
Re: [Asrg] please review draft-irtf-asrg-bcp-blacklists-07

2011-01-18 14:45:39
Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
On 1/18/11 7:46 AM, John Levine wrote:

https://datatracker.ietf.org/doc/draft-irtf-asrg-bcp-blacklists/

C.  This draft continues the delusion of IP address listings for IPv6.  
An important feature of IPv6 is the ability to rapidly renumber.  Any 
scheme that attempts to apply policy against IPv6 addresses removes this 
important feature.

   I'm afraid Doug is a bit in the rough here: most of us seem hell-bent
on _making_ IPv6 DNSBLs work.

   (I do, however, share Doug's doubt that we'll succeed.)

This draft should caution against assumptions that suggest IPv4 
practices can be extended for use with IPv6!

   +1

   (I didn't stumble upon any exactly contrary statement; but I think we
need an explicit explanation that IPv6 DNSBLs are a work-in-progress at
best, and this document cannot make recommendations specific to IPv6.)

====

   Other than that, I stumbled upon some of the MUSTard.

   In general, we cannot enforce any behavior on list maintainers.

   Specifically, the "MUST NOT charge" in Section 2.5 is inappropriate.
DNSBLs that do not charge for access will necessarily need to recover
costs for manual actions that exceed de-minimis, or simply not do them.

   A strong "SHOULD NOT charge" is appropriate.

   We could probably even get away with a "MUST NOT use" such DNSBLs
in that paragraph, although personally I'd prefer "SHOULD NOT charge"
and "SHOULD NOT use".

   In Section 2.2.2, the "MUST NOT use..." such that removal requests
would be blocked is a bit strong for my taste. DDoS attacks are very
real, and defensive action _is_ needed from time to time. I think a
strong SHOULD NOT is appropriate, and I'd suggest adding text to the
effect that the website "SHOULD list short-lived alternatives"
whenever the usual removal-request path may be blocked.

   In Section 3.4, the "MUST NOT list the entire Internet" is a bit
strong as well. While I think you have given plenty of suggested
alternatives to this, folks _do_ paint themselves into corners where
such a doomsday-weapon becomes needed. (Listing the entire Internet
_does_ mean they're outside the specification we're writing; but it
comes across as an attempt to control a behavior we can't control.
Perhaps we could suggest alternatives, not use the MUSTard, and say
that listing the entire Internet puts a DNSBL list out of conformance
with this set of practices.)

   Whatever, we should make sure that language saying testing for
list-the-entire-Internet SHOULD be done is found within this Section.

====

   Overall, very good work!

--
John Leslie <john(_at_)jlc(_dot_)net>
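One way a DNSBL client could carry out the list-the-entire-Internet test that the reply wants Section 3.4 to call for, written as an added example that is not part of this thread or of the draft. It assumes the RFC 5782 test-entry convention (127.0.0.2 is always listed, 127.0.0.1 is never listed); the zone names, probe addresses and resolver answers are constructed.

```python
from typing import Callable, Dict, Optional, Tuple

# Constructed example. Zone names and resolver answers are made up; the
# test-entry convention (127.0.0.2 always listed, 127.0.0.1 never listed)
# is assumed from RFC 5782, not taken from the draft under review.
Lookup = Callable[[str], Optional[str]]  # query name -> A record text, or None


def query_name(ipv4: str, zone: str) -> str:
    """Reversed-octet DNSBL query name, e.g. 2.0.0.127.bl.example."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + "." + zone


def check_zone(lookup: Lookup, zone: str, clean_probes: Tuple[str, ...] = ()) -> str:
    """Classify a zone as 'ok', 'dead' or 'lists-everything'.
    dead:             127.0.0.2 is unlisted, so answers from this zone mean
                      nothing; treat them as "no data", never as "clean".
    lists-everything: 127.0.0.1 is listed, or every address the caller knows
                      to be clean is listed; stop blocking on this zone.
    """
    if lookup(query_name("127.0.0.2", zone)) is None:
        return "dead"
    if lookup(query_name("127.0.0.1", zone)) is not None:
        return "lists-everything"
    if clean_probes and all(lookup(query_name(p, zone)) for p in clean_probes):
        return "lists-everything"
    return "ok"


def table_lookup(table: Dict[str, str]) -> Lookup:
    """Fake resolver backed by a dict of query name -> A record."""
    return table.get


def wildcard_lookup(zone: str, spare_loopback: bool = False) -> Lookup:
    """Fake resolver for a zone that answers 127.0.0.2 for every name under it,
    optionally still honouring the 127.0.0.1 'never listed' test entry."""
    def lookup(name: str) -> Optional[str]:
        if not name.endswith("." + zone):
            return None
        if spare_loopback and name.startswith("1.0.0.127."):
            return None
        return "127.0.0.2"
    return lookup


# Constructed answers for a healthy zone: the test entry plus one real listing.
HEALTHY = table_lookup({"2.0.0.127.bl.example": "127.0.0.2",
                        "9.113.0.203.bl.example": "127.0.0.2"})
PROBES = ("198.51.100.7", "192.0.2.40")  # addresses the operator trusts as clean
```

A zone that wildcards everything except the 127.0.0.1 entry passes the test-entry checks alone, which is why the probe addresses are needed to catch it.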