https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6484
--- Comment #36 from D. Stussy <[email protected]> 2011-06-27 00:02:29 UTC ---

I have a solution to the problem of the IPv4/IPv6 lookup overlap (which will hold true for other DNS based lists too). It involves the DNS DNAME-RR. However, for the FULL IPv6 address space, it may not scale well as it would require 16,666 DNAME entries in a given zone. There is NO need to further modify SA for this solution, but SA should still be modified so as not to make unnecessary queries (i.e. to IPv4-only or IPv6-only databases).

The Solution - DNS records only. Takes advantage of two factors:

1) Some IPv6 labels in the reverse zone are alphabetic -- which never appears in an IPv4 reverse.
2) The nature of the DNAME-RR once we get to 4 specified label levels.

Let's call the IPv4 based list "dnsbl4.example.org." Let's let the IPv6 based list "dnsbl6.example.org" also exist.

First, let's eliminate/redirect the last six labels of the IPv6 address range. (Using BIND syntax):

$ORIGIN dnsbl4.example.org.
;
; 6 labels take care of the top 37.5% of IPv6 space:
;
A IN DNAME A.dnsbl6.example.org.
...
F IN DNAME F.dnsbl6.example.org.
;
; Repeating this for the second nybble does scale for BIND.
; Other DNS software - you're on your own....
; This adds 60 more DNAME-RR's (23.4375% coverage of IPv6 space)
;
$GENERATE 0-9 A.$ IN DNAME A.$.dnsbl6.example.org.
...
$GENERATE 0-9 F.$ IN DNAME F.$.dnsbl6.example.org.
;

Repeating that with a two-level generate (if permitted; else by hand) for 600 more records takes care of all 3-label levels. (Another 14.648%)

At the 4th label level, we have 16,000 DNAMES generated (16 x 10^3), and in that leading label (the least significant), we generate all 16 hexadecimal digits (the remaining 24.414%). Such yields entries such as:

1.0.0.2 IN DNAME 1.0.0.2.dnsbl6.example.org.
2.0.0.2 IN DNAME 2.0.0.2.dnsbl6.example.org.
3.0.0.2 IN DNAME 3.0.0.2.dnsbl6.example.org.
...
Since DNAME implicitly requires a label below that specified (as it applies to subzones only), this does not conflict with IPv4 addresses which would terminate here. However, it does mean that IPv4 addresses NOT listed which overlap with IPv6 prefixes may no longer return "NXDOMAIN" but may return "NOERROR" with zero answers. Hopefully, no DNS-based list query (including DNSBLs and DNSWLs) would react differently.

I have also posted this idea to Usenet and maybe we should have comments there?
cf. Newsgroups: news.admin.net-abuse.email,news.admin.net-abuse.misc,alt.ipv6,alt.internet.ipv6,alt.comp.networking.ipv6,alt.dns

Since we currently don't have to cover 100% of IPv6 address space at this time, we could get by with fewer than the 16,666 DNAME RR's needed for full coverage.
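The following is an added example and is not part of the bug report, the comment above, or SpamAssassin. It builds the full DNAME set the comment describes (6 + 60 + 600 + 16,000 owners), checks that the set covers exactly 100% of the IPv6 space, and simulates how an authoritative server applies those records under RFC 6672, where a DNAME redirects only names strictly below its owner. The zone names dnsbl4.example.org / dnsbl6.example.org are taken from the comment; the listing value 127.0.0.2, the sample addresses, and the function names are assumptions made for the example.

```python
# Added example (not from the bug report or SpamAssassin): the DNAME scheme
# from comment #36, plus a simulation of how a server answers under it.
# Assumptions: zone names as in the comment, 127.0.0.2 as the listing value,
# sample addresses chosen to hit each of the four DNAME levels.
import ipaddress
from fractions import Fraction

V4_ZONE = "dnsbl4.example.org."
V6_ZONE = "dnsbl6.example.org."
DIGITS = "0123456789"
LETTERS = "abcdef"
HEX = DIGITS + LETTERS


def dname_owners():
    """Relative owner names of every DNAME in the scheme, in DNS label order
    (the label nearest the apex is the most significant nybble of the address)."""
    owners = []
    owners += list(LETTERS)                                               # 6: top nybble a-f
    owners += [f"{n2}.{n1}" for n1 in DIGITS for n2 in LETTERS]          # 60
    owners += [f"{n3}.{n2}.{n1}" for n1 in DIGITS for n2 in DIGITS
               for n3 in LETTERS]                                        # 600
    owners += [f"{n4}.{n3}.{n2}.{n1}" for n1 in DIGITS for n2 in DIGITS
               for n3 in DIGITS for n4 in HEX]                           # 16000
    return owners


DNAMES = frozenset(dname_owners())


def coverage():
    """Fraction of the IPv6 space redirected: an owner with k nybble labels
    covers 16**-k of it. The four levels should sum to exactly 1."""
    return sum(Fraction(1, 16 ** (o.count(".") + 1)) for o in DNAMES)


def zone_lines():
    """BIND-style records, fully expanded instead of using $GENERATE."""
    return [f"{o} IN DNAME {o}.{V6_ZONE}" for o in dname_owners()]


def dnsbl_name(addr, zone):
    """Query name a DNSBL client builds: reversed octets for IPv4,
    reversed nybbles for IPv6, under the list zone."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def lookup(qname, listed=frozenset(), dnames=DNAMES, zone=V4_ZONE):
    """Simulate the authoritative answer to an A query in the IPv4 list zone.
    `listed` holds relative owner names that carry an A record (IPv4 listings).
    Returns (rcode_or_DNAME, data)."""
    qname = qname.lower()
    if not qname.endswith("." + zone):
        raise ValueError("query outside the zone")
    rel = qname[: -len(zone) - 1]
    labels = rel.split(".")
    # Walk from the apex downwards looking for a DNAME at a *proper* ancestor
    # of the query name; the owner itself is never redirected (RFC 6672).
    for k in range(1, len(labels)):
        owner = ".".join(labels[-k:])
        if owner in dnames:
            prefix = ".".join(labels[:-k])
            return ("DNAME", f"{prefix}.{owner}.{V6_ZONE}")
    if rel in listed:
        return ("NOERROR", "127.0.0.2")
    if rel in dnames:
        # The name exists (it owns a DNAME) but has no A record:
        # NOERROR with an empty answer, not NXDOMAIN.
        return ("NOERROR", None)
    return ("NXDOMAIN", None)
```

Running `lookup()` on the IPv6 names for 2001:db8::1, 2a02::1 and fd00::1 shows the 4-, 3- and 1-label DNAMEs rewriting the query into dnsbl6.example.org, while the IPv4 name for 2.0.0.1 lands exactly on the owner 1.0.0.2 and gets NOERROR with no data (the caveat in the comment), and 10.0.0.2 still gets NXDOMAIN because no single-nybble owner matches its reversed labels. A real server such as BIND also synthesizes a CNAME alongside the DNAME in the response; the simulation omits that and returns the rewritten name directly.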
