[Asrg] Another dnsbl draft, now standards flavored
Walter Dnes
waltdnes at waltdnes.org
Mon Jul 28 20:40:45 PDT 2008
On Tue, Jul 29, 2008 at 02:43:37AM +0200, Frank Ellermann wrote
> Walter Dnes wrote:
>
> > - If a server gets a query via IPV4, it should return an A record
> > - If a server gets a query via IPV6, it should return an AAAA record
>
> That's IMO a bit exaggerated, DNSBLs in essence (ab)use one IPv4
> 127.0.0.2 to signal "listed". Extended to 127/8, maybe avoiding
> 127/31, to indicate also some kind of reason, e.g. defining sets
> for the up to 32-8 (or 32-8-1) "free" bits in this range.
This is a case of "everything you know is wrong", because there are
fundamental differences between IPV4 and IPV6. In short, *** IPV6 DOES
NOT HAVE ANYTHING EQUIVALENT TO IPV4's 127.0.0.0/8 address range ***.
It's true that IPV6 ::1 is the functional equivalent of IPV4's
127.0.0.1. But unlike IPV4, which devotes 16 million addresses to
"this machine", IPV6 allocates only 1 address to "this machine". Given
that IPV6 doesn't have such a range, I suggested using the
RFC1918-equivalent range fc00::/7 instead. It's sort of like
192.168.0.0/16, but with a lot more room.
> An open question is which IPv6 could be used as test entry, to
> check that a DNSBL is alive and supporting IPv6. The draft has
> it clear that ::1 MUST NOT be listed (like 127.0.0.1), that is
> good to find maniacs suddenly listing "the world" (it happened).
::1 is *NOT* part of a "this machine" address range, because there
ain't no such animal in IPV6. Don't assume that you can play fast and
loose with 16 million addresses in the range ::0 to ::FF:FF:FF:FF.
This doesn't exclude the possibility of using ::2 as a test address.
I feel that meta-data/control-data should be "out-of-band" from actual
data. Not only should the submitted address be out-of-band, so should
the result. Again, I suggest checking with the official IPV6 gurus, as
to which addresses we can safely use.
> The draft proposes (or proposed if John changed it) to use ::2
> as test entry (like 127.0.0.2). I wasn't sure if this is as it
> should be, and proposed ::FFFF:127.0.0.2 (as the always listed
> IPv6 test entry).
We don't know what will happen with that range once IPV4 goes away,
and why restrict ourselves to 24 bits, anyways?
> DNSBLs don't need more "reason codes" than 127/8 (minus 127/31
> in my parallel universe, but that is not a part of the draft).
That attitude is what got us into this mess in the first place. If
CIDRs and NAT had been used from day 1, we'd be another few years from
running out of addresses.
--
Walter Dnes <waltdnes at waltdnes.org>
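Added illustration (editor's example, not code from the thread or the draft): builds DNSBL lookup names for IPv4 and IPv6, decodes an answer under the conventions debated above (127/8 with 24 "free" reason bits for IPv4; Walter's suggested fc00::/7 for IPv6), and checks the loopback and test entries so a list that suddenly "lists the world" is caught. The reversed-nibble IPv6 query form, the fc00::/7 answer range and the ::2 test entry are assumptions taken from the discussion, not settled standard behaviour.

```python
"""Editor's example, not from the ASRG thread or the draft.
Assumptions: a listed IPv4 address answers with an A record in
127.0.0.0/8 whose low 24 bits carry a 'reason' value; a listed IPv6
address (Walter's suggestion) answers with an AAAA record in fc00::/7;
127.0.0.1 and ::1 must never be listed; 127.0.0.2 and ::2 are the
always-listed test entries (::2 as proposed in the draft)."""
import ipaddress

V4_LISTED = ipaddress.ip_network("127.0.0.0/8")
V6_LISTED = ipaddress.ip_network("fc00::/7")   # suggested in the post, not standard

def query_name(addr: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed octets for IPv4,
    reversed nibbles for IPv6 (the nibble form is assumed here)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def decode_answer(answer: str) -> dict:
    """Interpret an A/AAAA answer: is the queried address listed, and
    for 127/8 answers, what do the 24 'free' bits say?"""
    ip = ipaddress.ip_address(answer)
    if ip.version == 4:
        listed = ip in V4_LISTED
        reason = int(ip) & 0xFFFFFF if listed else None
    else:
        listed = ip in V6_LISTED
        reason = None
    return {"listed": listed, "reason": reason, "version": ip.version}

def sanity_check(answers: dict) -> list:
    """Flag a DNSBL that 'lists the world' or is dead.  answers maps a
    queried address to the answer string, or None for NXDOMAIN."""
    problems = []
    for never in ("127.0.0.1", "::1"):
        if answers.get(never) is not None:
            problems.append(f"{never} is listed; refuse to use this list")
    for always in ("127.0.0.2", "::2"):
        if answers.get(always) is None:
            problems.append(f"{always} test entry is not listed")
    return problems

if __name__ == "__main__":
    # constructed sample answers, as a resolver might return them
    sample = {"127.0.0.1": None, "::1": None,
              "127.0.0.2": "127.0.0.2", "::2": "fc00::2"}
    print(query_name("2001:db8::1", "bl.example"))
    print(decode_answer("127.0.0.2"), sanity_check(sample))
```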