> On Jan 21, 2016, at 11:57 AM, Steve Atkins <[email protected]> wrote:
>
>
>> On Jan 21, 2016, at 11:35 AM, Michael Wise <[email protected]>
>> wrote:
>>
>> Back In The Day, there was a BCP for shutting down a DNSBL that included
>> running a daily check of the IP 127.0.0.1 (which should never hit), IIRC, as
>> well as 127.0.0.2 (which should always return a hit); and if my memory
>> serves, if either criterion was different (both listed or neither listed),
>> the DNSBL should be flagged as not to be trusted.
>>
>> This is from memory, I remember a discussion … a decade or so ago?
>
> It's an obviously sensible thing to do, simple, cheap and doesn't require any
> cooperation from the DNSBL operator more than all (but three) DNSBLs I know
> of already do.
>
> IIRC it's explicitly called out as something you can do in Chris and Matt's
> DNSBL RFC.
>

http://tools.wordtothewise.com/rfc/rfc5782#section-5
(DNS Blacklists and Whitelists, John Levine)

"IPv4-based DNSxLs MUST contain an entry for 127.0.0.2 for testing purposes.
IPv4-based DNSxLs MUST NOT contain an entry for 127.0.0.1. ... The combination
of a test address that MUST exist and an address that MUST NOT exist allows a
client system to check that a domain still contains DNSxL data, and to defend
against DNSxLs that deliberately or by accident install a wildcard that returns
an A record for all queries. DNSxL clients SHOULD periodically check appropriate
test entries to ensure that the DNSxLs they are using are still operating."

and

http://tools.wordtothewise.com/rfc/6471#section-3.3
(Overview of Best Email DNS-Based List (DNSBL) Operational Practices, Chris Lewis & Matt Sergeant)

"Most IP address-based DNSBLs follow a convention of query entries for IP
addresses in 127.0.0.0/8 (127.0.0.0-127.255.255.255) to provide online
indication of whether the DNSBL is operational. Many, if not most, DNSBLs
arrange to have a query of 127.0.0.2 return an A record (usually 127.0.0.2)
indicating that the IP address is listed. This appears to be a de facto
standard indicating that the DNSBL is operating correctly. ... Therefore, a
positive listing for 127.0.0.1 SHOULD indicate that the DNSBL has started
listing the world and is non-functional. ... Other results, such as 127.0.0.3,
may have different meanings. This operational flag usage and meaning SHOULD be
published on the DNSBL's web site, and the DNSBL user SHOULD periodically test
the DNSBL."

> I don't know of anyone who implemented it.
>
> Cheers,
>   Steve
>
>
> _______________________________________________
> mailop mailing list
> [email protected]
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
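A periodic health check of the kind the two RFC excerpts describe, written as an added example for this thread (it is not code from the list or from either RFC): it queries the reversed-octet names for 127.0.0.2 (MUST be listed) and 127.0.0.1 (MUST NOT be listed) and classifies the list as healthy, wildcarded, dead or inconsistent. The zone name dnsbl.example and the fake resolver are constructed so it runs offline; live_resolve is the stdlib lookup you would plug in for real use.

```python
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the list zone, e.g.
    127.0.0.2 in dnsbl.example -> 2.0.0.127.dnsbl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_resolve(name: str) -> Optional[str]:
    """Return the A record for name, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def assess_dnsbl(zone: str, resolve: Resolver = live_resolve) -> str:
    """Apply the RFC 5782 / RFC 6471 test entries to a DNSBL zone."""
    listed_1 = resolve(dnsbl_query_name("127.0.0.1", zone)) is not None
    listed_2 = resolve(dnsbl_query_name("127.0.0.2", zone)) is not None
    if listed_2 and not listed_1:
        return "ok"            # test entry present, must-not entry absent
    if listed_1 and listed_2:
        return "wildcard"      # everything answers: the list is "listing the world"
    if not listed_1 and not listed_2:
        return "dead"          # zone no longer carries any DNSxL data
    return "inconsistent"      # only 127.0.0.1 listed; do not trust the list


def make_fake_resolver(records: dict) -> Resolver:
    """Constructed stand-in for DNS so the check can be exercised offline."""
    return lambda name: records.get(name)


# Constructed scenarios for the hypothetical zone dnsbl.example.
HEALTHY = {"2.0.0.127.dnsbl.example": "127.0.0.2"}
WILDCARDED = {"2.0.0.127.dnsbl.example": "127.0.0.2",
              "1.0.0.127.dnsbl.example": "127.0.0.2"}
DEAD: dict = {}

if __name__ == "__main__":
    for label, recs in (("healthy", HEALTHY), ("wildcarded", WILDCARDED), ("dead", DEAD)):
        print(label, "->", assess_dnsbl("dnsbl.example", make_fake_resolver(recs)))
```

Anything other than "ok" should take the list out of the scoring path until an operator looks at it; a lookup that times out will surface as "dead" here, so run the check from more than one resolver before acting on it.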
