[rbldnsd] Feature request: DNSSEC
Victor Duchovni
Victor.Duchovni at morganstanley.com
Fri Jul 11 03:31:31 MSD 2008
On Thu, Jul 10, 2008 at 10:41:37PM +0200, Florian Weimer wrote:
> * Victor Duchovni:
>
> > The SpamHaus PBL contains ~420 million logical RRsets. Each would have
> > to be individually signed. All the individual IPs in the zone (instead
> > of rather large efficiently stored CIDR blocks) would need a separate
> > record in the RBL zone file.
>
> Could you provide a number for prefixes aggregated on byte boundaries?
> For instance, to blacklist a /15, you would sign just two records:
>
> *.2.1.example
> *.3.1.example
This number works out to ~2.4 million records. Does signing wildcards
break punching "holes" for exceptions?
> If this doesn't work because it doesn't provide enough savings, we could
> change the format and store label-expanded bit strings. What's the
> total CIDR prefix count?
There are ~165,000 CIDR prefixes in the PBL zone.
> > Rsync feeds of PBL would become essentially impossible.
>
> We should try. Just create two traditional zone files, sign them, and
> transfer them using rsync. Let's see if it works.
420 million signed RRsets? I have neither the bandwidth nor the disk-space
for this.
> > I don't think this proposal is realistic.
>
> The flipside is that if we can demonstrate we can make it fly, nobody
> has any excuse anymore not to deploy DNSSEC. 8-)
You can build a zone file with 420 million listed IPs for each of which
you need
1.2.0.192.dnsbl.example.com. IN A 127.0.0.2
1.2.0.192.dnsbl.example.com. IN TXT "http://www.example.com?q=192.0.2.1"
Tell us how much luck you have signing such a zone, storing it and moving
it around with rsync when you make changes...
--
/"\ ASCII RIBBON NOTICE: If received in error,
\ / CAMPAIGN Victor Duchovni please destroy and notify
X AGAINST IT Security, sender. Sender does not waive
/ \ HTML MAIL Morgan Stanley confidentiality or privilege,
and use is prohibited.
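As an added illustration of the two schemes being compared above (this is not code from the thread, from rbldnsd or from Spamhaus), the Python script below splits a CIDR prefix into the byte-aligned wildcard owner names Florian proposes and emits the reversed-octet A/TXT records in the form Victor shows. The zone name dnsbl.example, the listing value 127.0.0.2 and the TXT URL are assumptions for the example; the /15, /12 and /30 inputs are constructed.

```python
import ipaddress

# Assumed zone name and listing value for this illustration.
ZONE = "dnsbl.example"
LISTED_A = "127.0.0.2"


def reversed_name(ip):
    """Owner name for a single IPv4 address: octets reversed under the zone
    (192.0.2.1 -> 1.2.0.192.dnsbl.example.)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE + "."


def byte_aligned_blocks(cidr):
    """Split a CIDR prefix into the fewest blocks whose prefix length is a
    multiple of 8.  Each such block maps onto exactly one DNS owner name:
    a wildcard for /8, /16 and /24, a plain host name for /32."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    target = ((net.prefixlen + 7) // 8) * 8
    if target == net.prefixlen:
        return [net]
    return list(net.subnets(new_prefix=target))


def owner_name(block):
    """Owner name that covers one byte-aligned block in the reversed zone."""
    octets = str(block.network_address).split(".")
    kept = list(reversed(octets[: block.prefixlen // 8]))
    if block.prefixlen == 32:
        return ".".join(kept + [ZONE]) + "."
    return ".".join(["*"] + kept + [ZONE]) + "."


def wildcard_names(cidr):
    """Owner names needed to list a CIDR prefix with byte-aligned wildcards.
    A /15 needs two /16 wildcards, a /12 needs sixteen, and a /30 needs four
    explicit host names, because nothing longer than a /24 has a wildcard."""
    return [owner_name(b) for b in byte_aligned_blocks(cidr)]


def zone_lines(owner, ip_text):
    """The A and TXT RRs one listing produces, in the form quoted in the thread."""
    return [
        f"{owner} IN A {LISTED_A}",
        f'{owner} IN TXT "http://www.example.com?q={ip_text}"',
    ]


def record_count(prefixes):
    """Number of owner names a list of prefixes costs under the byte-aligned
    scheme; each name carries its own RRsets and therefore its own RRSIGs."""
    return sum(len(wildcard_names(p)) for p in prefixes)


if __name__ == "__main__":
    for cidr in ("1.2.0.0/15", "10.0.0.0/12", "192.0.2.0/30"):
        print(cidr, "->", len(wildcard_names(cidr)), "owner names")
        for name in wildcard_names(cidr):
            print("   ", name)
    print()
    for line in zone_lines(reversed_name("192.0.2.1"), "192.0.2.1"):
        print(line)
```

Running record_count over a real prefix list gives the size of the signed zone under the wildcard scheme, which is the ~2.4 million figure Victor quotes for the PBL versus the ~165,000 raw CIDR prefixes; the gap comes from prefixes that are not byte-aligned, each of which expands to 2, 4, 8 or more owner names.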