
discuss - Re: [opennic-discuss] letit2 [.] bit blacklist

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Jonah Aragon <jonaharagon AT gmail.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] letit2 [.] bit blacklist
  • Date: Thu, 24 Aug 2017 22:23:04 +0000

Personally, I think they should be available without registration. It's trivial to just make an account if you're a malicious actor, and I doubt you'd be able to tell the difference between someone requesting it legitimately for their DNS server vs someone requesting it for the purposes you mentioned. 

On the other end of that spectrum you could maybe only make it available to members that operate public servers, if you're that concerned about security of the information. But that would kill transparency for most other users here and I don't think that's a great idea.

Either way, I think you should add a text input for both the whitelisting and blacklisting options similar to the logging "policy" box where operators can enter information on what white/blacklists they've implemented (or just link to the lists they use) that could appear when you hover over the respective buttons on the main page like how logging functions now. That way users will be able to see exactly who/what is blocked without having to enter the servers page, and may clear up some confusion about what exactly whitelisting/blacklisting even is, which I know we get a lot of questions about on the IRC channel.

Jonah

On Thu, Aug 24, 2017, 5:11 PM Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
We should actually consider that.  Currently it requires a valid login to view the blacklist data that opennic members are using...

Requiring authentication to read the data doesn't inhibit access -- you can still write a simple script to retrieve the data.  This does prevent random unknown access to the information.  My concern with making the data fully public is that someone writes a bot which changes domains as rapidly as we post new blacklist entries.  Perhaps there is a minimal chance of this happening, but it *could*.  Or the data could be used for some other nefarious reason.

Is there any beneficial reason to make the data available without a login?  The only thing I can think of offhand is that regular users may wish to see what is being blocked, but this is what should be discussed.  There may be many pros and cons to requiring authentication to access the data, so we should decide which way we want to go with it.


There are other options as well. For example, I want to add new code to the servers page so that each admin can mark exactly which blacklists they are applying to their DNS server.  This allows visitors to quickly see if someone is using a spamhaus list or some other data, however it opens up another possibility.  The servers page already allows logins, so if an admin marks that they are using certain blacklists, I could also make the servers page show the contents of those blacklists AFTER a user has logged in.  That way all of the server information is still in one place and we still have authentication for viewing the data.



On 08/24/2017 04:30 AM, Wil wrote:
You did tell about this. And after some consideration, that’s exactly what I did. At least to remain in line with my ISP (OVH).

spamhaus is providing us with information on the .bit domains they consider 'bad'

In fact, I was wondering if that information was public somehow?

Thanks again for your time.

Wil.



--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org


