[dns-operations] OT: NXDOMAIN / public resolvers and zen.spamhaus.org
Jelte Jansen
jelte at isc.org
Wed Mar 30 08:13:23 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/29/2011 04:57 PM, Robert Edmonds wrote:
> Jelte Jansen wrote:
>> I wonder if they would consider supporting google's ip-client draft,
>> should it get traction.
>
> since there's no way for the authoritative server to authenticate the
> client-ip option provided by the recursive server, there would be no
> reason to trust it; anyone could then use the client-ip option to evade
> the rate-based filters that spamhaus and the other DNSBLs employ.
>
Right, that's why I said I wonder, not they should :)
> the only way it would be workable would be if the DNSBLs whitelisted the
> resolvers that they would accept the client-ip option from.
>
I still hope there will be a 'debug' option in client-ip (if it goes
through), which would allow any value to be put in there by anyone, which
would make this option unusable too. But we're getting off-topic here.
> DNSBLs are IMO a specialized case of DNS-tunnelled database lookups and
> they shouldn't really share a general purpose cache with other clients.
> high volume mail filters should use a nearby, dedicated cache for DNSBL
> lookups.
>
Maybe that would be a good thing to say in their faq :)
Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk2S5iIACgkQ4nZCKsdOncUMNgCfZofl2VHLww+hFjyYMR5NlF6K
IbUAn0D/gGPwFJCkaf0vt30HlckbsrNz
=PeDr
-----END PGP SIGNATURE-----
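The point Robert Edmonds makes above (an unauthenticated client-ip option gives a DNSBL's rate-based filter nothing trustworthy to key on, unless the DNSBL only honours it from resolvers it has whitelisted) is easy to see in a small model. The following is an added example, not code from the thread, from Spamhaus, or from the client-ip draft (which later became EDNS Client Subnet, RFC 7871). It models the DNSBL side only: a query carries the resolver's source address and, optionally, the client-subnet value the resolver attached; a rate limiter buckets queries under one of three key-selection policies. The addresses, the limit of five queries per window and the burst sizes are all constructed for the demonstration.

```python
"""
Toy model of a DNSBL-side rate limiter and three policies for choosing
the key that query counts are bucketed under.

  "resolver"  - bucket by the recursive resolver's source address
                (the situation the thread starts from: a busy public
                resolver hits the limit on behalf of all its clients).
  "client-ip" - trust the client-ip option from any resolver
                (the policy the thread warns against: the option is
                unauthenticated, so the bucket key is chosen by the sender).
  "whitelist" - honour the option only from resolvers on an allow-list,
                and fall back to the resolver address for everyone else.

All addresses are from the RFC 5737 documentation ranges and are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Query:
    resolver_ip: str              # source address of the recursive resolver
    client_subnet: Optional[str]  # value of the EDNS client-ip option, if present


class RateLimiter:
    """Counts queries per bucket key and allows at most `limit` per window."""

    def __init__(self, policy: str, limit: int,
                 trusted: FrozenSet[str] = frozenset()) -> None:
        if policy not in ("resolver", "client-ip", "whitelist"):
            raise ValueError(f"unknown policy: {policy}")
        self.policy = policy
        self.limit = limit
        self.trusted = trusted          # resolvers whose client-ip option is honoured
        self.counts: Counter = Counter()

    def key_for(self, q: Query) -> str:
        """Select the bucket key according to the configured policy."""
        if self.policy == "resolver":
            return q.resolver_ip
        if self.policy == "client-ip":
            # Anything the sender put in the option becomes the key.
            return q.client_subnet or q.resolver_ip
        # "whitelist": the option is only meaningful from a trusted resolver.
        if q.resolver_ip in self.trusted and q.client_subnet:
            return q.client_subnet
        return q.resolver_ip

    def allow(self, q: Query) -> bool:
        key = self.key_for(q)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def allowed_count(policy: str, queries: List[Query], limit: int = 5,
                  trusted: FrozenSet[str] = frozenset()) -> int:
    """Run one burst of queries through a fresh limiter; return how many pass."""
    rl = RateLimiter(policy, limit, trusted)
    return sum(1 for q in queries if rl.allow(q))


def forged_burst(n: int) -> List[Query]:
    """n queries from one untrusted resolver, each carrying a different
    client-subnet value (constructed). Under 'client-ip' every query lands
    in its own bucket, so the limit never triggers."""
    return [Query("198.51.100.7", f"203.0.113.{i}/32") for i in range(n)]


def shared_cache_burst(n: int) -> List[Query]:
    """n queries from one trusted public resolver on behalf of n distinct
    client networks (constructed): the case the thread opened with."""
    return [Query("192.0.2.53", f"10.0.{i}.0/24") for i in range(n)]


if __name__ == "__main__":
    trusted = frozenset({"192.0.2.53"})
    for name, burst in (("forged", forged_burst(50)),
                        ("shared cache", shared_cache_burst(50))):
        for policy in ("resolver", "client-ip", "whitelist"):
            n = allowed_count(policy, burst, trusted=trusted)
            print(f"{name:13s} {policy:10s} allowed {n:3d} of {len(burst)}")
```

Running the script shows the trade-off in numbers: keying on the resolver address caps both bursts at five, which is why a shared public resolver's users get answers refused; keying on the bare option lets all fifty forged queries through; keying on the option only for whitelisted resolvers caps the forged burst at five while letting the trusted resolver's fifty distinct clients each get their own bucket.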