
Re: [Asrg] Problems with wildcards in combined IPv4 + IPv6 DNS blacklists

2011-05-26 18:02:49
> There's a problem when you use wildcards on IPv4 addresses:
>
>  *.0.0.2.zone.example.com
>
> Matches IPv6 2.0.0.* (2.0.0.0/8), but it also matches IPv6 2000/12.
> Any IPv6 address starting with "200", as many do.

Indeed, but basically nobody serves DNSBLs from servers that use BIND
style zone files and wildcards, so it's unlikely to be an issue in
practice.

> I think the RFC should be changed to add something to the IPv6 records to
> differentiate them, just about anything but an integer from 0-255, like:
>
>  [reversed IP].v6.[zone]
>
> Is there a problem with doing that?

RFCs are by long tradition immutable so, no, it can't be changed.  You
can call your DNSBLs whatever you want, including using a different
base name for the v4 and v6 BLs, if it works better for you.

Due to the cache problems that any sort of per-IP queries are likely
to cause on production IPv6 networks (see previous discussion on this
list) I doubt there will ever be a lot of use of 5782 format IPv6 BLs,
so it doesn't seem like a good use of anyone's time to try to produce
a new version of the RFC with that change.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
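The collision the thread describes, as an added example that is not code from the Asrg thread, from John Levine or from any DNSBL operator: it builds RFC 5782 query names for IPv4 and IPv6 addresses, models the matching behaviour of a leftmost-label DNS wildcard such as `*.0.0.2.zone.example.com` (the zone name is the thread's), computes which address ranges that wildcard covers on each family, and shows the effect of the proposed `[reversed IP].v6.[zone]` label. The helper names and sample addresses are ours, constructed for the demonstration.

```python
"""Added example (not from the Asrg thread): an IPv4-style BIND wildcard
also matches RFC 5782 IPv6 query names whose leading nibbles happen to
read the same, and a distinguishing 'v6' label separates the two."""
import ipaddress
from typing import Optional, Tuple

ZONE = "zone.example.com"  # example zone from the thread


def dnsbl_name(addr: str, zone: str = ZONE, v6_infix: Optional[str] = None) -> str:
    """RFC 5782 query name: IPv4 octets reversed, IPv6 as 32 reversed nibbles.
    v6_infix is the extra label the thread proposes ([reversed IP].v6.[zone])."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]  # 32 hex digits, reversed
        if v6_infix:
            labels.append(v6_infix)
    return ".".join(labels + [zone])


def wildcard_matches(pattern: str, name: str) -> bool:
    """Approximate DNS wildcard matching (RFC 4592) for a zone that holds only
    the wildcard: '*' is the leftmost label and stands for one or more labels,
    so '*.0.0.2.zone' covers every name below '0.0.2.zone', however deep."""
    if not pattern.startswith("*."):
        raise ValueError("only leftmost-label wildcards are modelled")
    suffix = pattern[2:].lower().split(".")
    labels = name.lower().split(".")
    return len(labels) > len(suffix) and labels[-len(suffix):] == suffix


def wildcard_coverage(pattern: str, zone: str = ZONE) -> Tuple[
        Optional[ipaddress.IPv4Network], Optional[ipaddress.IPv6Network]]:
    """Address ranges an IPv4-style wildcard covers on each address family.
    The fixed labels read back to front are leading octets (IPv4) or, because
    RFC 5782 IPv6 names use one hex digit per label, leading nibbles (IPv6)."""
    fixed = pattern[2:-(len(zone) + 1)].split(".")
    leading = list(reversed(fixed))  # e.g. ['2', '0', '0']
    v4 = v6 = None
    if len(leading) <= 4 and all(l.isdigit() and int(l) < 256 for l in leading):
        octets = leading + ["0"] * (4 - len(leading))
        v4 = ipaddress.IPv4Network(".".join(octets) + f"/{8 * len(leading)}")
    if len(leading) <= 32 and all(len(l) == 1 and l in "0123456789abcdefABCDEF"
                                  for l in leading):
        padded = ("".join(leading) + "0" * 32)[:32].lower()
        groups = [padded[i:i + 4] for i in range(0, 32, 4)]
        v6 = ipaddress.IPv6Network(":".join(groups) + f"/{4 * len(leading)}")
    return v4, v6


def collision_report(pattern: str = "*.0.0.2." + ZONE) -> dict:
    """Constructed lookups against the thread's wildcard: an IPv4 address in
    2.0.0.0/24, an IPv6 address in 2000::/12 (unintended hit), an IPv6
    address outside it, and the same 2000::/12 address with the 'v6' label."""
    return {
        "v4_2.0.0.5": wildcard_matches(pattern, dnsbl_name("2.0.0.5")),
        "v6_2001:db8::1": wildcard_matches(pattern, dnsbl_name("2001:db8::1")),
        "v6_fe80::1": wildcard_matches(pattern, dnsbl_name("fe80::1")),
        "v6_tagged_2001:db8::1": wildcard_matches(
            pattern, dnsbl_name("2001:db8::1", v6_infix="v6")),
    }


if __name__ == "__main__":
    print(wildcard_coverage("*.0.0.2." + ZONE))
    for query, hit in collision_report().items():
        print(f"{query}: {'listed' if hit else 'not listed'}")
```

Running it shows the wildcard covering 2.0.0.0/24 on IPv4 and 2000::/12 on IPv6 at the same time; the tagged name drops out because the `v6` label sits between the nibbles and the zone, so no IPv4-style wildcard can reach it.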