On 23 Sep 2013, at 20:21, Vernon Schryver <v...@rhyolite.com> wrote:

>> From: Tony Finch <d...@dotat.at>
> 
>>> As a matter of interest, if one had a DNSBL with 5.5 million entries
>>> (i.e. 5.5 million IPs):
>>> 
>>> 1) What needs to be done to rewrite that to a BIND zone?
>>> 2) What sort of machine would be required to load that zone?
>>> 3) How long would it take to load into BIND?
>> 
>> I did a quick test. Generating and parsing the zone in text format took
>> about 80s wall time; loading the raw zone file took 30s. In both cases
>> named-checkzone used about 1.25GB RAM.
>> 
>> I don't have enough RAM on this machine to run dnssec-signzone in a
>> reasonable length of time - it goes into swap death after 3GB.
> 
> It's convenient that with binary zone files and the dynamic update
> protocol, loading from text (or signing a whole zone) is not something
> you need to do every hour on the hour.
> 
> I assume you'd use NSEC instead of NSEC3 when signing, since
> protecting a DNSBL from zone walking makes little more sense than
> protecting a reverse zone.
> 
> By the way, how much smaller would that DNSBL be if it could use
> wildcards?

For the DNSBL in question, probably no smaller - unless you're willing to lose 
considerable amounts of precision (read false positives).

(As a slightly ironic twist here, my replies to you get rejected as the mail 
server I'm sending from is in your DCC database.)

> I suspect a real (as opposed to synthetic) DNSBL has
> a lot of repetition in all except the last labels.

Yeah. Depends on the DNSBL. But not in this case.

Nonetheless, Tony's stats were interesting.

ATB

Simon
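As an added illustration (not code from this thread or from BIND) of question 1 and of Vernon's wildcard question: a small Python script that rewrites a list of IPs into DNSBL zone records and measures what /24 wildcards would save, both exactly (only fully listed /24s collapsed) and lossily, counting the false positives Simon mentions. The zone apex and the listed addresses are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: not real DNSBL data.
SAMPLE_IPS = (
    [f"192.0.2.{i}" for i in range(256)]            # a fully listed /24
    + [f"198.51.100.{i}" for i in range(0, 256, 2)]  # half of a /24
    + ["203.0.113.7", "203.0.113.9"]                 # sparsely listed /24
)

ZONE = "dnsbl.example."   # assumed zone apex (placeholder)
ANSWER = "127.0.0.2"      # conventional "listed" answer


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the octets of an IPv4 address under the DNSBL zone apex."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def exact_records(ips):
    """One A record per listed address: no loss of precision."""
    addrs = sorted(set(ips), key=ipaddress.IPv4Address)
    return [f"{dnsbl_name(ip)} A {ANSWER}" for ip in addrs]


def wildcard_records(ips, min_fraction=1.0):
    """Collapse each /24 whose listed fraction is >= min_fraction into a
    '*' wildcard. With min_fraction=1.0 the result is exact; anything lower
    trades records for false positives (unlisted addresses now answered).
    Returns (records, false_positives)."""
    by_net = defaultdict(set)
    for ip in set(ips):
        addr = ipaddress.IPv4Address(ip)
        by_net[ipaddress.IPv4Network((addr, 24), strict=False)].add(addr)
    records, false_positives = [], 0
    for net in sorted(by_net):
        listed = by_net[net]
        if len(listed) / net.num_addresses >= min_fraction:
            a, b, c, _ = str(net.network_address).split(".")
            records.append(f"*.{c}.{b}.{a}.{ZONE} A {ANSWER}")
            false_positives += net.num_addresses - len(listed)
        else:
            records.extend(f"{dnsbl_name(str(x))} A {ANSWER}" for x in sorted(listed))
    return records, false_positives
```

Run on a real list the ratio between `exact_records` and `wildcard_records(..., 1.0)` shows how much repetition in the leading labels actually buys you; lowering `min_fraction` shows the false-positive cost of going further.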



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
