The Spamhaus-supported version of rbldnsd may understand the use of keys
in this fashion.

If an ordinary DNS server is configured correctly, it should return
NXDOMAIN for those who don't know the key (the DNS server is SOA'd to
the base name, not the base+key). But this will be a problem if you want
to have multiple keys.

On 2021-11-04 9:28 a.m., Nicolas JEAN via mailop wrote:
> On 03/11/2021 15:20, Bill Cole via mailop wrote:
>> On 2021-11-03 at 05:42:36 UTC-0400 (Wed, 3 Nov 2021 10:42:36 +0100)
>> Nicolas JEAN via mailop <nico+mai...@lightmeter.io>
>> is rumored to have said:
>>> On 15/10/2021 23:22, Paul Gregg via mailop wrote:
>>>> The trick to this is not to limit by IP address - but to implement
>>>> service (API) keys.
>>>> e.g. each authorised user is given a key e.g. sj3Fa3Gomd937Z12
>>>> Then they make queries for
>>>> 44.33.22.11.sj3Fa3Gomd937Z12.myserver.example.com.
>>>> That way you don't care what IP it comes from, but you know who it is.
>>> Nice trick. :)
>>> Unfortunately, it seems that it would require modifications to e.g.
>>> postfix, or other software, in order to add that identifying string
>>> to the DNS query.
>> Not software modification, just normal configuration.
>> In Postfix, postscreen_dnsbl_sites, reject_rbl_client, and every other
>> directive to do DNSBL queries takes arbitrary zone labels as the basis
>> of queries so you can just use secretclientkey.dnsbl.example.com
>> instead of dnsbl.example.com. Postfix also has the ability to
>> customize the error message sent to listed clients so that you do not
>> reveal your client key.
> Thanks Paul and Bill, you're right.
> So it just amounts to some DNS config, and writing the DNS server
> software that recognizes and acts upon the given 'secret', then.
> Regards,
> Nico
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
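
The server-side decision discussed in this thread, as an added example that is not code from any poster or from rbldnsd: it splits a keyed query name into reversed IP and key label, supports several client keys at once, and answers unknown keys with NXDOMAIN. The second key, the listed address and the function names are constructed for illustration; 127.0.0.2 is the conventional DNSBL "listed" answer.

```python
import hmac
import ipaddress

BASE_ZONE = "myserver.example.com"           # base name used in the thread
# Constructed sample data: client keys (second one invented) and listed IPs.
CLIENT_KEYS = {"sj3Fa3Gomd937Z12": "client-a", "Qw8Lm2Xz91Tr5Kp0": "client-b"}
LISTED = {ipaddress.ip_address("11.22.33.44")}
NXDOMAIN = "NXDOMAIN"
LISTED_ANSWER = "127.0.0.2"


def lookup_client(key):
    """Return the client name for a key label, or None if it is unknown.

    DNS names are case-insensitive and resolvers may change letter case,
    so keys are compared lowercased. Every entry is checked with a
    constant-time comparison rather than stopping at the first match.
    """
    found = None
    for known, client in CLIENT_KEYS.items():
        if hmac.compare_digest(known.lower().encode(), key.lower().encode()):
            found = client
    return found


def answer(qname):
    """Decide the reply for one query name: (client or None, answer)."""
    name = qname.rstrip(".")
    suffix = "." + BASE_ZONE
    if not name.lower().endswith(suffix):
        return None, NXDOMAIN
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 5:                      # four reversed octets + key label
        return None, NXDOMAIN                 # includes queries with no key
    *octets, key = labels
    client = lookup_client(key)
    if client is None:                        # unknown key: same as a missing name
        return None, NXDOMAIN
    try:
        ip = ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return client, NXDOMAIN
    return client, LISTED_ANSWER if ip in LISTED else NXDOMAIN
```

The returned client name is what lets the operator attribute or rate-limit queries per key instead of per source IP.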