
Re: [Asrg] Implementing IPv6 DNSBLs

2010-12-10 14:34:50
On Fri, Dec 10, 2010 at 1:05 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:
I think that if you're proposing any changes at all to the existing
DNS protocol, it'd be easier to invent something new that handles
the situation directly. ...

I'm not doing that. I'm proposing an alteration of your granularity
proposal (as I understand it) that doesn't require either TXT records
or DNSSEC.

But, unless I'm misunderstanding it, it does require new status codes
which would require upgrading every DNS cache, client library, and
middlebox on the net.  If that's not right, could you show some
examples of a query for an entry that's in the BL, and for an entry
that's not in the BL?

Okay, okay, I've finally gone and reviewed
http://tools.ietf.org/html/rfc5782 and I think its expansion of IPv6
by nybble is dumb, but that's outside the scope of this communication.

RFC 5782 gives 24 bits to work with in every response, as the first
octet is 0xFF to avoid collateral damage. It recommends that those 24
bits are allocated from the right end to list answers that the server
knows about, allowing a server to give 24 boolean answers at once.

I propose that an answer code is reserved to indicate "grain size
error", including other bits to indicate the correct granularity at
which questions can be answered for an address.

At nybble resolution with 128-bit addresses -- in a possible future
where there is at least one IPv6 range that has allocated all the way
down, to different people -- and presuming that at least one nybble
will always be provided -- the second octet could be divided in two,
the first nybble being the coarsest range in the too-loose answer
range and the second being the finest range, giving 16 bits to use for
answers -- although if a bit is reserved for "this is an answer, not a
granularity correction" the answers and range advice don't have to
coexist, and a full (ha!) seven bits aligned at an octet boundary can
be given to both the low and high range. When they match, of course,
that's the granularity at which an asked question should receive a
response.

Also, Matthias Leisi is correct.

-- 
"The aeroplane is fatally defective. It is merely a toy -- a sporting
play-thing. It can never become commercially practical." -- Nikola
Tesla
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
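The following is an added example, not code from this thread or from RFC 5782. It builds the nibble-reversed IPv6 query name the RFC specifies, decodes the answer bits in a 127.x.y.z response as the post describes them, and sketches one possible encoding of the post's "grain size error" idea. The flag bit, the octet layout, the choice to express granularity as a count of leading nybbles (1..32), and the zone name are all assumptions made for illustration; they are not proposed or agreed anywhere on the list.

```python
import ipaddress

# Added example, not code from the ASRG thread.  Implements the RFC 5782
# query-name construction and a HYPOTHETICAL "grain size error" response
# format in the spirit of the post above.  GRAIN_FLAG, the octet layout
# and the nibble-count encoding are assumptions, not anything standardised.

ZONE = "dnsbl.example"  # hypothetical list zone, constructed for the example


def ipv6_dnsbl_qname(addr, zone=ZONE, nibbles=32):
    """Query name for addr, or for its leading `nibbles` nibbles, under zone.

    RFC 5782 section 2.4: each of the 32 hex digits of the fully expanded
    address becomes one label, least significant first.  A coarser prefix is
    simply fewer labels, e.g. nibbles=16 asks about the enclosing /64.
    """
    if not 1 <= nibbles <= 32:
        raise ValueError("nibbles must be 1..32")
    digits = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    prefix = digits[:nibbles]  # keep the most significant nibbles only
    return ".".join(reversed(prefix)) + "." + zone


def ipv4_dnsbl_qname(addr, zone=ZONE):
    """RFC 5782 section 2.1: reversed dotted quad under the zone."""
    octets = ipaddress.IPv4Address(addr).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


# Hypothetical: top bit of the second octet marks a granularity correction
# instead of an answer, leaving 23 answer bits (bits 0..22) for listings.
GRAIN_FLAG = 0x80


def encode_listed(bits):
    """127.x.y.z with the given answer bits set (bit 0 = low bit of octet 4)."""
    value = 0
    for b in bits:
        if not 0 <= b < 23:
            raise ValueError("answer bits are 0..22; bit 23 is the grain flag")
        value |= 1 << b
    return "127." + ".".join(str((value >> s) & 0xFF) for s in (16, 8, 0))


def encode_grain_error(coarsest, finest):
    """127.<flag>.<coarsest>.<finest>: prefix lengths, in leading nibbles,
    between which the list can answer for this address (equal when only one
    granularity is available)."""
    if not 1 <= coarsest <= finest <= 32:
        raise ValueError("need 1 <= coarsest <= finest <= 32")
    return "127.%d.%d.%d" % (GRAIN_FLAG, coarsest, finest)


def parse_response(a_record):
    """Return ('listed', set_of_bits) or ('grain', coarsest, finest)."""
    o = ipaddress.IPv4Address(a_record).packed
    if o[0] != 127:
        raise ValueError("not a 127/8 DNSBL-style answer: %s" % a_record)
    if o[1] & GRAIN_FLAG:
        return ("grain", o[2], o[3])
    value = int.from_bytes(o[1:], "big")
    return ("listed", {b for b in range(24) if (value >> b) & 1})


def requery_names(addr, grain, zone=ZONE):
    """Names a client would try after a grain error, finest granularity first."""
    _, coarsest, finest = grain
    return [ipv6_dnsbl_qname(addr, zone, n)
            for n in range(finest, coarsest - 1, -1)]


if __name__ == "__main__":
    host = "2001:db8::1"  # documentation address, constructed input
    print(ipv6_dnsbl_qname(host))
    print(parse_response("127.0.0.2"))
    err = encode_grain_error(16, 16)
    print(err, parse_response(err))
    print(requery_names(host, parse_response(err)))
```

Note the practical cost the post hints at: a client that gets a grain error has to issue up to (finest - coarsest + 1) further queries, and it must treat an answer for a coarser prefix as applying to every address under it, which is exactly the granularity question the thread is arguing about.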
