[rbldnsd] Feature request: DNSSEC
Victor Duchovni
Victor.Duchovni at morganstanley.com
Thu Jul 10 20:37:47 MSD 2008
On Thu, Jul 10, 2008 at 09:28:40AM -0700, Jeff Chan wrote:
> Hi Michael,
> In light of the recent DNS cache poisoning exploits identified,
> may I request DNSSEC for rbldnsd? Obviously this could add very
> significant overhead but it could help prevent alteration of DNS
> responses in a remote cache.

The Spamhaus PBL contains ~420 million logical RRsets. Each would have
to be individually signed. All the individual IPs in the zone (instead
of rather large efficiently stored CIDR blocks) would need a separate
record in the RBL zone file. Rsync feeds of PBL would become essentially
impossible.

I don't think this proposal is realistic.

--
/"\ ASCII RIBBON NOTICE: If received in error,
\ / CAMPAIGN Victor Duchovni please destroy and notify
X AGAINST IT Security, sender. Sender does not waive
/ \ HTML MAIL Morgan Stanley confidentiality or privilege,
and use is prohibited.
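
The scaling argument in the reply above, worked through as an added example (not part of the original message and not rbldnsd code). It assumes one pre-signed RRset per listed address, as the post describes, and uses constructed documentation-range CIDR blocks, a hypothetical zone name `pbl.example`, and 128-byte (RSA-1024) signatures.

```python
import ipaddress

# Constructed sample listing (documentation ranges), not real PBL data.
SAMPLE_CIDRS = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.64/26"]
ZONE = "pbl.example"  # hypothetical zone name (assumption)


def dnsbl_owner(ip, zone=ZONE):
    """Owner name a DNSBL client queries for an IPv4 address:
    the octets reversed, followed by the zone name."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def expand(cidrs, zone=ZONE):
    """Yield one owner name per address covered by the CIDR entries.
    This is the per-address form the reply says signing would need."""
    for cidr in cidrs:
        for ip in ipaddress.ip_network(cidr):
            yield dnsbl_owner(ip, zone)


def rrsig_rdata_len(signer, sig_len=128):
    """RRSIG RDATA size per RFC 4034: 18 fixed bytes, the signer name
    in wire format, and the signature itself."""
    labels = signer.rstrip(".").split(".")
    wire_name = sum(len(label) + 1 for label in labels) + 1  # + root label
    return 18 + wire_name + sig_len


def per_address_cost(cidrs, zone=ZONE, sig_len=128):
    """Compare the compact CIDR listing with its signed, expanded form.
    Counts signature RDATA only; NSEC/NSEC3 and record data are ignored."""
    rrsets = sum(1 for _ in expand(cidrs, zone))
    return {
        "cidr_entries": len(cidrs),
        "rrsets_to_sign": rrsets,
        "rrsig_rdata_bytes": rrsets * rrsig_rdata_len(zone, sig_len),
    }


if __name__ == "__main__":
    print(dnsbl_owner(ipaddress.ip_address("192.0.2.1")))
    print(per_address_cost(SAMPLE_CIDRS))
    # The same per-signature size applied to the ~420 million RRsets in the post.
    print(420_000_000 * rrsig_rdata_len(ZONE) / 1e9, "GB of signature RDATA")
```

Three CIDR lines become 448 separately signed RRsets here, and removing a single CIDR entry from the listing changes every signed record under it, which is why the expanded form is so much harder to distribute as a delta.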