Rbldns for text and data

Alessandro Vesely vesely@tana.it
Fri Jan 11 11:39:40 CET 2019


On Thu 10/Jan/2019 21:02:51 +0100 Denny Watson via dev wrote:
>>> Had it asked for ANY, it would know how to handle (or at least look for
>>> things that it could handle) in the response.
>> 
>> Yes.  However, ANY is going to be deprecated:
>> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-07
>> 
>> (That's still a draft but it made enough noise already.)


Now it's an RFC.  See attachment.


> I haven't been following this discussion, but reviewing the document
> suggests that QTYPE ANY isn't being removed from the protocol, it's just
> that you shouldn't expect it to be available when the requests hit the
> final system authoritative for the labels you query, or if it is
> available it might not contain the specific types that you might find
> interesting.  This is dependent on that remote system's configuration.


You seem to be right.  It'd be nice if someone will say what DNSxLs are
supposed to do, typically return A + TXT on ANY.  Anyway, it seems that
omitting ANY was a premature decision of the MTA implementor.  Thank you for
the advice.


> [...]

> Having said all of that, I want to make sure that I understand your use
> case.  Assumptions follow;
> 
> Your MTA is using A record responses to make filtering decisions -- this
> is normal, and I would suggest the more proper way of doing this.  QTYPE
> A records tend to be better suited for this than TXT records.
> 
> Your MTA is using TXT records for SMTP textual responses, or even for
> the log files.


The MTA can accept a whitelisted message even if configured to
reject-on-SPF-fail. It then adds the dnswl record to the message header, like so:

Authentication-Results: wmail.tana.it;
    dnswl=pass dns.zone=list.dnswl.org
    policy.ip=127.0.6.2

Had a TXT record been found, the header field would also have had:

    policy.txt="bofh.it https://dnswl.org/s/?s=62352"


Almost always that information is redundant.  In this case, for example, I
already have this:

Received: from attila.bofh.it (attila.bofh.it [85.94.204.146])
  (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-GCM-SHA384)
  by wmail.tana.it with ESMTPS; Thu, 10 Jan 2019 21:02:58 +0100
  id 00000000005DC03D.000000005C37A4F2.00000A6B

However, sometimes the Received: is obscure, and there's no PTR, so that one
cannot tell what domain is responsible for the message.  In such cases,
policy.txt tells the domain name.  That feature makes a successful dnswl lookup
semantically equivalent to other email authentication  methods, such as SPF and
DKIM.

(The above Authentication-Results: field is not (yet) mentioned in the IANA
Email Authentication Parameters[*], because of the "dns.zone" which should have
been named something like "policy.zone" according to rfc7601.  I'll try again
after rfc7601bis will have been published.)

[*] https://www.iana.org/assignments/email-auth/email-auth.xml


> Side-note:
> In the past, when I was managing MTAs, I didn't return the DNSBL's TXT
> responses via SMTP and instead returned URLs for my own "postmaster"
> webpage with a CGI flagged IP.  This was another lifetime ago, and I
> would do silly things like reject only if on List-A and List-B, or
> List-C but not List-D, and it was easier to explain it all and provide a
> separate white-listing process for my systems outside of the reputation
> providers (DNSBLs).


I find it useful to outsource also whitelisting.


Best
Ale
-- 





-------------- next part --------------
An embedded message was scrubbed...
From: rfc-editor@rfc-editor.org
Subject: RFC 8482 on Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY
Date: Thu, 10 Jan 2019 18:23:34 -0800 (PST)
Size: 7192
URL: <http://list.rbldnsd.io/pipermail/dev/attachments/20190111/44038667/attachment.eml>


More information about the dev mailing list