Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blacklists and Whitelists)

* Chris Lewis:

> Florian Weimer wrote:
>
>> The expectation is that error messages generated from TXT records
>> contain the actual IP addresses which triggered the DNSBL lookups.  As
>> a result, if you list a /16 (say), you need to publish 65,536 different
>> TXT records.
>> 
>> Currently, these records are synthesized using a macro capability in
>> the DNS server.
>
> How does that break DNSSEC?

You'd need online signature generation (which implies sharing the key
with all mirrors), or hundreds of millions of precomputed signatures
for some existing zones.  (Due to the prevalent attack scenario, more
frequent than usual key rollovers are needed, so this really hurts.)

> A number of DNSBLs merely suggest an error message in their usage
> instructions, and leave it up to the client to synthesize a
> combination of the suggested error message and the IP address.
> Macro expansion in the client (either of supplied TXT or
> client-configured string) seems common.

I've been told that this approach would not be acceptable.  But my
source probably lacked your insight into the field.

With macro expansion in the client, signing and serving typical DNSBLs
is still somewhat of a challenge, but doable.
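As an added illustration of the two models discussed in this exchange (not code from the thread or from any real DNSBL): a hypothetical zone `dnsbl.example` with constructed listings, a client-side `$IP$` macro, and the number of TXT records (hence offline signatures) one listed /16 needs under each approach.

```python
import ipaddress
from typing import Optional

# Constructed in-memory zone for the hypothetical DNSBL "dnsbl.example".
# Each listing is a CIDR block carrying ONE TXT template; the client expands
# $IP$ itself, so the zone holds one signable TXT RRset per listing rather
# than one per covered address.
ZONE = "dnsbl.example"
LISTINGS = {
    ipaddress.ip_network("192.0.2.0/24"):
        "Listed: $IP$ is on dnsbl.example, see https://dnsbl.example/q?ip=$IP$",
    ipaddress.ip_network("198.51.0.0/16"):
        "Listed: $IP$ (dynamic range), see https://dnsbl.example/dyn",
}


def query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup_template(ip: str) -> Optional[str]:
    """Return the TXT template of the listing covering ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for network, template in LISTINGS.items():
        if addr in network:
            return template
    return None


def expand(template: str, ip: str) -> str:
    """Client-side macro expansion: substitute the queried address."""
    return template.replace("$IP$", ip)


def rejection_message(ip: str) -> Optional[str]:
    """Text an MTA would put in its SMTP error for a listed client, if any."""
    template = lookup_template(ip)
    return None if template is None else expand(template, ip)


def txt_records_needed(network: ipaddress.IPv4Network, client_expands: bool) -> int:
    """TXT records (each needing its own signature) one listing requires."""
    return 1 if client_expands else network.num_addresses
```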