
Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blacklists and Whitelists)

2008-11-16 20:34:45
Florian Weimer wrote:

I can't sign a thousand million RRsets and serve it in a DoS-resilient
manner, even with John's partitioning idea (which is rather neat,
thanks!).

I may have to keep that in mind if I ever DNSSEC our internal composite
DNSBL zone, which has probably near 500M IPs listed (both "bad" and "good").

[The zone file is > 500Mbytes]

Macro expansion in the client brings down the number of RRsets to a
challenging, but manageable level.  Chris says there's precedent for
that, so I think we can end this subthread (or move the discussion to
some place where the topic of DNSSEC scalability would be more
on-topic).

Even more for a client-supplied string being macro-expanded in the
client.  E.g., no TXT query at all.

If I had to guess, I suspect that more than half of clients don't issue
a TXT query and synthesize their own error message instead.  The vast
majority of DNSBLs are arranged so that a single message with macro
substitution of IP is sufficient to produce a useful error message, so
why wait for a TXT query if you can configure the client to generate its
own?

Even though I publish TXT records in our internal DNSBL zone, the filters
themselves don't query them.  The TXT records are used by administrative
tools as part of the FP process because they contain diagnostic
information on the entries.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
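Added example, not code from the post or from the draft: a minimal DNSBL client that builds the reversed-octet query name, checks the A record, and synthesizes its rejection text by macro-substituting the IP into a locally configured template, so the TXT query the post describes as optional is never sent. The zone name, the A-record table and the template are constructed placeholders standing in for real DNS responses.

```python
import ipaddress
from typing import Callable, Optional

# Constructed stand-in for the DNSBL zone's A records, so this runs offline.
# A real client would issue an A query for the name and read the 127.0.0.x code.
ZONE = "dnsbl.example"  # placeholder zone name, not a real DNSBL
ZONE_A_RECORDS = {
    "2.0.0.127.dnsbl.example": "127.0.0.2",   # constructed: 127.0.0.2 is listed
    "10.3.0.192.dnsbl.example": "127.0.0.3",  # constructed: 192.0.3.10 is listed
}

# Client-side template; %IP%, %ZONE% and %CODE% are filled in locally,
# so a single configured message yields a useful rejection without any TXT lookup.
TEMPLATE = ("550 Mail from %IP% refused; see https://%ZONE%/lookup?ip=%IP% "
            "(return code %CODE%)")


def dnsbl_qname(ip: str, zone: str = ZONE) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.3.10 -> 10.3.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip: str, resolve: Callable[[str], Optional[str]] = ZONE_A_RECORDS.get,
           zone: str = ZONE) -> Optional[str]:
    """Return the A-record return code for a listed IP, or None for NXDOMAIN."""
    return resolve(dnsbl_qname(ip, zone))


def expand_macros(template: str, ip: str, code: str, zone: str = ZONE) -> str:
    """Substitute the client-side macros; the only per-listing input is the IP itself."""
    return (template.replace("%IP%", ip)
                    .replace("%ZONE%", zone)
                    .replace("%CODE%", code))


def synthesize_reject(ip: str, template: str = TEMPLATE,
                      resolve: Callable[[str], Optional[str]] = ZONE_A_RECORDS.get,
                      zone: str = ZONE) -> Optional[str]:
    """One A query plus local macro expansion: the TXT lookup is skipped entirely."""
    code = lookup(ip, resolve, zone)
    if code is None:
        return None  # not listed: accept the message
    return expand_macros(template, ip, code, zone)


if __name__ == "__main__":
    for candidate in ("127.0.0.2", "192.0.3.10", "192.0.2.1"):
        print(candidate, "->", synthesize_reject(candidate))
```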
