Chris Lewis wrote:
Many DNSBLs arrange to have a query of 127.0.0.2 return an A record
indicating that the IP is listed, and a query of 127.0.0.1 return no A
record (NXDOMAIN). When both of these indicators are present, this
indicates that the DNSBL is functioning normally. See [DNSBL-EMAIL].
There is a problem with the above. The reason for the "MUST NOT list
127.0.0.1" (elsewhere) is that listing it will cause many mail servers
to block _themselves_ (eg: MSA/MTA configurations of sendmail). This is
something that Vixie said years ago. Yet, we're telling them to
explicitly list it here. Which is almost as bad as a 0/0 listing. Though,
a little more obvious ;-)
SORBS has listed 127.0.0.1 in the past, though never used it as a return
code. It occurred due to error, but it was an easy one - the relay
tester was triggered to test localhost by someone first setting up an
open relay, then sending spam, then within hours changing the DNS record
to return 127.0.0.1 for the host. Result: a request for a valid
hostname was put in the system, then before it was tested someone changed
the target IP to localhost. This was fixed fairly promptly, but it was
not an indicator of a shutdown. I believe other DNSBLs have listed
127.0.0.1 on occasion.
Does anybody know what the current thinking on 127.0.0.1 listing for
"DNSBL down" is? Or should I just yank that?
Yank it in the current form. I've said this before: I think putting
something in that will never be in a valid listing (including an error
listing) is the only answer to that one. Something in 0/8 would work -
however this is easily typo'd as 0.0.0.0/0, and would easily be machine
generated, so personally I would suggest 255.255.255.255/32. Using such
an address would indicate deliberate listing of the world as well as
'this is now no longer a DNSBL you may use' (regardless of the author's wish
or whether the DNSBL is actually shut/shutting).
I can't remember where I saw this recommendation (of listing the .1 for
"DNSBL down"). It was a strong one, otherwise, it wouldn't be there.
Maybe I misremembered.
Some mail systems are unable to differentiate between these various
results or flags, however, so a public DNSBL MUST NOT include
opposing or widely different meanings -- such as 127.0.0.23 for
"sends good mail" and 127.0.0.99 for "sends bad mail" -- within the
same DNS zone.
Not sure why this is a MUST NOT. If people are dumb enough to use a
mixed list in a broken way they get what they deserve. What's the
justification?
"Suicidal administrator" prevention. JD suggested it. I like it, but
I'm not committed to it. Thoughts?
I disagree, simply: not in the same zone - but no problem with the same
DNSBL.
Regards,
Mat
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg
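The health test quoted above (127.0.0.2 listed, 127.0.0.1 NXDOMAIN), together with the two failure modes the thread raises (a zone that lists 127.0.0.1 and so makes MTAs block themselves, and Mat's proposed 255.255.255.255 "no longer usable" sentinel), as an added example that is not part of the thread. The DNS answers are constructed sample data behind a stand-in `lookup` function, and the sentinel is Mat's suggestion, not an established convention.

```python
import ipaddress

# Constructed sample answers standing in for real DNS: a query name maps to
# its A records; a missing name means NXDOMAIN. Not real zones.
SAMPLE_ZONES = {
    "healthy.example": {
        "2.0.0.127.healthy.example": ["127.0.0.2"],
    },
    "selfblock.example": {  # lists 127.0.0.1: MTAs would block themselves
        "2.0.0.127.selfblock.example": ["127.0.0.2"],
        "1.0.0.127.selfblock.example": ["127.0.0.2"],
    },
    "retired.example": {  # Mat's proposed sentinel: 255.255.255.255 listed
        "2.0.0.127.retired.example": ["127.0.0.2"],
        "255.255.255.255.retired.example": ["127.0.0.2"],
    },
    "dead.example": {},  # no test record at all: zone is not functioning
}


def sample_lookup(qname):
    """Stand-in resolver: list of A records, or None for NXDOMAIN."""
    for records in SAMPLE_ZONES.values():
        if qname in records:
            return records[qname]
    return None


def dnsbl_qname(ip, zone):
    """Reverse the octets and append the zone, e.g. 2.0.0.127.zone.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_dnsbl(zone, lookup=sample_lookup):
    """Decide whether an MTA should keep using this zone: (usable, reason)."""
    test_listed = lookup(dnsbl_qname("127.0.0.2", zone))
    loopback = lookup(dnsbl_qname("127.0.0.1", zone))
    sentinel = lookup(dnsbl_qname("255.255.255.255", zone))
    if sentinel:
        return False, "shutdown sentinel 255.255.255.255 is listed: stop using this zone"
    if loopback:
        return False, "127.0.0.1 is listed: MTAs would block themselves"
    if not test_listed:
        return False, "127.0.0.2 not listed: zone not functioning"
    # Return codes are conventionally in 127/8; anything else is suspect.
    in_range = ipaddress.ip_network("127.0.0.0/8")
    if any(ipaddress.ip_address(a) not in in_range for a in test_listed):
        return False, "return code outside 127/8"
    return True, "ok"
```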