[Asrg] Another dnsbl draft, now standards flavored
Steve Atkins
steve at blighty.com
Tue Jul 29 10:32:34 PDT 2008
On Jul 29, 2008, at 10:26 AM, Chris Lewis wrote:
> Tony Hansen wrote:
>> My take:
>> Think of DNSxL as an exercise in steganography: A few bits of
>> information are encoded into something that looks an awful lot like
>> an IP address and can be carried over a channel intended to
>> transmit IP addresses. Otherwise it's an opaque value.
>> The choice of 127.0.0.0/8 and ANY sort of range in the IPv6 address
>> space is truly irrelevant. These are not IP addresses; they just
>> look like IP addresses.
>
> Correct. But having the DNSBL return addresses that may actually be
> in use means that you can't tell the difference between a correctly
> operating DNSBL and an ordinary DNS server returning real IP
> addresses.
>
> E.g.: a DNSBL domain gets typo-squatted (or reclaimed), whereupon
> the domain owner puts in wildcarded A records pointing at their
> click thru advertising page. In ipv4 space, there is a not
> insignificant fraction of DNSBL clients that will treat this as
> meaning all IPs are listed. The slightly better ones know that
> non-127/8 returns should be ignored.
>
> We need the same safety net in ipv6.
You'd only need the same safety net for IPv6 responses if you decided
to have a DNSBL return IPv6 responses, which I don't think anyone is
seriously suggesting, are they?
Otherwise, it returns an A record and, after you've gone through the
step of converting the IP address you're querying to a hostname,
everything behaves identically for v4 and v6 queries.
Cheers,
Steve
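To make the point concrete, here is an added example (not code from the thread or from any DNSBL operator) of a client that builds the DNSxL query name for both IPv4 and IPv6 and applies the "ignore anything outside 127/8" safety net to whatever A records come back. The zone name and the answers are constructed placeholders; the resolver is a stand-in so the code runs offline.

```python
import ipaddress

# Listing codes live in 127.0.0.0/8; any other answer is treated as noise
# (e.g. a parked or typo-squatted zone with a wildcard A record).
_LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsxl_query_name(addr: str, zone: str) -> str:
    """Build the DNSxL query name for an IPv4 or IPv6 address.

    IPv4: octets reversed and dotted. IPv6: the 32 hex nibbles of the
    expanded address, reversed and dot-separated. Either way the result
    is an ordinary hostname, so the rest of the lookup is identical.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.rstrip(".") + "."


def interpret_dnsxl_answer(a_records):
    """Return the set of listing codes found in a DNSxL answer.

    Only IPv4 answers inside 127.0.0.0/8 count. A routable address in the
    answer must not be read as "everything is listed".
    """
    codes = set()
    for rr in a_records:
        ip = ipaddress.ip_address(rr)
        if ip.version == 4 and ip in _LISTING_RANGE:
            codes.add(str(ip))
    return codes


def is_listed(addr: str, zone: str, resolve_a) -> bool:
    """resolve_a(name) -> list of A-record strings; empty means NXDOMAIN."""
    return bool(interpret_dnsxl_answer(resolve_a(dnsxl_query_name(addr, zone))))


# Constructed sample data (placeholder zone, not a real DNSBL) for offline use.
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_ANSWERS = {
    dnsxl_query_name("192.0.2.10", SAMPLE_ZONE): ["127.0.0.2"],     # listed
    dnsxl_query_name("2001:db8::1", SAMPLE_ZONE): ["127.0.0.4"],    # listed, v6 same path
    dnsxl_query_name("198.51.100.7", SAMPLE_ZONE): ["203.0.113.9"], # wildcard junk: ignored
}


def sample_resolver(name: str):
    return SAMPLE_ANSWERS.get(name, [])
```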