On Thu, 30 Dec 2010 10:36:59 -0800 (PST) John Hardin <jhar...@impsec.org> wrote:
> Timeliness? How often are you going to refresh the local copy of the
> entire WL/BL? Or are you assuming the WL/BL will be relatively
> unchanging over time?

A WL should be relatively unchanging over time. I doubt BLs will be useful in IPv6, but even assuming they are, doing an update every 10-20 minutes shouldn't be a problem. (You don't have to use rsync... it was just an example. I'm sure it's possible to come up with a protocol targeted for more efficient updates given the problem domain.)

> Overall bandwidth? How big is the overall WL/BL? Can hosting of the
> file be as efficiently distributed across multiple caching hosts
> (e.g. via Coral) as can DNS?

All of these problems seem to be managed quite nicely by projects such as ClamAV, which distributes virus signatures. (AFAIK, ClamAV does use a purpose-built update format that lets you download incremental changes quite efficiently.)

[...]

> Are you, essentially, proposing the replacement of DNS
> with /etc/hosts?

Not necessarily, but I am saying that DNS was never designed for WL/BL purposes and it may be time to replace it with something better if we're going to make major changes anyway.

[Aside: while John's proposal will help prevent DNS-based blacklist lookups from blowing server caches, it doesn't prevent said caches from blowing up anyway as MTAs do reverse-lookups on inbound connections. If you do any kind of lookup at all on inbound SMTP connections, an attacker can cause trouble for you, especially if he controls the reverse DNS space for a /64. :( All of this argues that granularity for blacklists, firewall rules, etc. is going to be a /64 or bigger in reality.]

Regards,

David.
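The two points in the message above (a locally refreshed WL/BL instead of per-connection DNS queries, and /64 as the practical IPv6 granularity) are illustrated by the following example. It is added here and is not code from the thread or from any project mentioned in it; the DNSBL zone `bl.example`, the list entries and the addresses are constructed sample data, and keying IPv6 entries on /64 is an assumption taken from the aside, not a standard.

```python
import ipaddress

# Added example, not from the thread. Shows (a) how a per-host DNSBL query name
# is built, and therefore why a /64 gives an attacker 2**64 distinct names to
# push through a resolver cache, and (b) how keying a local WL/BL on the /64
# collapses that range to one entry. Zone name and list data are constructed.


def list_key(addr, v6_prefixlen=64):
    """Collapse an address to the network a list entry is keyed on.

    IPv4 stays host-granular (/32); IPv6 is truncated to v6_prefixlen
    (default /64, the granularity the aside argues for; an assumption here).
    """
    ip = ipaddress.ip_address(addr)
    plen = v6_prefixlen if ip.version == 6 else 32
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def dnsbl_name(addr, zone, v6_prefixlen=128):
    """Build the reversed DNSBL query name for an address under `zone`.

    IPv4 uses reversed dotted octets. IPv6 uses reversed nibbles: with
    v6_prefixlen=128 every host gets its own name (the cache-exhaustion case);
    with 64 only the first 16 nibbles are used, so every host in a /64 yields
    the same name.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + "." + zone
    net = list_key(ip, v6_prefixlen)
    nibbles = net.network_address.exploded.replace(":", "")[: v6_prefixlen // 4]
    return ".".join(reversed(nibbles)) + "." + zone


def names_per_prefix(attacker_prefixlen, queried_prefixlen=128):
    """Distinct DNSBL/PTR names an attacker holding one /attacker_prefixlen can
    force into a cache when lookups are keyed on /queried_prefixlen."""
    return 2 ** max(0, queried_prefixlen - attacker_prefixlen)


class LocalList:
    """An in-memory WL/BL loaded from a local copy rather than queried via DNS.

    Entries must be at list granularity (IPv6 /64, IPv4 /32) so that a
    dictionary lookup on list_key() is enough; no DNS traffic per connection.
    """

    def __init__(self, entries):
        # entries: {"2001:db8:1:2::/64": "reason", ...}  (constructed sample data)
        self.entries = {ipaddress.ip_network(n): why for n, why in entries.items()}

    def lookup(self, addr):
        """Return the listing reason for addr's /64 (or /32 for IPv4), else None."""
        return self.entries.get(list_key(addr))


if __name__ == "__main__":
    bl = LocalList({"2001:db8:1:2::/64": "spam source", "192.0.2.10/32": "known relay"})
    for a in ("2001:db8:1:2:dead:beef::1", "2001:db8:1:3::1", "192.0.2.10"):
        print(a, "->", bl.lookup(a))
    print(dnsbl_name("2001:db8::1", "bl.example"))       # one name per host
    print(dnsbl_name("2001:db8::1", "bl.example", 64))   # one name per /64
    print(names_per_prefix(64), "names from one /64 at host granularity")
```

`names_per_prefix(64)` is 2**64, which is the number of distinct reverse or DNSBL names a single /64 can generate against a resolver that caches per host; `names_per_prefix(64, 64)` is 1, which is the whole point of the aside. The same `list_key()` would serve a firewall rule set keyed on /64.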