Jeff Chan writes:
Here are some good comments from Dave Funk about the handling/creation of the SURBLs. Please comment on his suggestions, several of which we may want to implement as time permits.
FWIW, we support multi-meaning DNSBL results with TXT records as well as A records; just ensure that the TXT result includes a short string we can match on (e.g. "ws" results contain the string "/sa-blacklist" and "sc" results contain something else similarly well-defined.)
--j.
Jeff C.
On Tue, 20 Apr 2004, Jeff Chan wrote:
On Tuesday, April 20, 2004, 1:20:05 PM, Charles Gregory wrote:
Would it be possible to have 'surbl.org' run a *combined* blacklist, so that people who want to check both 'ws.surbl.org' *and* 'sc.surbl.org' can do it with ONE dns lookup request, instead of two?
Good question, which Matt asks also. Here's my response :-)
[snip..]
Because ws is larger and more stable, the zone files for it get a six hour TTL compared to 10 minutes for sc. Due to the differences between the time scales, sizes, and data sources of ws and sc, we probably won't be offering a combined ws plus sc list. For example it would be difficult to say what TTL a merged list should get, and you probably would not want a megabyte plus BIND zone file refreshing every 10 minutes. For those using rsynced zone files that would probably not be an issue, but for those using BIND, the DNS traffic quite well could be.
So the quick answer is they'll probably not be combined.
However we probably will offer a combined version of Bill's list and Chris' BigEvil list since they are more similar in character.
A few comments.
1) It is possible to set a TTL in a DNS zone on a per-record basis (at least with BIND). So you could combine the two zones and have the 'sc' records flagged with a short TTL, and 'ws' with longer.
2) Newer versions of BIND support incremental zone-transfer, and so will just push changes.
3) We also secondary MAPS RBL+ zone, that's a 54Mbyte zone that updates every 3 hours (IE 18Mbyte/hour). A 1Mbyte x 10 minutes would be only 6Mbytes/hour, chicken feed. ;)
4) Over half the size of those zones is in the TXT records. Just changing 'Message body contains domain in sa-blacklist. See: http://www.stearns.org/sa-blacklist/' to 'Blocked, See: http://www.stearns.org/sa-blacklist/' reduced the 'ws' zone size by 33%.
5) It's possible to combine the zones but keep the data logically separate so people can differentiate and adjust scores/policies accordingly. Check out how MAPS does RBL+: the A record returns an "IP address" that is effectively a bit-mask flag to indicate which MAPS zone the original hit was from (DUL, RSS, RBL, OPS, etc). Look at how the 'check_rbl' and 'check_rbl_sub' routines are used inside SA to pull apart a single DNS query against RBL+ (at least in SA 2.6*, haven't looked at 3.0 yet ;)
This is not to imply criticism of your response, just some tech info to show alternatives.
Regardless, I would recommend using 5) when you combine Bill's list and Chris' BigEvil so that people can differentiate in case they have score/policy concerns regarding the two. People who just look for the existence of the A record won't notice the difference but people who know and care can utilize the additional info.
Dave

Dave Funk, University of Iowa, College of Engineering <dbfunk (at) engineering.uiowa.edu>
319/335-5751 FAX: 319/384-0549
1256 Seamans Center, Iowa City, IA 52242-1527
Sys_admin/Postmaster/cell_admin
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

--
Jeff Chan mailto:jeffc@surbl.org-nospam http://www.surbl.org/
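The combined-zone scheme Dave describes in point 5 (one zone, per-record TTLs, an A record whose last octet is a bit-mask of the source lists, and a short TXT), written out as an added example; this is not SURBL, MAPS or SpamAssassin code. The list names, bit assignments, zone origin and sample domains are constructed for illustration.

```python
"""Build a merged DNSBL zone with bit-mask A records, and decode a hit.

Added illustration, not SURBL/SpamAssassin code. Bit values, TTLs and
domains below are constructed assumptions.
"""
from ipaddress import IPv4Address, IPv4Network

# Hypothetical bit per source list, OR'd into the last octet of 127.0.0.x.
LIST_BITS = {"ws": 1, "sc": 2}
# Per-list TTL in seconds, mirroring the six hour / 10 minute split above.
LIST_TTL = {"ws": 6 * 3600, "sc": 600}
LOOPBACK = IPv4Network("127.0.0.0/8")


def build_zone(listings, origin="multi.example.invalid."):
    """listings: {list_name: set of domains}. Each domain gets one A record
    carrying the bits of every list it is on, with the shortest TTL of any
    contributing list so the volatile (sc) data never goes stale."""
    records = {}
    for name, domains in listings.items():
        for d in domains:
            bits, ttl = records.get(d, (0, None))
            bits |= LIST_BITS[name]
            ttl = LIST_TTL[name] if ttl is None else min(ttl, LIST_TTL[name])
            records[d] = (bits, ttl)
    lines = [f"$ORIGIN {origin}"]
    for d in sorted(records):
        bits, ttl = records[d]
        lines.append(f"{d} {ttl} IN A 127.0.0.{bits}")
        # Keep the TXT short: it dominates zone size (point 4 above).
        lines.append(f'{d} {ttl} IN TXT "Blocked, see http://www.surbl.org/"')
    return "\n".join(lines)


def decode_hit(answer):
    """Pull one combined-zone answer apart into the lists that matched, as a
    check_rbl_sub style test would. Anything outside 127/8 (e.g. a wildcard
    or hijacked answer) is ignored rather than treated as a hit."""
    addr = IPv4Address(answer)
    if addr not in LOOPBACK:
        return []
    last = int(addr) & 0xFF
    return [name for name, bit in LIST_BITS.items() if last & bit]
```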
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss