[dns-operations] OT: NXDOMAIN / public resolvers and zen.spamhaus.org
jelte at isc.org
Wed Mar 30 08:13:23 UTC 2011
On 03/29/2011 04:57 PM, Robert Edmonds wrote:
> Jelte Jansen wrote:
>> I wonder if they would consider supporting Google's ip-client draft,
>> should it get traction.
>
> since there's no way for the authoritative server to authenticate the
> client-ip option provided by the recursive server, there would be no
> reason to trust it; anyone could then use the client-ip option to evade
> the rate-based filters that spamhaus and the other DNSBLs employ.

Right, that's why I said I wonder, not they should :)

> the only way it would be workable would be if the DNSBLs whitelisted the
> resolvers that they would accept the client-ip option from.

I still hope there will be a 'debug' option in client-ip (if it goes
through), which would allow any value to be put in there by anyone, which
would make this option unusable too. But we're getting off-topic here

> DNSBLs are IMO a specialized case of DNS-tunnelled database lookups and
> they shouldn't really share a general purpose cache with other clients.
> high volume mail filters should use a nearby, dedicated cache for DNSBL

Maybe that would be a good thing to say in their faq :)
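The trust problem discussed in the message above, as an added example that is not part of the original post or of any DNSBL's code: a per-window rate limiter that charges a query to the claimed client address only when the packet comes from an allowlisted resolver. The function names, the limit of 3 and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed values (documentation address ranges), not taken from the thread.
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/28")]  # allowlisted caches
TRUST_ANYONE = [ipaddress.ip_network("0.0.0.0/0")]          # the unsafe policy
LIMIT = 3                                                    # queries per window


def rate_limit_key(source_ip, claimed_client_ip, trusted):
    """Return the address a query is charged to.

    The claimed client address is used only when the packet's source is an
    allowlisted resolver; otherwise the option is ignored.
    """
    src = ipaddress.ip_address(source_ip)
    if claimed_client_ip is not None and any(src in net for net in trusted):
        try:
            return str(ipaddress.ip_address(claimed_client_ip))
        except ValueError:
            pass  # malformed option value: fall back to the source address
    return str(src)


def simulate(queries, trusted, limit=LIMIT):
    """Run (source_ip, claimed_client_ip) pairs through one rate window.

    Returns one bool per query: True if answered, False if rate-limited.
    """
    counts = defaultdict(int)
    decisions = []
    for source_ip, claimed in queries:
        key = rate_limit_key(source_ip, claimed, trusted)
        counts[key] += 1
        decisions.append(counts[key] <= limit)
    return decisions


# One sender rotating the claimed address on every query.
ROTATING = [("203.0.113.9", f"198.51.100.{i}") for i in range(1, 6)]
# An allowlisted cache forwarding for two real clients.
FORWARDED = [("192.0.2.1", "198.51.100.1")] * 4 + [("192.0.2.1", "198.51.100.2")]

if __name__ == "__main__":
    print("trust anyone :", simulate(ROTATING, TRUST_ANYONE))
    print("allowlist    :", simulate(ROTATING, TRUSTED_RESOLVERS))
    print("forwarded    :", simulate(FORWARDED, TRUSTED_RESOLVERS))
```

With the option trusted from anyone, the rotating sender is never limited; with the allowlist, its queries are charged to its own source address, while clients behind the allowlisted cache each keep a separate budget.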