RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)
Tony Finch
dot at dotat.at
Mon Sep 23 18:24:57 UTC 2013
Simon Forster <forster at spamteq.com> wrote:
>
> As a matter of interest, if one had a DNSBL with 5.5 million entries
> (i.e. 5.5 million IPs):
>
> 1) What needs to be done to rewrite that to a BIND zone?
> 2) What sort of machine would be required to load that zone?
> 3) How long would it take to load into BIND?
I did a quick test. Generating and parsing the zone in text format took
about 80s wall time; loading the raw zone file took 30s. In both cases
named-checkzone used about 1.25GB RAM.
I don't have enough RAM on this machine to run dnssec-signzone in a
reasonable length of time - it goes into swap death after 3GB.
# Generate the zone on stdin: apex SOA and NS, then 5.5M A records at
# random owner names. The owner names carry a trailing dot so they are
# absolute; without it the zone origin is appended again and the records
# fall outside x.dotat.at.
perl -e 'use Crypt::OpenSSL::Random;
print "x.dotat.at. 3600 in soa black.dotat.at. dot.dotat.at. 1 1h 1h 1w 1m\n";
print "x.dotat.at. 3600 in ns black.dotat.at.\n";
printf "%s.x.dotat.at. 3600 IN A 127.0.0.2\n",
join ".", unpack "C4",
Crypt::OpenSSL::Random::random_bytes(4)
for (1..5500000);
' |
named-compilezone -i local -k warn -n warn -Fraw -o x.dotat.at x.dotat.at /dev/stdin
# Time loading the compiled raw file back with the same integrity checks.
named-checkzone -i local -k warn -n warn -fraw x.dotat.at x.dotat.at
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
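The Perl one-liner above only needs throwaway owner names to measure load time. A zone that actually answers DNSBL lookups keys every entry by the address's octets reversed under the zone apex (192.0.2.10 is queried as 10.2.0.192.x.dotat.at), answers with an A record in 127.0.0.0/8 and usually a TXT reason. The generator below is an added example, not code from the post or from BIND; it assumes the zone name x.dotat.at from the post, a placeholder NS name and glue address, the conventional 127.0.0.2 listing answer, and a constructed sample input. It goes beyond the single-address case by accepting CIDR entries: /8, /16 and /24 blocks become one wildcard owner, other prefixes are expanded to individual /32 owners.

```python
import ipaddress
from typing import Iterator, List, Tuple

# Constructed sample input (not real blocklist data): one IPv4 address or
# CIDR block per line, '#' starts a comment.
SAMPLE_BLOCKLIST = """\
# constructed sample entries
192.0.2.10
192.0.2.200          # trailing comment
198.51.100.7
203.0.113.0/24
not-an-ip
"""

ZONE = "x.dotat.at"   # zone name borrowed from the post; any apex works
LISTED = "127.0.0.2"  # conventional DNSBL "listed" answer


def parse_blocklist(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Return (networks, rejected_lines). Bare addresses become /32 networks;
    comments and blank lines are skipped, unparseable lines are reported."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def dnsbl_owner(ip: str, zone: str) -> str:
    """Owner name a client queries for one address: octets reversed under
    the zone, absolute (trailing dot), e.g. 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone + "."


def owners_for(net: ipaddress.IPv4Network, zone: str) -> Iterator[str]:
    """Owner names covering a network. Octet-aligned blocks (/8, /16, /24)
    map to a single wildcard; anything else is expanded host by host."""
    if net.prefixlen in (8, 16, 24):
        keep = net.prefixlen // 8
        octets = str(net.network_address).split(".")[:keep]
        yield "*." + ".".join(reversed(octets)) + "." + zone + "."
    else:
        for addr in net:
            yield dnsbl_owner(str(addr), zone)


def zone_text(nets: List[ipaddress.IPv4Network], zone: str,
              ttl: int = 3600, answer: str = LISTED) -> str:
    """Render a master-format zone: apex SOA/NS, placeholder glue, then one
    A and one TXT record per owner, with duplicate owners collapsed."""
    lines = [
        f"{zone}. {ttl} IN SOA ns.{zone}. hostmaster.{zone}. 1 1h 1h 1w 1m",
        f"{zone}. {ttl} IN NS ns.{zone}.",
        f"ns.{zone}. {ttl} IN A 192.0.2.1",  # constructed placeholder glue
    ]
    seen = set()
    for net in nets:
        for owner in owners_for(net, zone):
            if owner in seen:
                continue
            seen.add(owner)
            lines.append(f"{owner} {ttl} IN A {answer}")
            lines.append(f'{owner} {ttl} IN TXT "Listed: {net}"')
    return "\n".join(lines) + "\n"


def build_zone(text: str, zone: str = ZONE) -> Tuple[str, List[str]]:
    """Parse a blocklist and return (zone file text, rejected input lines)."""
    nets, rejected = parse_blocklist(text)
    return zone_text(nets, zone), rejected


if __name__ == "__main__":
    zone, rejected = build_zone(SAMPLE_BLOCKLIST)
    print(zone, end="")
    print("rejected:", rejected)
```

The output is plain master format, so it can be piped into the same named-compilezone / named-checkzone pair as the post's test. Wildcards keep the zone small for whole /24s, but a wildcard only matches names that have no closer explicit match; an explicit /32 inside a wildcarded /24 still answers, and with the same data here, so the two forms can coexist.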