Side effects of a DNS whitelist?

Barry Margolin barmar at alum.mit.edu
Sun Oct 29 21:59:01 UTC 2006


In article <ei2edo$qc5$1 at sf1.isc.org>,
 Matthias Leisi <matthias at leisi.net> wrote:

> [I'm aware of the fact that the questions below are, strictly speaking,
> not Bind-related but of a more general nature. If you know of a more
> appropriate list/newsgroup, please let me know.]

The more general DNS-related newsgroup is comp.protocols.tcp-ip.domains.  
But that doesn't seem to stop others from posting here instead.

> When a mailserver queries the whitelist via DNS for each incoming
> connection, this will lead to a considerable amount of NXDOMAIN
> responses (let's assume that 10% of all connections come from
> whitelisted servers, ie we have 90% of NXDOMAIN responses). Would this
> negatively affect a typical resolving nameserver's cache? How could this
> negative impact be limited?

You can set the negative cache TTL lower than the TTLs for whitelist 
responses, so they won't hang around in the cache for as long.

> Are DNS queries really the most efficient method of distribution
> (zone-transfers are a different question)? Current blacklists work by
> asking for individual addresses, but most whitelisting occurs through a
> range of IP addresses (as much as a /16). Would it be more efficient for
> caching etc to do something similar in style to classless IN-ADDR.ARPA
> delegation (RFC 2317)?

Even when this is done, it's essentially transparent to the applications 
that use it.  All the queries are actually for full IP addresses, and 
the breaking up into ranges is just a management issue.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
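An added illustration of the negative-cache point above, written for this note and not taken from either poster: it replays constructed whitelist lookups (dnsbl-style reversed-octet names under an assumed zone "wl.example.net") against a simulated resolver cache and compares cache occupancy with a default-sized negative TTL versus a short SOA minimum (RFC 2308), keeping the positive record TTL fixed at one day.

```python
import ipaddress

WHITELIST_ZONE = "wl.example.net"  # assumed zone name, placeholder only


def whitelist_qname(ip: str) -> str:
    """DNSWL/DNSBL convention: reversed octets of the client IP under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + WHITELIST_ZONE + "."


def simulate_cache(lookups, positive_ttl, negative_ttl):
    """Replay (time, ip, listed) lookups against one resolver cache.

    A listed address is cached for positive_ttl (the A record's TTL); an
    unlisted one is cached as NXDOMAIN for negative_ttl (RFC 2308: taken
    from the SOA minimum field).  Returns (upstream_queries, peak_entries)."""
    cache = {}  # qname -> expiry time in seconds
    upstream = peak = 0
    for t, ip, listed in lookups:
        for name in [n for n, exp in cache.items() if exp <= t]:
            del cache[name]  # TTL has run out
        name = whitelist_qname(ip)
        if name not in cache:  # miss: query the authoritative server
            upstream += 1
            cache[name] = t + (positive_ttl if listed else negative_ttl)
        peak = max(peak, len(cache))
    return upstream, peak


def constructed_traffic(n=6000):
    """Constructed sample: one connection per second, every tenth one from
    a pool of 20 whitelisted hosts, the rest from distinct unlisted hosts."""
    for i in range(n):
        if i % 10 == 0:
            yield i, f"192.0.2.{(i // 10) % 20 + 1}", True
        else:
            yield i, str(ipaddress.IPv4Address("10.0.0.0") + i), False


def compare(positive_ttl=86400, negative_default=10800, negative_short=300):
    """Same traffic under two SOA-minimum settings; returns both results."""
    return (simulate_cache(constructed_traffic(), positive_ttl, negative_default),
            simulate_cache(constructed_traffic(), positive_ttl, negative_short))


if __name__ == "__main__":
    default, short = compare()
    print(f"negative TTL 10800s: {default[0]} queries, peak cache {default[1]}")
    print(f"negative TTL   300s: {short[0]} queries, peak cache {short[1]}")
```

The upstream query count is identical in both runs (unlisted hosts never repeat here), but the short negative TTL keeps the cache at a few hundred entries instead of several thousand.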


