nanog mailing list archives

Re: Re[2]: relays.osirusoft.com
From: Paul Vixie <vixie () vix com>
Date: 27 Aug 2003 07:37:26 +0000


ok so this part does not mystify me...

Someone has been in contact with Joe via phone and posted
to another mailing list That Zhall Not Be Named that
exactly that is happening.  The zone is dead, ...

...because running blackhole lists is surprisingly harder
than most people think.  (witness the sorbs.net message here
a few hours ago complaining of 50Kpkt/day query loads.)  i've
paid some dues in this area, so i feel qualified to say that
"i told you so" on this topic.  but at least there's no mystery.

this part, on the other hand...

                                              he's put
*.*.*.* in, he's asking people not to use it anymore.

...mystifies me.  anyone who has read rfc1034 or rfc1035, even
if they did not also read rfc2181 or rfc2136 or rfc2308, knows
that in a zone containing the following wildcardish data:

        $ORIGIN example.vix.com.
        *                       1H IN A         127.0.0.1
        *.*                     1H IN A         127.0.0.2
        *.*.*                   1H IN A         127.0.0.3
        *.*.*.*                 1H IN A         127.0.0.4

the result will be that only the top one will match:

        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16926
        ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
        ;; QUERY SECTION:
        ;;      40.30.20.10.example.vix.com, type = A, class = IN

        ;; ANSWER SECTION:
        40.30.20.10.example.vix.com.  1H IN A  127.0.0.1

and that in a zone containing only this data:

        $ORIGIN example.vix.com.
        *.*.*.*                 1H IN A         127.0.0.4

the result will be that none of them ever match:

        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44811
        ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
        ;; QUERY SECTION:
        ;;      40.30.20.10.example.vix.com, type = A, class = IN

you don't even need to read draft-ietf-dnsext-wcard-clarify-01.txt to know
that putting "*.*.*.*" into a zone won't actually mean, or do, *anything*.

It may be back in the future with a new network setup,
but right now consider it down.

i'm not completely sure, but i don't think this list will see much action
in the future from the sysadmins who had to make emergency config changes
today to avoid bouncing all their e-mail.  "once burned, twice shy," eh?
when i deprecated the old $foo.maps.vix.com zones in favour of their
corresponding replacements $bar.mail-abuse.org some years ago, i had the
foresight to ensure that no mail would be blocked by people who failed to
put in the configuration change.  now you can all see why that was nec'y.
-- 
Paul Vixie
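
As an added illustration of the lookup rule the post relies on (RFC 1034 section 4.3.2, later restated in RFC 4592, which is what draft-ietf-dnsext-wcard-clarify became), here is a small Python model of an authoritative lookup. It is not Vixie's code and not BIND's; the zone names under example.vix.com and the 127.0.0.x addresses come from the post, while the extra `www` record and the queries for `foo.*.example.vix.com` and `x.*.*.*.example.vix.com` are constructed to show the remaining cases. It goes slightly beyond the post in one respect: it shows what `*.*` and `*.*.*.*` do match, namely names whose inner labels are literally `*`.

```python
"""Minimal model of the RFC 1034 section 4.3.2 lookup, added to illustrate
the post; it is not code from the post or from BIND.  Names and addresses
under example.vix.com come from the post, other records are constructed."""

from collections import defaultdict


def labels(name):
    """Absolute name -> tuple of lowercase labels, root-side first."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


class Zone:
    def __init__(self, origin):
        self.origin = labels(origin)
        self.origin_text = origin
        self.rrsets = defaultdict(lambda: defaultdict(list))  # name -> type -> rdata
        self.nodes = {self.origin}  # names that exist, incl. empty non-terminals

    def add(self, owner, rtype, rdata):
        """Add one record; relative owners are taken under the origin."""
        full = owner if owner.endswith(".") else f"{owner}.{self.origin_text}"
        key = labels(full)
        self.rrsets[key][rtype].append(rdata)
        # Every ancestor of an owner name exists, even with no records of its own.
        for i in range(len(self.origin), len(key) + 1):
            self.nodes.add(key[:i])

    def lookup(self, qname, qtype):
        """Return (rcode, [(owner, type, rdata), ...]) as an authoritative server would."""
        q = labels(qname)
        if q[:len(self.origin)] != self.origin:
            return ("REFUSED", [])
        # Step 3: match labels from the origin downward, one at a time.
        for depth in range(len(self.origin), len(q) + 1):
            node = q[:depth]
            if node in self.nodes:
                if depth == len(q):
                    # 3b: the whole QNAME exists; answer from its own RRsets.
                    rrs = self.rrsets.get(node, {}).get(qtype, [])
                    return ("NOERROR", [(qname, qtype, r) for r in rrs])
                continue
            # 3c: this label does not exist.  The closest existing ancestor is
            # q[:depth-1]; only a "*" label directly beneath it can match.
            wild = q[:depth - 1] + ("*",)
            if wild not in self.nodes:
                return ("NXDOMAIN", [])
            # A "*" node that exists but carries no RRs of QTYPE (for example the
            # empty non-terminal created by "*.*.*.*") gives NOERROR with no data.
            rrs = self.rrsets.get(wild, {}).get(qtype, [])
            # Synthesized records carry QNAME as owner, not the "*" name.
            return ("NOERROR", [(qname, qtype, r) for r in rrs])
        return ("NXDOMAIN", [])  # not reached: the origin always exists


ORIGIN = "example.vix.com."
# The four "wildcardish" records from the post.
WILDCARDISH = [("*", "A", "127.0.0.1"), ("*.*", "A", "127.0.0.2"),
               ("*.*.*", "A", "127.0.0.3"), ("*.*.*.*", "A", "127.0.0.4")]
QNAME = "40.30.20.10.example.vix.com."


def make_zone(records):
    zone = Zone(ORIGIN)
    for owner, rtype, rdata in records:
        zone.add(owner, rtype, rdata)
    return zone


def demo():
    """Run the queries from the post plus a few that show the remaining rules."""
    four = make_zone(WILDCARDISH)
    last_only = make_zone(WILDCARDISH[-1:])
    plain = make_zone([("www", "A", "127.0.0.9")])  # constructed, no wildcard
    return {
        "four_records": four.lookup(QNAME, "A"),     # only "*" matches
        "star4_only": last_only.lookup(QNAME, "A"),  # NOERROR, empty answer
        "inner_star_literal": four.lookup("foo.*.example.vix.com.", "A"),
        "star4_literal": last_only.lookup("x.*.*.*.example.vix.com.", "A"),
        "no_wildcard": plain.lookup(QNAME, "A"),     # NXDOMAIN
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The two cases taken from the post reproduce the dig output above: with all four records the answer is 127.0.0.1 owned by the QNAME, and with only `*.*.*.*` the response is NOERROR with an empty answer section, because `*.example.vix.com` exists (as an empty non-terminal implied by the longer owner) but holds no A records. The constructed queries show the rest of the rule: an inner `*` is an ordinary label, so `*.*.*.*` only ever answers for names of the form `anything.*.*.*.example.vix.com`, which no real client asks for.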

