Florian Weimer wrote:

> The expectation is that error messages generated from TXT records
> contain the actual IP addresses which triggered the DNSBL lookups. As
> a result, if you list a /16 (say), you need to publish 65,536 different
> TXT records.
>
> Currently, these records are synthesized using a macro capability in
> the DNS server. How does that break DNSSEC?

A number of DNSBLs merely suggest an error message in their usage instructions, and leave it up to the client to synthesize a combination of the suggested error message and the IP address. Macro expansion in the client (either of a supplied TXT record or of a client-configured string) seems common. Of course, they're still only suggestions, and some DNSBL users will generate their own.

The worst of all are the clients that don't tell you what the IP was and offer no other way to remediate issues. There are situations like this which even leave admins scratching their heads.

[While the BCP isn't yet on the table w.r.t. the spec (it may be), this issue is covered in the BCP.]
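As an added illustration of the client-side macro expansion discussed in this thread (example code, not from either poster or from any DNSBL): a single TXT template can cover every address in a listed /16 when the mail client substitutes the queried IP itself, and a client-configured string can supply the IP when the list's TXT record does not. The `$ip` macro token, the `dnsbl.example` zone and the sample TXT strings are assumptions constructed for this example; the thread does not specify any particular macro syntax.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Assumed macro token. The thread does not name the macro syntax any DNSBL
# or client actually uses, so this is a placeholder convention.
IP_MACRO = "$ip"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, under the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}."


def expand_message(txt_record: Optional[str], ip: str, local_template: str) -> str:
    """Produce the reject message for one listed IP.

    If the DNSBL's TXT record carries the macro, expand it on the client side.
    Otherwise fall back to the client's own configured template, so the message
    always names the IP that triggered the lookup (the remediation problem the
    thread complains about when clients omit it).
    """
    template = txt_record if txt_record and IP_MACRO in txt_record else local_template
    return template.replace(IP_MACRO, ip)


def messages_for_listing(txt_record: Optional[str], ips: Iterable[str],
                         zone: str, local_template: str) -> Dict[str, Tuple[str, str]]:
    """Map each IP to (query name, expanded message) using one shared template."""
    return {ip: (dnsbl_query_name(ip, zone), expand_message(txt_record, ip, local_template))
            for ip in ips}


if __name__ == "__main__":
    # Constructed sample data: one TXT record with a macro serving a whole /16.
    listed_txt = "Listed by dnsbl.example: $ip, see https://dnsbl.example/q?ip=$ip"
    fallback = "Rejected: $ip is listed by dnsbl.example"
    for ip, (qname, msg) in messages_for_listing(
            listed_txt, ["192.0.2.10", "192.0.2.200"], "dnsbl.example", fallback).items():
        print(qname, "->", msg)
    # A TXT record without the macro: the client template supplies the IP.
    print(expand_message("Blocked, see the list's web site", "192.0.2.10", fallback))
```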