Some tidbits.
d/
Chris Lewis wrote:
> Al Iverson wrote:
>> On Sun, Nov 23, 2008 at 6:37 PM, Chris Lewis <clewis(_at_)nortel(_dot_)com>
>> wrote:
>>> Hey, RG, other than the procedural issues, how do you like the -08 draft
>>> of the description of DNSBLs?
>>> Ditto (after a few more typographical nits are corrected) on the BCP?
>> You are looking for public responses indicating we're happy with the
>> current (or soon to be current) versions? Yes to both, from me.
> Yes please. Thanks.
> 2. Structure of an IP address DNSBL or DNSWL
>
> A DNSxL is a zone in the DNS[RFC1034][RFC1035]. The zone containing
> resource records identifies hosts present in a blacklist or
> whitelist. Hosts were originally encoded into DNSxL zones using a
A 'zone' is an administrative construct, rather than a queriable user-visible
semantic construct, such as a sub-tree. If 'zone' is in fact correct, why? If
not, then I suggest saying sub-tree.
> 2.1. IP address DNSxL
>
> An IPv4 address DNSxL has a structure adapted from that of the rDNS.
> (The rDNS, reverse DNS, is the IN-ADDR.ARPA[RFC1034] and
> IP6.ARPA[RFC3596] domains used to map IP addresses to domain names.)
> Each IPv4 address listed in the DNSxL has a corresponding DNS entry.
> The entry's name is created by reversing the order of the octets of
> the text representation of the IP address, and appending the domain
> name of the DNSxL.
>
> If, for example, the DNSxL is called bad.example.com, and the IPv4
> address to be listed is 192.0.2.99, the name of the DNS entry would
> be 99.2.0.192.bad.example.com. Each entry in the DNSxL MUST have an
> A record. DNSBLs SHOULD have a TXT record that describes the reason
> for the entry. DNSWLs MAY have a TXT record that describes the
> reason for the entry. The contents of the A record MUST NOT be used
> as an IP address. The A record contents conventionally has the value
record contents... has -> record contents... have
> If a range of addresses is listed in the DNSxL, the DNSxL MUST
> contain an A record (or a pair of A and TXT records) for every
> address in the DNSxL. Conversely, if an IP address is not listed in
Each address results in a different queriable domain name
<reverse-address>.<service domain>, so I think the requirement is deeper than just
separate pseudo-A records: each must have its own name (and, yes, each with its
own A record underneath.)
> 7. Security Considerations
>
> Any system manager that uses DNSxLs is entrusting part of his or her
his or her -> their
see: <http://dcrocker.net/#they>
> server management to the parties that run the lists, and SHOULD
> ensure that the management policies for the lists are consistent with
> the policies the system manager intends to use. Poorly chosen DNSBLs
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
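The name construction described in section 2.1 of the quoted draft, and the point made above that a listed range needs one name (with its own A record) per address, as an added example that is not part of the thread or of the draft. The IPv4 rule (reverse the octets, append the DNSxL zone) is the draft's; the IPv6 branch goes beyond the excerpt and follows the nibble-reversed IP6.ARPA form, and the in-memory `SAMPLE_ZONE` dictionary is a constructed stand-in for the DNS so the code runs offline. Treating an A record outside 127.0.0.0/8 as a list error rather than as a listing is this example's own defensive choice, based on the draft's rule that the A record contents must never be used as an IP address.

```python
import ipaddress
from typing import Callable, Iterator, Optional, Tuple

# Loopback range that DNSxL A records conventionally fall in (assumption
# for this example: the quoted excerpt is truncated just before it says so).
LISTING_FLAG_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsxl_name(ip: str, zone: str) -> str:
    """Build the DNSxL query name for a single address.

    IPv4: reverse the dotted octets and append the zone, exactly as the draft
    describes (192.0.2.99 in bad.example.com -> 99.2.0.192.bad.example.com).
    IPv6: reverse the 32 hex nibbles, as IP6.ARPA does (beyond the excerpt).
    """
    addr = ipaddress.ip_address(ip)
    zone = zone.rstrip(".")
    if addr.version == 4:
        label = ".".join(reversed(str(addr).split(".")))
    else:
        label = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{label}.{zone}"


def range_names(cidr: str, zone: str) -> Iterator[str]:
    """Every address in a listed range gets its own queriable name.

    A DNSxL cannot list a CIDR block as one entry: the zone must carry a
    separate name (and an A record beneath it) for each address in the block.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for addr in net:  # iterates every address, network and broadcast included
        yield dnsxl_name(str(addr), zone)


# Constructed sample zone standing in for DNS: name -> (A value, TXT or None).
SAMPLE_ZONE = {
    "99.2.0.192.bad.example.com": ("127.0.0.2", "constructed sample: listed"),
    "100.2.0.192.bad.example.com": ("127.0.0.2", None),
    # Deliberately broken entry: a routable address where a flag belongs.
    "7.100.51.198.bad.example.com": ("198.51.100.7", "bad entry"),
}

Resolver = Callable[[str], Optional[Tuple[str, Optional[str]]]]


def check_listing(ip: str, zone: str, resolve: Resolver) -> dict:
    """Query one address against a DNSxL and interpret the answer.

    The A record is only a flag that the name exists; it must never be used
    as an address to contact. Anything outside 127.0.0.0/8 is reported as a
    list error instead of a listing, so a misbehaving zone cannot silently
    block (or whitelist) everything.
    """
    name = dnsxl_name(ip, zone)
    rr = resolve(name)
    if rr is None:
        return {"name": name, "listed": False, "reason": None, "error": None}
    a_value, txt = rr
    if ipaddress.ip_address(a_value) not in LISTING_FLAG_RANGE:
        return {"name": name, "listed": False, "reason": None,
                "error": f"unexpected A record {a_value} for {name}"}
    return {"name": name, "listed": True, "reason": txt, "error": None}


if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.1", "198.51.100.7"):
        print(check_listing(ip, "bad.example.com", SAMPLE_ZONE.get))
    print(list(range_names("192.0.2.0/30", "bad.example.com")))
```

The `resolve` callable takes the query name and returns the (A, TXT) pair or `None`; swapping `SAMPLE_ZONE.get` for a function that performs real DNS queries is all that changes for live use.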