* Mark Andrews:

>> >> The lack of a macro capability also means that it's basically
>> >> impossible to secure DNSBL zones with DNSSEC when they contain larger
>> >> chunks of address space; see the example in section 2.1.
>> >
>> > How so?
>>
>> The expectation is that error messages generated from TXT records
>> contain the actual IP addresses which triggered the DNSBL lookups. As
>> a result, if you list a /16 (say), you need to publish 65,536 different
>> TXT records.
>>
>> Currently, these records are synthesized using a macro capability in
>> the DNS server.
>
> Which is independent of DNSSEC. I ask again how this is a
> DNSSEC problem.

I didn't say it was a DNSSEC problem. I just wanted to note it's
impossible to secure some existing DNSBL zones using DNSSEC without
sacrificing some of the functionality which is mentioned in section
2.1 in the draft.
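The record count discussed in this message, as an added example that is not part of the original thread: it lists what an offline signer would have to publish for one DNSBL listing when the TXT text embeds the queried address, compared with static text served from signed wildcards. The `{ip}` placeholder, the zone `bl.example`, the sample networks and the wildcard comparison are assumptions made for illustration.

```python
import ipaddress

MACRO = "{ip}"  # hypothetical placeholder standing in for the server's macro syntax


def dnsbl_owner(ip, zone):
    """Owner name queried for an IPv4 address: octets reversed, zone appended."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def wildcard_owners(net, zone):
    """Names covering a network with static data, one per octet-aligned block."""
    # Round the prefix up to the next label boundary (/8, /16, /24 or /32).
    aligned = max(8, -(-net.prefixlen // 8) * 8)
    owners = []
    for block in net.subnets(new_prefix=aligned):
        fixed = str(block.network_address).split(".")[: aligned // 8]
        star = "" if aligned == 32 else "*."
        owners.append(star + ".".join(reversed(fixed)) + "." + zone)
    return owners


def records_to_sign(cidr, zone, template):
    """(owner, TXT) pairs that must exist in the zone before it is signed."""
    net = ipaddress.ip_network(cidr)
    if MACRO not in template:
        # Static text: every address in a block shares one wildcard RRset.
        return [(owner, template) for owner in wildcard_owners(net, zone)]
    # Per-address text: the RDATA differs for each name, so each needs
    # its own TXT RRset (and its own signature).
    return [(dnsbl_owner(ip, zone), template.replace(MACRO, str(ip)))
            for ip in net]


if __name__ == "__main__":
    zone = "bl.example"                       # constructed sample zone
    listing = "192.0.0.0/16"                  # constructed sample listing
    per_ip = records_to_sign(listing, zone, "Blocked, see list entry for {ip}")
    static = records_to_sign(listing, zone, "Blocked, see list policy")
    print(len(per_ip), "RRsets with per-address text, e.g.", per_ip[611])
    print(len(static), "RRset with static text:", static[0])
```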