Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blacklists and Whitelists)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Florian Weimer wrote:

> I can't sign a thousand million RRsets and serve it in a DoS-resilient
> manner, even with John's partitioning idea (which is rather neat,
> thanks!).

I may have to keep that in mind if I ever DNSSEC our internal composite
DNSBL zone, which has probably near 500M IPs listed (both "bad" and "good").

[The zone file is > 500Mbytes]

> Macro expansion in the client brings down the number of RRsets to a
> challenging, but manageable level.  Chris says there's precedent for
> that, so I think we can end this subthread (or move the discussion to
> some place where the topic of DNSSEC scalability would be more
> on-topic).

Even more for a client-supplied string being macro-expanded in the
client.  Eg: no TXT query at all.

If I had to guess, I suspect that more than half of clients don't issue
a TXT query and synthesize their own error message instead.  The vast
majority of DNSBLs are arranged so that a single message with macro
substitution of IP is sufficient to produce a useful error message, so
why wait for a TXT query if you can configure the client to generate its
own?

Even tho I publish TXT records in our internal DNSBL zone, the filters
themselves don't query them.  The TXT records are used by administrative
tools as part of the FP process because they contain diagnostic
information on the entries.
_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]