[SURBL-Discuss] Fwd: Re: Bill Stearns' sa-blacklist available as SURBL: ws.surbl.org

William Stearns wstearns at pobox.com
Tue Apr 20 21:51:18 CEST 2004

Good evening, Jeff, all,

On Tue, 20 Apr 2004, Jeff Chan wrote:

> Here are some good comments from Dave Funk about the
> handling/creation of the SURBLs.  Please comment on his
> suggestions, several of which we may want to implement as time
> permits.
>
> A few comments.
> 1) It is possible to set a TTL in a DNS zone on a per-record basis.
>    (at least with BIND). So you could combine the two zones and
>    have the 'sc' records flagged with a short TTL, and 'ws' with
>    longer.

	Agreed, just placed the TTL on the individual record line.

> 2) Newer versions of BIND support incremental zone-transfer, and
>    so will just push changes.

	Ah, cool, didn't know about that.

> 3) We also secondary MAPS RBL+ zone, that's a 54Mbyte zone that updates
>    every 3 hours. (i.e. 18Mbyte/hour). A 1Mbyte x 10 minutes would be
>    only 6Mbytes/hour, chicken feed. ;)

	It all comes down to the bandwidth available Jeff at the primary.

> 4) Over half the size of those zones is in the TXT records. Just
>    changing 'Message body contains domain in sa-blacklist. See:
>    http://www.stearns.org/sa-blacklist/' to 'Blocked, See:
>    http://www.stearns.org/sa-blacklist/' reduced the 'ws' zone size by 33%

	Works for me!  Jeff, feel free to make that change anytime.
	Would it even make sense to have a single .txt record with the 
full notice, and have all the rest be cnames to it?  It'll be rarely used, 
so it's hardly a performance problem to have to go back and get the cname 

> 5) It's possible to combine the zones but keep the data logically separate
>    so people can differentiate and adjust scores/policies accordingly.
>    Check out how MAPS does RBL+, the A record returns an "IP address"
>    that is effectively a bit-mask flag to indicate which MAPS zone
>    the original hit was from (DUL, RSS, RBL, OPS, etc).
>    Look at how the 'check_rbl' and 'check_rbl_sub' routines are
>    used inside SA to pull apart a single DNS query against RBL+
>    (at least in SA 2.6*, haven't looked at 3.0 yet ;)

	No experience with this, so no opinion.
	Thanks for the ideas, Dave.  Jeff, enough people have asked for
the combined list that I'm game to set up an "all.surbl.org" combined list
if you are.  It really sounds like the technical concerns are all 
handleable.  We can still keep the sc and ws subdomains for those that 
think my taste in domains is questionable... :-)
	- Bill

        "Not only is UNIX dead, it's starting to smell bad."
        -- Rob Pike (?)
(Courtesy of Mike Castle <dalgoda at ix.netcom.com>)
William Stearns (wstearns at pobox.com).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
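
Points 1 and 5 of the quoted comments, sketched as an added example that is not part of the original message or of SURBL's or MAPS' tooling: two source lists are merged into one zone where each record carries its own TTL and the A record's last octet is a bit mask naming the source lists. The bit values, TTLs, zone origin and domain names are assumptions made for illustration.

```python
import ipaddress

# Assumed bit assignments and TTLs (seconds); not taken from SURBL or MAPS.
# Bit 0x01 is left unused so no record resolves to 127.0.0.1.
LIST_BITS = {"sc": 0x02, "ws": 0x04}
LIST_TTLS = {"sc": 600, "ws": 3600}


def combine(lists):
    """Merge {list_name: iterable of domains} into {domain: bit mask}."""
    merged = {}
    for name, domains in lists.items():
        for domain in domains:
            domain = domain.strip().lower().rstrip(".")
            if domain:
                merged[domain] = merged.get(domain, 0) | LIST_BITS[name]
    return merged


def names_for(mask):
    """Return the sorted list names whose bit is set in mask."""
    return sorted(n for n, bit in LIST_BITS.items() if mask & bit)


def zone_lines(merged, origin="combined.example."):
    """Emit BIND-style records, each with its own TTL before the class.

    A domain on several lists gets the shortest TTL of those lists, so the
    fast-changing list still expires from caches quickly.
    """
    lines = [f"$ORIGIN {origin}"]
    for domain in sorted(merged):
        mask = merged[domain]
        ttl = min(LIST_TTLS[n] for n in names_for(mask))
        lines.append(f"{domain} {ttl} IN A 127.0.0.{mask}")
    return lines


def decode(a_record):
    """Client side: map a returned A record back to the source lists."""
    octets = ipaddress.IPv4Address(a_record).packed
    if octets[:3] != b"\x7f\x00\x00":
        # Anything outside 127.0.0.0/24 is not a list answer (e.g. a
        # wildcarded or hijacked zone) and must not be scored as a hit.
        raise ValueError(f"unexpected answer {a_record}")
    return names_for(octets[3])


if __name__ == "__main__":
    # Constructed sample data.
    sample = {"sc": ["Spam-Example.test"],
              "ws": ["spam-example.test", "other.example"]}
    print("\n".join(zone_lines(combine(sample))))
```

A client can then apply a different score per list from a single lookup, and a resolver will cache each answer for the TTL on that record rather than a zone-wide default.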
