Re: [dnsext] Fwd: djb on NXDOMAIN/NODATA for non-terminals

[Paul Vixie <vixie@isc.org>]

> From: Florian Weimer <fweimer@bfk.de>
> Date: Tue, 29 Mar 2011 09:25:05 +0000
> 
> > ...  nobody is querying intersticial names from an rbl so even if
> > there were millions of rbldnsd servers running on autopilot it would
> > not have an operational effect.
> 
> Will this remain true if ISC changes BIND to synthesize NXDOMAIN
> responses for children of names already known to not exist?

let's assume that if reimprove passes to rfc as-is that everybody will
implement it (not just ISC for BIND) and that if it does not than nobody
will implement it (not even ISC for BIND).  as to "remain true", probably
it will, since if spammers actually cared enough to pollute caches with
negative elements -- which they don't since the RBL's aren't stopping
them and they won't make more money by bypassing them even if it was
easier than this -- ...

> In many cases, it will not be too difficult to reflect a query for the
> non-terminal through the MTA, and after that, the blacklist is
> partially bypassed.  So I wouldn't be surprised if such queries turned
> somewhat popular, suddenly.

i'm trying to guess what you mean by "not too difficult".  the RBL logic
i know about is in sendmail and postfix, which always asks for the full
name.  how would you go about getting the MTA to request something like
187.152.204.rbl.mail-abuse.org assuming that trend was using rbldnsd and
would answer with nxdomain so that one could then spam less impededly
from 204.152.187.111 ?

> And regarding the idea of a new EDNS option---we already have plenty
> of NXDOMAIN signalling in the form of NSEC(3) records.  We just have
> to agree to use it.  What's worse, it seems to me that past experience
> shows that EDNS options cause interoperability issues, too.

this sounds like a veiled suggestion that we remove this from resimprove
and that someone get working on an aggressive negative caching proposal?