[rbldnsd] Feature request: DNSSEC
Victor Duchovni
Victor.Duchovni at morganstanley.com
Fri Jul 11 22:14:40 MSD 2008
On Fri, Jul 11, 2008 at 08:04:30PM +0200, Florian Weimer wrote:
> * Victor Duchovni:
>
> > On Fri, Jul 11, 2008 at 09:19:08AM +0200, Florian Weimer wrote:
> >
> >> * Victor Duchovni:
> >>
> >> > This number works out to ~2.4 million records. Does signing wildcards
> >> > break punching "holes" for exceptions?
> >>
> >> This is more realistic.
> >
> > It is not, because while the A record is independent of the CIDR block
> > member address, the TXT record is not. So the TXT records need individual
> > signatures.
>
> Do you really list 420 million individual IP addresses?

Yes, using RBLDNS macro expansion:

    :127.0.0.10:http://www.spamhaus.org/query/bl?ip=$
    prefix1/mask1 :11
    prefix2/mask2 :10

The dynamic TXT record template substitutes the actual IP address for '$'
on the fly.

> Couldn't you
> pass the CIDR range you list to the web front end?

No, because when the user later comes back with the URL in the reject
message, it needs to be for the specific IP, so it can show the *current*
status of *that* IP.

--
Viktor.
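
The point made in this message, as an added example that is not part of the original post and is not rbldnsd code: expanding the '$' template over a listed block gives one A value for the whole block but a different TXT string for every address. The CIDR blocks are constructed documentation ranges, the function names are hypothetical, and reading `:11` as 127.0.0.11 is an assumption about the zone-file shorthand.

```python
import ipaddress

# TXT template from the message; '$' stands for the queried IP address.
TEMPLATE = "http://www.spamhaus.org/query/bl?ip=$"

# Constructed sample listings (RFC 5737 documentation ranges), not real data.
# Second field: assumed last octet of the 127.0.0.x return code.
LISTINGS = [("192.0.2.0/29", 11), ("198.51.100.8/30", 10)]


def expand(cidr, last_octet, template=TEMPLATE):
    """Yield (owner label, A rdata, TXT rdata) for every address in the block."""
    for ip in ipaddress.ip_network(cidr):
        # DNSBL owner names use the octets in reverse order.
        owner = ".".join(reversed(str(ip).split(".")))
        yield owner, f"127.0.0.{last_octet}", template.replace("$", str(ip))


def rrset_counts(listings):
    """Count the distinct answers a pre-signed zone would have to cover."""
    names = 0
    a_values = set()    # one entry per (block, A value): constant across a block
    txt_values = set()  # expanded TXT strings: address-dependent
    for cidr, octet in listings:
        for owner, a_rdata, txt_rdata in expand(cidr, octet):
            names += 1
            a_values.add((cidr, a_rdata))
            txt_values.add(txt_rdata)
    return {
        "names": names,
        "distinct_A": len(a_values),
        "distinct_TXT": len(txt_values),
    }


if __name__ == "__main__":
    for owner, a_rdata, txt_rdata in expand(*LISTINGS[1]):
        print(f"{owner:<16} A {a_rdata:<11} TXT {txt_rdata}")
    print(rrset_counts(LISTINGS))
```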