[rbldnsd] Problems with exemptions

Matthew Sullivan matthew at isux.com
Wed Apr 7 13:59:57 MSD 2004


Michael Tokarev wrote:

> Karl Maftoum wrote:
>
>> The exemptions file is in the format:
>>
>> !123.456.789.0/16 etc, but individual entries within that range are 
>> not exempted.
>>
>> What are we doing wrong?
>
>
> Nothing.
>
> Rbldnsd "exception mechanism" isn't supposed to work this way
> in the first place.  It was meant to be used to exempt a small
> netrange from a larger listing.  Classical example of this is
> a dynablock (DUL, DUHL, whatever): you list a large dialup pool,
> and want to exempt some individual IP addresses in that range
> (e.g. IPs of known mailservers etc).  Basically (but not exactly),
> the "idea" is that the smaller, more specific entry wins.  If you
> have a large listing range and a small exception range, the exception
> wins.  If the reverse, the listing wins.
>
> We talked with Matthew on IRC yesterday about this very issue
> (referencing Telstra net ranges).  Basically someone wants to
> "whitelist" all the Telstra net range, which is listed as spam
> support/whatever in SORBS, and Matthew suggested including a huge
> exception entry for all Telstra networks "together" with the
> SORBS data.

This is one of the people I spoke of....

> There are 2 ways to solve this issue (code modifications are
> required anyway):
>
>  a) always consider exceptions, regardless of the size of the
>     netrange, i.e., ignore all, even smaller, listings, if we
>     have a larger exception entry.  I guess this may conflict
>     with some current usages of exceptions, where one depends
>     on current "more specific entry wins" rule.  This should
>     work in a single dataset only, not affecting other datasets
>     for the zone in question.
>
>  b) introduce "super-exception" (e.g. prefixed with double-!,
>     !!127.0.0.0/8), that "propagate" to other datasets for a
>     zone in question too, and make the order of datasets
>     important (so that if we have 3 datasets for a zone,
>     first and 3rd have listings for a given query, and 2nd
>     has "super-exception", the result will be the listing
>     from the first dataset only, and processing will stop after
>     finding the super-exception (not even consulting the 3rd
>     dataset).

The 'super exception' method will fix 98% of those who have asked about 
their own whitelists - they need to whitelist their own networks (or 
others) completely across all datasets....

I wondered if an 'exception' dataset could be created which would cause 
all lookups matching anything in this dataset to return 3 (NXDOMAIN) ....?

/ Mat
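The two rules under discussion (the current "more specific entry wins" behaviour of `!` exceptions, and Michael's proposals (a) and (b)) are easy to get wrong in the head, so here is an added toy model of them. It is not rbldnsd code and not from anyone in this thread: the `Dataset`/`zone_lookup` names, the `!!` spelling of a super-exception, the tie-breaking rule for equal prefix lengths, and all the addresses (RFC 1918 and RFC 5737 ranges) are assumptions constructed for the example.

```python
import ipaddress
from typing import Iterable, List

# Added toy model of rbldnsd-style lookups with exceptions, written for this
# thread.  Not rbldnsd code: the class/function names, the "!!" syntax and the
# tie-breaking rule are assumptions, and every address below is constructed.

Net = ipaddress.IPv4Network


class Dataset:
    """One dataset: plain listings, '!' exceptions and '!!' super-exceptions."""

    def __init__(self, name: str, entries: Iterable[str]):
        self.name = name
        self.listings: List[Net] = []
        self.exceptions: List[Net] = []
        self.super_exceptions: List[Net] = []   # proposal (b), assumed syntax
        for entry in entries:
            if entry.startswith("!!"):
                self.super_exceptions.append(self._net(entry[2:]))
            elif entry.startswith("!"):
                self.exceptions.append(self._net(entry[1:]))
            else:
                self.listings.append(self._net(entry))

    @staticmethod
    def _net(text: str) -> Net:
        # A bare address becomes a /32 host entry.
        return ipaddress.ip_network(text.strip(), strict=False)

    def lookup(self, ip: str, mode: str = "specific") -> bool:
        """True if `ip` is listed by this dataset.

        mode="specific": the more specific (longer prefix) entry wins, whether
            it is a listing or an exception (current behaviour in the thread).
        mode="always": proposal (a); any matching exception wins regardless
            of prefix length.
        """
        addr = ipaddress.ip_address(ip)
        listed = [n.prefixlen for n in self.listings if addr in n]
        excepted = [n.prefixlen for n in self.exceptions if addr in n]
        if not listed:
            return False
        if not excepted:
            return True
        if mode == "always":
            return False
        # Assumption: on equal prefix length the exception wins.
        return max(listed) > max(excepted)

    def super_excepts(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.super_exceptions)


def zone_lookup(datasets: List[Dataset], ip: str, mode: str = "specific") -> List[str]:
    """Proposal (b): consult datasets in order, collecting the names of those
    that list `ip`; a super-exception stops processing, so later datasets are
    never consulted."""
    hits: List[str] = []
    for ds in datasets:
        if ds.super_excepts(ip):
            break
        if ds.lookup(ip, mode):
            hits.append(ds.name)
    return hits


# Constructed data, not real listings.
# Classic use: a dialup pool with one known mail server exempted.
DYNABLOCK = Dataset("dynablock", ["10.0.0.0/16", "!10.0.5.25"])

# Karl's case: small listings inside one large exception.
NARROW_LISTINGS = Dataset("spam", ["10.0.5.0/24", "10.0.9.0/24", "!10.0.0.0/16"])

# Three datasets for one zone: 1st and 3rd list the net, 2nd super-excepts it.
ZONE = [
    Dataset("first", ["192.0.2.0/24"]),
    Dataset("second", ["!!192.0.2.0/24"]),
    Dataset("third", ["192.0.2.0/24"]),
]


def demo() -> dict:
    return {
        "mailserver_exempt": DYNABLOCK.lookup("10.0.5.25"),          # False
        "other_dialup_listed": DYNABLOCK.lookup("10.0.7.1"),         # True
        "narrow_wins_today": NARROW_LISTINGS.lookup("10.0.5.1"),     # True
        "proposal_a": NARROW_LISTINGS.lookup("10.0.5.1", "always"),  # False
        "proposal_b": zone_lookup(ZONE, "192.0.2.10"),               # ['first']
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and `narrow_wins_today` is exactly the behaviour Karl reported: the /24 listings are more specific than the /16 exception, so they win. Switching the same dataset to proposal (a) flips that result, and the three-dataset zone reproduces Michael's (b) scenario, where the lookup stops at the second dataset and the third is never consulted.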