Anyone from AT&T here? (AT&T bogus DNSBL answers)

• Previous message (by thread): Anyone from AT&T here? (AT&T bogus DNSBL answers)
• Next message (by thread): Anyone from AT&T here? (AT&T bogus DNSBL answers)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

i consider myself an expert on the question, "what dns is not".  for
example, dns is not a directory service, or, dns is not a load balancer,
or, dns is about fact rather than policy.  so, when Michael Dillon wrote
about this topic today, i decided to pay attention:

> DNSBLs are using the DNS to do general purpose database
> lookups instead of using a generic database lookup 
> protocol like LDAP.

dns is a distributed, reliable, autonomous, hierarchical database.  any
data you can map into rrsets and ownernames is "fair game."  see the
second half of rfc1101 (the part that goes beyond network naming) to see
what the inventor had in mind.  dns blackhole lists (of which eric
ziegast invented the first one as a way to encode the first RBL into a
format sendmail could read) are an excellent example of what i call "DNS
Services".  just as the web has all kinds of things on it that aren't
web pages (or web browsers) and we call those "Web Services".

> It's not surprising that this sort of ugly hack has unintended side
> effects. After all, people who build DNS infrastructure intend it to
> be used to for generic DNS translations, not generic database lookups.

just because it isn't gethostbyname() or gethostbyaddr() and isn't 
replacing the use of YP/NIS or /etc/hosts or HOSTS.TXT, does not make
it inappropriate for dns.  indeed, RFC1034 2.1, 2.2 and especially 2.3
go into this in detail, so you don't need to read the (later) RFC1101
document to get the full flavour of the inventor's intentions for DNS.

> Funny thing is that most mailer software that uses DNSBLs also
> supports LDAP database lookups so there is really no good reason why
> DNSBLs exist in the first place.

at the time the first DNS blackhole list was invented (here, by ziegast),
there was no support for LDAP in the version of sendmail we were running.

now that there are a hundred or more diverse/disparite DNS blackhole lists, 
i think the likelihood of changing the way blackhole data is delivered to
be LDAP rather than DNS should be considered a "very long range" goal, or
worse.

> IMHO, the DNSBL experiment has proved the usefulness of having a
> variety of blacklist/whitelist/greylist databases for mail servers to
> query. It's high time that folks shift these databases onto a protocol
> that does not interfere with the Internet's critical DNS systems and I
> believe that LDAP is that protocol.

re-inventing a distributed, hierarchical, autonomous, reliable database
just to avoid using DNS as its inventor intended it, seems like a great
waste of time, IMHO.
-- 
Paul Vixie

• Previous message (by thread): Anyone from AT&T here? (AT&T bogus DNSBL answers)
• Next message (by thread): Anyone from AT&T here? (AT&T bogus DNSBL answers)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]