I opined about a year ago that DNS blacklists wouldn't work for mail that runs over IPv6 rather than IPv4. The reason is that IPv6 has such a huge range of addresses that spammers can easily send every message from a unique IP address, which means that recipient systems will fire off a unique set of DNSBL queries for every message, which will swamp DNS caches, since they won't be able to reuse cached results from previous queries like they can for IPv4 mail.
Now I'm much less sure this will be a problem, because it's not clear that DNSBL results benefit from caches now.
Large and small mail systems access DNSBLs differently. Large systems make arrangements with the DNSBL operators to download their own copies of the DNSBLs they use via rsync or something similar. Then they glom all of the DNSBLs together and typically run copies of rbldnsd on the same local networks as the mail servers so for each incoming message, the mail server can send a local query to rbldnsd and get back one response with all of the DNSBL information relevant to the message. For these systems, a DNS cache provides no benefit because getting the answer from rbldnsd is just as fast if not faster than getting it from a cache. I don't know whether they currently configure their systems not to use caches, but if they don't, it would be technically straightforward. In a world with IPv6 DNSBLs, this would all work exactly the same way, download the DNSBL with rsync and serve it locally with rbldnsd.
Small systems send ordinary DNS queries to the main servers for each DNSBL they use, typically via a local DNS cache. As far as I can tell, caches don't help these systems either, because there isn't enough repeat traffic from the same IP to reuse cached results. It is surprisingly hard to find trace data to test out this theory, but it seems to be true of traffic on my small (100K connections/day) system, and on the few others I've been able to ask. (If you are willing to provide mail server connection traces of timestamps and IP addresses, so I can do more testing, please let me know. Or I can provide test scripts you can run on your own data and see how well your DNSBL queries cache.)
This suggests that DNSBL clients, which are usually mail servers, will be able to use DNSBLs largely the same way they do now, perhaps with modest cache partitioning tweaks to tell the caches not to bother caching DNSBL query results. But that doesn't mean that there's no problems with IPv6 DNSBLs. In the next message, I'll look at problems facing DNSBL operators.
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines
Neustar DDoS Protection
Neustar DNS Services