[rbldnsd] Migrating From Aggregate to Combined

Michael Tokarev mjt at tls.msk.ru
Sat Dec 2 23:53:06 MSK 2006


David Cary Hart wrote:
>>> #Current:
>>>      RBLDNSD="dsbl -f -c10m -r/var/lib/rbldnsd -s+stats -b127.0.0.1 \
>>>      spam.tqmcube.com:ip4set:spam \
>>>      dhcp.tqmcube.com:ip4set:dhcp \
>>>      prc.tqmcube.com:ip4set:prc \
>>>      ko.tqmcube.com:ip4set:ko \
>>> #Eliminate:
>>>      dnsbl.tqmcube.com:ip4set:spam,dhcp,prc,ko \ 
>>>
>>> #New:
>>>      spam.dnsbl.tqmcube.com:ip4set:spam \
>>>      dhcp.dnsbl.tqmcube.com:ip4set:dhcp \
>>>      prc.dnsbl.tqmcube.com:ip4set:prc \
>>>      ko.dnsbl.tqmcube.com:ip4set:ko \
>>>      dnsbl.tqmcube.com:combined:dataset_map \
[]
> The current aggregate zone applies exclusions globally. Exclusions in
> any zone will create an exclusion in the aggregate zone. Correct?

No.
Exclusions are per-dataset.  In case of combined dataset, they're
per-subdataset.

This way, you can have dialups (dhcp, whatever) dataset which lists
large netblocks and contains exclusions for certain addresses in those
netblocks.  And you can have, say, open relays.  Two datasets (probably
of different types - first is ip4set or ip4trie, and second is ip4tset).
Obviously you don't want an open mail relay which has been excluded in
first to not appear in second.

The algorithm looks like this:

 find closest zone
 for each dataset in that zone; do
   if ip_excluded continue;  // not break, but continue!
   if ip_listed emit_a_txt_RR
 done

For combined zone, the body of the loop becomes a bit more complex:

 find closest zone
 for each dataset in that zone; do
   if dataset_is_combined; then
     find_closest_subzone
     for each subdataset in that subzone; do
       if ip_excluded continue;
       if ip_listed emit_a_txt_RR;
     done
   else
     if ip_excluded continue;  // not break, but continue!
     if ip_listed emit_a_txt_RR
   end if
 done

As you can see, the inner loop is exactly the same as outer,
with the only obvious difference - dealing with subzones and
subdatasets instead of zones and datasets.

In other words: there's no way to have global exclusions in
rbldnsd.  It has been asked before, but I gave up trying to
implement it.  The only way to do global exclusions currently
is to add them to every dataset.

> I am trying to create a combined zone so that a range excluded in the
> dhcp zone will not nullify a listing in the spam zone. I am trying to
> do so in a way that will allow users to continue to use the existing
> zones.

As I said before, switching to (single!) combined ds from your current
setup will be mostly a no-op as seen externally.  And there's no need
to repeat your subzones which you aggregated before - if you want to
include the same data into combined ds, they will be here just as before.

/mjt
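
Added example, not part of the original message and not rbldnsd's own code: a simplified Python model of the lookup loop described above, showing that an exclusion in one (sub)dataset does not suppress a listing in another. The zone name `dnsbl.example`, the dataset contents and all class and function names are constructed for illustration.

```python
import ipaddress

class Dataset:
    """Simplified ip4set model: listed networks plus this dataset's own exclusions."""
    def __init__(self, name, listed, excluded=()):
        self.name = name
        self.listed = [ipaddress.ip_network(n) for n in listed]
        self.excluded = [ipaddress.ip_network(n) for n in excluded]
    def answer(self, ip):
        if any(ip in n for n in self.excluded):
            return []  # excluded in THIS dataset only; the caller moves on to the next
        return [self.name] if any(ip in n for n in self.listed) else []

Combined = dict  # simplified combined dataset: subzone name -> subdatasets ('' = base zone)

def closest(names, labels):
    """Longest entry of `names` that is a label-wise suffix of `labels`, else None."""
    best = None
    for name in names:
        parts = name.split(".") if name else []
        if labels[len(labels) - len(parts):] == parts and (best is None or len(name) > len(best)):
            best = name
    return best

def query(zones, qname):
    """zones: zone name -> [Dataset | Combined]. Returns names of datasets that answer."""
    labels = qname.lower().rstrip(".").split(".")
    zone = closest(zones, labels)
    if zone is None:
        return []
    rest, hits = labels[:len(labels) - len(zone.split("."))], []
    for ds in zones[zone]:
        group, octets = [ds], rest
        if isinstance(ds, Combined):
            sub = closest(ds, rest)  # find closest subzone inside the combined dataset
            group = ds[sub] if sub is not None else []
            octets = rest[:len(rest) - len(sub.split("."))] if sub else rest
        try:
            ip = ipaddress.IPv4Address(".".join(reversed(octets)))
        except ValueError:
            continue  # remaining labels are not a reversed dotted quad
        for member in group:
            hits += member.answer(ip)  # an excluded member adds nothing; loop continues
    return hits

# Constructed sample data (documentation address space, made-up zone name).
dhcp = Dataset("dhcp", listed=["192.0.2.0/24"], excluded=["192.0.2.25/32"])
spam = Dataset("spam", listed=["192.0.2.25/32"])
ZONES = {"dnsbl.example": [Combined({"": [dhcp, spam], "dhcp": [dhcp], "spam": [spam]})]}
```

In this model, making 192.0.2.25 disappear from the base zone requires adding the exclusion to `spam` as well, which mirrors the "add them to every dataset" workaround.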

