ietf-asrg

Re: [Asrg] DNSBL and IPv6

2012-10-26 03:12:40
On 10/26/12 2:34 AM, Hal Murray wrote:

Anyway, back on topic: I'm still not convinced we'd be talking about
IPv6-based blacklists if we didn't have a long and successful history of
IPv4-based blacklists.

How about enumerating goodness rather than badness?

Does anybody have a list of techniques to consider?

We don't have to list IP Addresses.  We could list domains and only accept 
mail if the IP Address reverses to a listed domain (and forward confirms).

It's even worse, probably.
Reverse DNS lookups have the same problem DNSxL lookups have about
caching. And usually also a much higher latency because they need to hop
through several delegations before getting an answer.


Can't we do something entirely different for IPv6? Like, use domain-based
filtering by making it mandatory to DKIM-sign a message you send over IPv6
outside of your network?

Does DKIM tell me anything about the sending site being good or bad?

No, but it gives you a hook (the signing entity) you can bind to a
reputation score.


If I get a DKIM signed message, I could look up the domain rather than the 
sender's IP address.  Does that avoid the too-many-IPv6 addresses problem?

Not necessarily. See subdomaining...


-- 
Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.
-----------------------------------------------------------------------------
http://bofhskull.wordpress.com/
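
Added example, not part of the original message: a sketch of the "reverses to a listed domain (and forward confirms)" check discussed above, for IPv6 clients. The function names, the listed domain and the PTR/AAAA data are constructed assumptions; the lookups are injected so the block runs offline, and a real deployment would pass resolver calls instead.

```python
import ipaddress

def _norm(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.rstrip(".").lower()

def in_listed_domain(host, listed):
    """Return the listed domain that host equals or sits under, else None.
    Matching is on a label boundary, so notexample.net != example.net."""
    host = _norm(host)
    for dom in map(_norm, listed):
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def fcrdns_listed(client_ip, listed, ptr_lookup, addr_lookup):
    """Accept only if a PTR name is in a listed domain AND that name
    resolves back to the connecting address (forward confirmation)."""
    ip = ipaddress.ip_address(client_ip)      # canonicalises IPv6 text forms
    for name in ptr_lookup(ip):
        dom = in_listed_domain(name, listed)
        if dom is None:
            continue
        forward = {ipaddress.ip_address(a) for a in addr_lookup(_norm(name))}
        if ip in forward:
            return dom
    return None

# Constructed sample data (documentation prefix 2001:db8::/32), standing in for DNS.
PTR = {
    "2001:db8::25": ["mx1.example.net."],     # listed, forward confirms
    "2001:db8::66": ["mail.example.net."],    # claims listed name, forward differs
    "2001:db8::77": ["mx.notexample.net."],   # confirms, but domain not listed
}
FWD = {
    "mx1.example.net": ["2001:db8::25"],
    "mail.example.net": ["2001:db8::1"],
    "mx.notexample.net": ["2001:db8::77"],
}
LISTED = {"example.net"}                      # hypothetical list of good domains

def ptr_lookup(ip):
    return PTR.get(str(ip), [])

def addr_lookup(name):
    return FWD.get(name, [])

if __name__ == "__main__":
    for addr in ["2001:0db8:0:0:0:0:0:25", "2001:db8::66", "2001:db8::77", "2001:db8::99"]:
        print(addr, "->", fcrdns_listed(addr, LISTED, ptr_lookup, addr_lookup))
```

Each accepted connection costs one PTR lookup plus at least one forward lookup, which is where the caching and latency concern raised in the reply applies.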