On 12/30/2010 12:47 PM, David F. Skoll wrote:
> On 30 Dec 2010 17:13:07 -0000
> John Levine <jo...@taugh.com> wrote
>> We'll have to change our software to handle v6 lookups no matter what,
>> so I don't see it as a big deal whether it's a small change or a
>> slightly larger change.
> I agree, so I propose a much larger change: Stop using DNS for this
> purpose.  I don't think it's the right tool for the job.
>
> Any protocol that makes lookups in a huge address space efficient and
> efficiently-cacheable is going to leak much of the list information.
> So why not just distribute copies of the entire list in a format that
> permits efficient lookups and efficient synchronization (eg with
> rsync)?

Which leads to another potential problem....

If blacklists like CBL are currently at 100 MBs (for IPv4)... the bloat
for IPv6 could break DNSBLs. RSYNCing Gigabyte (or terabyte!) -sized
files is memory and CPU intensive. Loading those into rbldnsd is also
resource expensive! Furthermore, getting that data out to DNS mirrors
quickly and efficiently is going to be a nightmare! And... this requires
that ALL mirrors be upgraded to accommodate the vastly larger size.

A better solution (John, I hope you are willing to help with this...)
involves some combination of the following three ideas:

(1) create a standard whereby non-authenticated IPv6 mail can ONLY be
accepted by certain IPs (such as x.x.x.0, if this were an IPv4 rule...
translate that to IPv6... perhaps just one designated IP per /48 ??) Any
other IP tries to send mail, and it gets rejected if it isn't your own
user doing SMTP AUTH. Btw - yes, your household appliance can STILL send
an email... it will just have to SMTP authenticate to a more valid
server first!

(2) Why can't "Forward Confirmed reverse DNS" (FCrDNS) become a standard
for IPv6? And we just all agree to reject anything less than this?
(sure, some will ignore that... but if enough of us stick together on
that... including a few large ISPs... this should gain critical mass!)

(3) A shifting of focus on whitelists is important... but some of those
shouldn't really be "whitelists" in the traditional sense. Instead, they
should merely indicate that an IP is a candidate for sending mail. Call
it an "IPv6-sender's list". Don't accept mail unless the sender's IP is
on that list... THEN check that IP against an IPv6 blacklist. To get on
the generic "IPv6-sender's list" is easy... but might require (a)
FCrDNS, (b) filling out a CAPTCHA-protected form, (c) e-mail
verification, using a non-freemail e-mail address, (d) NOT having a
non-hidden registration for the domain used in the e-mail address, etc,
etc, etc. At the least this prevents a spammer from sending a million
spams from a million individual IPs, with each IP never to be seen
again--and then bloating IPv6 DNSBLs with useless data! Yes, spammers
will /easily/ get on the "IPv6-sender's list".. and if that bothers you,
you've missed the point! Sure, you can /also/ have REAL whitelists...
but they'd serve a different purpose. Now... who would run the
"IPv6-sender's list"? ...I don't know. Even if just individual DNSBLs
did this, that would be helpful!!

Time is short. If these types of things aren't in an RFC soon, it will
be too late. John, please feel free to take any of these ideas and put
them in an RFC. No need to give me any credit. I doubt that I'm the
first to think of these things anyways!

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
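An added illustration of the acceptance order Rob sketches in points (2) and (3), not code from the thread or from any of the lists named in it: require forward-confirmed reverse DNS, require the sender to be on an "IPv6-sender's list", and only then consult the blacklist. The resolver is a constructed in-memory table so it runs offline; every name, address and list entry below is invented sample data.

```python
import ipaddress

# Constructed stand-in for DNS: PTR records keyed by address, AAAA by name.
PTR = {
    "2001:db8:1::25": ["mx1.example.net"],
    "2001:db8:2::25": ["mail.example.org"],  # forward record will not agree
    "2001:db8:3::25": ["spam.example.com"],
}
AAAA = {
    "mx1.example.net": ["2001:db8:1::25"],
    "mail.example.org": ["2001:db8:9::1"],   # does not point back to sender
    "spam.example.com": ["2001:db8:3::25"],
}
SENDER_LIST = {"2001:db8:1::25", "2001:db8:3::25"}  # constructed sample
BLACKLIST = {"2001:db8:3::25"}                       # constructed sample


def norm(ip: str) -> str:
    """Canonical text form so '2001:0db8:1::25' and '2001:db8:1::25' match."""
    return str(ipaddress.IPv6Address(ip))


def fcrdns(ip: str) -> bool:
    """FCrDNS: at least one PTR name of ip must resolve forward to ip."""
    ip = norm(ip)
    for name in PTR.get(ip, []):
        if ip in {norm(a) for a in AAAA.get(name, [])}:
            return True
    return False


def policy(ip: str) -> str:
    """Cheap structural checks first, blacklist lookup last, so throwaway
    addresses that never earn a sender-list entry never reach the DNSBL."""
    ip = norm(ip)
    if not fcrdns(ip):
        return "reject: no FCrDNS"
    if ip not in SENDER_LIST:
        return "reject: not on IPv6-sender's list"
    if ip in BLACKLIST:
        return "reject: blacklisted"
    return "accept"
```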
