> From: Tony Finch <d...@dotat.at>
>
> > As a matter of interest, if one had a DNSBL with 5.5 million entries
> > (i.e. 5.5 million IPs):
> >
> > 1) What needs to be done to rewrite that to a BIND zone?
> > 2) What sort of machine would be required to load that zone?
> > 3) How long would it take to load into BIND?
>
> I did a quick test. Generating and parsing the zone in text format took
> about 80s wall time; loading the raw zone file took 30s. In both cases
> named-checkzone used about 1.25GB RAM.
>
> I don't have enough RAM on this machine to run dnssec-signzone in a
> reasonable length of time - it goes into swap death after 3GB.
It's convenient that with binary zone files and the dynamic update protocol,
loading from text (or signing a whole zone) is not something you need to do
every hour on the hour.

I assume you'd use NSEC instead of NSEC3 when signing, since protecting a
DNSBL from zone walking makes little more sense than protecting a reverse
zone.

By the way, how much smaller would that DNSBL be if it could use wildcards?
I suspect a real (as opposed to synthetic) DNSBL has a lot of repetition in
all except the last labels.

Vernon Schryver    v...@rhyolite.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
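The two questions in the thread (how to rewrite an IP list as a BIND zone, and how much wildcards would shrink it) can be tried on constructed data. The script below is an added example, written for this page and not code from either poster or from BIND: it reverses each address into a DNSBL owner name, groups by /24, and, when asked, replaces a /24 whose 256 hosts are all listed with the same answer by a single `*.c.b.a` record. The zone name `dnsbl.example`, the SOA/NS values and the sample address ranges are invented. The wildcard collapse is deliberately all-or-nothing: a DNS wildcard is masked by any explicit sibling name and also matches deeper names such as `x.4.3.2.1`, so a partially listed /24 or one whose hosts carry different `127.0.0.x` codes is left as explicit records.

```python
# Added example (not from the thread): turn a list of IPv4 addresses into a
# BIND DNSBL zone and measure how much a fully listed /24 shrinks when it
# becomes one wildcard record. Zone name, SOA/NS and sample data are invented.
import ipaddress
from collections import defaultdict

ZONE = "dnsbl.example"   # hypothetical zone apex
LISTED = "127.0.0.2"     # conventional "listed" A answer


def reversed_name(ip):
    """DNSBL owner name for an IPv4 address: octets reversed, 1.2.3.4 -> 4.3.2.1."""
    a, b, c, d = ip.split(".")
    return f"{d}.{c}.{b}.{a}"


def build_zone(ips, answers=None, wildcards=False):
    """Return (records, stats) for the given addresses.

    records is a list of (owner, A rdata) relative to ZONE. answers maps an
    address to a non-default A rdata (DNSBLs use 127.0.0.x codes per listing
    reason). With wildcards=True a /24 becomes one '*.c.b.a' record only when
    all 256 hosts are listed with identical rdata: a wildcard is masked by any
    explicit sibling name and would also match deeper names ('x.4.3.2.1'),
    so partial or mixed /24s stay explicit.
    """
    answers = answers or {}
    by_net = defaultdict(dict)           # (a, b, c) -> {d: rdata}
    for ip in ips:
        ipaddress.IPv4Address(ip)        # raises on malformed input
        a, b, c, d = (int(x) for x in ip.split("."))
        by_net[(a, b, c)][d] = answers.get(ip, LISTED)

    records, collapsed = [], 0
    for (a, b, c), hosts in sorted(by_net.items()):
        rdata = set(hosts.values())
        if wildcards and len(hosts) == 256 and len(rdata) == 1:
            records.append((f"*.{c}.{b}.{a}", rdata.pop()))
            collapsed += 1
        else:
            for d in sorted(hosts):
                records.append((f"{d}.{c}.{b}.{a}", hosts[d]))
    stats = {"addresses": len(ips), "records": len(records), "wildcards": collapsed}
    return records, stats


def render_zone(records, ttl=3600):
    """Zone text in the master-file format named-checkzone reads (invented SOA/NS)."""
    lines = [
        f"$ORIGIN {ZONE}.",
        f"$TTL {ttl}",
        f"@ IN SOA ns.{ZONE}. hostmaster.{ZONE}. 1 3600 900 604800 300",
        f"@ IN NS ns.{ZONE}.",
    ]
    lines += [f"{owner} IN A {rdata}" for owner, rdata in records]
    return "\n".join(lines) + "\n"


# Constructed sample: 192.0.2.0/24 fully listed (collapsible), 198.51.100.0/24
# fully listed but one host carries a different code (not collapsible), and
# three stray hosts in 203.0.113.0/24.
SAMPLE_IPS = (
    [f"192.0.2.{d}" for d in range(256)]
    + [f"198.51.100.{d}" for d in range(256)]
    + ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
)
SAMPLE_ANSWERS = {"198.51.100.7": "127.0.0.3"}

if __name__ == "__main__":
    plain, s1 = build_zone(SAMPLE_IPS, SAMPLE_ANSWERS)
    wild, s2 = build_zone(SAMPLE_IPS, SAMPLE_ANSWERS, wildcards=True)
    print(f"explicit: {s1['records']} records; with wildcards: {s2['records']} records")
    print(render_zone(wild)[:400])
```

On the constructed input the explicit zone has 515 A records and the wildcard zone 260, the saving coming entirely from the one uniformly listed /24. Running the rendered text through `named-checkzone` gives the same load-time measurement Tony describes, just on a smaller zone; how much a real list shrinks depends on how many of its /24s are listed wholesale with one code, which is exactly the repetition Vernon asks about.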