North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: what the heck do i do now?
>>>>> "Warren" == Warren Kumari <[email protected]> writes: Warren> Sure, but if we could all agree that 127.255.255.255 (or Warren> something) means that the BL has been shutdown then in the Warren> future this sort of issue could be mitigated. You don't need to agree on something - it's already possible to apply automated checks to a DNSBL that detect all known methods of shutting it down. Applying these same checks in configuration tools would also prevent users specifying things which are not live DNSBLs, thus avoiding a lot of excess query load on nameservers that just happen to serve domains that have been mistaken for DNSBLs. The algorithm is very simple: - if 220.127.116.11.dnsbl.example. is not NXDOMAIN, this is a hard failure. - if 18.104.22.168.dnsbl.example. is NXDOMAIN or SERVFAIL, or lacks an A record, or has an A record which is not 127.x.x.x, then this is a soft failure. - otherwise the test passes. DNSBLs that soft-fail should be removed from use but continue to be tested regularly, and at least optionally added back automatically if they pass within a reasonable period (days, say) of failing - after that they should be treated as hard failures and removed completely. Warren> Yes, this doesn't fix Paul's problem (or anyone who setup a Warren> blacklist before this is standardized) and there is no way to Warren> enforce this, but it is bunch better than not doing Warren> anything... It has been possible all along, so why aren't people doing it already? -- Andrew, Supernews http://www.supernews.com