On Wed, 29 Dec 2010 22:05:16 +0100 Matthias Leisi <matth...@leisi.net> wrote:

> Today, querying IPv4 DNSxLs is more or less limited to individual IPs.
> Making a new protocol that has more flexibility is very much needed -
> one size will not fit all, especially not in the protocol design.

OK. But I think the draft is very complex and makes many DNS queries. Why not something like:

Look up the first 64 bits:

0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.whitelist.example.org

If you get back nothing, it's not whitelisted. If you get back 127.0.0.1, it's whitelisted. If you get back some magical value like 127.224.X.1, then you need to do a query against a /X (where X must be a multiple of 4 and 64 < X <= 128).

So if you wanted to list to the granularity of a /128, the query above would return 127.224.128.1 and you'd redo the query with the full 32-nibble address.

This is less flexible, but results in only one query in the common case or two in the worst case. (Naturally, you could use TXT records instead of magic A records; this is just for illustration.)

List managers would have to be *very* careful not to list networks to a fine granularity unless they know for sure the manager of the network block takes precautions against IP address spoofing (using ingress/egress filtering or similar.)

Regards,
David.
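An added example, not from this thread, of the two-step lookup David sketches, in Python: it builds the query name for the first 64 bits (assuming ip6.arpa-style reversed nibble order, which the post does not spell out), interprets a 127.0.0.1 or 127.224.X.1 answer, and re-queries at /X when asked. The zone name whitelist.example.org is the post's own; the resolver is a constructed dictionary standing in for DNS so the code runs offline, and an answer the client does not understand is treated as not listed.

```python
import ipaddress
from typing import Callable, Optional

WHITELIST_ZONE = "whitelist.example.org"  # zone name used in the post


def nibble_name(addr: str, prefix_len: int, zone: str = WHITELIST_ZONE) -> str:
    """Query name covering the first prefix_len bits of addr, one label per
    nibble, least-significant nibble first (ip6.arpa convention, assumed)."""
    if prefix_len % 4:
        raise ValueError("prefix length must be a multiple of 4")
    hexdigits = ipaddress.IPv6Address(addr).exploded.replace(":", "")  # 32 nibbles
    used = hexdigits[: prefix_len // 4]
    return ".".join(reversed(used)) + "." + zone


def is_whitelisted(addr: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """One query at /64; a second one only if the list asks for a finer prefix."""
    answer = resolve(nibble_name(addr, 64))
    if answer is None:
        return False  # no record at all: not whitelisted
    if answer == "127.0.0.1":
        return True  # whole /64 is listed
    octets = answer.split(".")
    if len(octets) == 4 and octets[:2] == ["127", "224"] and octets[3] == "1":
        x = int(octets[2])  # 127.224.X.1 -> re-query against the /X
        if x % 4 == 0 and 64 < x <= 128:
            return resolve(nibble_name(addr, x)) == "127.0.0.1"
    return False  # unknown magic value: fail closed, treat as not listed


# Constructed stub zone standing in for real DNS data (documentation prefixes).
_ZONE = {
    nibble_name("2001:db8:1::", 64): "127.0.0.1",      # entire /64 listed
    nibble_name("2001:db8:2::", 64): "127.224.128.1",  # ask for the full /128
    nibble_name("2001:db8:2::10", 128): "127.0.0.1",   # only this one host
}


def stub_resolve(name: str) -> Optional[str]:
    """Stand-in for an A lookup: the record's value, or None for NXDOMAIN."""
    return _ZONE.get(name)
```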