Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blacklists and Whitelists)




* Mark Andrews:

>> I didn't say it was a DNSSEC problem.  I just wanted to note it's
>> impossible to secure some existing DNSBL zones using DNSSEC without
>> sacrificing some of the functionality which is mentioned in section
>> 2.1 in the draft.
>
> 	I still don't believe your claim.

I can't sign a thousand million RRsets and serve it in a DoS-resilient
manner, even with John's partitioning idea (which is rather neat,
thanks!).

Macro expansion in the client brings down the number of RRsets to a
challenging, but manageable level.  Chris says there's precedent for
that, so I think we can end this subthread (or move the discussion to
some place where the topic of DNSSEC scalability would be more
on-topic).



Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
