
--
   _  | Peter J. Holzer    | It took a genius to create [TeX],
|_|_) | Sysadmin WSR       | and it takes a genius to maintain it.
| |   | hjp at hjp.at      | That's not engineering, that's art.
__/   | http://www.hjp.at/ |    -- David Kastrup in comp.text.tex
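The two probe-address convention discussed in the thread (127.0.0.2 listed, 127.0.0.1 not listed) and the four possible outcomes Peter enumerates are easy to get wrong in a client, so here is an added example of how a mail-server side check could evaluate them and refuse to act on listings from a zone that fails its own health test. This is illustrative code written for this page, not code from the thread, from the BCP draft, or from any DNSBL operator. The zone name `dnsbl.example`, the stub resolver, and the answer tables are constructed; the `127.0.1.x` percentage encoding is Peter's hypothetical from the last paragraph, not a real list's documented format.

```python
"""Client-side DNSBL health probing and answer decoding (added example)."""
import ipaddress
from typing import Callable, Dict, Optional

# A lookup function takes a query name and returns the A record text,
# or None when the name does not exist (NXDOMAIN).  Real deployments
# would wrap a DNS library here; the stub below keeps the example offline.
LookupFn = Callable[[str], Optional[str]]


def reverse_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    octets = ip.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_health(zone: str, lookup: LookupFn) -> str:
    """Classify the zone using the 127.0.0.2 / 127.0.0.1 probe pair.

    Only one combination means "functioning normally"; the other three
    are the failure modes Peter lists (lists nothing, lists everything,
    or the 127.0.0.1-only case that would make servers block themselves).
    """
    listed_2 = lookup(reverse_name("127.0.0.2", zone)) is not None
    listed_1 = lookup(reverse_name("127.0.0.1", zone)) is not None
    if listed_2 and not listed_1:
        return "ok"
    if listed_2 and listed_1:
        return "lists-everything"   # the 0/0 case: every query gets an answer
    if not listed_2 and not listed_1:
        return "lists-nothing"      # zone empty, expired, or unreachable
    return "broken"                 # 127.0.0.1 listed but 127.0.0.2 is not


def check_ip(ip: str, zone: str, lookup: LookupFn) -> Optional[bool]:
    """Return True/False for listed/not listed, or None if the zone is unhealthy.

    Returning None rather than False lets the caller fail safe: a zone that
    fails its health check must not be trusted to reject (or accept) mail.
    """
    if dnsbl_health(zone, lookup) != "ok":
        return None
    return lookup(reverse_name(ip, zone)) is not None


def spam_percentage(answer: str) -> Optional[int]:
    """Decode the hypothetical 127.0.1.x encoding ("x % of messages are spam").

    Any answer outside 127.0.1.0/24, or with x > 100, is rejected as not
    carrying a percentage, so an operational flag in 127.0.0.0/24 is never
    misread as a score.
    """
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.1.0/24"):
        return None
    x = addr.packed[-1]
    return x if x <= 100 else None


def make_stub_resolver(table: Dict[str, str]) -> LookupFn:
    """Turn a constructed name->A-record table into a lookup function."""
    return lambda name: table.get(name)


# Constructed answer tables for the zone "dnsbl.example" (not a real list).
HEALTHY = {
    "2.0.0.127.dnsbl.example": "127.0.0.2",      # probe: listed, as expected
    "4.3.2.192.dnsbl.example": "127.0.0.2",      # a listed client, 192.2.3.4
}
LISTS_EVERYTHING = {
    "2.0.0.127.dnsbl.example": "127.0.0.2",
    "1.0.0.127.dnsbl.example": "127.0.0.2",      # 127.0.0.1 answers: 0/0 case
    "4.3.2.192.dnsbl.example": "127.0.0.2",
}
LISTS_NOTHING: Dict[str, str] = {}


if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY),
                         ("0/0", LISTS_EVERYTHING),
                         ("empty", LISTS_NOTHING)):
        resolver = make_stub_resolver(table)
        print(label, dnsbl_health("dnsbl.example", resolver),
              check_ip("192.2.3.4", "dnsbl.example", resolver))
    print(spam_percentage("127.0.1.37"), spam_percentage("127.0.0.2"))
```

Note that `check_ip` deliberately collapses the "lists-everything" and "lists-nothing" cases into the same `None` result: from the mail server's point of view both mean the zone's answers carry no information right now, which is exactly why the probe of 127.0.0.1 is useful for detecting a 0/0 listing without ever needing the list to deliberately put 127.0.0.1 in.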