Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blacklists and Whitelists)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi.  All of these questions have come up before on the various lists
where this draft was developed, but I suppose it's worth going through
them again.

>On the other hand, I have a few questions: the first one, why
>"Proposed standard"? Is it really a good idea to standardize these
>lists (most being badly managed)? Why not just "Informational" if we
>just want to document what people are doing?

The decscription of IPv4 DNSBLs/DNSWLs and most of the description of
domain DNSBLs document existing practice.  There aren't any v6 DNSBLs
yet, other than for testing, but there certainly will be, and my hope
here is to preemptively nail down the bits that are arbitrary choices,
e.g., the test addresses, so that software that uses v6 DNSBLs will
continue to interoperate, and DNSBL users continue to be able to
select the most effective lists by changing lines in a config file
rather than reprogramming.  Hence proposed standard.

>Second question, the document indeed standardizes many things which
>are not in common use but does not point towards a rationale, so some
>choices are puzzling. Why TXT records to point to an URL and not
>NAPTR?

That's what nearly all DNSBLs do now.  As the draft says in section
2.1, the contents of the TXT are useful to put into a 5xx SMTP
rejection message or the report from a scoring spam filter.

> Is this because of current usage in DNSxL? If so, this should be
> noted. But why IPv6 lists use a A record and not a AAAA?

Because the value isn't an address, it's a 32 bit value typically
interpreted as bitfields, which happens to be most easily transmitted
in an A record.  I've rewritten that part of the doc a few times
trying to make that clear, but I'd be happy to accept language which
makes it clearer.

Incidentally, although it may still be the conventional wisdom in the
IETF that DNSBLs don't work and aren't useful, in the outside world
where 95% or more of mail is spam, they're essential tools to run a
mail server.  Although there are indeed lots of stupid DNSBLs, those
aren't the ones that people use, and there are widely used ones that
have vanishingly low false positive rates that let you knock out most
of the spam cheaply so you can afford to do more expensive filtering
on what's left.  Spamhaus estimates, based on the systems that pay for
their data feeds, that there are about 1.4 billion mailboxes whose
mail is filtered using their lists, and they're the biggest but hardly
the only popular high quality DNSBL.  It's pretty clear that there are
a lot more mail systems that do use DNSBLs than don't.

R's,
John

PS: I noticed a buglet -- in section 5 it says that the apex of a DNSxL
zone may have an A record that points to a web server that contains
explanatory material.  It should of course say A and/or AAAA record.
_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]