Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blacklists and Whitelists)
SM <sm@resistor.net> Tue, 11 November 2008 22:22 UTC
Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 51E1028C184; Tue, 11 Nov 2008 14:22:04 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D85A28C184 for <ietf@core3.amsl.com>; Tue, 11 Nov 2008 14:22:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Level:
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GDQFugagmTFa for <ietf@core3.amsl.com>; Tue, 11 Nov 2008 14:22:01 -0800 (PST)
Received: from ns1.qubic.net (ns1.qubic.net [208.69.177.116]) by core3.amsl.com (Postfix) with ESMTP id 880C328C162 for <ietf@ietf.org>; Tue, 11 Nov 2008 14:22:01 -0800 (PST)
Received: from subman.resistor.net ([10.0.0.1]) (authenticated bits=0) by ns1.qubic.net (8.14.3/8.14.3) with ESMTP id mABMLppe020922 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf@ietf.org>; Tue, 11 Nov 2008 14:21:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1226442120; x=1226528520; bh=9FGhqnShuugyYn/ajIqhkw0giY9w51JAWwuCLVBlwnM=; h=Message-Id:Date:To:From:Subject:In-Reply-To:References: Mime-Version:Content-Type:Cc; b=IobmYp3rendGJsuwOIgEF+o6cZOJB38q/XCEndxKCeBHGY45OIGj8tWd1QFfb4MNR T3TF77c9urH2fqnDP6PNx71EWGp6g1uT/+EyM58KJOaXBFyNN6j1L3rHsX2dP7qPE1 Xx9Crvqoxc5tSDwxYcCQBUnkwtlPFWzMM/NTsQ5c=
DomainKey-Signature: a=rsa-sha1; s=mail; d=resistor.net; c=simple; q=dns; b=hJMmkk6SXoVPrbk53AXk6dHuAMlzHp/FHvMuMlv1eBe6egywNXXaE27CEZCUImlUa glb6+2Rz0sVj/YPa5/JNHjFT11hdWG1TMmyRSHiIZT6eWxR/uJjOKNGGlOSwj1u98p9 9M2A+uwNxMfFyTULr8bbOygvpjjEqd6Nl20lfnY=
Message-Id: <6.2.5.6.2.20081111113937.02c66538@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Tue, 11 Nov 2008 14:02:10 -0800
To: ietf@ietf.org
From: SM <sm@resistor.net>
Subject: Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blacklists and Whitelists)
In-Reply-To: <200811102019.PAA20968@Sparkle.Rodents-Montreal.ORG>
References: <200811091733.MAA04258@Sparkle.Rodents-Montreal.ORG> <491879D3.5020907@network-heretics.com> <200811102019.PAA20968@Sparkle.Rodents-Montreal.ORG>
Mime-Version: 1.0
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
At 11:50 10-11-2008, der Mouse wrote: >What the IETF _does_ have a chance to do here is to improve the quality >of a critical piece of Internet infrastructure (email without DNSLs in >today's net is either unusable or very heavily balkanized) by >standardizing those aspects that are in shape to be standardized. The >IETF says "rough consensus and running code". We have the running >code. We even have something close to rough consensus in the field, in >the form of the many DNSL providers and users; I hope the IETF can >recognize that consensus and echo it enough to do what it can to help. As this document is Standard Track, it's in the IETF stream. Documents on the Standard track require IETF review and the consensus of the IETF community. It's not the same as rough consensus in the field. Quoting the document: "This document represents the consensus of the Anti-Spam Research Group of the Internet Research Task Force." If this document is published in its current form, I suggest removing the IRTF Notice. There is a large user-base for DNSBLs as it's viewed as a cheap (resource-wise) way to stop spam. Most MTAs have built-in features to query DNSBLs and reject incoming SMTP connections if the IP address is listed. Some vendors enable DNSBLs in the default configuration of the MTA they ship. This has lead to problems over the years as some DNSBLs were receiving queries even after they were shut down. Some of them resorted to returning positive responses for all queries get the attention of the mail administrator as it caused all mail to be rejected. The document recommends that: "DNSxL clients SHOULD periodically check appropriate test entries to ensure that the DNSxLs they are using are still operating." That would require a change, for the better, in the implementation of DNSBLs in MTAs. I would go further and suggest that DNSxL clients should rate limit their queries if the test address does not exist and must not generate queries to the DNSxL if the test is unsuccessful after a period of time. In Section 6: "A client MUST interpret any returned A record as meaning that an address or domain is listed in a DNSxL." There have been cases where a mail server used a DNS server which returned an A record instead of NXDOMAIN. That can lead to incorrect results if the above recommendation is followed. It may be better for the client to validate the returned A record for correctness. The Security Considerations could have been more exhaustive for a Standard Track document. For example, if the DNSxLs are unresponsive, it can affect mail delivery. DNSBLs are somewhat different from other DNS based services due to their controversial role. They are generally subject to Denial of Service and it is worth the emphasis instead of only having a pointer to RFC 3833. "Since DNSxL users usually make a query for every incoming e-mail message, the operator of a DNSxL can extract approximate mail volume statistics from the DNS server logs." Operators of some types of DNSxLs might also be able to extract some information about the senders. As mentioned in the document, name-based DNSBLs are also used to check the domains found in URLs in message bodies. That can lead to unintended information disclosure. Regards, -sm _______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Stephane Bortzmeyer
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John Levine
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Stephane Bortzmeyer
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John L
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Dave CROCKER
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Sam Hartman
- The purpose of a Last Call Dave CROCKER
- RE: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Livingood, Jason
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Doug Otis
