On 10/09/16 09:29, Dirk Stöcker wrote:
>> The
>> tools which work so well in IPv4, namely DNSBL services, won't cope
>> with IPv6.
> 
> That's probably untrue. To cope with address randomization you can simply
> block the whole "/64". That saves much space. Depending on provider
> policy maybe even "/56". And without randomization the majority of
> addresses never appears.

The problem here is the sheer number of addresses in an IPv6 /64 block.
You can quickly overwhelm a resolver by pulling DNS requests for each
address in the block sequentially (or randomly).  While it's easy to
tweak an authoritative server to return results for the entire block
without storing individual entries, a resolver cannot do that.

I think the real long term solution here is to come up with a return RR
type that allows a single IP to be requested and a result returned for
the entire CIDR block that can be cached and stored by the resolver as a
single entry in the ADDITIONAL section of the result; resolvers that
recognize this could just cache that single entry instead of an
individual entry for each IP.


Peter
