Re: [exim-dev] feature request for exim: query DNSBL provide…

Author: Rob McEwen
Date:  
To: exim-dev
Subject: Re: [exim-dev] feature request for exim: query DNSBL providers' DNS servers directly
On 9/11/2017 4:19 PM, Viktor Dukhovni wrote:
> On Sep 11, 2017, at 3:52 PM, Rob McEwen <rob@???> wrote:
>>
>> Again, if this feature were implemented - as described - it would be
>> completely innocuous to those who didn't go out of their way to implement
>> this. Of course, I would want the implementation by the end user to be
>> very very simple too - but it wouldn't be something that someone could
>> easily mistakenly do, either.
>
> The problem is that with resolver bypass you lose caching, even
> when receiving multiple concurrent or closely spaced in time
> messages from a legitimate high-volume sender.
>
> The performance impact of this is considerable and undesirable.
>
> As you may know, I am not an Exim developer, so take my opinion for
> what it is worth, but IMHO implementing a DNS cache in Exim would not
> be a good architectural choice, and without caching the feature is too
> costly.
>
> If the incentives on your end are compelling, provide your customers with
> a software package that installs a properly configured local resolver for
> their use.  This will also work with other MTAs and unpatched versions of
> Exim.
>
> Your problem seems real enough, and yet your proposed solution may not be
> the way forward.

Adding an internal caching feature for internal-only DNSBL lookups in
Exim... isn't trivial. However, generally speaking, *all* DNSBL caching
is ONLY valuable for a few minutes, at most. Caching for more time
causes unnecessary False Positives for DNSBL lookups. Also, as I had
mentioned, this would be limited in scope to ONLY the particular
DNSBL(s) for which the Exim admin had explicitly implemented this
feature, and only caching results for up to a few minutes (or the
DNSBL's TTL).

NOTE: For perspective, Spamhaus's Zen list has a 10 second TTL. This
means that a DNS server is ONLY supposed to cache the last 10
seconds' worth of Spamhaus lookups! Therefore, it would be quite
reasonable to limit the TTL of such an internal Exim DNS cache... to
ONLY what was queried in the last 10 seconds!

Given such a tiny amount of caching time, and the fact that this
would be limited in scope to only DNSBLs for which the Exim admin goes
out of their way to implement this feature - I highly doubt that there
would be that much added memory or CPU overhead resulting from such a
feature - and it would be totally innocuous to everyone else who didn't
choose to use this feature.

If you don't particularly care for this feature (should it ever be
implemented) simply don't go out of your way to use it!

--
Rob McEwen
http://www.invaluement.com
+1 (478) 475-9032
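The caching policy argued for above (keep each DNSBL answer for no longer than the smaller of the record's TTL and an operator cap of a few minutes, so delistings propagate promptly), as an added Python example that is not part of this thread or of Exim. The resolver callback, the zone name `zen.example`, the 120-second cap and the sample answers are constructed assumptions for illustration.

```python
import time
from typing import Callable, Dict, Tuple

# Hypothetical operator cap on cache lifetime ("a few minutes at most").
MAX_CACHE_SECONDS = 120

def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, e.g. 4.3.2.1.zen.example."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return ".".join(reversed(octets)) + "." + zone

class DnsblCache:
    """Caches one DNSBL's answers for min(record TTL, operator cap) seconds."""
    def __init__(self, lookup: Callable[[str], Tuple[bool, int]],
                 cap: int = MAX_CACHE_SECONDS, clock=time.monotonic):
        self._lookup = lookup      # hypothetical resolver: name -> (listed?, ttl)
        self._cap = cap
        self._clock = clock
        self._entries: Dict[str, Tuple[bool, float]] = {}  # name -> (listed, expires_at)
        self.upstream_queries = 0  # how many lookups actually left the MTA

    def is_listed(self, ip: str, zone: str) -> bool:
        name = dnsbl_name(ip, zone)
        now = self._clock()
        hit = self._entries.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                      # fresh answer, no upstream query
        listed, ttl = self._lookup(name)
        self.upstream_queries += 1
        # Negative answers are cached too, but never past the list's own TTL,
        # so a delisting takes effect as quickly as the DNSBL intends.
        self._entries[name] = (listed, now + min(ttl, self._cap))
        return listed

def simulate_delisting() -> Tuple[bool, bool, int, bool, int]:
    """Constructed scenario: a 10-second-TTL list (like Zen) delists a host."""
    clock = [0.0]
    answers = {dnsbl_name("192.0.2.10", "zen.example"): (True, 10)}  # constructed
    cache = DnsblCache(lambda n: answers.get(n, (False, 10)), clock=lambda: clock[0])
    first = cache.is_listed("192.0.2.10", "zen.example")    # goes upstream
    clock[0] = 5.0
    second = cache.is_listed("192.0.2.10", "zen.example")   # served from cache
    queries_after = cache.upstream_queries
    answers.clear()                                         # host delisted
    clock[0] = 11.0                                         # 10 s TTL has expired
    third = cache.is_listed("192.0.2.10", "zen.example")    # re-queried, now clean
    return first, second, queries_after, third, cache.upstream_queries
```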