[rbldnsd] Feature request: DNSSEC
Michael Tokarev
mjt at tls.msk.ru
Thu Jul 10 22:20:17 MSD 2008
Victor Duchovni wrote:
> On Thu, Jul 10, 2008 at 09:28:40AM -0700, Jeff Chan wrote:
>
>> Hi Michael,
>> In light of the recent DNS cache poisoning exploits identified,
>> may I request DNSSEC for rbldnsd? Obviously this could add very
>> significant overhead but it could help prevent alteration of DNS
>> responses in a remote cache.
>
> The SpamHaus PBL contains ~420 million logical RRsets. Each would have
> to be individually signed. All the individual IPs in the zone (instead
> of rather large efficiently stored CIDR blocks) would need a separate
> record in the RBL zone file. Rsync feeds of PBL would become essentially
> impossible.
Or let rbldnsd sign replies on the fly, giving it the necessary key(s).
It's a trade-off between being unrealistic and providing some protection.
After all, signing key security isn't more important than the data it
protects.
But I still don't think it's necessary to implement. All this current
fuss about DNS insecurities, with "DNSSEC" written over everything...
There are far more important points to attack than a DNSBL. And even
if a DNSBL is being attacked, it's usually some sort of DDoS attack
against the DNSBL itself.
/mjt
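The two options discussed in this thread, a pre-signed zone versus signing replies on the fly, differ mainly in how many signatures have to exist. The following is an added illustration, not code from rbldnsd or from anyone in the thread: it expands a constructed list of CIDR blocks into the per-address owner names a DNSBL uses (octets reversed under a hypothetical zone `bl.example`), counts how many RRSIGs a pre-signed zone would need, and contrasts that with a signer that only signs the names it actually answers. An HMAC over the owner name stands in for a real RRSIG, and the zone name, key and query list are all constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample zone: a few CIDR blocks, stored compactly as rbldnsd would.
SAMPLE_CIDRS = ["192.0.2.0/29", "198.51.100.0/30", "203.0.113.5/32"]
ZONE = "bl.example"  # hypothetical DNSBL zone name (assumption)


def owner_name(ip, zone=ZONE):
    """DNSBL owner name for an IPv4 address: octets reversed, zone appended."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def expand_cidrs(cidrs, zone=ZONE):
    """Every address in every block becomes its own owner name.

    This is the expansion a pre-signed zone forces: DNSSEC signs RRsets per
    owner name, so a CIDR block cannot be signed as one unit.
    """
    names = []
    for block in cidrs:
        for ip in ipaddress.ip_network(block, strict=True):
            names.append(owner_name(ip, zone))
    return names


def offline_rrsig_count(cidrs, rrsets_per_name=1):
    """Pre-signed zone: one RRSIG per RRset per owner name, all computed up front.

    A DNSBL answering with both A and TXT records has two RRsets per name.
    """
    return len(expand_cidrs(cidrs)) * rrsets_per_name


class OnTheFlySigner:
    """Keeps the CIDR blocks as-is and signs only the names it actually answers.

    The HMAC here is a stand-in for an RRSIG so the example runs offline; it is
    not DNSSEC. Signatures are cached so each listed name is signed at most once.
    """

    def __init__(self, cidrs, key):
        self.nets = [ipaddress.ip_network(c) for c in cidrs]
        self.key = key          # constructed secret, stands in for the zone signing key
        self.cache = {}         # owner name -> signature
        self.sign_ops = 0       # how many signatures were actually computed

    def is_listed(self, ip):
        """CIDR lookup over the compact block list (the lookup rbldnsd does cheaply)."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

    def answer(self, ip):
        """Return (owner name, signature) for a listed address, or None if unlisted."""
        if not self.is_listed(ip):
            return None
        name = owner_name(ip)
        if name not in self.cache:
            self.sign_ops += 1
            self.cache[name] = hmac.new(self.key, name.encode(), hashlib.sha256).hexdigest()
        return name, self.cache[name]


if __name__ == "__main__":
    print("owner names in a pre-signed zone:", len(expand_cidrs(SAMPLE_CIDRS)))
    print("RRSIGs with A and TXT RRsets:", offline_rrsig_count(SAMPLE_CIDRS, rrsets_per_name=2))
    signer = OnTheFlySigner(SAMPLE_CIDRS, b"constructed-key")
    # Constructed query stream: one repeated listed address, one other listed, one unlisted.
    for ip in ["192.0.2.7", "192.0.2.7", "198.51.100.1", "10.0.0.1"]:
        print(ip, "->", signer.answer(ip))
    print("signatures computed on the fly:", signer.sign_ops)
```

The point the numbers make is the one from the thread: the pre-signed zone pays for every address in every block whether or not anyone ever queries it, while the on-the-fly signer pays once per distinct name actually answered and keeps the compact CIDR storage. The cost of the second approach is that the signing key has to live on the serving host.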