North American Network Operators Group

Re: what the heck do i do now?

  From: Andrew - Supernews
  Date: Sun Feb 04 21:38:58 2007

>>>>> "Warren" == Warren Kumari <[email protected]> writes:

 Warren> Sure, but if we could all agree that (or
 Warren> something) means that the BL has been shut down then in the
 Warren> future this sort of issue could be mitigated.

You don't need to agree on something - it's already possible to apply
automated checks to a DNSBL that detect all known methods of shutting
it down.

Applying these same checks in configuration tools would also prevent
users specifying things which are not live DNSBLs, thus avoiding a
lot of excess query load on nameservers that just happen to serve
domains that have been mistaken for DNSBLs.

The algorithm is very simple:

  - if is not NXDOMAIN, this is a hard failure.
  - if is NXDOMAIN or SERVFAIL, or lacks an
    A record, or has an A record which is not 127.x.x.x, then this is a
    soft failure.
  - otherwise the test passes.

DNSBLs that soft-fail should be removed from use but continue to be
tested regularly, and at least optionally added back automatically if
they pass within a reasonable period (days, say) of failing - after
that they should be treated as hard failures and removed completely.

 Warren> Yes, this doesn't fix Paul's problem (or anyone who set up a
 Warren> blacklist before this is standardized) and there is no way to
 Warren> enforce this, but it is a bunch better than not doing
 Warren> anything...

It has been possible all along, so why aren't people doing it already?

Andrew, Supernews
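The two-query test and the soft-fail handling described in the post, as an added example that is not code from the post or from Supernews; it goes a little beyond the text by tracking the grace period per zone. Assumptions are mine: the test names the post elides are taken to be the RFC 5782 entries (127.0.0.1 must never be listed, 127.0.0.2 must always be listed, written reversed under the zone), the resolver interface, the three-day grace period and the constructed answers in FAKE are not from the post.

```python
import ipaddress, socket
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple
Resolver = Callable[[str], Tuple[str, List[str]]]   # name -> (rcode, A records)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
def check_dnsbl(zone: str, resolve: Resolver) -> str:
    """The post's two-query test: 'pass', 'soft' or 'hard'. Assumption: the names the
    post elides are the RFC 5782 test entries, 127.0.0.1 (must never be listed) and
    127.0.0.2 (must always be listed), written reversed under the zone as usual."""
    rcode, _ = resolve(f"1.0.0.127.{zone}")
    if rcode != "NXDOMAIN":          # any answer here (a wildcard, say) is a hard failure
        return "hard"
    rcode, addrs = resolve(f"2.0.0.127.{zone}")
    if rcode in ("NXDOMAIN", "SERVFAIL") or not addrs:
        return "soft"                # zone not served, or served without the listing
    if any(ipaddress.ip_address(a) not in LOOPBACK for a in addrs):
        return "soft"                # a listing must answer with 127.x.x.x
    return "pass"
def socket_resolver(name: str) -> Tuple[str, List[str]]:
    """Live lookups through the system stub (EAI_NONAME ~ NXDOMAIN, other errors ~ SERVFAIL)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
        return "NOERROR", sorted({ai[4][0] for ai in infos})
    except socket.gaierror as exc:
        return ("NXDOMAIN" if exc.errno == socket.EAI_NONAME else "SERVFAIL"), []
class DnsblMonitor:
    """Soft-failers leave use but stay under test; no pass within `grace` -> hard, dropped."""
    def __init__(self, zones: List[str], resolve: Resolver, grace=timedelta(days=3)):
        self.resolve, self.grace, self.active = resolve, grace, set(zones)
        self.soft_since: Dict[str, datetime] = {}   # zone -> time of first soft failure
        self.dead: set = set()
    def run(self, now: datetime) -> Dict[str, str]:
        results = {}
        for zone in sorted(self.active | set(self.soft_since)):
            status = results[zone] = check_dnsbl(zone, self.resolve)
            self.active.discard(zone)
            if status == "pass":
                self.active.add(zone); self.soft_since.pop(zone, None)
            elif status == "hard" or now - self.soft_since.get(zone, now) > self.grace:
                self.soft_since.pop(zone, None); self.dead.add(zone)
            else:
                self.soft_since.setdefault(zone, now)
        return results

# Constructed answers for an offline demonstration; none of these are real DNSBLs.
FAKE = {"1.0.0.127.good.example": ("NXDOMAIN", []), "2.0.0.127.good.example": ("NOERROR", ["127.0.0.2"]),
        "1.0.0.127.gone.example": ("NXDOMAIN", []), "2.0.0.127.gone.example": ("SERVFAIL", []),
        "1.0.0.127.parked.example": ("NOERROR", ["192.0.2.10"])}
fake_resolver = lambda name: FAKE.get(name, ("NXDOMAIN", []))
```

Pass `socket_resolver` instead of `fake_resolver` to test real zones; `parked.example` shows why a wildcard domain mistaken for a DNSBL must be a hard failure rather than a retry candidate.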