- Re: The purpose of a Last Call Pete Resnick
- Re: The purpose of a Last Call Sam Hartman
- Re: The purpose of a Last Call Leslie Daigle
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John C Klensin
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… ned+ietf
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Dave CROCKER
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Eric Rescorla
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Dave CROCKER
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John Levine
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Steven M. Bellovin
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Eric Rescorla
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John C Klensin
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John C Klensin
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John Levine
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Paul Hoffman
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Doug Ewell
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- draft-irtf-asrg-bcp-blacklists John Leslie
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Theodore Tso
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John Levine
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: draft-irtf-asrg-bcp-blacklists SM
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Theodore Tso
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John Levine
- Re: draft-irtf-asrg-bcp-blacklists John Levine
- Re: draft-irtf-asrg-bcp-blacklists Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… David Conrad
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John C Klensin
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John C Klensin
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John C Klensin
- RE: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Livingood, Jason
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John Levine
- RE: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Livingood, Jason
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Matthias Leisi
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- RE: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… michael.dillon
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Tony Hansen
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Steven M. Bellovin
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Matthias Leisi
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John Levine
- RE: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Livingood, Jason
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Dave CROCKER
- RE: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Steve Linford
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Tony Finch
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… der Mouse
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Tony Finch
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Tony Finch
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Tony Finch
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Tim Chown
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Theodore Tso
- RE: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… michael.dillon
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Steve Linford
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Lisa Dusseault
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Joe St Sauver
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Jamie Tomasello
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Tony Finch
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… der Mouse
- Re: draft-irtf-asrg-bcp-blacklists Rich Kulawiec
- IPv6 traffic stats (was: Re: Last Call: draft-irt… David Kessens
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Keith Moore
- Re: IPv6 traffic stats Harald Alvestrand
- Re: IPv6 traffic stats Turchanyi Geza
- Re: IPv6 traffic stats Harald Alvestrand
- Re: IPv6 traffic stats Marc Manthey
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… SM
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Andrew Sullivan
- Re: IPv6 traffic stats Pekka Savola
- Re: IPv6 traffic stats Harald Alvestrand
- RE: IPv6 traffic stats Hallam-Baker, Phillip
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Tony Finch
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Andrew Sullivan
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Tony Finch
- Re: IPv6 traffic stats Geoff Huston
- Re: IPv6 traffic stats Peter Sherbin
- Re: IPv6 traffic stats Pekka Savola
- Re: IPv6 traffic stats (was: Re: Last Call: draft… Danny McPherson
- Re: IPv6 traffic stats Danny McPherson
- Re: IPv6 traffic stats Iljitsch van Beijnum
- Re: IPv6 traffic stats Iljitsch van Beijnum
- Re: IPv6 traffic stats (was: Re: Last Call: draft… David Kessens
- RE: IPv6 traffic stats TJ
- Re: IPv6 traffic stats (was: Re: Last Call: draft… Danny McPherson
- Re: IPv6 traffic stats (was: Re: Last Call: draft… David Kessens
- Re: IPv6 traffic stats (was: Re: Last Call: draft… Olivier MJ Crepin-Leblond
- Re: IPv6 traffic stats - limitations of 6to4 Pekka Savola
- Re: IPv6 traffic stats Pekka Savola
- Re: IPv6 traffic stats - limitations of 6to4 Rémi Després
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Doug Otis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Florian Weimer
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Florian Weimer
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Mark Andrews
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Florian Weimer
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Chris Lewis
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Florian Weimer
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… John Levine
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Florian Weimer
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Mark Andrews
- Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blackli… Mark Andrews
- Re: Last Call: draft-irtf-asrg-blinds (DNS Blackl… Chris Lewis