[dns-operations] OT: NXDOMAIN / public resolvers and zen.spamhaus.org

Robert Edmonds edmonds at isc.org
Tue Mar 29 14:57:36 UTC 2011


Jelte Jansen wrote:
> I wonder if they would consider supporting google's ip-client draft,
> should it get traction.

since there's no way for the authoritative server to authenticate the
client-ip option provided by the recursive server, there would be no
reason to trust it; anyone could then use the client-ip option to evade
the rate-based filters that spamhaus and the other DNSBLs employ.

the only way it would be workable would be if the DNSBLs whitelisted the
resolvers that they would accept the client-ip option from.

DNSBLs are IMO a specialized case of DNS-tunnelled database lookups and
they shouldn't really share a general purpose cache with other clients.
high volume mail filters should use a nearby, dedicated cache for DNSBL
lookups.

-- 
Robert Edmonds
edmonds at isc.org

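As an added example (not part of Robert Edmonds's post and not Spamhaus or ISC code), the following Python shows the two mechanisms the post contrasts: a DNSBL lookup as a database query tunnelled through a DNS name, with the answer interpreted so that an NXDOMAIN-rewriting public resolver is noticed rather than trusted, and the client-subnet EDNS option that a recursive resolver would attach, which an authoritative DNSBL server can only honour from an allowlisted resolver because nothing authenticates it. Assumptions: the option layout and option code follow RFC 7871, which standardised the draft the thread refers to (the 2011 draft used an experimental code with the same layout); the ZEN return-code table is my reading of public Spamhaus documentation and should be verified; the allowlist and all addresses are constructed for the example.

```python
import ipaddress
import struct

# EDNS Client Subnet option code as assigned by RFC 7871 (assumption: the
# 2011 draft used an experimental code, with the same wire layout).
EDNS_CLIENT_SUBNET = 8

# Assumed mapping of ZEN's 127.0.0.x answers to its sub-lists, taken from
# public Spamhaus documentation; verify before relying on it.
ZEN_RETURN_CODES = {2: "SBL", 3: "SBL-CSS", 4: "XBL", 5: "XBL", 6: "XBL",
                    7: "XBL", 10: "PBL", 11: "PBL"}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Encode an address as the DNSBL lookup name: the DNSBL is a database
    keyed by the reversed address, queried through the DNS."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                 # 77.2.0.192
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]  # one nibble per label
    return ".".join(labels) + "." + zone.strip(".") + "."


def classify_dnsbl_answer(rdata):
    """Interpret a DNSBL answer; rdata is the A record text or None for
    NXDOMAIN.  Anything outside 127.0.0.0/8 means the resolver rewrote the
    answer (NXDOMAIN redirection), so the result must not be acted on."""
    if rdata is None:
        return ("not-listed", None)
    a = ipaddress.ip_address(rdata)
    if a.version != 4 or not a.is_loopback:
        return ("suspect-resolver", None)
    return ("listed", ZEN_RETURN_CODES.get(int(a) & 0xFF, "unassigned"))


def encode_client_subnet(network, scope=0):
    """Build the option a recursive resolver adds to describe its client:
    family, source prefix length, scope, then ceil(prefix/8) address bytes
    with host bits zeroed."""
    net = ipaddress.ip_network(network, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, scope) + addr
    return struct.pack("!HH", EDNS_CLIENT_SUBNET, len(body)) + body


def decode_client_subnet(option):
    """Parse the option back into (network, scope).  Raises ValueError on
    malformed input so a bad option is rejected rather than guessed at."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != EDNS_CLIENT_SUBNET or length != len(option) - 4:
        raise ValueError("bad option code or length")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    if family == 1:
        full, cls = 4, ipaddress.IPv4Network
    elif family == 2:
        full, cls = 16, ipaddress.IPv6Network
    else:
        raise ValueError("unknown address family")
    addr = option[8:]
    if source > full * 8 or len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = addr + b"\x00" * (full - len(addr))
    return cls((padded, source), strict=False), scope


def effective_client(resolver_ip, option, trusted_resolvers):
    """What a DNSBL authoritative server should key rate limits on.  The
    option is unauthenticated, so it is honoured only when the query came
    from a resolver on the operator's allowlist (hypothetical); otherwise
    the resolver's own source address is used, as if no option were sent."""
    src = ipaddress.ip_address(resolver_ip)
    trusted = [ipaddress.ip_network(t) for t in trusted_resolvers]
    if option is not None and any(src in n for n in trusted):
        net, _ = decode_client_subnet(option)
        return net
    return ipaddress.ip_network(resolver_ip)


if __name__ == "__main__":
    # Constructed sample values, not real lookups.
    print(dnsbl_query_name("192.0.2.77"))
    print(classify_dnsbl_answer("127.0.0.2"), classify_dnsbl_answer("93.184.216.34"))
    opt = encode_client_subnet("192.0.2.77/24")
    print(opt.hex(), decode_client_subnet(opt))
    print(effective_client("198.51.100.5", opt, ["198.51.100.0/24"]))
    print(effective_client("203.0.113.9", opt, ["198.51.100.0/24"]))
```

The "suspect-resolver" branch is the practical check behind the subject line: a mail filter that resolves DNSBL names through a public resolver which rewrites NXDOMAIN will see a non-127/8 answer for every query, which a naive client would treat as "listed"; a dedicated local cache for DNSBL traffic, as the post recommends, avoids both that and the shared rate limit.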

