On Nov 26, 2014, at 2:15 AM, Kevin A. McGrail <kmcgr...@pccc.com> wrote:

On 11/26/2014 1:53 AM, Matthias Leisi wrote:

On Wed, Nov 26, 2014 at 3:45 AM, Franck Martin <fmar...@linkedin.com> wrote:

You may want to read https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf

I'm well aware of the issues of cache efficiency and query volumes due to the vast address space. The solution to just cut off at /64 is nice, but there will be many legitimate cases where this will not be "good enough". That's why I am convinced that in the end we will need something like a "tree walk" algorithm, where an "intelligent" algorithm starts at (let's say) a /32 boundary and then gets responses to the best fitting response. Yes, such an approach might initially double the amount of queries and has an increased risk of not getting DNS responses, but on the other hand such "tree information" can be nicely cached with reasonably long TTLs, even for the fast-paced DNSBLs out there. Maybe such a tree-walk algorithm is worth an experiment as a SpamAssassin plugin?

I could likely ramble about why I don't think the real-world implications will be that large because patterns will emerge. As such, SA Plugins are very safe for experimental work and can be done without any impact on production systems in my experience. I'd support and love to see some experiments in this realm.

I think maybe you are missing the other point of this document: if there is no valid SPF or DKIM and the message was received over IPv6, then you reject it (or send it to spam). I think such a rule can be easily implemented in SA. Just need to put a score of 10 on it :P As for real case scenario, Google, Microsoft and others are already doing just this. As for /64, yes there are hosting providers that have all their customers in the same /64 and other cases like this where infrastructure is not separated by /64 boundaries. I think IPv6 blocking lists will be more of a last resort than a first line of defense (but that’s just me).
Note rbldnsd works at /64 by default, with /128 exceptions.
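The "tree walk" that Matthias sketches above, together with the /64-listing-with-/128-exceptions model mentioned for rbldnsd, can be exercised offline. The following is an added example written for this page, not code from the thread, from SpamAssassin or from rbldnsd. It assumes a hypothetical zone name (ipv6.dnsbl.example), a constructed answer convention (127.0.0.2 means listed, 127.0.0.255 means an explicit exception), the walk boundaries /32, /48, /64 and /128, and an in-memory dictionary standing in for a DNS resolver, so no real queries are sent.

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Hypothetical DNSBL zone name, constructed for this example.
ZONE = "ipv6.dnsbl.example"
# Prefix boundaries the walk visits, coarse to fine (an assumption of this example).
WALK_PREFIXES = (32, 48, 64, 128)
# Constructed answer convention: 127.0.0.2 = listed, 127.0.0.255 = explicit exception.
LISTED = "127.0.0.2"
EXCEPTION = "127.0.0.255"

Resolver = Callable[[str], Optional[str]]


def query_name(net: ipaddress.IPv6Network, zone: str = ZONE) -> str:
    """Reverse-nibble query name for an IPv6 prefix. Only the nibbles covered
    by the prefix length are emitted, so a /64 gives 16 labels, a /32 gives 8
    and a /128 gives all 32."""
    if net.prefixlen % 4:
        raise ValueError("prefix length must fall on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    covered = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(covered)) + "." + zone


def build_zone(listed, exceptions, zone: str = ZONE) -> Dict[str, str]:
    """Constructed in-memory zone: listed prefixes answer LISTED, exception
    prefixes (e.g. one clean /128 inside a listed /64) answer EXCEPTION."""
    records: Dict[str, str] = {}
    for cidr in listed:
        records[query_name(ipaddress.IPv6Network(cidr), zone)] = LISTED
    for cidr in exceptions:
        records[query_name(ipaddress.IPv6Network(cidr), zone)] = EXCEPTION
    return records


def tree_walk(address: str, resolve: Resolver, zone: str = ZONE,
              prefixes=WALK_PREFIXES) -> Tuple[Optional[ipaddress.IPv6Network], int]:
    """Walk the prefix tree from coarse to fine, one query per boundary.
    Returns the most specific listed prefix (or None) and the query count.
    A more specific EXCEPTION answer overrides a coarser LISTED answer, which
    is how a clean /128 inside a listed /64 is honoured."""
    ip = ipaddress.IPv6Address(address)
    best: Optional[ipaddress.IPv6Network] = None
    queries = 0
    for plen in prefixes:
        # strict=False masks off the host bits so the prefix is well formed.
        net = ipaddress.IPv6Network((int(ip), plen), strict=False)
        queries += 1
        answer = resolve(query_name(net, zone))
        if answer == EXCEPTION:
            return None, queries
        if answer == LISTED:
            best = net
    return best, queries


# Constructed sample data: one listed /64 with a single clean /128 carved out.
SAMPLE_ZONE = build_zone(listed=["2001:db8:1:2::/64"],
                         exceptions=["2001:db8:1:2::53/128"])


def lookup(address: str) -> Tuple[Optional[str], int]:
    """Run the walk against the sample zone; returns (listed prefix or None, queries)."""
    net, queries = tree_walk(address, SAMPLE_ZONE.get)
    return (str(net) if net else None), queries


if __name__ == "__main__":
    for addr in ("2001:db8:1:2::1", "2001:db8:1:2::53", "2001:db8:9::1"):
        print(addr, "->", lookup(addr))
```

With the sample zone, 2001:db8:1:2::1 resolves to the listed /64, 2001:db8:1:2::53 is cleared by its /128 exception, and 2001:db8:9::1 is not listed; every lookup costs four queries here, which is the extra query volume the thread weighs against the caching benefit of long-TTL answers at the coarse boundaries.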