On 11-12-22 04:24 PM, Matthias Leisi wrote:
> On Thu, Dec 22, 2011 at 5:06 PM, Chris Lewis<clewis+ietf(_at_)mustelids(_dot_)ca> wrote:
>> The DNSBL shutdown process would _also_ be perfectly appropriate for
>> blocking abusive DNS queries, _without_ listing the world, _and_ by its very
>> nature shedding the abusive queries.
> Note that the case referred to by the OP is not about shutting down a
> DNSxL, but about signaling to client applications (and
> resolvers/forwarders) that their use is considered not acceptable by
> the operator of the service.
I realized that before I commented.
The point is that the "shutdown procedure" has the right result -
shedding load and trying to signal to client applications that they
should stop querying it. All without touching any client code
whatsoever. A more sophisticated client could check the name server
returned and thereby identify immediately that the DNSBL is in shutdown
mode (if for an individual querier or in general).
Unfortunately, a straightforward REFUSED rcode results in a three-fold
increase in queries due to retries in most cases. A dedicated return
value which would cause at least certain applications to at least
temporarily suspend queries is helpful.
The problem is that with the installed base, returning any A record
(whether 127/8 or not) has the risk of causing "list the world"
behaviour in the client.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
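The client-side behaviour discussed in the message above (stop querying for a while on REFUSED rather than retrying, recognise a list that has entered shutdown or started "listing the world") as an added Python example. This is not code from the thread or from any DNSBL project. It assumes: a pluggable resolver callable (here a constructed in-memory FakeResolver, so it runs offline), hypothetical zone names (bl.example, gone.example, world.example, refused.example), the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not), and, as an assumption about the shutdown procedure referred to in the thread, that NS records resolving into 127/8 mean the list is shut down.

```python
"""DNSBL client with query shedding and shutdown / list-the-world detection (added example)."""
import ipaddress
import time

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


class NXDomain(Exception):
    """Name does not exist (rcode NXDOMAIN)."""


class Refused(Exception):
    """Server answered REFUSED (or SERVFAIL); retrying only adds load."""


class FakeResolver:
    """Constructed stand-in for a real resolver. table maps (name, rtype) to a
    list of rdata strings or the string "REFUSED"; missing keys are NXDOMAIN.
    Counts queries so the shedding effect can be observed."""

    def __init__(self, table):
        self.table = {(n.lower(), t): v for (n, t), v in table.items()}
        self.calls = 0

    def __call__(self, name, rtype):
        self.calls += 1
        key = (name.lower(), rtype)
        if key not in self.table:
            raise NXDomain(name)
        if self.table[key] == "REFUSED":
            raise Refused(name)
        return list(self.table[key])


def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets under the list zone: 10.2.3.4 -> 4.3.2.10.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


class DnsblClient:
    def __init__(self, zone, resolve, suspend_seconds=900, clock=time.monotonic):
        self.zone = zone.rstrip(".")
        self.resolve = resolve
        self.suspend_seconds = suspend_seconds
        self.clock = clock
        self.suspended_until = 0.0   # set on REFUSED: send nothing until then
        self.disabled_reason = None  # set when the list is shut down or lists the world

    def _suspended(self):
        return self.clock() < self.suspended_until

    def _query(self, name, rtype):
        """Resolve; [] on NXDOMAIN; on REFUSED suspend the whole list and re-raise."""
        try:
            return self.resolve(name, rtype)
        except NXDomain:
            return []
        except Refused:
            self.suspended_until = self.clock() + self.suspend_seconds
            raise

    @staticmethod
    def _listed(answers):
        # Only 127/8 answers count as listings; anything else is not trusted
        return any(ipaddress.IPv4Address(a) in LOOPBACK for a in answers)

    def check_health(self):
        """True if the list may be used. Disables it when the zone's NS records
        resolve into 127/8 (assumed shutdown signal), when 127.0.0.1 is listed
        (RFC 5782: must never be listed, so the list is 'listing the world'),
        or when 127.0.0.2 is not listed (RFC 5782: must always be listed)."""
        if self.disabled_reason:
            return False
        try:
            ns_addrs = [a for ns in self._query(self.zone, "NS") for a in self._query(ns, "A")]
            if ns_addrs and all(ipaddress.IPv4Address(a) in LOOPBACK for a in ns_addrs):
                self.disabled_reason = "shutdown: NS records point into 127/8"
            elif self._listed(self._query(dnsbl_name("127.0.0.1", self.zone), "A")):
                self.disabled_reason = "list-the-world: 127.0.0.1 is listed"
            elif not self._listed(self._query(dnsbl_name("127.0.0.2", self.zone), "A")):
                self.disabled_reason = "dead: test entry 127.0.0.2 is not listed"
        except Refused:
            return False  # _query already suspended us; try again later
        return self.disabled_reason is None

    def lookup(self, ip):
        """True = listed, False = not listed, None = query deliberately not sent."""
        if self.disabled_reason or self._suspended():
            return None
        try:
            return self._listed(self._query(dnsbl_name(ip, self.zone), "A"))
        except Refused:
            return None


# Constructed sample data for four hypothetical zones; none is a real DNSBL.
SAMPLE_TABLE = {
    ("bl.example", "NS"): ["ns1.bl.example"],          # healthy list
    ("ns1.bl.example", "A"): ["192.0.2.53"],
    ("2.0.0.127.bl.example", "A"): ["127.0.0.2"],
    ("4.3.2.10.bl.example", "A"): ["127.0.0.2"],
    ("gone.example", "NS"): ["localhost"],             # shut down: NS -> loopback
    ("localhost", "A"): ["127.0.0.1"],
    ("world.example", "NS"): ["ns1.world.example"],    # answers everything as listed
    ("ns1.world.example", "A"): ["192.0.2.54"],
    ("1.0.0.127.world.example", "A"): ["127.0.0.2"],
    ("2.0.0.127.world.example", "A"): ["127.0.0.2"],
    ("9.9.9.9.world.example", "A"): ["127.0.0.2"],
    ("refused.example", "NS"): "REFUSED",              # refuses this client
    ("4.3.2.10.refused.example", "A"): "REFUSED",
}
```

Run `check_health()` at startup and periodically; a REFUSED anywhere puts the whole zone on hold for `suspend_seconds`, so the client sends one query rather than the retry burst, and a zone whose NS records have been pointed at loopback or which lists 127.0.0.1 is switched off before it can reject all mail.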