In message <87skprnyml.fsf@xxxxxxxxxxxxxxxxx>, Florian Weimer writes:
> * Mark Andrews:
>
> >> >> The lack of a macro capability also means that it's basically
> >> >> impossible to secure DNSBL zones with DNSSEC when they contain larger
> >> >> chunks of address space; see the example in section 2.1.
> >> >
> >> > How so?
> >>
> >> The expectation is that error messages generated from TXT records
> >> contain the actual IP addresses which triggered the DNSBL lookups. As
> >> a result, if you list a /16 (say), you need to publish 65,536 different
> >> TXT records.
> >>
> >> Currently, these records are synthesized using a macro capability in
> >> the DNS server.
> >
> > Which is independent of DNSSEC. I ask again how this is a
> > DNSSEC problem.
>
> I didn't say it was a DNSSEC problem. I just wanted to note it's
> impossible to secure some existing DNSBL zones using DNSSEC without
> sacrificing some of the functionality which is mentioned in section
> 2.1 in the draft.

I still don't believe your claim.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@xxxxxxx
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
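To make the disputed point concrete, here is an added Python example (not code from the thread or from any DNSBL operator) that expands a constructed listing into DNSBL owner names and counts how many distinct RRsets a zone would have to sign when each TXT embeds the looked-up address. The zone name, the 127.0.0.2 sentinel and the message template are assumptions.

```python
import ipaddress
from typing import Dict, Iterator, Tuple

# Constructed example values; the real zone and wording are not in the thread.
ZONE = "dnsbl.example."
SENTINEL_A = "127.0.0.2"
TEMPLATE = "Listed: {ip} is within a listed address range"


def dnsbl_owner(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def expand_listing(cidr: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (owner, A rdata, TXT rdata) for every address in the block.

    Every address gets the same A rdata, so one wildcard RRset could
    serve them all. The TXT rdata differs per address because the
    address itself is in the text, which is exactly what a macro in the
    server synthesizes on the fly and what a signed zone must instead
    enumerate and sign name by name.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    for ip in net:
        yield dnsbl_owner(str(ip)), SENTINEL_A, TEMPLATE.format(ip=ip)


def signed_record_counts(cidr: str) -> Dict[str, int]:
    """Count owner names and distinct A / TXT rdata needed for the block."""
    a_rdata, txt_rdata, names = set(), set(), 0
    for _owner, a, txt in expand_listing(cidr):
        names += 1
        a_rdata.add(a)
        txt_rdata.add(txt)
    return {
        "names": names,
        "distinct_a": len(a_rdata),
        "distinct_txt": len(txt_rdata),
    }


if __name__ == "__main__":
    # A /16 yields one shared A value but 65,536 distinct TXT values.
    print(signed_record_counts("10.0.0.0/16"))
```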