On 23 Sep 2013, at 20:21, Vernon Schryver <v...@rhyolite.com> wrote:
>> From: Tony Finch <d...@dotat.at>
>
>>> As a matter of interest, if one had a DNSBL with 5.5 million entries
>>> (i.e. 5.5 million IPs):
>>>
>>> 1) What needs to be done to rewrite that to a BIND zone?
>>> 2) What sort of machine would be required to load that zone?
>>> 3) How long would it take to load into BIND?
>>
>> I did a quick test. Generating and parsing the zone in text format took
>> about 80s wall time; loading the raw zone file took 30s. In both cases
>> named-checkzone used about 1.25GB RAM.
>>
>> I don't have enough RAM on this machine to run dnssec-signzone in a
>> reasonable length of time - it goes into swap death after 3GB.
>
> It's convenient that with binary zone files and the dynamic update
> protocol, loading from text (or signing a whole zone) is not something
> you need to do every hour on the hour.
>
> I assume you'd use NSEC instead of NSEC3 when signing, since
> protecting a DNSBL from zone walking makes little more sense than
> protecting a reverse zone.
>
> By the way, how much smaller would that DNSBL be if it could use
> wildcards?

For the DNSBL in question, probably no smaller - unless you're willing to
lose considerable amounts of precision (read false positives).

(As a slightly ironic twist here, my replies to you get rejected as the
mail server I'm sending from is in your DCC database.)

> I suspect a real (as opposed to synthetic) DNSBL has
> a lot of repetition in all except the last labels.

Yeah. Depends on the DNSBL. But not in this case.

Nonetheless, Tony's stats were interesting.

ATB
Simon
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users