[rbldnsd] initial IPv6 support

Don Owens (doowens) doowens at cisco.com
Sat Feb 18 03:24:36 MSK 2012


Has anyone used the IPv6 support in a production environment yet?  I want to use this for real traffic in a couple of months.  It looks fine so far, but I haven't seen any comments about it on this list.

Any issues found so far?

Thanks.

./don

On Mar 7, 2011, at 01:40:44, Michael Tokarev wrote:

> Hello.
> 
> I completed initial IPv6 support in rbldnsd, in a form of
> ip6tset dataset, in similarity with ip4tset (trivial set).
> 
> The difficulty with IPv6 is that the address size is large
> (so it requires both more memory and complex arithmetic),
> and potential amount of addresses is huge too.
> 
> Initially I considered using only the first half of IPv6 address
> for listing, i.e., listing by /64 networks (which is an end-user
> allocation size).  This is easy, since it will require just
> a sorted array of 64-bit integers, and all modern computers
> are 64-bit and support 64-bit integers natively (so comparisons
> will be fast).
> 
> But it quickly turned out to be insufficient.  Imagine a single
> end-user /64 allocation with a mail server in there and a lot
> of infected machines - we should have a way to whitelist at
> least that single mailserver (/128) but keep other zombies
> in the same /64 away.
> 
> Using /128 (or any size between /65 and /128 actually) for
> listings isn't really productive either, since it's completely
> controllable by the "bad guys", and it's possible to fill up
> all resources on the DNSBL side by using some round-robin
> mechanism for all your 2^64 addresses.  This can be detected
> and addressed on the collector side somehow by aggregating
> "many" listings into larger blocks, so at least in theory
> this can be worked around somehow.
> 
> So for now, I implemented a first preview/RFC variant, which
> has quite some limitations, and which I never ever actually
> tested with any real software (like an MTA) - I can perform
> queries using a command-line dns client and see adequate
> replies, and that's about it for now... ;)
> 
> Currently, it has 2 lists: one "main" list, for networks of
> size /64 _only_, and another "whitelist", for individual
> /128 addresses only.
> 
> So it works for a scenario where you want to list whole
> end-user /64 but have an ability to whitelist a single
> mailserver or two inside.
> 
> This is just a test implementation, -- in a somewhat long
> time I didn't do any C programming, and this served me as
> an exercise to remember how things are done to start with,
> so it had to be something smallish.  But at the same time
> it should already be useful and I want to hear opinions
> from others about what _should_ be done.  So it is quite
> possible that the semantics will change or even this whole
> dataset will be removed later, when real-use scenarios
> are considered.
> 
> Current (preview) version can be found at
> 
> http://www.corpit.ru/mjt/rbldnsd/rbldnsd-0.996-ipv6-0.tar.gz
> 
> and the actual code is in the "ipv6" branch of the git tree,
> see 
> http://git.corpit.ru/?p=rbldnsd.git;a=shortlog;h=ipv6
> 
> 
> Any comments about how it should be done are appreciated.
> 
> Thanks!
> 
> /mjt
> 
> 

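The /64 listing plus /128 whitelist semantics described in the quoted message, as an added toy model in C (not rbldnsd's own ip6tset code): listed /64 prefixes are kept as a sorted array of 64-bit integers and searched with bsearch, and a /128 whitelist hit overrides a listed /64. The fixed-size arrays, the function names ip6tset_add and ip6tset_lookup, and the rule that a listing entry is interpreted as the /64 containing the given address are assumptions of this example, not the dataset's actual file format.

```c
/* Toy model of the ip6tset semantics from the message: list whole /64
 * networks, whitelist individual /128 addresses.  Added example, not rbldnsd code. */
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper 64 bits of an IPv6 address (its /64 network part), host byte order. */
static uint64_t ip6_prefix64(const unsigned char a[16]) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | a[i];
    return v;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return a < b ? -1 : a > b;
}

static int cmp_u128(const void *x, const void *y) { return memcmp(x, y, 16); }

/* Fixed-size storage for this toy (assumption; a real dataset grows dynamically). */
static uint64_t listed64[8]; static size_t nlisted;
static unsigned char white128[8][16]; static size_t nwhite;

/* Add a textual address: whitelist=1 stores the exact /128, otherwise the
 * /64 containing it is listed.  Returns 1 on success, 0 on bad input or full table. */
int ip6tset_add(const char *addr, int whitelist) {
    unsigned char a[16];
    if (inet_pton(AF_INET6, addr, a) != 1) return 0;
    if (whitelist) {
        if (nwhite >= 8) return 0;
        memcpy(white128[nwhite++], a, 16);
        qsort(white128, nwhite, 16, cmp_u128);
    } else {
        if (nlisted >= 8) return 0;
        listed64[nlisted++] = ip6_prefix64(a);
        qsort(listed64, nlisted, sizeof(uint64_t), cmp_u64);
    }
    return 1;
}

/* 1 = listed (inside a listed /64 and not whitelisted), 0 = not listed, -1 = bad address. */
int ip6tset_lookup(const char *addr) {
    unsigned char a[16];
    if (inet_pton(AF_INET6, addr, a) != 1) return -1;
    if (bsearch(a, white128, nwhite, 16, cmp_u128)) return 0;   /* /128 whitelist wins */
    uint64_t p = ip6_prefix64(a);
    return bsearch(&p, listed64, nlisted, sizeof p, cmp_u64) != NULL;
}
```

With one /64 listed and the mail server's /128 whitelisted, a lookup of the mail server returns 0 while any other host in that /64 returns 1.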
