On Nov 27, 2010, at 8:47 PM, John R. Levine wrote:
I have been pondering the swamp which is IPv6 DNS blacklists and whitelists.
[...]
What do you think?
I think you need to consider quitting using DNS. It's ill-suited to this
application (IPv4 or IPv6, though some of the weaknesses become more pronounced
in IPv6 space).
Something that looks suspiciously like DNS to communicate between, say, an MTA
and a local blacklist daemon makes some sense, for backwards compatibility if
nothing else, but distributing the data should be more pushing deltas to a
local authoritative store (à la BGP) than querying to a remote server (or some
hybrid of coarse-grained local store and authoritative fine-grained queries to
a remote store in the case of a local store hit).
If y'all haven't read the specs of the Google malware blacklist protocol, it's
well worth a look. It's a hideously badly documented hack in some respects, but
is a good example of an efficient way of distributing blacklist data to the
edges.
http://code.google.com/p/google-safe-browsing/wiki/Protocolv2Spec
Cheers,
Steve
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
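The hybrid Steve sketches (a coarse-grained local store fed by pushed deltas, with a fine-grained query to the authoritative server only on a local hit) as an added, runnable illustration. This is example code written for this page; it is not Steve's code, not any real DNSBL, and not the Safe Browsing protocol he links. The /64 as the coarse unit, the class and method names, the retained-delta count and the sample addresses are all assumptions made for the illustration.

```python
"""Added example: delta-pushed coarse local store with an on-hit fine-grained
remote lookup. Hypothetical toy; all names and the /64 choice are assumptions."""
import ipaddress
from dataclasses import dataclass, field

COARSE_PREFIXLEN = 64      # assumed coarse unit: one /64 per listed address


@dataclass
class Delta:
    """One announced change to the coarse set, numbered so gaps are visible."""
    version: int
    add: set = field(default_factory=set)       # IPv6Network objects
    remove: set = field(default_factory=set)


def coarse(addr):
    """Map a single IPv6Address to the coarse prefix the edge store tracks."""
    return ipaddress.IPv6Network((addr, COARSE_PREFIXLEN), strict=False)


class ResyncNeeded(Exception):
    """The delta log no longer reaches back to the client's version."""


class Publisher:
    """Authoritative store: fine-grained /128 listings plus a coarse delta log."""
    def __init__(self, retained=1000):
        self.retained = retained   # how many deltas we keep for catch-up
        self.version = 0
        self.listed = set()        # IPv6Address objects, the authoritative data
        self.log = []              # Deltas, one per change of the coarse set
        self.fine_queries = 0      # counts the expensive round trips

    def _emit(self, add=(), remove=()):
        self.version += 1
        self.log.append(Delta(self.version, set(add), set(remove)))
        del self.log[:-self.retained]

    def list_address(self, text):
        addr = ipaddress.IPv6Address(text)
        prefix = coarse(addr)
        new_prefix = not any(a in prefix for a in self.listed)
        self.listed.add(addr)
        if new_prefix:             # only coarse-set changes are announced
            self._emit(add=[prefix])

    def delist_address(self, text):
        addr = ipaddress.IPv6Address(text)
        self.listed.discard(addr)
        prefix = coarse(addr)
        if not any(a in prefix for a in self.listed):
            self._emit(remove=[prefix])

    def snapshot(self):
        """Full coarse set, for clients that fell behind the retained log."""
        return self.version, {coarse(a) for a in self.listed}

    def deltas_since(self, version):
        if version < self.version and (not self.log or self.log[0].version > version + 1):
            raise ResyncNeeded(version)
        return [d for d in self.log if d.version > version]

    def is_listed(self, addr):
        """Fine-grained authoritative query; this is the remote round trip."""
        self.fine_queries += 1
        return addr in self.listed


class LocalStore:
    """Edge-side (MTA-adjacent) store kept current by pulling deltas."""
    def __init__(self, publisher):
        self.publisher = publisher
        self.version = 0
        self.prefixes = set()

    def sync(self):
        try:
            deltas = self.publisher.deltas_since(self.version)
        except ResyncNeeded:       # too far behind: take a full snapshot instead
            self.version, self.prefixes = self.publisher.snapshot()
            return
        for d in deltas:
            assert d.version == self.version + 1, "gap in delta stream"
            self.prefixes -= d.remove
            self.prefixes |= d.add
            self.version = d.version

    def check(self, text):
        """True if listed. A coarse miss is answered locally, with no round trip."""
        addr = ipaddress.IPv6Address(text)
        if coarse(addr) not in self.prefixes:
            return False
        return self.publisher.is_listed(addr)


if __name__ == "__main__":
    pub = Publisher()
    for a in ("2001:db8:1::1", "2001:db8:1::2", "2001:db8:2::5"):   # constructed
        pub.list_address(a)
    edge = LocalStore(pub)
    edge.sync()
    print(edge.version, edge.check("2001:db8:1::1"), edge.check("2001:db8:3::1"))
```

The point of the split is visible in the counters: a coarse miss costs nothing on the network, a coarse hit costs one authoritative query, and delisting a single /128 changes nothing at the edge until the last address in its /64 is gone, which keeps the delta stream small and the fine-grained answer always current.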