[dns-operations] OT: NXDOMAIN / public resolvers and zen.spamhaus.org

Jelte Jansen jelte at isc.org
Wed Mar 30 08:13:23 UTC 2011



On 03/29/2011 04:57 PM, Robert Edmonds wrote:
> Jelte Jansen wrote:
>> I wonder if they would consider supporting google's ip-client draft,
>> should it get traction.
> 
> since there's no way for the authoritative server to authenticate the
> client-ip option provided by the recursive server, there would be no
> reason to trust it; anyone could then use the client-ip option to evade
> the rate-based filters that spamhaus and the other DNSBLs employ.
> 

Right, that's why I said "I wonder", not "they should" :)

> the only way it would be workable would be if the DNSBLs whitelisted the
> resolvers that they would accept the client-ip option from.
> 

I still hope there will be a 'debug' option in client-ip (if it goes
through), which would allow any value to be put in there by anyone, which
would make this option unusable too. But we're getting off-topic here.

> DNSBLs are IMO a specialized case of DNS-tunnelled database lookups and
> they shouldn't really share a general purpose cache with other clients.
> high volume mail filters should use a nearby, dedicated cache for DNSBL
> lookups.
> 

Maybe that would be a good thing to say in their faq :)

Jelte
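To make the objection in the thread concrete, here is an added example (not code from anyone on the list) of how a DNSBL authoritative server could decide which identity to apply its rate-based filter to: the client-ip value is honoured only from whitelisted resolvers, and every other query is counted against the resolver's own source address. It assumes the wire layout of the later standardised EDNS Client Subnet option (RFC 7871, option code 8), since the page does not spell out the draft's format; the whitelist and sample option bytes are constructed.

```python
import ipaddress
from collections import Counter

# ECS OPTION-DATA layout (RFC 7871): FAMILY(2) SOURCE-PREFIX(1) SCOPE-PREFIX(1) ADDRESS(n).
FAMILY_IPV4, FAMILY_IPV6 = 1, 2
# Constructed sample data: one whitelisted resolver and an option for 198.51.100.0/24.
TRUSTED_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}
SAMPLE_ECS_V4 = b"\x00\x01\x18\x00" + bytes([198, 51, 100])


def parse_ecs(option_data: bytes):
    """Decode ECS OPTION-DATA into an ip_network; None if malformed."""
    if len(option_data) < 4:
        return None
    family = int.from_bytes(option_data[:2], "big")
    source_prefix = option_data[2]  # option_data[3] is SCOPE PREFIX-LENGTH, unused here
    addr_bytes = option_data[4:]
    if family == FAMILY_IPV4:
        width, cls = 32, ipaddress.IPv4Network
    elif family == FAMILY_IPV6:
        width, cls = 128, ipaddress.IPv6Network
    else:
        return None
    # The address is truncated to exactly the bytes that SOURCE PREFIX-LENGTH needs.
    if source_prefix > width or len(addr_bytes) != (source_prefix + 7) // 8:
        return None
    padded = addr_bytes + bytes(width // 8 - len(addr_bytes))
    return cls((padded, source_prefix), strict=False)  # tolerate stray host bits


def rate_limit_key(resolver_ip: str, ecs_data, trusted_resolvers) -> str:
    """Identity the DNSBL counts queries against.

    The option is trusted only from whitelisted resolvers (the fix suggested
    in the thread); from anyone else it is ignored and the resolver's own
    address is used, so a forged option cannot buy a fresh rate-limit bucket.
    """
    if ecs_data is not None and ipaddress.ip_address(resolver_ip) in trusted_resolvers:
        net = parse_ecs(ecs_data)
        if net is not None:
            return f"ecs:{net}"
    return f"src:{resolver_ip}"


class QueryLimiter:
    """Fixed-window counter per key; shows where the chosen key matters."""
    def __init__(self, limit: int):
        self.limit, self.counts = limit, Counter()

    def allow(self, key: str) -> bool:
        self.counts[key] += 1
        return self.counts[key] <= self.limit
```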