Good evening, Jeff, all,
On Tue, 20 Apr 2004, Jeff Chan wrote:
Here are some good comments from Dave Funk about the handling/creation of the SURBLs. Please comment on his suggestions, several of which we may want to implement as time permits.
A few comments.
- It is possible to set a TTL in a DNS zone on a per-record basis. (at least with BIND). So you could combine the two zones and have the 'sc' records flagged with a short TTL, and 'ws' with longer.
Agreed, just placed the TTL on the individual record line.
- Newer versions of BIND support incremental zone-transfer, and so will just push changes.
Ah, cool, didn't know about that.
- We also secondary MAPS RBL+ zone, that's a 54Mbyte zone that updates every 3 hours. (i.e. 18 Mbyte/hour). A 1Mbyte x 10 minutes would be only 6Mbytes/hour, chicken feed. ;)
It all comes down to the bandwidth available to Jeff at the primary.
- Over half the size of those zones is in the TXT records. Just changing 'Message body contains domain in sa-blacklist. See: http://www.stearns.org/sa-blacklist/' to 'Blocked, See: http://www.stearns.org/sa-blacklist/' reduced the 'ws' zone size by 33%
Works for me! Jeff, feel free to make that change anytime. Would it even make sense to have a single TXT record with the full notice, and have all the rest be CNAMEs to it? It'll be rarely used, so it's hardly a performance problem to have to go back and get the CNAME data.
- It's possible to combine the zones but keep the data logically separate so people can differentiate and adjust scores/policies accordingly. Check out how MAPS does RBL+, the A record returns an "IP address" that is effectively a bit-mask flag to indicate which MAPS zone the original hit was from (DUL, RSS, RBL, OPS, etc). Look at how the 'check_rbl' and 'check_rbl_sub' routines are used inside SA to pull apart a single DNS query against RBL+ (at least in SA 2.6*, haven't looked at 3.0 yet ;)
No experience with this, so no opinion. Thanks for the ideas, Dave. Jeff, enough people have asked for the combined list that I'm game to set up an "all.surbl.org" combined list if you are. It really sounds like the technical concerns are all handleable. We can still keep the sc and ws subdomains for those that think my taste in domains is questionable... :-) Cheers, - Bill
---------------------------------------------------------------------------
"Not only is UNIX dead, it's starting to smell bad." -- Rob Pike (?)
(Courtesy of Mike Castle dalgoda@ix.netcom.com)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
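The two zone-design ideas in the thread above, per-record TTLs for the 'sc' and 'ws' data and a single combined zone whose A record answer is a bit-mask saying which sub-list a domain came from (the MAPS RBL+ approach), are small enough to model end to end. The block below is an added illustration, not code from this thread, from SURBL or from SpamAssassin: the bit values for 'sc' and 'ws', the TTLs, the domain names and the shortened TXT notice are constructed assumptions, not the values any real list uses.

```python
"""Toy model of a combined SURBL-style zone: one A record per listed
domain whose last octet is a bit-mask of the sub-lists that contain it,
with a per-record TTL so fast-churning data expires sooner.

Bit assignments, TTLs and sample domains are hypothetical."""

from ipaddress import IPv4Address

# Hypothetical bit assignments (assumption; not real SURBL or RBL+ values).
LISTS = {"sc": 0x02, "ws": 0x04}
ALL_BITS = sum(LISTS.values())

# Hypothetical per-list TTLs in seconds: 'sc' changes often, 'ws' slowly.
TTLS = {"sc": 600, "ws": 7200}

# Shortened notice, as suggested in the thread, shared by every listing.
NOTICE = "Blocked, See: http://www.stearns.org/sa-blacklist/"


def encode(memberships):
    """Return the 127.0.0.x answer for a domain on the given sub-lists."""
    mask = 0
    for name in memberships:
        mask |= LISTS[name]          # KeyError on an unknown list name
    if mask == 0:
        raise ValueError("domain is on no list; it should not resolve at all")
    return f"127.0.0.{mask}"


def decode(answer):
    """Split a 127.0.0.x answer back into the sub-lists it encodes.

    This is the client-side step: one DNS query, several verdicts."""
    addr = int(IPv4Address(answer))
    if (addr >> 8) != (int(IPv4Address("127.0.0.0")) >> 8):
        raise ValueError(f"{answer} is not a 127.0.0.x listing answer")
    mask = addr & 0xFF
    unknown = mask & ~ALL_BITS
    if unknown:
        raise ValueError(f"{answer} sets unassigned bits {unknown:#04x}")
    return sorted(name for name, bit in LISTS.items() if mask & bit)


def record_ttl(memberships):
    """Per-record TTL: a domain on several lists expires with its fastest one."""
    return min(TTLS[name] for name in memberships)


def zone_lines(entries):
    """Render combined-zone records with an explicit per-record TTL.

    entries maps domain -> set of sub-list names."""
    lines = []
    for domain in sorted(entries):
        lists = entries[domain]
        ttl = record_ttl(lists)
        lines.append(f"{domain} {ttl} IN A {encode(lists)}")
        lines.append(f'{domain} {ttl} IN TXT "{NOTICE}"')
    return lines


def lookup(entries, domain):
    """Simulate a resolver: answer address for a listed domain, else None."""
    lists = entries.get(domain)
    return encode(lists) if lists else None


# Constructed sample zone data (not real listings).
SAMPLE = {
    "sc-only.example": {"sc"},
    "ws-only.example": {"ws"},
    "both.example": {"sc", "ws"},
}

if __name__ == "__main__":
    for line in zone_lines(SAMPLE):
        print(line)
    for name in ("both.example", "clean.example"):
        answer = lookup(SAMPLE, name)
        print(name, "->", answer, decode(answer) if answer else "not listed")
```

A client that only cares about one sub-list tests a single bit of the answer and ignores the rest, which is how a shared zone still lets each site score 'sc' and 'ws' hits differently; decode() rejects answers outside 127.0.0.0/24 or with bits nobody assigned, so a misconfigured or wildcarded resolver does not silently turn into a listing.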