
Re: [Asrg] Final(?) draft of DNSwL draft

2007-07-27 21:14:16

In the security considerations it should say more than just that the DNS
service is subjected to various types of attacks. I'd like to see on that
line that without DNSSEC the response is not authenticated and, DNS being
a UDP service, it can easily be forged by a 3rd party. DNS security issues
are really the most important, so that paragraph should go first either
way. The prior paragraph of the security section gives a reference to
"[5,6]" at the end of it; I really don't see anything in "[6]" that is
relevant.

And while this may not be exactly the right doc, I think it should be
mentioned that if for some reason a domain expires and it is in a TLD that
has wildcard entries, that would cause the equivalent of an "all listed"
response. However these would then not be 127.0.0.1, so it should say
somewhere that clients SHOULD only use entries in a blacklist that are in
the 127/8 range (rather than just checking if there is any A record at
all, as some are doing) and ignore all others unless the list
documentation says otherwise.

Also, in general it should say that while DNSxL use is primarily centered
around email, the method described is general and is also used by other
applications (in fact consider even changing the title and removing "for
E-Mail" at the end) as a way to verify that a certain IP address or domain
zone is or is not in some list. Examples of where it's heavily used
outside of email are ip->country lists, which are used by all types of
applications from weblog & security analyzers to real-time HTTP apps. And
DNSBL lists that are used for email blocking have also found use in
blocking unwanted web comment spam, etc. (this is similar to email
blocking, but the point is it's not email).

On Fri, 27 Jul 2007, John L wrote:

I got some review comments back from the IRTF on the DNSwL draft, so I've done another version:

        http://asrg.sp.am/draft-irtf-asrg-dnsbl-03.txt

Please take a look, if nobody hates it I'll send it off on Monday.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

PS: The comments said:

I have done a review of this document.  I think it could use a bit
more attention in section 2.3.  This section mentions an
"organization" may use a variety of DNSxLs for different purposes.
I believe this statement can be expanded and made more clear.  In
particular, the next sentence discusses "multiple sublists", but no
definition has yet been given for just what that is, and how it
relates to an organization and its variety of DNSxLs.  In the next
paragraph it mentions subdomains and sublists.

I think with another pass on this part {and a definition for the term rDNS
in 2.1} the doc would be ok.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
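The point raised above about wildcard TLD entries, that a client should treat only A records in 127/8 as a listing rather than "any A record at all", is easy to get wrong in a lookup client. The following is an added example, not code from the draft or from anyone on this thread. It builds the reversed-octet query name for an IPv4 address, then compares the naive "any A record" check with the 127/8-only check. The resolver is a stub over constructed answers (the zone names `dnsbl.example` and `expired.example` and the parking address `192.0.2.80` are made up for the example); a real client would swap in an actual DNS query at that one call site.

```python
import ipaddress
from typing import Callable, Dict, List

# Per the DNSxL convention, a listing is expressed as an A record in 127/8.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample answers standing in for a DNS resolver (not real data):
#  - dnsbl.example lists 1.2.3.4 with the usual 127.0.0.2 code;
#  - 1.2.3.5 is not listed (NXDOMAIN -> no A records);
#  - expired.example models a lapsed list zone under a wildcarding TLD:
#    every name resolves to a parking address outside 127/8.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "4.3.2.1.dnsbl.example": ["127.0.0.2"],
    "5.3.2.1.dnsbl.example": [],
    "4.3.2.1.expired.example": ["192.0.2.80"],
}


def stub_resolve(name: str) -> List[str]:
    """Stand-in resolver: return the A records for name (empty on NXDOMAIN)."""
    return SAMPLE_ANSWERS.get(name, [])


def dnsxl_query_name(ip: str, zone: str) -> str:
    """Build the DNSxL query name: octets of ip reversed, then the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def listed_codes(a_records: List[str]) -> List[str]:
    """Keep only the A records that count as a listing, i.e. those in 127/8.

    Anything else (parking IPs from a wildcard TLD, garbage strings) is
    ignored, as the thread suggests clients SHOULD do.
    """
    codes = []
    for rec in a_records:
        try:
            addr = ipaddress.IPv4Address(rec)
        except ValueError:
            continue  # not an IPv4 literal at all; ignore
        if addr in LISTING_RANGE:
            codes.append(str(addr))
    return codes


def naive_is_listed(ip: str, zone: str, resolve: Callable[[str], List[str]]) -> bool:
    """The check the thread warns against: any A record means 'listed'."""
    return bool(resolve(dnsxl_query_name(ip, zone)))


def is_listed(ip: str, zone: str, resolve: Callable[[str], List[str]]) -> bool:
    """The recommended check: listed only if some A record falls in 127/8."""
    return bool(listed_codes(resolve(dnsxl_query_name(ip, zone))))


if __name__ == "__main__":
    for zone in ("dnsbl.example", "expired.example"):
        print(zone, "naive:", naive_is_listed("1.2.3.4", zone, stub_resolve),
              "127/8-only:", is_listed("1.2.3.4", zone, stub_resolve))
```

Against the expired zone the naive check reports every address as listed (the "all listed" failure the thread describes), while the 127/8 filter correctly reports nothing listed; against the live zone both agree.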
