RRL probably not useful for DNS IP blacklists
Vernon Schryver
vjs at rhyolite.com
Mon Sep 23 19:21:14 UTC 2013
> From: Tony Finch <dot at dotat.at>
> > As a matter of interest, if one had a DNSBL with 5.5 million entries
> > (i.e. 5.5 million IPs):
> >
> > 1) What needs to be done to rewrite that to a BIND zone?
> > 2) What sort of machine would be required to load that zone?
> > 3) How long would it take to load into BIND?
>
> I did a quick test. Generating and parsing the zone in text format took
> about 80s wall time; loading the raw zone file took 30s. In both cases
> named-checkzone used about 1.25GB RAM.
>
> I don't have enough RAM on this machine to run dnssec-signzone in a
> reasonable length of time - it goes into swap death after 3GB.
It's convenient that with binary zone files and the dynamic update
protocol, loading from text (or signing a whole zone) is not something
you need to do every hour on the hour.

I assume you'd use NSEC instead of NSEC3 when signing, since
protecting a DNSBL from zone walking makes little more sense than
protecting a reverse zone.

By the way, how much smaller would that DNSBL be if it could use
wildcards? I suspect a real (as opposed to synthetic) DNSBL has
a lot of repetition in all except the last labels.
Vernon Schryver vjs at rhyolite.com
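The thread asks how a list of 5.5 million IPs becomes a BIND zone, and Vernon's follow-up asks how much wildcards could shrink such a zone. The script below is an added example, not code from either poster or from the BIND project: it writes a DNSBL zone from a list of IPv4 addresses using the usual reversed-octet owner names, and optionally collapses any /24 whose 256 addresses are all listed into a single `*.c.b.a` wildcard record. The zone name `dnsbl.example`, the answer `127.0.0.2`, the SOA/NS values and the address list are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample listing (not a real DNSBL): one fully listed /24 plus
# three scattered hosts, so the wildcard effect is visible in the counts.
SAMPLE_IPS = [str(ip) for ip in ipaddress.ip_network("192.0.2.0/24")] + [
    "198.51.100.7", "198.51.100.9", "203.0.113.250",
]


def lookup_name(ip: str, zone: str = "dnsbl.example") -> str:
    """Build the name a mail server queries for `ip`: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone + "."


def build_zone(ips, zone="dnsbl.example", answer="127.0.0.2", use_wildcards=False):
    """Return the zone file as a list of lines.

    Each listed address becomes an A record with a relative owner name
    (d.c.b.a under $ORIGIN).  With use_wildcards=True, a /24 in which all
    256 addresses are listed is emitted as one '*.c.b.a' wildcard instead
    (assumption: every host in such a /24 is listed for the same reason,
    so one shared answer is acceptable).
    """
    header = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        "@ IN SOA ns.dnsbl.example. hostmaster.dnsbl.example. 1 3600 900 604800 300",
        "@ IN NS ns.dnsbl.example.",
    ]
    # Group the last octet by its /24 prefix so repetition in the leading
    # labels can be recognised.
    by_slash24 = defaultdict(set)
    for ip in set(ips):
        a, b, c, d = ip.split(".")
        by_slash24[(a, b, c)].add(int(d))

    records = []
    for (a, b, c), hosts in sorted(
        by_slash24.items(), key=lambda kv: tuple(int(x) for x in kv[0])
    ):
        if use_wildcards and len(hosts) == 256:
            records.append(f"*.{c}.{b}.{a} IN A {answer}")
            continue
        for d in sorted(hosts):
            records.append(f"{d}.{c}.{b}.{a} IN A {answer}")
    return header + records


def record_count(ips, use_wildcards=False):
    """Number of A records the zone needs for this listing."""
    return sum(1 for line in build_zone(ips, use_wildcards=use_wildcards) if " IN A " in line)


if __name__ == "__main__":
    print("\n".join(build_zone(SAMPLE_IPS, use_wildcards=True)))
    print("plain records:", record_count(SAMPLE_IPS))
    print("with wildcards:", record_count(SAMPLE_IPS, use_wildcards=True))
```

Two caveats apply before collapsing a real list this way: a wildcard is only used when no more specific name exists, so a /24 that mixes per-host answers (different 127.0.0.x return codes) cannot be reduced to one record, and a wildcard also matches names more than one label deep, which is harmless for reversed-octet lookups but worth knowing when reading query logs.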