Even /64 DNSxLs will be expensive! /64 lists will have 2^32 times more entries than IPv4 lists.

2014-11-26 15:45 GMT-03:00 Franck Martin <fmar...@linkedin.com>:

>
> On Nov 26, 2014, at 10:19 AM, Matthias Leisi <matth...@leisi.net> wrote:
>
> On Wed, Nov 26, 2014 at 6:05 PM, Franck Martin <fmar...@linkedin.com>
> wrote:
>
>> As for /64, yes there are hosting providers that have all their customers
>> in the same /64 and other cases like this where infrastructure is not
>> separated by /64 boundaries. I think IPv6 blocking list will be more last
>> resort, than first line of defense (but that’s just me). Note rbldnsd works
>> at /64 by default, with /128 exceptions.
>>
>
> DNSxLs are still the "cheapest" way to determine reputation because it
> can happen at connection stage (or as a computationally cheap input to a
> scoring mechanism such as SpamAssassin) - so I believe there is still value
> in it, and it is important to get it as efficient as possible.
>
> Agreed, it is cheap in resources. However, it will be easier to add to a
> domain blocking list than to add to an IPv6 blocking list. May be first
> line of defense is the wrong naming. IPv6 blocking lists will be to remove
> the extreme badness of the Internet.
>