Re: [dnsext] Fwd: djb on NXDOMAIN/NODATA for non-terminals

Paul Vixie <> Tue, 29 March 2011 13:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 281233A67B3 for <>; Tue, 29 Mar 2011 06:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.365
X-Spam-Status: No, score=-2.365 tagged_above=-999 required=5 tests=[AWL=-0.081, BAYES_00=-2.599, SARE_MILLIONSOF=0.315]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id j5RSP-uM-iSq for <>; Tue, 29 Mar 2011 06:02:10 -0700 (PDT)
Received: from (unknown [IPv6:2001:4f8:3:bb:230:48ff:fe5a:2f38]) by (Postfix) with ESMTP id 676813A67A6 for <>; Tue, 29 Mar 2011 06:02:10 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 4BF73A1031 for <>; Tue, 29 Mar 2011 13:03:47 +0000 (UTC) (envelope-from
From: Paul Vixie <>
In-Reply-To: Your message of "Tue, 29 Mar 2011 09:25:05 GMT." <>
References: <> <> <> <> <>
X-Mailer: MH-E 8.2; nmh 1.3; XEmacs 21.4 (patch 22)
Date: Tue, 29 Mar 2011 13:03:47 +0000
Message-ID: <>
Subject: Re: [dnsext] Fwd: djb on NXDOMAIN/NODATA for non-terminals
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Mar 2011 13:02:12 -0000

> From: Florian Weimer <>
> Date: Tue, 29 Mar 2011 09:25:05 +0000
> > ...  nobody is querying intersticial names from an rbl so even if
> > there were millions of rbldnsd servers running on autopilot it would
> > not have an operational effect.
> Will this remain true if ISC changes BIND to synthesize NXDOMAIN
> responses for children of names already known to not exist?

let's assume that if reimprove passes to rfc as-is that everybody will
implement it (not just ISC for BIND) and that if it does not than nobody
will implement it (not even ISC for BIND).  as to "remain true", probably
it will, since if spammers actually cared enough to pollute caches with
negative elements -- which they don't since the RBL's aren't stopping
them and they won't make more money by bypassing them even if it was
easier than this -- ...

> In many cases, it will not be too difficult to reflect a query for the
> non-terminal through the MTA, and after that, the blacklist is
> partially bypassed.  So I wouldn't be surprised if such queries turned
> somewhat popular, suddenly.

i'm trying to guess what you mean by "not too difficult".  the RBL logic
i know about is in sendmail and postfix, which always asks for the full
name.  how would you go about getting the MTA to request something like assuming that trend was using rbldnsd and
would answer with nxdomain so that one could then spam less impededly
from ?

> And regarding the idea of a new EDNS option---we already have plenty
> of NXDOMAIN signalling in the form of NSEC(3) records.  We just have
> to agree to use it.  What's worse, it seems to me that past experience
> shows that EDNS options cause interoperability issues, too.

this sounds like a veiled suggestion that we remove this from resimprove
and that someone get working on an aggressive negative caching proposal?