Matt Sergeant wrote:
On 1-Apr-08, at 1:07 PM, Chris Lewis wrote:
2.1. Transparency
A DNSBL SHOULD carefully describe the criteria which are the cause
for adding, and the criteria for removing an IP address or domain
name on the list.
Here we talk about IP addresses or domain names. I think we should
stick with "Listing" or "Entry".
Fixed.
And did you add something somewhere about how a Listing/Entry might
map to >1 "thing" in the list? e.g. a range/ASN/whatever?
Should I? Or is John's document the right place for that?
3.3. DNSBLs SHOULD Provide Operational Flags
Most DNSBLs follow a convention of entries for IPs in 127.0.0.0/8 to
provide online indication of whether the DNSBL is operational. In
other words, the result of a DNS lookup will be in the range of
127.0.0.1 through 127.0.0.255.
I don't think this "in other words" fits. The first talks about
operational entries, the second talks of results. And the first talks
of a /8 and the latter the /24.
Yes, confusing. Redrafting:
Most DNSBLs follow a convention of entries for IPs in 127.0.0.0/8
(127.0.0.0-127.0.0.255) to provide online indication of whether the
DNSBL is operational. Many DNSBLs arrange to have a query of 127.0.0.2
return an A record indicating that the IP is listed, and a query of
127.0.0.1 return no A record (NXDOMAIN). When both of these indicators
are present, this indicates that the DNSBL is functioning normally.
See [DNSBL-EMAIL].
There is a problem with the above. The reason for the "MUST NOT list
127.0.0.1" (elsewhere) is that listing it will cause many mail servers
to block _themselves_ (e.g. MSA/MTA configurations of sendmail). This is
something that Vixie said years ago. Yet, we're telling them to
explicitly list it here. Which is almost as bad as a 0/0 listing. Though
a little more obvious ;-)
Does anybody know what the current thinking on 127.0.0.1 listing for
"DNSBL down" is? Or should I just yank that?
I can't remember where I saw this recommendation (of listing the .1 for
"DNSBL down"). It was a strong one, otherwise, it wouldn't be there.
Maybe I misremembered.
Some mail systems are unable to differentiate between these various
results or flags, however, so a public DNSBL MUST NOT include
opposing or widely different meanings -- such as 127.0.0.23 for
"sends good mail" and 127.0.0.99 for "sends bad mail" -- within the
same DNS zone.
Not sure why this is a MUST NOT. If people are dumb enough to use a
mixed list in a broken way they get what they deserve. What's the
justification?
"Suicidal administrator" prevention. JD suggested it. I like it, but
I'm not committed to it. Thoughts?
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg
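The operational-flag convention discussed in the thread (127.0.0.2 listed, 127.0.0.1 returning NXDOMAIN), and the self-blocking hazard Chris raises, can be expressed as a client-side check. The following is an added example written for this page, not code from the draft, from any DNSBL operator, or from the ASRG. The zone name `dnsbl.example`, the resolver interface, and the zone contents are all constructed here so the code runs offline; a real client would swap in an actual DNS lookup for the resolver function.

```python
"""Client-side DNSBL sanity checks (constructed example, not from the draft).

The 'resolver' is a plain function mapping a query name to its A records
(or None for NXDOMAIN), so the zone contents are built inline below
instead of fetched over DNS.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# Hypothetical zone name; a real client uses the operator's published zone.
ZONE = "dnsbl.example"
# Result codes are expected inside this block by convention.
TEST_NET = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], Optional[List[str]]]


def query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def make_resolver(zone_data: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a constructed {name: [A records]} table."""
    return lambda name: zone_data.get(name)


def health(resolver: Resolver, zone: str = ZONE) -> str:
    """Apply the 127.0.0.2 / 127.0.0.1 operational-flag convention.

    Returns one of:
      'ok'             127.0.0.2 is listed and 127.0.0.1 is not
      'down'           127.0.0.2 is not listed: zone empty, expired or not loaded
      'self-blocking'  127.0.0.1 is listed: an MTA consulting this zone would
                       reject mail from its own loopback address
      'unexpected'     an answer outside 127.0.0.0/8, e.g. a wildcard answer
                       from a parked or hijacked domain
    """
    probe = resolver(query_name("127.0.0.2", zone))
    if probe is None:
        return "down"
    if any(ipaddress.ip_address(a) not in TEST_NET for a in probe):
        return "unexpected"
    if resolver(query_name("127.0.0.1", zone)) is not None:
        return "self-blocking"
    return "ok"


def lookup(ip: str, resolver: Resolver, zone: str = ZONE) -> Optional[List[str]]:
    """Return the zone's 127.0.0.0/8 result codes for ip, or None if unlisted.

    Refuses to consult the zone unless health() reports 'ok', so a broken or
    self-blocking list is never mistaken for a genuine listing of ip.
    """
    if health(resolver, zone) != "ok":
        raise RuntimeError("DNSBL %s is not operational; do not act on it" % zone)
    answer = resolver(query_name(ip, zone))
    if answer is None:
        return None
    return [a for a in answer if ipaddress.ip_address(a) in TEST_NET]


# Constructed zone contents for the four situations above.
HEALTHY = make_resolver({
    query_name("127.0.0.2"): ["127.0.0.2"],
    query_name("192.0.2.10"): ["127.0.0.2", "127.0.0.4"],  # a listed test address
})
SELF_BLOCKING = make_resolver({
    query_name("127.0.0.2"): ["127.0.0.2"],
    query_name("127.0.0.1"): ["127.0.0.2"],  # loopback listed: MTAs block themselves
})
EMPTY = make_resolver({})  # no entries at all, as after an expired or unloaded zone
PARKED: Resolver = lambda name: ["198.51.100.7"]  # wildcard: every name answers

if __name__ == "__main__":
    for label, r in [("healthy", HEALTHY), ("self-blocking", SELF_BLOCKING),
                     ("empty", EMPTY), ("parked", PARKED)]:
        print(label, "->", health(r))
    print("192.0.2.10 ->", lookup("192.0.2.10", HEALTHY))
```

The `unexpected` branch is the check a mail administrator most often forgets: a zone that answers every query with an address outside 127.0.0.0/8 is not reporting listings at all, and treating such answers as "listed" blocks all inbound mail.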