[rbldnsd] Announce: experimental rbldnsd-0.994.92: EDNS0 and ACL
support
Michael Tokarev
mjt at tls.msk.ru
Sat Apr 16 20:39:00 MSD 2005
Together with a bugfix 0.994b release, I also uploaded
experimental (aka "pre") release 0.994.92, the code which
eventually become 0.995 version. This is a development
snapshot intended to show what's going on, for comments
and testing, NOT for production usage.
The changes are:
- feature: (initial, experimental) ACL support. It is possible to force
certain kinds of replies to be sent to certain clients (based on the
client IP address), regardless of the query the client performs.
Read the rbldnsd(8) manpage for the details.
This feature is experimental. The basic idea will remain, but details are
likely to change in the future as the requirements become understood
better.
- feature: EDNS0 support for UDPsize, allowing replies larger than 512
bytes for clients claiming EDNS0 support (appropriate OPT record in the
additional section of the query). Not really a user-visible change per se,
but it may be quite visible to clients, especially when our replies are large.
Several words about ACLs. The thing looks like:
rbldnsd ... bl.ex.com:ip4set:bldata bl.ex.com:acl:acldata ...
I.e., there's a new dataset type named "acl", which is NOT included in
the zone, but instead controls which clients receive which treatment.
Only one acl-type dataset can be specified for a given zone (rbldnsd
will complain if more are specified). It is possible to specify
global acl too, by omitting the zone name, like:
rbldnsd ... bl.ex.com:ip4set:bldata :acl:acldata ...
(note the leading colon before "acl...").
The content of the `acldata' file is much like that of ip4trie, i.e.,
CIDRs and "values", where "value" can be one of:
:ignore -- to mean ignore all queries made from the given CIDR
:refuse -- to mean refuse all queries from the given range
:empty -- for queries from the range, pretend no entries are
listed in a dnsbl at all
usual_A+TXT_template -- always return this template to valid
dnsbl queries made from the given range.
The first two terminate processing immediately: rbldnsd either
"forgets" about the packet or just returns REFUSED, without
looking further.
But the last two are more "intelligent": rbldnsd tries to determine
whether the query was for DNSBL data (all "real" dnsbl datasets --
ip4set, ip4tset, ip4trie, dnset) or for metadata, including the generic
dataset and all the normal NS+SOA records. In the latter case,
rbldnsd still constructs the reply as if there was no ACL. But
if it was a valid DNSBL query, result will contain no A+TXT data
at all (even if the object/entry being queried is in fact listed)
or will contain A+TXT specified by the ACL (even if the entry is
not listed, or listed with different data).
In the latter case ("pretend-all-listed"), $-substitutions are made
using the IP address of the client, not the one contained in the
query.
For now, the ACL system only supports IPv4 addresses. IPv6 addresses
will be supported together with the first ip6something dataset,
in some probably distant future.
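To make the decision rules above concrete, here is a small model (added here for illustration, not code from rbldnsd itself) that parses a constructed acldata file and returns what the server would send for a given client and query. The whitespace rules of the file, the `:A:TXT` template form and longest-prefix matching are assumptions; the page only says the format is "like ip4trie".

```python
import ipaddress

# Constructed sample acldata file (not from the announcement); one CIDR
# per line followed by one of the four value kinds described above.
ACLDATA = """\
10.0.0.0/8       :ignore
192.0.2.0/24     :refuse
198.51.100.0/24  :empty
203.0.113.0/24   :127.0.0.2:client $ is forced-listed by ACL
"""

def parse_acl(text):
    """Return a list of (network, action); action is ':ignore', ':refuse',
    ':empty' or an (A, TXT) template tuple.  Format details are assumed."""
    acl = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        cidr, _, value = line.partition(" ")
        value = value.strip()
        if value in (":ignore", ":refuse", ":empty"):
            action = value
        else:                                  # ':A:TXT' template (assumed)
            _, a, txt = value.split(":", 2)
            action = (a, txt)
        acl.append((ipaddress.ip_network(cidr, strict=False), action))
    return acl

def lookup(acl, client_ip):
    """Longest-prefix match on the client address (assumed, as for a trie)."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(net.prefixlen, act) for net, act in acl if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def answer(acl, client_ip, is_dnsbl_query, normal_reply):
    """normal_reply is what rbldnsd would send with no ACL: an (A, TXT)
    pair, None for 'not listed', or e.g. 'SOA' for a metadata query."""
    action = lookup(acl, client_ip)
    if action == ":ignore":                    # drop the packet silently
        return "DROP"
    if action == ":refuse":                    # RCODE REFUSED, no lookup
        return "REFUSED"
    if action is None or not is_dnsbl_query:   # no ACL hit, or metadata query
        return normal_reply
    if action == ":empty":                     # pretend nothing is listed
        return None
    a, txt = action                            # pretend everything is listed;
    return (a, txt.replace("$", client_ip))    # $ -> client IP, not query IP
```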
This whole ACL stuff is new, and is subject to changes/refinements.
I don't yet know whether current functionality fits current (and
especially future ;) demands. Comments are welcome.
As usual, rbldnsd homepage is at
http://www.corpit.ru/mjt/rbldnsd.html
All prereleases are at
http://www.corpit.ru/mjt/pre/
/mjt