Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

Tony Finch Mon, 23 Sep 2013 11:56:22 -0700

Simon Forster <fors...@spamteq.com> wrote:
>
> As a matter of interest, if one had a DNSBL with 5.5 million entries
> (i.e. 5.5 million IPs):
>
> 1) What needs to be done to rewrite that to a BIND zone?
> 2) What sort of machine would be required to load that zone?
> 3) How long would it take to load into BIND?


I did a quick test. Generating and parsing the zone in text format took
about 80s wall time; loading the raw zone file took 30s. In both cases
named-checkzone used about 1.25GB RAM.

I don't have enough RAM on this machine to run dnssec-signzone in a
reasonable length of time - it goes into swap death after 3GB.

perl -e 'use Crypt::OpenSSL::Random;
        print "x.dotat.at. 3600 in soa black.dotat.at. dot.dotat.at. 1 1h 1h 1w 
1m\n";
        print "x.dotat.at. 3600 in ns black.dotat.at.\n";
        printf "%s.x.dotat.at 3600 IN A 127.0.0.2\n",
                join ".", unpack "C4",
                Crypt::OpenSSL::Random::random_bytes(4)
                for (1..5500000);
        ' |
named-compilezone -i local -k warn -n warn -Fraw -o x.dotat.at x.dotat.at 
/dev/stdin

named-checkzone -i local -k warn -n warn -fraw x.dotat.at x.dotat.at

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

Reply via email to