RRL probably not useful for DNS IP blacklists,
Tony Finch
dot at dotat.at
Tue Sep 24 10:02:29 UTC 2013
Vernon Schryver <vjs at rhyolite.com> wrote:
>
> It's convenient that with binary zone files and the dynamic update
> protocol, loading from text (or signing a whole zone) is not something
> you need to do every hour on the hour.
Right. Timings from named-checkzone give a rough idea of a worst-case cold
start.
I ran some numbers with a 500,000 record zone (generated with the same
script as before) which is comfortably small enough to sign. These are the
raw format zone files:
-rw-r--r-- 1 fanf2 named 31639161 Sep 24 10:32 x.dotat.at
-rw-r--r-- 1 fanf2 named 301188426 Sep 24 10:37 x.dotat.at.signed
named-checkzone unsigned:
        2.73 real         2.62 user         0.10 sys
      120396 maximum resident set size
named-compilezone text-to-raw:
        5.82 real         5.70 user         0.06 sys
      120380 maximum resident set size
named-checkzone signed:
        8.32 real         7.96 user         0.35 sys
      549100 maximum resident set size
dnssec-signzone:
      233.97 real       391.06 user         2.44 sys
      597316 maximum resident set size
> By the way, how much smaller would that DNSBL be if it could use
> wildcards? I suspect a real (as opposed to synthetic) DNSBL has
> a lot of repetition in all except the last labels.
It depends a lot on the list. If it's a DUL then wildcards will be a win;
not so much if it's listing something like compromised servers where
address ranges often have bad mixed with good. Having said that, I've
sampled a hundred random /24s from the Spamhaus Zen list and they are
mostly all full or all empty. (But I didn't check to see if the answers
all matched in the full /24s.)
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
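The wildcard question raised in the quoted reply, and the /24 sampling Tony describes (including the answer-consistency check he says he skipped), can be worked through on a DNSBL zone with the script below. It is an added example for this archive page, not code from the thread or from BIND; the zone origin dnsbl.example., the address blocks and the record generator are constructed for the demonstration. It parses reversed-octet A records, groups them by /24, classifies each block as empty, partial, full, or full with disagreeing answers, and counts how many records a "*.c.b.a" wildcard per uniform full /24 would save.

```python
"""Estimate how much a DNSBL zone shrinks if uniform full /24s become wildcards,
and check whether answers inside each full /24 actually agree.
Added example; not from the bind-users thread.  dnsbl.example. and the
address ranges used are constructed for the demonstration."""
import ipaddress
import random
from collections import defaultdict

ORIGIN = "dnsbl.example."  # hypothetical DNSBL zone origin (constructed)


def reversed_name(ip):
    """Standard DNSBL encoding: octets reversed under the zone origin."""
    return ".".join(reversed(str(ip).split("."))) + "." + ORIGIN


def make_zone_text(full_blocks, mixed_blocks, seed=1):
    """Construct sample master-file A records: every address in each full /24
    gets that block's single answer; each mixed /24 gets a random subset of
    addresses with varying answers, as seen in lists of compromised hosts."""
    rng = random.Random(seed)
    lines = []
    for block, answer in full_blocks:
        for ip in ipaddress.ip_network(block):
            lines.append(f"{reversed_name(ip)} IN A {answer}")
    for block in mixed_blocks:
        for ip in ipaddress.ip_network(block):
            if rng.random() < 0.4:
                lines.append(f"{reversed_name(ip)} IN A 127.0.0.{rng.choice([2, 4])}")
    rng.shuffle(lines)
    return "\n".join(lines) + "\n"


def parse_zone(text):
    """Parse 'name [ttl] [class] A rdata' lines into {dotted-ip: answer}.
    Records that are not type A, or not four labels under ORIGIN, are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[-2] != "A":
            continue
        name, rdata = fields[0], fields[-1]
        if not name.endswith("." + ORIGIN):
            continue
        octets = name[: -len(ORIGIN) - 1].split(".")
        if len(octets) != 4:
            continue
        entries[".".join(reversed(octets))] = rdata
    return entries


def group_by_24(entries):
    """Map each /24 (as 'a.b.c.0/24') to the {ip: answer} listed inside it."""
    blocks = defaultdict(dict)
    for ip, answer in entries.items():
        net = ipaddress.ip_network(ip + "/24", strict=False)
        blocks[str(net)][ip] = answer
    return blocks


def classify(block_entries):
    """'empty', 'partial', 'full' (all 256 listed, one answer) or
    'full-mixed-answers' (all 256 listed but answers differ, so no wildcard)."""
    n = len(block_entries)
    if n == 0:
        return "empty"
    if n == 256:
        return "full" if len(set(block_entries.values())) == 1 else "full-mixed-answers"
    return "partial"


def wildcard_savings(entries):
    """Return (records now, records with one wildcard per uniform full /24,
    list of the /24s that collapse)."""
    blocks = group_by_24(entries)
    before, after, collapsed = len(entries), 0, []
    for net, block_entries in blocks.items():
        if classify(block_entries) == "full":
            after += 1
            collapsed.append(net)
        else:
            after += len(block_entries)
    return before, after, sorted(collapsed)


def sample_blocks(entries, n, seed=0):
    """Pick n random /24s among those the list touches and tally their classes."""
    blocks = group_by_24(entries)
    rng = random.Random(seed)
    tally = defaultdict(int)
    for net in rng.sample(sorted(blocks), min(n, len(blocks))):
        tally[classify(blocks[net])] += 1
    return dict(tally)


if __name__ == "__main__":
    zone = make_zone_text([("192.0.2.0/24", "127.0.0.2"),
                           ("198.51.100.0/24", "127.0.0.4")], ["203.0.113.0/24"])
    listed = parse_zone(zone)
    print(wildcard_savings(listed), sample_blocks(listed, 100))
```

Running it against a real list means feeding the text-format zone to parse_zone; the classification deliberately refuses to collapse a full /24 whose answers differ, since a single wildcard record can only return one answer for the whole block.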