>The expectation is that error messages generated from TXT records >contain the actual IP addresses which triggered the DNSBL lookups. As >a result, if you list a /16 (say), you need publish 65,536 different >TXT records. Some do, some don't. In any event I agree that DNSSEC is not ideally suited to signing DNSBLs, but I would think that with some judicious partitioning into subzones the problem wouldn't be intractable. R's, John _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf