[Asrg] moving the two DNSBL drafts forward

Dave CROCKER dhc at dcrocker.net
Mon Nov 24 16:11:29 PST 2008


Some tidbits.

d/


Chris Lewis wrote:
> Al Iverson wrote:
>> On Sun, Nov 23, 2008 at 6:37 PM, Chris Lewis <clewis at nortel.com> wrote:
>>
>>>> Hey, RG, other than the procedural issues, how do you like the -08 draft
>>>> of the description of DNSBLs?
>>> Ditto (after a few more typographical nits are corrected) on the BCP?
>> You are looking for public responses indicating we're happy with the
>> current (or soon to be current) versions? Yes to both, from me.
> 
> Yes please.  Thanks.




> 2.  Structure of an IP address DNSBL or DNSWL
> 
>    A DNSxL is a zone in the DNS[RFC1034][RFC1035].  The zone containing
>    resource records identifies hosts present in a blacklist or
>    whitelist.  Hosts were originally encoded into DNSxL zones using a

A 'zone' is an administrative construct, rather than a queriable user-visible 
semantic construct, such as a sub-tree.  If 'zone' is in fact correct, why?  If 
not, then I suggest saying sub-tree.


> 2.1.  IP address DNSxL
> 
>    An IPv4 address DNSxL has a structure adapted from that of the rDNS.
>    (The rDNS, reverse DNS, is the IN-ADDR.ARPA[RFC1034] and
>    IP6.ARPA[RFC3596] domains used to map IP addresses to domain names.)
>    Each IPv4 address listed in the DNSxL has a corresponding DNS entry.
>    The entry's name is created by reversing the order of the octets of
>    the text representation of the IP address, and appending the domain
>    name of the DNSxL.
> 
>    If, for example, the DNSxL is called bad.example.com, and the IPv4
>    address to be listed is 192.0.2.99, the name of the DNS entry would
>    be 99.2.0.192.bad.example.com.  Each entry in the DNSxL MUST have an
>    A record.  DNSBLs SHOULD have a TXT record that describes the reason
>    for the entry.  DNSWLs MAY have a TXT record that describes the
>    reason for the entry.  The contents of the A record MUST NOT be used
>    as an IP address.  The A record contents conventionally has the value

record contents... has -> record contents... have



>    If a range of addresses is listed in the DNSxL, the DNSxL MUST
>    contain an A record (or a pair of A and TXT records) for every
>    address in the DNSxL.  Conversely, if an IP address is not listed in

Each address results in a different queriable domain name 
<reverse-address>.<service domain>, so I think the requirement is deeper than just 
separate pseudo-A records:  each must have its own name (and, yes, each with its 
own A record underneath.)



> 7.  Security Considerations
> 
>    Any system manager that uses DNSxLs is entrusting part of his or her

his or her -> their

see: <http://dcrocker.net/#they>


>    server management to the parties that run the lists, and SHOULD
>    ensure that the management policies for the lists are consistent with
>    the policies the system manager intends to use.  Poorly chosen DNSBLs
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
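The name construction described in the quoted Section 2.1, and the per-address naming point raised above, worked through as an added example (not code from the draft or from this message). The zone name, the sample zone data and the listing reason are constructed; the 127.0.0.0/8 return-value convention is assumed, and the A record is treated only as a listing code, never as an address.

```python
import ipaddress
from typing import Optional

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSxL lookup name: reverse the octets of the IPv4 address,
    then append the list's domain (192.0.2.99 -> 99.2.0.192.bad.example.com)."""
    addr = ipaddress.IPv4Address(ip)            # rejects malformed input early
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def range_query_names(cidr: str, zone: str) -> list[str]:
    """A listed range is not a single entry: every address in it gets its own
    queriable name, each carrying its own A record (and optional TXT) beneath it."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [dnsbl_query_name(str(a), zone) for a in net]   # includes every address

def decode_listing(a_rdata: Optional[str]) -> tuple[bool, Optional[int]]:
    """Interpret a DNSxL answer. NXDOMAIN (None) means 'not listed'. A positive
    answer is a code, never an address to connect to: only the conventional
    127.0.0.0/8 values are accepted and the last octet is returned as the code.
    Anything else (stale or misconfigured zone, unexpected wildcard) is rejected
    rather than silently counted as a hit."""
    if a_rdata is None:
        return (False, None)
    answer = ipaddress.IPv4Address(a_rdata)
    if answer not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSxL answer {a_rdata!r}; not treated as a listing")
    return (True, int(answer) & 0xFF)

# Constructed sample zone data (hypothetical list, not a real DNSBL):
# name -> (A rdata, TXT rdata)
SAMPLE_ZONE = {
    "99.2.0.192.bad.example.com": ("127.0.0.2", "listed: open relay (constructed example)"),
}

def lookup(ip: str, zone: str, zone_data: dict) -> tuple[bool, Optional[int], Optional[str]]:
    """Offline stand-in for the DNS query: resolve the constructed name against
    the sample zone and decode the result as (listed, code, reason)."""
    name = dnsbl_query_name(ip, zone)
    a_rdata, txt = zone_data.get(name, (None, None))
    listed, code = decode_listing(a_rdata)
    return (listed, code, txt)

if __name__ == "__main__":
    print(lookup("192.0.2.99", "bad.example.com", SAMPLE_ZONE))   # listed, code 2
    print(lookup("192.0.2.98", "bad.example.com", SAMPLE_ZONE))   # not listed
    print(range_query_names("192.0.2.0/30", "bad.example.com"))   # four distinct names
```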

