
Re: [Asrg] cache blasting, was Implementing IPv6 DNSBLs

2010-11-28 17:19:38
In case it's not clear, my related goals here are to limit the number
of entries in the DNS cache, and the number of queries to the DNSBL's
authoritative server.

My way, it never asks for granularity.  When it asks for X, it gets a
return code that says "the surrounding /Y is listed" (Y in binary).
It can then cache one entry for the /Y, just as if granularity were
previously given as /Y; this requires no extra lookups, and allows
granularity to be specified by the DNSBL on a per-entry basis.

I have to ask, what's "it".  On my Unix-ish system, the only common
point for DNSBL queries is the local DNS cache.  If the cache is going
to implement ad-hoc wildcard expansion of your flavor, why not just
do DNSSEC based expansion of real wildcards?

With my scheme, since every DNSBL lookup needs the _granularity
record, it is likely cached locally, so that lookup is approximately
free.  Once you have that, then the client truncates its query to the
/64 or whatever the granularity is, so if someone's made another query
in the same /64, which would be likely if the bad guy is cycling
through addresses on a small network, that's free, too.

This does require somewhat more work at the client, but has the advantage
that the DNS cache doesn't have to do anything special.

To whoever said you wanted each entry to have its own granularity,
that would be swell if you can figure out a way to do it within the
constraints of the way the DNS works now.  If you have to do major surgery
to the DNS cache, you might as well take Steve's advice and come up with
a new custom protocol.

R's,
John
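A worked illustration of the client-side scheme John describes above (fetch the zone's _granularity value once, truncate each query to that prefix, and let the ordinary DNS cache absorb repeat lookups inside the same /64). This is an added example, not code from the original post or from any DNSBL operator; the zone name, the assumption that _granularity is a TXT record holding a prefix length, the listed prefixes and the in-memory cache are all constructed here, and no real DNS traffic is sent.

```python
import ipaddress

# Assumption for this example: the zone publishes a TXT record at
# _granularity.<zone> whose text is the prefix length in bits (e.g. "64").
def parse_granularity_txt(txt: str) -> int:
    """Parse the constructed _granularity TXT value into a prefix length."""
    bits = int(txt.strip())
    if bits % 4 or not 0 < bits <= 128:
        # Reversed-nibble names only address whole nibbles, so require a multiple of 4.
        raise ValueError(f"unsupported granularity: {txt!r}")
    return bits


def dnsbl_query_name(addr: str, zone: str, prefix_len: int) -> str:
    """Build the reversed-nibble DNSBL query name for addr, truncated to prefix_len bits.

    Truncating before the lookup means every address inside the same block
    produces the same owner name, so a normal DNS cache serves the repeats.
    """
    net = ipaddress.IPv6Network((ipaddress.IPv6Address(addr), prefix_len), strict=False)
    nibbles = format(int(net.network_address), "032x")[: prefix_len // 4]
    return ".".join(reversed(nibbles)) + "." + zone


class TruncatingResolver:
    """Simulates a client that truncates queries and a cache in front of the authority.

    The authoritative data (listed_prefixes) is constructed sample data for the
    example; a real client would resolve the name through its local cache instead.
    """

    def __init__(self, zone: str, granularity_txt: str, listed_prefixes):
        self.zone = zone
        # In the real scheme this TXT lookup is itself cached, so it costs one
        # authoritative query per TTL rather than one per address checked.
        self.granularity = parse_granularity_txt(granularity_txt)
        self.listed = [ipaddress.IPv6Network(p) for p in listed_prefixes]
        self.cache = {}          # owner name -> listed?
        self.auth_queries = 0    # how many lookups reached the authority

    def lookup(self, addr: str):
        """Return (listed, served_from_cache) for one address."""
        name = dnsbl_query_name(addr, self.zone, self.granularity)
        if name in self.cache:
            return self.cache[name], True
        self.auth_queries += 1
        query_net = ipaddress.IPv6Network(
            (ipaddress.IPv6Address(addr), self.granularity), strict=False)
        listed = any(query_net.overlaps(n) for n in self.listed)
        self.cache[name] = listed
        return listed, False


if __name__ == "__main__":
    r = TruncatingResolver("v6.dnsbl.example", "64", ["2001:db8::/64"])
    for a in ("2001:db8::1", "2001:db8::2", "2001:db8:0:1::5"):
        print(a, dnsbl_query_name(a, r.zone, r.granularity), r.lookup(a))
    print("authoritative queries:", r.auth_queries)
```

Running it shows the second address in the listed /64 never reaches the authority: the truncated owner name is identical to the first query's, so the cache answers it, which is exactly the cache-size and query-count saving the post is after.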
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg