Florian Weimer wrote:

> I can't sign a thousand million RRsets and serve it in a DoS-resilient
> manner, even with John's partitioning idea (which is rather neat,
> thanks!).

I may have to keep that in mind if I ever DNSSEC our internal composite DNSBL zone, which has probably near 500M IPs listed (both "bad" and "good"). [The zone file is > 500 Mbytes.]

> Macro expansion in the client brings down the number of RRsets to a
> challenging, but manageable level. Chris says there's precedent for
> that, so I think we can end this subthread (or move the discussion to
> some place where the topic of DNSSEC scalability would be more
> on-topic).

Even more so for a client-supplied string being macro-expanded in the client. E.g.: no TXT query at all.

If I had to guess, I suspect that more than half of clients don't issue a TXT query and synthesize their own error message instead. The vast majority of DNSBLs are arranged so that a single message with macro substitution of the IP is sufficient to produce a useful error message, so why wait for a TXT query if you can configure the client to generate its own?

Even though I publish TXT records in our internal DNSBL zone, the filters themselves don't query them. The TXT records are used by administrative tools as part of the FP process because they contain diagnostic information on the entries.

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
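The client behaviour discussed in this thread, as an added illustration that is not part of the original post or of any real DNSBL: a lookup client that forms the reversed-IP owner name, reads the listing return code from the A record, and either synthesizes its rejection text from an operator-configured template with the IP substituted (one query) or, optionally, fetches the TXT record (a second query, with a fallback to the template when the zone publishes none). The zone, apex name, return-code meanings and template are all constructed here for the example; it also covers IPv6 nibble-reversed names, which the post does not mention.

```python
import ipaddress

def dnsbl_owner(ip: str) -> str:
    """Owner name (relative to the list apex) a DNSBL client queries for ip:
    IPv4 octets reversed, IPv6 address expanded and its nibbles reversed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split(".")))
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles))

# Constructed toy zone for illustration only (not a real list). 'A' holds the
# listing return code; 'TXT' is the optional human-readable reason the
# operator publishes, which many clients never ask for.
TOY_APEX = "dnsbl.example.invalid"
TOY_ZONE = {
    dnsbl_owner("1.2.3.4"): {"A": ["127.0.0.2"],
                             "TXT": ["open relay, listed 2024-01-01; ticket #4711"]},
    dnsbl_owner("5.6.7.8"): {"A": ["127.0.0.3"]},      # listed, no TXT published
    dnsbl_owner("2001:db8::1"): {"A": ["127.0.0.2"]},  # IPv6 listing, no TXT
}

# Meaning of each return code, as the (hypothetical) list documents it.
RETURN_CODES = {"127.0.0.2": "open relay", "127.0.0.3": "dynamic/residential address"}

# Template configured once in the filter; the client fills the macros itself,
# so no TXT round trip is needed to produce a useful rejection message.
DEFAULT_TEMPLATE = ("550 %IP% is listed by %APEX% (%REASON%); "
                    "see https://%APEX%/lookup?ip=%IP%")

def expand_macros(template: str, ip: str, apex: str, code: str) -> str:
    """Client-side macro substitution of the IP, list name and return code."""
    reason = RETURN_CODES.get(code, "return code " + code)
    return (template.replace("%IP%", ip)
                    .replace("%APEX%", apex)
                    .replace("%REASON%", reason))

def lookup(zone: dict, owner: str, rtype: str) -> list:
    """Stand-in for a DNS query against the zone; returns the RRset's rdata."""
    return zone.get(owner, {}).get(rtype, [])

def check_sender(ip: str, zone: dict = TOY_ZONE, apex: str = TOY_APEX,
                 template: str = DEFAULT_TEMPLATE, query_txt: bool = False) -> dict:
    """Classify ip against the list. 'queries' counts the DNS round trips made,
    showing the cost of asking for TXT versus synthesizing the message."""
    owner = dnsbl_owner(ip)
    codes = lookup(zone, owner, "A")
    if not codes:
        return {"listed": False, "code": None, "message": None, "queries": 1}
    code = codes[0]
    queries = 1
    txts = []
    if query_txt:
        txts = lookup(zone, owner, "TXT")
        queries += 1
    # Prefer the operator's TXT text when asked for and present; otherwise
    # build the message locally from the template.
    message = txts[0] if txts else expand_macros(
        template, str(ipaddress.ip_address(ip)), apex, code)
    return {"listed": True, "code": code, "message": message, "queries": queries}

if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "2001:db8::1", "9.9.9.9"):
        print(ip, "->", check_sender(ip))
        print(ip, "->", check_sender(ip, query_txt=True))
```

The `queries` field makes the trade-off from the thread concrete: a filter that synthesizes its own text finishes after the A query, while one that wants the operator's diagnostic TXT pays a second round trip and still needs the template as a fallback for entries without TXT data.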