[RPZ] RPZ Findings.

Paul Vixie paul at redbarn.org
Fri Dec 21 17:41:51 UTC 2012


On 2012-12-21 10:36 AM, Simon Forster wrote:
> On 20 Dec 2012, at 20:09, Augie Schwer <augie.schwer at gmail.com> wrote:
>
>> Overall the RPZ zones have little impact on traffic.
> I would argue that this is not really the role of RPZ. ...

it's true that RPZ adds no latency. queries involving RPZ are answered
just as quickly (total transaction time from the point of view of the
end-user whose query it is) as queries not involving RPZ.

however, the throughput of the name server is lower with RPZ than
without it. this is the number of queries per second that a server can
handle. so, large network operators who are processing 50K queries per
second without RPZ would do well to learn in a lab what their throughput
will be when adding the first RPZ and also what their throughput will be
when adding each additional RPZ. it's possible that the throughput will
drop enough when adding an RPZ that you will need more name servers, and
a load balancer, in order to keep up with your transaction load.

i would like to see more real world throughput test results posted to
this mailing list. vernon is working on some speedups to RPZ,
specifically in the case of multiple RPZ subscriptions in a single
server. our own testing of RPZ's impact on throughput has been somewhat
inconclusive. if others can post their results and their methods then we
may be able to build the perfect test case for RPZ throughput, and code
against that.

> Quite a lot of benefit to share around – and all for free.

it's true that RPZ's format and method is unencumbered; no patents etc.
it's also true that the RPZ implementation in BIND9 is free, just as is
the rest of the open source version of BIND9.

it may not be true that every RPZ zone that a server operator may wish
to subscribe to is free. i believe that SURBL and Spamhaus and Internet
Identity all plan to charge a fee for commercial use, for example. i
think this is great -- because when people are making money by
delivering high quality RPZ content, there will be more and higher
quality RPZ content available to all of us than would otherwise be so.

paul
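The lab comparison Paul asks for above (baseline throughput, then one RPZ, then each additional RPZ) is what this harness automates. It is an added example, not code from the original post or from ISC/BIND. It assumes the dnsperf load generator and its -s, -d, -l and -c flags, and parses the "Queries per second" and "Queries lost" lines of dnsperf's summary; the sample summaries embedded below are constructed for illustration and are not measurements of any resolver.

```python
"""Lab harness for comparing a resolver's throughput with 0, 1, 2, ... RPZ
zones loaded.

Added example, not from the original post or from BIND/ISC. It assumes
dnsperf and its -s, -d, -l and -c flags, and parses the "Queries per second"
and "Queries lost" lines of dnsperf's summary. SAMPLE_OUTPUTS below are
constructed, not real results.
"""
import math
import re
import subprocess
from typing import Dict

QPS_RE = re.compile(r"Queries per second:\s+([0-9.]+)")
LOST_RE = re.compile(r"Queries lost:\s+(\d+)")
BASELINE = "0 rpz"  # label of the run with no response-policy zones loaded


def parse_dnsperf(output: str) -> Dict[str, float]:
    """Pull queries/sec and the lost-query count out of a dnsperf summary."""
    qps = QPS_RE.search(output)
    if not qps:
        raise ValueError("no 'Queries per second' line in dnsperf output")
    lost = LOST_RE.search(output)
    return {"qps": float(qps.group(1)),
            "lost": float(lost.group(1)) if lost else 0.0}


def run_dnsperf(server: str, queryfile: str, seconds: int = 60,
                clients: int = 20) -> Dict[str, float]:
    """Drive dnsperf against `server`. Use the same query file, duration and
    client count for every configuration so runs are comparable
    (requires dnsperf on PATH; not exercised offline)."""
    cmd = ["dnsperf", "-s", server, "-d", queryfile,
           "-l", str(seconds), "-c", str(clients)]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse_dnsperf(proc.stdout)


def compare_runs(results: Dict[str, Dict[str, float]]) -> Dict[str, dict]:
    """Express every configuration relative to the no-RPZ baseline.

    A run that lost queries is flagged as saturated: its QPS figure is the
    ceiling the server hit, not a clean sample of the offered load."""
    base = results[BASELINE]["qps"]
    table = {}
    for label, r in results.items():
        rel = r["qps"] / base
        table[label] = {"qps": r["qps"], "relative": rel,
                        "drop_pct": 100.0 * (1.0 - rel),
                        "saturated": r["lost"] > 0}
    return table


def servers_needed(measured_qps: float, offered_qps: float,
                   headroom: float = 0.7) -> int:
    """Resolvers required to carry `offered_qps` when one resolver measured
    `measured_qps` in the lab and is planned to run at no more than
    `headroom` of that (the remainder absorbs bursts and a host failure)."""
    if measured_qps <= 0 or not 0 < headroom <= 1:
        raise ValueError("measured_qps must be > 0 and 0 < headroom <= 1")
    return math.ceil(offered_qps / (measured_qps * headroom))


# Constructed dnsperf summaries, for illustration only. Real numbers depend on
# hardware, cache hit rate, query mix and the size of each RPZ.
SAMPLE_OUTPUTS = {
    "0 rpz": "Statistics:\n  Queries lost:  0 (0.00%)\n  Queries per second:   50000.00\n",
    "1 rpz": "Statistics:\n  Queries lost:  0 (0.00%)\n  Queries per second:   42500.00\n",
    "2 rpz": "Statistics:\n  Queries lost:  0 (0.00%)\n  Queries per second:   38000.00\n",
    "3 rpz": "Statistics:\n  Queries lost:  120 (0.40%)\n  Queries per second:   30000.00\n",
}


def lab_report(outputs: Dict[str, str], offered_qps: float) -> Dict[str, dict]:
    """Parse one dnsperf summary per configuration, compare against the
    baseline, and estimate how many resolvers the offered load needs."""
    parsed = {label: parse_dnsperf(text) for label, text in outputs.items()}
    table = compare_runs(parsed)
    for row in table.values():
        row["servers_for_offered_load"] = servers_needed(row["qps"], offered_qps)
    return table


if __name__ == "__main__":
    # 50K qps is the operator size used in the post above.
    for label, row in lab_report(SAMPLE_OUTPUTS, offered_qps=50000).items():
        flag = " (saturated)" if row["saturated"] else ""
        print(f"{label:6s} {row['qps']:9.0f} qps  {row['drop_pct']:5.1f}% drop  "
              f"{row['servers_for_offered_load']} server(s){flag}")
```

Run each configuration against the same resolver build with a warm cache and the same query file; reload named with one more response-policy zone between runs. Keep the raw dnsperf output alongside the parsed numbers when posting results so others can check the method.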


