> A tentative suggestion: maybe lists of this sort ought to be distributed
> via the DNS itself, with nameserver software encouraged to fetch them
> dynamically and act accordingly. Something along the lines of
>
>     local-zones.arpa. PTR 0.in-addr.arpa.
>                       PTR 127.in-addr.arpa.
>                       PTR 254.169.in-addr.arpa.
>                       ...
>                       PTR 8.e.f.ip6.arpa.
>                       PTR 9.e.f.ip6.arpa.
>                       ...
>
> Not that this would stop some implementors fetching the current value
> and fixing it in their code...
>
> One would want local.zones.arpa (or whatever) to be signed, of course!
Which doesn't work in some of the scenarios where you want this code to come into play, i.e. firewalls that let RFC 1918 reverse queries out but do not let the replies come back. The idea is to prevent the queries leaving the nameservers in the first place.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
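As an added example that is not part of the thread and not ISC's code: a resolver-side "locally served zone" check of the kind Mark describes, where the resolver answers the private and link-local reverse zones itself so that the query never leaves the host. The LOCAL_ZONES list is the quoted list plus the RFC 1918 reverse zones (the `a.e.f`/`b.e.f` entries fill in the quoted "..." for fe80::/10); `dropping_firewall_upstream` is a constructed stand-in for a firewall that lets the query out but drops the reply, and all query names are constructed for illustration.

```python
# Added example, not code from the thread or from ISC: a resolver-side
# "locally served zone" check.  LOCAL_ZONES, the upstream stub and the
# query names are constructed for illustration.
import ipaddress

# Zones the resolver answers itself so the query never leaves the host.
LOCAL_ZONES = [
    "0.in-addr.arpa.",                                   # 0.0.0.0/8
    "127.in-addr.arpa.",                                 # loopback
    "10.in-addr.arpa.",                                  # RFC 1918 10/8
    *[f"{i}.172.in-addr.arpa." for i in range(16, 32)],  # RFC 1918 172.16/12
    "168.192.in-addr.arpa.",                             # RFC 1918 192.168/16
    "254.169.in-addr.arpa.",                             # IPv4 link-local
    "8.e.f.ip6.arpa.", "9.e.f.ip6.arpa.",                # fe80::/10 link-local
    "a.e.f.ip6.arpa.", "b.e.f.ip6.arpa.",                # (the quoted "...")
]


def _labels(name):
    """Split a presentation-form name into labels, root side first, lower-cased."""
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]


def local_zone_for(qname):
    """Return the longest configured local zone containing qname, or None."""
    q = _labels(qname)
    best = None
    for zone in LOCAL_ZONES:
        z = _labels(zone)
        # A zone contains qname when its labels are a prefix of qname's (root first).
        if q[: len(z)] == z and (best is None or len(z) > len(_labels(best))):
            best = zone
    return best


def reverse_name(addr):
    """PTR owner name for an IPv4 or IPv6 address, e.g. 3.2.1.10.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def dropping_firewall_upstream(qname, qtype):
    """Constructed stand-in for the firewall Mark describes: the query goes
    out, but replies for private reverse space never come back."""
    if local_zone_for(qname) is not None:
        raise TimeoutError("reply dropped by firewall")
    return "NOERROR"


def resolve(qname, qtype="PTR", upstream=dropping_firewall_upstream, serve_local=True):
    """Return (where the answer came from, rcode) for one query.

    With serve_local=True the configured zones are answered here as empty
    zones (NXDOMAIN), so nothing is ever sent upstream for them.
    """
    if serve_local and local_zone_for(qname) is not None:
        return ("local", "NXDOMAIN")
    return ("upstream", upstream(qname, qtype))


if __name__ == "__main__":
    for q in (reverse_name("10.1.2.3"), reverse_name("fe80::1"), reverse_name("8.8.8.8")):
        print(q, resolve(q))
```

With `serve_local=False` the 10.in-addr.arpa query reaches the stub and times out, which is the failure mode the reply is about; a distributed list fetched over the DNS would not help there because the resolver still has to send the query before it knows the list applies.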