
Re: Domain spoofing - was Re: [anti-spam-wg@localhost] I wrote a spamfilter in Perl

  • To: der Mouse < >
  • From: Bruce Campbell < >
  • Date: Thu, 9 Oct 2003 23:51:04 +0200 (CEST)

On Thu, 9 Oct 2003, der Mouse wrote:

> > One of the underlying reasons behind the Reverse DNS restructuring
> > (see dns-wg and ncc-services-wg) is this very thing.  See
> > http://www.ripe.net/reverse/proposal.html for further details.
>
> One thing listed there I find baffling:
>
>    - The introduction of 'name' syntax checks for the ip6.arpa and
>    in-addr.arpa domains, only allowing domain for names that make sense
>    in the address hierarchy i.e. those that represent "reversed"
>    addresses.
> [...]
>    - The motivation for the 'name syntax check' is because there are
>    currently domain objects that clearly cannot exist in the address
>    hierarchy (e.g. 666.193.in-addr.arpa).
>
> I must be missing something here.  Such objects that do not represent
> reversed addresses are not problematic as far as I can see,

But they serve no purpose.

> Or am I misunderstanding, and only _some_ such "not a reversed address"
> objects are to be eliminated?  If so, it's certainly not clear from the
> webpage which ones are considered problematic - and in any case, I see
> nothing explaining what the problem this change will fix is (that is,
> what damage is or would be done by the presence of such objects).

The end result desired is that the NCC generates zone files that contain
only 'clean' data, being those delegations that represent valid IP ranges.
After all, there is no point to generating zone files that contain
delegations that point to impossible IP ranges (such as 193.666.0.0/16).

Hence, only delegations that match the criteria (broadly speaking, each
octet must be between 0 and 255 for IPv4, and each nibble between 0 and f
for IPv6, or it's an RFC 2317-style delegation with accompanying CNAMEs)
will be entered into the database, and delegations that do not meet the
criteria will be removed from the database.

Regards,

-- 
                             Bruce Campbell                            RIPE
                   Systems/Network Engineer                             NCC
                 www.ripe.net - PGP562C8B1B             Operations/Security
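
The criteria described in the message above, sketched as a name syntax check. This is an added example, not part of the original post and not RIPE NCC's code. The function names, the accepted RFC 2317 label shapes ("first/prefixlen" and "first-last") and the rejection of leading zeros are assumptions; the accompanying CNAMEs are not checked.

```python
import re

OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")   # assumption: no leading zeros
NIBBLE = re.compile(r"^[0-9a-f]$")             # one hex digit per ip6.arpa label
# Assumed RFC 2317 label shapes: "first/prefixlen" or "first-last"
CLASSLESS = re.compile(r"^([0-9]{1,3})([/-])([0-9]{1,3})$")

def _octet_ok(label):
    return bool(OCTET.match(label)) and int(label) <= 255

def _classless_ok(label):
    m = CLASSLESS.match(label)
    if not m:
        return False
    first, sep, second = int(m.group(1)), m.group(2), int(m.group(3))
    if first > 255:
        return False
    if sep == "/":
        return 25 <= second <= 32        # prefix longer than a /24
    return first < second <= 255         # explicit host range

def is_valid_reverse_domain(name):
    """True if name represents a 'reversed' address, per the criteria above."""
    labels = name.lower().rstrip(".").split(".")
    parts = labels[:-2]
    if labels[-2:] == ["in-addr", "arpa"]:
        if 1 <= len(parts) <= 4 and all(_octet_ok(p) for p in parts):
            return True
        # RFC 2317 style: one classless label in front of three octets
        return (len(parts) == 4 and _classless_ok(parts[0])
                and all(_octet_ok(p) for p in parts[1:]))
    if labels[-2:] == ["ip6", "arpa"]:
        return 1 <= len(parts) <= 32 and all(NIBBLE.match(p) for p in parts)
    return False

def rejected(names):
    """Names that would not be entered into (or would be removed from) the database."""
    return [n for n in names if not is_valid_reverse_domain(n)]

# Constructed sample; 666.193.in-addr.arpa is the example quoted in the thread.
SAMPLE = ["193.in-addr.arpa", "666.193.in-addr.arpa",
          "0/25.2.0.192.in-addr.arpa", "0-127.2.0.192.in-addr.arpa",
          "8.b.d.0.1.0.0.2.ip6.arpa", "g.0.0.2.ip6.arpa"]

if __name__ == "__main__":
    print(rejected(SAMPLE))
```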


