[rbldnsd] Excluding a CIDR range

Matthew Sullivan matthew at sorbs.net
Fri Dec 2 02:15:33 MSK 2005


Chris Gabe wrote:

> Matthew Sullivan wrote:
>
>> Chris Gabe wrote:
>>
>>> It seems that the ! directive works only on individual ip addresses, 
>>> not address ranges.
>>> I need to exclude a long list of CIDRs, effectively something like this
>>>    !1.2/16
>>>    !3.4.5/24
>>>    .... (many more entries)
>>> Short of expanding these all out, is there any way to effect this?
>>>
>> This one can be answered in the archives...
>>
>> exclusions will always work if the CIDR mask is smaller than 24 (ie 
>> 25 -> 32).  However because of the way rbldnsd stores each entry 
>> internally if you have the following:
>>
>> 1.2.0.0/16
>> !1.2.3.0/24
>> 1.3.4.128/25
>> !1.3.4.0/24
>> 1.4.4.0/22
>> !1.4.5.0/24
>>
>> Then the range 1.2.3.0/24 *will* be excluded, but 1.3.4.128/25 *will 
>> not* be excluded, and 1.4.5.0/24 *will* be excluded.  The boundaries 
>> for this behavior are /8, /16 and /24.
>>
>> Regards,
>>
>> Mat
>>
>> PS: I still think we should have some sort of 'super exclude' which 
>> always overrides so people can whitelist their own ranges where the 
>> MTA has no mechanism for this.
>
>
> So there's a problem implementing exclude within the normal include 
> framework.
> To turn the problem around, since rbldnsd is so good at *includes*, 
> why not have an agreed ip address like 0.255.9.9 (or even a special 
> nonsensical A or TXT result) that means "clear any A records already 
> encountered, return no A record".  Then you could have
>    :0.255.9.9
>    1.2/16
>    etc
> meaning in effect, exclude 1.2/16 etc.  Then the excludes don't need 
> to worry about the way rbldnsd stores stuff, it just rewinds and kicks 
> out when it encounters the ip.
>
> Or maybe
>    :127.0.0.2:excludehereafter
>
IIRC it's based on how the structures are held within rbldnsd, and Michael 
also asked previously what should happen if we see:

1.2/16
!1.2/16

or

!1.2/16
1.2/16

At this point remember that everyone has their own zone format, eg SORBS 
will create the zones with includes first and excludes afterwards.  Also 
what do you do if you see:

1/8
!1.2/16
1.2.3/24

Personally I would expect to exclude 1.2/16 from 1/8 but include 
1.2.3/24 specifically.... seems a reasonable request, but how about if 
we do this:

1/8
1.2.3/24
!1.2/16

Would this be handled differently?

.... and that's not even touching on the technical reasons why this won't 
work in the current version of rbldnsd.  I am sure Michael will explain 
the issue in detail when it is daylight in Russia ;-)

Regards,

Mat
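
Added example (not part of the original thread, and not rbldnsd's own code): a small Python model of the exclusion semantics described in the quoted reply, so a zone fragment can be checked before it is published. It applies a longest-prefix rule, treating an exclusion as an entry that carries no result, which reproduces the three quoted cases (1.2.3.0/24 excluded, 1.3.4.128/25 still listed, 1.4.5.0/24 excluded) and also answers the 1/8 + !1.2/16 + 1.2.3/24 question in both orderings. It does not model the /8, /16 and /24 storage boundaries Mat refers to, so outside the quoted cases it is an approximation of what rbldnsd does, and the rule that a later entry wins when two entries have the same prefix length is an assumption of the model, not a statement about rbldnsd. Only the entry forms used in the thread are parsed (a dotted quad, possibly truncated, with an optional /mask); address ranges and per-entry result values are not. The zone text inside the block is constructed from the thread's example.

```python
import ipaddress

# Constructed sample zone, taken from the example quoted in the thread.
# Entries only: no $DATASET header, no default-value line.
ZONE = """\
1.2.0.0/16
!1.2.3.0/24
1.3.4.128/25
!1.3.4.0/24
1.4.4.0/22
!1.4.5.0/24
"""


def parse_entry(token):
    """Expand one rbldnsd-style IPv4 entry into an IPv4Network.

    A truncated address without a mask is taken as a whole prefix
    (1.2 -> 1.2.0.0/16, 1.2.3 -> 1.2.3.0/24); a full address without a
    mask is a /32.  Host bits set inside the mask are silently cleared.
    Ranges (a-b) are not handled here.
    """
    addr, _, mask = token.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and 0 <= int(o) <= 255 for o in octets
    ):
        raise ValueError(f"bad address: {token!r}")
    if not mask:
        mask = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/" + mask, strict=False)


def parse_zone(text):
    """Return [(network, excluded), ...] in file order.

    Comments (#), blank lines, $-directives and a leading ':' default line
    are skipped; a per-entry ':result' suffix is stripped and ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "$:":
            continue
        token = line.split()[0].split(":")[0]
        excluded = token.startswith("!")
        entries.append((parse_entry(token.lstrip("!")), excluded))
    return entries


def listed(entries, ip):
    """True if ip would get a result under the longest-prefix model.

    Among all entries covering ip the longest prefix wins; on equal prefix
    length the later entry wins (model assumption, not rbldnsd behaviour).
    An exclusion that wins yields no result, so the address is not listed.
    """
    ip = ipaddress.IPv4Address(ip)
    best = None  # ((prefixlen, position), excluded)
    for pos, (net, excluded) in enumerate(entries):
        if ip in net:
            key = (net.prefixlen, pos)
            if best is None or key > best[0]:
                best = (key, excluded)
    return best is not None and not best[1]


def report(zone_text, ips):
    """Map each address to 'listed' / 'not listed' for a zone fragment."""
    entries = parse_zone(zone_text)
    return {ip: ("listed" if listed(entries, ip) else "not listed") for ip in ips}


if __name__ == "__main__":
    for ip, verdict in report(
        ZONE, ["1.2.3.7", "1.2.9.1", "1.3.4.200", "1.3.4.10", "1.4.5.3", "1.4.6.3"]
    ).items():
        print(f"{ip:<12} {verdict}")
```

Feed it the exact fragment you intend to ship and a handful of addresses from the ranges you care about; if the model's verdict and the verdict from a real rbldnsd instance disagree for some address, that address sits in territory the quoted reply warns about, and the fragment needs restructuring (for example expanding the include so the exclusion is more specific than anything it has to override).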

