Re: [Asrg] domain specific DNS blacklists (or whitelists)

Roland <list-asrg@openrbl.org> Mon, 03 March 2003 20:36 UTC

Orig-Date: Mon, 03 Mar 2003 21:32:01 +0100
From: Roland <list-asrg@openrbl.org>
To: ASRG <asrg@ietf.org>
Subject: Re: [Asrg] domain specific DNS blacklists (or whitelists)
In-Reply-To: <x44r6kckw1.fsf_-_@footbone.midwestcs.com>
References: <Pine.GSO.4.10.10303021850100.11719-100000@nber1.nber.org> <20030303092027.GA3073@danisch.de> <x44r6kckw1.fsf_-_@footbone.midwestcs.com>
Message-ID: <courier.3E63BBA5.00006692@msgid.vqx.net>
Date: Mon, 03 Mar 2003 20:31:33 +0000

--wayne wrote on 03.03.03 13:25 -0600:

> In <20030303092027.GA3073@danisch.de> Hadmut Danisch <hadmut@danisch.de> writes:
> 
>> > Why this is superior to Adam Filip's proposal (
>> > http://groups.google.com/groups?q=vixie+mx+records+spam&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3E18B0B3.43939A35%40Andrzej.Adam.Filip&rnum=10
>> > )  to overload the existing MX record?
> 
> This proposal appears to overload A records, not MX records.

Getting a new RR implemented into bind will likely take years;
a solution based on the existing records could be much faster.

The solution as presented in the posting of Andrzej Filip would
reject mail from the whole NU-TLD by default, and also from any
domain which has a wildcard defined:

$ dig 4.3.2.1.smtp-out.anything.nu

At least one should reject only if 127.0.0.2 gets returned; many
dnsbl implementations already allow distinguishing by the last
octet, and there are many more MTAs than sendmail
(which should be _immediately_ updated to 8.12.8 because of a
dangerous remote root compromise, btw).

But the current scheme of dnsbl really only works for blacklists;
this application would be a whitelist by definition, and the
implementation requires some more work.

One solution could be to reserve a magic (like 127.0.0.127 or maybe
better something like 255.255.255.255) for this purpose and create
some kind of standard which also may be used by other whitelists,
and can be easily integrated into the code of existing dnsbl-clients.

A-records are preferred because all dnsbl-clients (except rblsmtpd
which only queries for TXT) already know how to look them up.

Roland

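The wildcard and last-octet points in the message above, as an added example (not part of the original message and not any MTA's or DNSBL client's code). The zone data is constructed, `resolve_a` is a hypothetical offline stand-in for an A lookup with simplified wildcard matching, and 127.0.0.127 is used as the whitelist marker only because the message suggests it as a candidate.

```python
import ipaddress

REJECT_CODE = ipaddress.ip_address("127.0.0.2")        # value named in the message
WHITELIST_MAGIC = ipaddress.ip_address("127.0.0.127")  # candidate from the message, not a standard

# Constructed zone data: hypothetical names, documentation address space.
ZONE = {
    "4.3.2.1.smtp-out.listed.example": ["127.0.0.2"],     # explicit listing
    "4.3.2.1.smtp-out.allowed.example": ["127.0.0.127"],  # explicit whitelist entry
    "*.wild.example": ["192.0.2.80"],                     # wildcard: answers for any name
}

def resolve_a(name, zone=ZONE):
    """Offline stand-in for an A query: exact match, then nearest wildcard."""
    name = name.rstrip(".").lower()
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return []  # NXDOMAIN / no data

def query_name(ip, domain, label="smtp-out"):
    """Build the dnsbl-style name, e.g. 4.3.2.1.smtp-out.anything.nu."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + f".{label}.{domain}"

def naive_verdict(ip, domain):
    """Treats any A answer as a hit, so a wildcard matches every sender."""
    return "reject" if resolve_a(query_name(ip, domain)) else "no-listing"

def strict_verdict(ip, domain):
    """Acts only on the reserved return values; other answers are ignored."""
    answers = {ipaddress.ip_address(a) for a in resolve_a(query_name(ip, domain))}
    if WHITELIST_MAGIC in answers:
        return "whitelisted"
    if REJECT_CODE in answers:
        return "reject"
    return "no-listing"

if __name__ == "__main__":
    for dom in ("listed.example", "allowed.example", "wild.example", "none.example"):
        print(dom, naive_verdict("1.2.3.4", dom), strict_verdict("1.2.3.4", dom))
```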