[Asrg] Another dnsbl draft, now standards flavored
Chris Lewis
clewis at nortel.com
Tue Jul 29 10:26:45 PDT 2008
Tony Hansen wrote:
> My take:
>
> Think of DNSxL as an exercise in steganography: A few bits of
> information are encoded into something that looks an awful lot like an
> IP address and can be carried over a channel intended to transmit IP
> addresses. Otherwise it's an opaque value.
>
> The choice of 127.0.0.0/8 and ANY sort of range in the IPv6 address
> space is truly irrelevant. These are not IP addresses; they just look
> like IP addresses.
Correct. But having the DNSBL return addresses that may actually be in
use means that you can't tell the difference between a correctly
operating DNSBL and an ordinary DNS server returning real IP addresses.
E.g.: a DNSBL domain gets typo-squatted (or reclaimed), whereupon the
domain owner puts in wildcarded A records pointing at their click-through
advertising page. In IPv4 space, there is a not insignificant fraction
of DNSBL clients that will treat this as meaning all IPs are listed.
The slightly better ones know that non-127/8 returns should be ignored.
We need the same safety net in IPv6.
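The safety net discussed in this message, as an added example that is not part of the original post or of the draft under discussion: a client-side check that treats a DNSBL answer as a listing only when every returned A record falls inside 127.0.0.0/8, and classifies anything else (such as a wildcard record pointing at an advertising page after the zone changes hands) as an invalid response rather than "everything is listed". The zone name `dnsbl.example` and the sample answers are constructed for this example; the query-name builder covers both IPv4 (reversed octets) and IPv6 (reversed nibbles) lookups.

```python
import ipaddress

# Hypothetical DNSBL zone used only for constructing query names in this
# example; it is not a real list.
DNSBL_ZONE = "dnsbl.example"

# Return codes a DNSBL may legitimately hand back. Restricting this to
# 127.0.0.0/8 is the "ignore non-127/8 returns" check from the thread; a
# client extending it to an IPv6-flavoured range would add that network here.
VALID_RETURN_RANGES = (ipaddress.ip_network("127.0.0.0/8"),)


def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name for an address.

    IPv4 addresses are reversed octet by octet; IPv6 addresses are expanded
    and reversed nibble by nibble, one label per hex digit.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def interpret_dnsbl_answer(answers):
    """Classify the A records returned for a DNSBL query.

    answers: iterable of A-record strings as a resolver would return them;
    an empty iterable models NXDOMAIN (the address is not listed).
    Returns (status, codes) with status one of 'not_listed', 'listed' or
    'invalid'; codes holds the accepted 127/8 return codes for 'listed'.
    """
    answers = list(answers)
    if not answers:
        return "not_listed", []
    codes = []
    for record in answers:
        try:
            ip = ipaddress.ip_address(record)
        except ValueError:
            return "invalid", []
        if not any(ip in net for net in VALID_RETURN_RANGES):
            # A routable address is not a DNSBL result: the zone may have
            # lapsed, been squatted, or been wildcarded. Refuse to treat it
            # as a listing so one bad zone cannot block all mail.
            return "invalid", []
        codes.append(str(ip))
    return "listed", codes


def is_blocked(answers) -> bool:
    """Policy decision: only a well-formed 127/8 answer counts as listed."""
    status, _ = interpret_dnsbl_answer(answers)
    return status == "listed"


if __name__ == "__main__":
    # Constructed sample responses; 203.0.113.10 stands in for the
    # advertising page a squatter's wildcard record might point at.
    samples = {
        "listed host": ["127.0.0.2"],
        "NXDOMAIN": [],
        "squatted zone wildcard": ["203.0.113.10"],
        "mixed real and fake": ["127.0.0.2", "203.0.113.10"],
    }
    print(dnsbl_query_name("192.0.2.1"))
    print(dnsbl_query_name("2001:db8::1"))
    for label, answer in samples.items():
        print(f"{label:24s} -> {interpret_dnsbl_answer(answer)} "
              f"blocked={is_blocked(answer)}")
```

A mixed response (one 127/8 code alongside a routable address) is deliberately classified as invalid rather than listed, since a real DNSBL has no reason to return a routable address at all and the safest reading of an inconsistent answer is that the zone is no longer under the list operator's control.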