On 1/4/2011 9:31 AM, David F. Skoll wrote:
> Right, but once your cache is blown, you're back to always querying
> the authoritative server.  John Levine proposes a fix with a clever way
> to represent many entries with a small number of queries so you don't blow
> your cache.  I think making zone files available for download so you
> can run your own authoritative servers is another good approach, especially
> for whitelists.

What I'm about to say could have been a reply to ANY of the past few
posts... if the volume of unique IPv6 sending IPs causes either (a) DNS
caches to get blown, or (b) requires John Levine's solution to prevent
that... then...

"game over".. the spammers have already won. And they are quite amused
right now reading us discuss all different ways to rearrange the deck
chairs on the Titanic.

For example, if this happens, then...

(1) effective DNSBLs will likewise bloat to such a large size that the
resource requirements for running them (and transferring their data)
will be insane

(2) David mentioned "zone file transfers"... but that zone file would
likewise be massively large.... and any client trying to load it would
also have to consume large resources trying to load it. (this would also
cause problems trying to sync DNS mirrors!). Consider also those IPs
which ought to be blacklisted quickly, but aren't because of having to
wait on the previous mirror update.

(3) What do we do about spammers who send spams to 100K or even a
million addresses, using a unique IP for each recipient... and then
"list wash" off the addresses which match up with those IPs that get
blacklisted? Sure, you could blacklist whole blocks of that spammer's
IPs.. but then you have to be able to do that without causing collateral
damage in other situations where spammers and legit sender share IPs.
Without going into details, tactics exist to somewhat deal with this...
but massive numbers of e-mail addresses would get listwashed at the
beginning stages of each campaign. IOW, no matter what, large-scale and
EASY listwashing would be the norm with IPv6.

(4) No matter how well you deal with the previous idea, you're STILL
stuck with massive numbers of never-to-be-seen-again IPs bloating IPv6
blacklists! (again, the spammers are laughing at us!)

(5) If anyone thought that my proposed solution a few posts back was
unrealistic... consider that the extremely inadequate "partial fix"
solutions that others are proposing involve even MORE intrusive changes
to the standards/behaviors of our various systems (filters, blacklists,
dns servers, dns protocol, mail servers, etc)

As I said earlier, ALL of these problems have the "root cause" of too
large a potential pool of sending IPs.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
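As an added example (not code from this thread or from any participant in it), the Python below takes a constructed "one fresh IPv6 address per recipient" run, builds the nibble-reversed DNSBL query name for each sender, and counts how many distinct names a resolver cache would have to hold, compared with querying only the enclosing /64. The zone name `ipv6.dnsbl.example` and the /64 aggregation boundary are assumptions chosen for illustration, not anything proposed in the thread.

```python
import ipaddress
from collections import Counter

# Constructed sample: a spam run rotating one new IPv6 address per recipient
# inside a single /64, plus one legitimate sender in a different /64.
SAMPLE_SENDERS = [f"2001:db8:dead:beef::{i:x}" for i in range(1, 1001)] + [
    "2001:db8:1::25",
]

ZONE = "ipv6.dnsbl.example"  # assumed DNSBL zone name


def dnsbl_query_name(addr: str, zone: str = ZONE) -> str:
    """Full-address query: every nibble of the 128-bit address, reversed,
    so each unique sending IP becomes a unique name in the resolver cache."""
    ip = ipaddress.IPv6Address(addr)
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + "." + zone


def prefix_query_name(addr: str, prefix_len: int = 64, zone: str = ZONE) -> str:
    """Prefix query: only the nibbles covering the enclosing prefix, so all
    addresses a spammer rotates through one /64 collapse to a single name."""
    net = ipaddress.IPv6Network((addr, prefix_len), strict=False)
    nibbles = net.network_address.exploded.replace(":", "")[: prefix_len // 4]
    return ".".join(reversed(nibbles)) + "." + zone


def distinct_queries(addrs, namer) -> Counter:
    """Count how often each query name would be issued for a list of senders."""
    return Counter(namer(a) for a in addrs)


if __name__ == "__main__":
    per_ip = distinct_queries(SAMPLE_SENDERS, dnsbl_query_name)
    per_prefix = distinct_queries(SAMPLE_SENDERS, prefix_query_name)
    print(f"{len(SAMPLE_SENDERS)} senders")
    print(f"{len(per_ip)} distinct full-address queries (one cache entry each)")
    print(f"{len(per_prefix)} distinct /64 queries: {dict(per_prefix)}")
```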