[rbldnsd] Extracting 'hidden' TXT records
Michael Tokarev
mjt at tls.msk.ru
Sun Mar 21 16:31:24 MSK 2004
[Please excuse me for the late reply... I was very busy lately
and thought there's nothing really urgent in your email... ;)]

furio ercolessi wrote:
> [ For the series 'weird questions' ]
>
> I illustrate the point with an example taken from SBL.
> 61.143.182.145 is currently contained three times in SBL:
>
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13628 for 61.143.182.145/32
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL14180 for 61.143.182.144/28
> http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12684 for 61.143.176.0/20
>
> That is quite common: it is a hierarchy of escalations.
>
> Now, a TXT query returns only the first two:
> ;; ANSWER SECTION:
> 145.182.143.61.sbl.spamhaus.org. 2H IN TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL14180"
> 145.182.143.61.sbl.spamhaus.org. 2H IN TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL13628"
>
> This happens also for Bind nameservers, and it is perfectly understandable:
> the /20 listing really is sixteen /24 listings, and a /24 listing is
> overridden by a /32 listing.
>
> Good. Now suppose that I want to build an application that tries to
> return all listings relative to a given IP, possibly by performing
> multiple queries. How to check explicitly for the presence of
> a /24 (or larger) listing?
>
> With Bind, it can be done:
>
> % dig txt '*.182.143.61.sbl.spamhaus.org' @204.152.184.189
> ;; ANSWER SECTION:
> *.182.143.61.sbl.spamhaus.org. 2H IN TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12684"
>
> but if I try to do the same with rbldnsd I get no answer. I tried
> fooling it with '256.182.143.61.sbl.spamhaus.org' but rbldnsd is too
> smart to be tricked, and still get no response.
>
> The question is: is there any trick to extract this information
> (presence of /24 listing when /32 listings are present) out of rbldnsd?

There's NO WAY to perform such a lookup with rbldnsd now.
I may think about adding such functionality. Say, by querying
something like ALL.145.182.143.61.sbl.spamhaus.org instead of
145.182.143.61.sbl.spamhaus.org, rbldnsd may be made to return
all matching entries (there's no such functionality now). Is
it really worth the effort (changes required are relatively
small)?

Note also that e.g. ip4trie will return a SINGLE entry only (the
one which is closest to the IP address in question) - ip4trie
does not "group" entries by /8,/16,/24,/32 "sizes" like ip4set
does. ip4set is somewhere in between ip4trie and a non-existent
"return ALL entries" mode. Sometimes, all entries should be
returned, but sometimes, only the closest entry is needed, so
some indicator (in the query) telling what exactly THIS client
wants may help, but there's no general "per-zone" solution
I think (or, alternatively, one may query different subzones
too - 1.2.3.4.ALL.sbl.spamhaus.net or 1.2.3.4.ONE.sbl.spamhaus.net).

/mjt
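
The three lookup behaviours discussed in this message, as an added example that is not part of the original post and is not rbldnsd's code: a simplified Python model run over the three SBL listings quoted above. All function names are hypothetical, and the grouping of ranges into /8, /16, /24 and /32 entries is an assumption taken from the description in the thread.

```python
import ipaddress

# The three SBL listings quoted in the thread (network, SBL record).
LISTINGS = [
    ("61.143.182.145/32", "SBL13628"),
    ("61.143.182.144/28", "SBL14180"),
    ("61.143.176.0/20", "SBL12684"),
]
NETS = [(ipaddress.ip_network(n), tag) for n, tag in LISTINGS]
GROUPS = (32, 24, 16, 8)  # the "sizes" ip4set groups entries by


def group_of(prefixlen):
    """Group a range is stored in: a /28 becomes /32 entries,
    a /20 becomes /24 entries (assumption, per the thread)."""
    return min(g for g in GROUPS if g >= prefixlen)


def matching(ip):
    """Every listing whose range contains the address."""
    addr = ipaddress.ip_address(ip)
    return [(net, tag) for net, tag in NETS if addr in net]


def lookup_ip4set(ip):
    """Most specific group with a hit wins; all entries in it are returned."""
    hits = matching(ip)
    for g in GROUPS:
        tags = sorted(t for net, t in hits if group_of(net.prefixlen) == g)
        if tags:
            return tags
    return []


def lookup_ip4trie(ip):
    """Longest-prefix match: only the single closest entry."""
    hits = matching(ip)
    return [max(hits, key=lambda h: h[0].prefixlen)[1]] if hits else []


def lookup_all(ip):
    """The hypothetical 'return ALL entries' mode, most specific first."""
    hits = sorted(matching(ip), key=lambda h: -h[0].prefixlen)
    return [tag for _, tag in hits]


if __name__ == "__main__":
    for ip in ("61.143.182.145", "61.143.182.150", "61.143.180.1"):
        print(ip, lookup_ip4set(ip), lookup_ip4trie(ip), lookup_all(ip))
```

For 61.143.182.145 the ip4set model reproduces the two TXT records shown in the quoted answer section, while the /20 listing appears only in the "ALL" mode.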