* Mark Andrews:

>>>> The lack of a macro capability also means that it's basically
>>>> impossible to secure DNSBL zones with DNSSEC when they contain larger
>>>> chunks of address space; see the example in section 2.1.
>>>
>>> How so?
>>
>> The expectation is that error messages generated from TXT records
>> contain the actual IP addresses which triggered the DNSBL lookups. As
>> a result, if you list a /16 (say), you need to publish 65,536 different
>> TXT records.
>>
>> Currently, these records are synthesized using a macro capability in
>> the DNS server.
>
> Which is independent of DNSSEC. I ask again how this is a
> DNSSEC problem.

I didn't say it was a DNSSEC problem. I just wanted to note it's
impossible to secure some existing DNSBL zones using DNSSEC without
sacrificing some of the functionality which is mentioned in section
2.1 in the draft.
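As an added illustration that is not part of the thread, the following script shows the difference the macro makes: a fixed listing value for a whole prefix can be served from one wildcard, while TXT text that embeds the queried address has a distinct rdata at every owner name, so a signed zone must carry one TXT RRset per address (65,536 for a /16). The zone name dnsbl.example, the listing value 127.0.0.2 and the $IP macro syntax are constructed for the example.

```python
import ipaddress

# Constructed values for the illustration; none of them come from the thread.
ZONE = "dnsbl.example"
LISTED_A = "127.0.0.2"
TXT_TEMPLATE = "Client $IP is listed; see https://dnsbl.example/why?ip=$IP"


def dnsbl_owner(ip, zone=ZONE):
    """Reverse the octets the way DNSBL queries do: 192.0.2.7 -> 7.2.0.192.<zone>."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def wildcard_owner(prefix, zone=ZONE):
    """Owner name of a single wildcard that covers an octet-aligned prefix.
    A wildcard label matches one or more labels, so *.0.192.<zone> matches
    every y.x.0.192.<zone> name, i.e. all of 192.0.0.0/16."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen % 8:
        raise ValueError("a wildcard covers only octet-aligned prefixes")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return "*." + ".".join(reversed(kept)) + "." + zone


def expand_macro(template, ip):
    """Emulate the server-side macro that inserts the queried address."""
    return template.replace("$IP", str(ip))


def explicit_txt_records(prefix, template=TXT_TEMPLATE, zone=ZONE):
    """Materialise the per-address TXT RRsets a signed zone would have to hold,
    since DNSSEC signs the RRsets that exist in the zone and cannot sign
    text synthesised at query time."""
    net = ipaddress.ip_network(prefix, strict=True)
    return [(dnsbl_owner(ip, zone), expand_macro(template, ip)) for ip in net]


def record_counts(prefix):
    """Records needed to list a prefix: one wildcard A RRset (same rdata for
    every address) versus one TXT RRset per address, each with distinct rdata."""
    txt = explicit_txt_records(prefix)
    return {
        "wildcard_a": 1,
        "explicit_txt": len(txt),
        "distinct_txt_rdata": len({rdata for _, rdata in txt}),
    }


if __name__ == "__main__":
    print(wildcard_owner("192.0.0.0/16"), "A", LISTED_A)
    print(record_counts("192.0.0.0/16"))
```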
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf