RRL probably not useful for DNS IP blacklists,

Simon Forster forster at spamteq.com
Mon Sep 23 21:43:00 UTC 2013


On 23 Sep 2013, at 20:21, Vernon Schryver <vjs at rhyolite.com> wrote:

>> From: Tony Finch <dot at dotat.at>
> 
>>> As a matter of interest, if one had a DNSBL with 5.5 million entries
>>> (i.e. 5.5 million IPs):
>>> 
>>> 1) What needs to be done to rewrite that to a BIND zone?
>>> 2) What sort of machine would be required to load that zone?
>>> 3) How long would it take to load into BIND?
>> 
>> I did a quick test. Generating and parsing the zone in text format took
>> about 80s wall time; loading the raw zone file took 30s. In both cases
>> named-checkzone used about 1.25GB RAM.
>> 
>> I don't have enough RAM on this machine to run dnssec-signzone in a
>> reasonable length of time - it goes into swap death after 3GB.
> 
> It's convenient that with binary zone files and the dynamic update
> protocol, loading from text (or signing a whole zone) is not something
> you need to do every hour on the hour.
> 
> I assume you'd use NSEC instead of NSEC3 when signing, since
> protecting a DNSBL from zone walking makes little more sense than
> protecting a reverse zone.
> 
> By the way, how much smaller would that DNSBL be if it could use
> wildcards?

For the DNSBL in question, probably no smaller - unless you're willing to lose considerable amounts of precision (read false positives).

(As a slightly ironic twist here, my replies to you get rejected as the mail server I'm sending from is in your DCC database.)

> I suspect a real (as opposed to synthetic) DNSBL has
> a lot of repetition in all except the last labels.

Yeah. Depends on the DNSBL. But not in this case.

Nonetheless, Tony's stats were interesting.

ATB

Simon
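Tony's question 1 (turning a list of IPs into a BIND zone) and Vernon's wildcard question, illustrated with an added example that is not part of this thread or of any DNSBL's own tooling: it writes reversed-octet DNSBL records and measures what collapsing /24s into wildcard owners costs in false positives. The zone name, the 127.0.0.2 answer and the address list are constructed placeholders.

```python
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample listing (not a real DNSBL): one fully listed /24,
# one sparse /24, and two scattered hosts.
SAMPLE_IPS = (
    [f"192.0.2.{h}" for h in range(256)]           # 192.0.2.0/24, all 256 hosts
    + [f"198.51.100.{h}" for h in (1, 5, 7, 200)]  # sparse /24
    + ["203.0.113.9", "203.0.113.10"]              # two lone hosts
)

def dnsbl_owner(ip, zone="dnsbl.example."):
    """Reverse the octets of a dotted quad into the DNSBL owner name."""
    return ".".join(reversed(str(IPv4Address(ip)).split("."))) + "." + zone

def zone_records(ips, zone="dnsbl.example.", answer="127.0.0.2"):
    """One A record per listed IP: the exact, wildcard-free zone layout."""
    hosts = sorted(set(ips), key=IPv4Address)
    return [f"{dnsbl_owner(ip, zone)} IN A {answer}" for ip in hosts]

def compact_zone(ips, zone="dnsbl.example.", answer="127.0.0.2", min_hosts=256):
    """Collapse every /24 with at least min_hosts listed hosts into a single
    wildcard owner (*.c.b.a.zone). Returns (records, false_positives), where
    false_positives counts unlisted hosts the wildcards would newly match.
    min_hosts=256 loses no precision; lower values trade precision for size."""
    by_net = defaultdict(set)
    for ip in ips:
        a, b, c, d = str(IPv4Address(ip)).split(".")
        by_net[(a, b, c)].add(int(d))
    records, false_positives = [], 0
    for (a, b, c), hosts in sorted(by_net.items(), key=lambda kv: tuple(map(int, kv[0]))):
        if len(hosts) >= min_hosts:
            records.append(f"*.{c}.{b}.{a}.{zone} IN A {answer}")
            false_positives += 256 - len(hosts)
        else:
            records += [f"{d}.{c}.{b}.{a}.{zone} IN A {answer}" for d in sorted(hosts)]
    return records, false_positives

if __name__ == "__main__":
    print(len(zone_records(SAMPLE_IPS)), "exact records")
    for threshold in (256, 4):
        recs, fps = compact_zone(SAMPLE_IPS, min_hosts=threshold)
        print(f"min_hosts={threshold}: {len(recs)} records, {fps} false positives")
```

With min_hosts=256 only the fully listed /24 collapses and nothing is lost; dropping the threshold shrinks the zone further but every collapsed sparse /24 lists hosts that were never on the list, which is the precision loss Simon refers to.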