nanog mailing list archives

Re: Anyone from AT&T here? (AT&T bogus DNSBL answers)


From: Paul Vixie <vixie () vix com>
Date: 19 Apr 2004 21:41:54 +0000


i consider myself an expert on the question, "what dns is not".  for
example, dns is not a directory service, or, dns is not a load balancer,
or, dns is about fact rather than policy.  so, when Michael Dillon wrote
about this topic today, i decided to pay attention:

DNSBLs are using the DNS to do general purpose database
lookups instead of using a generic database lookup
protocol like LDAP.

dns is a distributed, reliable, autonomous, hierarchical database.  any
data you can map into rrsets and ownernames is "fair game."  see the
second half of rfc1101 (the part that goes beyond network naming) to see
what the inventor had in mind.  dns blackhole lists (of which eric
ziegast invented the first one as a way to encode the first RBL into a
format sendmail could read) are an excellent example of what i call "DNS
Services".  just as the web has all kinds of things on it that aren't
web pages (or web browsers) and we call those "Web Services".

It's not surprising that this sort of ugly hack has unintended side
effects. After all, people who build DNS infrastructure intend it to
be used for generic DNS translations, not generic database lookups.

just because it isn't gethostbyname() or gethostbyaddr() and isn't
replacing the use of YP/NIS or /etc/hosts or HOSTS.TXT, does not make
it inappropriate for dns.  indeed, RFC1034 2.1, 2.2 and especially 2.3
go into this in detail, so you don't need to read the (later) RFC1101
document to get the full flavour of the inventor's intentions for DNS.

Funny thing is that most mailer software that uses DNSBLs also
supports LDAP database lookups so there is really no good reason why
DNSBLs exist in the first place.

at the time the first DNS blackhole list was invented (here, by ziegast),
there was no support for LDAP in the version of sendmail we were running.

now that there are a hundred or more diverse/disparate DNS blackhole lists,
i think the likelihood of changing the way blackhole data is delivered to
be LDAP rather than DNS should be considered a "very long range" goal, or
worse.

IMHO, the DNSBL experiment has proved the usefulness of having a
variety of blacklist/whitelist/greylist databases for mail servers to
query. It's high time that folks shift these databases onto a protocol
that does not interfere with the Internet's critical DNS systems and I
believe that LDAP is that protocol.

re-inventing a distributed, hierarchical, autonomous, reliable database
just to avoid using DNS as its inventor intended it, seems like a great
waste of time, IMHO.
-- 
Paul Vixie
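The "data mapped into rrsets and ownernames" encoding that the thread argues about, as an added example (not code from the thread or from any DNSBL operator): the queried address becomes reversed labels under the list's zone, and a listing comes back as A records inside 127.0.0.0/8. The zone name bl.example, the return codes and the in-memory stand-in for a resolver are constructed; the IPv6 nibble form follows the later RFC 5782 convention and goes beyond what the thread discusses. An answer outside 127/8 is treated as bogus rather than as a listing, which is the check a mail operator would want against the kind of broken answers in the thread's subject line.

```python
import ipaddress

# Constructed stand-in for a DNSBL zone: ownername -> A records returned.
# Real lists publish their own return-code meanings; these are assumptions.
SAMPLE_ZONE = {
    "1.2.0.192.bl.example.": ["127.0.0.2"],
    "2.2.0.192.bl.example.": ["127.0.0.2", "127.0.0.4"],
    "3.2.0.192.bl.example.": ["10.0.0.1"],   # broken/hijacked answer, not 127/8
}

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Encode an address as a DNSBL ownername under `zone`.
    IPv4: reversed dotted octets; IPv6: reversed hex nibbles (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def classify_answer(records):
    """Interpret the A records returned for a DNSBL query.
    Returns (status, codes): 'not_listed' for an empty answer (NXDOMAIN),
    'listed' with the low octets as codes when every record is in 127/8,
    and 'bogus' if any record falls outside 127/8 (wildcard/hijacked zone)."""
    if not records:
        return ("not_listed", [])
    codes = []
    for rec in records:
        addr = ipaddress.ip_address(rec)
        if addr not in LISTED_RANGE:
            return ("bogus", [])
        codes.append(int(addr) & 0xFF)
    return ("listed", sorted(codes))


def lookup(ip, zone, resolve=lambda name: SAMPLE_ZONE.get(name, [])):
    """Build the query name, resolve it (offline here) and classify the answer."""
    name = dnsbl_query_name(ip, zone)
    return name, classify_answer(resolve(name))
```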

