[rbldnsd] Feature request: DNSSEC
Florian Weimer
fw at deneb.enyo.de
Fri Jul 11 00:41:37 MSD 2008
* Victor Duchovni:
> The SpamHaus PBL contains ~420 million logical RRsets. Each would have
> to be individually signed. All the individual IPs in the zone (instead
> of rather large efficiently stored CIDR blocks) would need a separate
> record in the RBL zone file.
Could you provide a number for prefixes aggregated on byte boundaries?
For instance, to blacklist a /15, you would sign just two records:
*.2.1.example
*.3.1.example
If this doesn't work because it doesn't provide enough savings, we could
change the format and store label-expanded bit strings. What's the
total CIDR prefix count?
> Rsync feeds of PBL would become essentially impossible.
We should try. Just create two traditional zone files, sign them, and
transfer them using rsync. Let's see if it works.
> I don't think this proposal is realistic.
The flipside is that if we can demonstrate we can make it fly, nobody
has any excuse anymore not to deploy DNSSEC. 8-)
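The message's counting argument, turned into an added example (not code from the thread, from rbldnsd, or from Spamhaus): a CIDR prefix is split into the smallest set of byte-aligned (/8, /16, /24, /32) subnets, each of which becomes one reversed-octet owner name in a traditional zone file and therefore one RRset to sign. The zone suffix `example` is taken from the owner names in the message; the sample prefixes are constructed, not PBL data, and the code is IPv4 only. It also reports what listing every address individually would cost, for comparison:

```python
# Added example (not from the original thread): split CIDR prefixes into the
# byte-aligned wildcard owner names a traditional DNSBL zone file would carry,
# so the number of RRsets that would have to be signed can be counted.
# IPv4 only.
import ipaddress

# Zone suffix taken from the example owner names in the message; any DNSBL
# zone name works here.
ZONE = "example"


def byte_aligned_subnets(cidr):
    """Minimal cover of `cidr` with /8, /16, /24 or /32 subnets.

    A /15 becomes two /16s, a /22 becomes four /24s, and a /25 degrades to
    128 /32s. Prefixes already on a byte boundary are returned unchanged.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only")
    # Round the prefix length up to the next multiple of 8.
    target = -(-net.prefixlen // 8) * 8
    return list(net.subnets(new_prefix=target))


def owner_name(subnet):
    """DNSBL-style owner name for a byte-aligned subnet: the significant
    octets reversed under ZONE, with a leading '*' label unless the subnet
    is a single address."""
    octets = str(subnet.network_address).split(".")
    significant = subnet.prefixlen // 8
    labels = list(reversed(octets[:significant])) + [ZONE]
    if subnet.prefixlen < 32:
        labels.insert(0, "*")
    return ".".join(labels)


def owner_names(cidr):
    """All owner names (one RRset each) needed to list `cidr`."""
    return [owner_name(s) for s in byte_aligned_subnets(cidr)]


def signing_cost(cidrs):
    """Return (RRsets with byte-aligned wildcards, RRsets if every IP is
    listed individually). The second number is the per-address expansion
    the message argues against."""
    aggregated = sum(len(byte_aligned_subnets(c)) for c in cidrs)
    per_ip = sum(ipaddress.ip_network(c, strict=False).num_addresses
                 for c in cidrs)
    return aggregated, per_ip


if __name__ == "__main__":
    # Constructed sample prefixes, not real PBL data.
    sample = ["1.2.0.0/15", "10.0.0.0/22", "192.0.2.128/25", "203.0.113.7/32"]
    for c in sample:
        names = owner_names(c)
        print(f"{c:18} -> {len(names):4} RRset(s), e.g. {names[0]}")
    print("total (aggregated, per-IP):", signing_cost(sample))
```

The /25 in the sample is the case the message's second suggestion is about: a prefix that is not on a byte boundary cannot be expressed as one octet wildcard, so with plain reversed-octet names it falls back to one record per address, and only a label-expanded bit-string format would bring it back to a single RRset.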