[ratelimits] new BIND9 RRL patch version

Vernon Schryver vjs at rhyolite.com
Sun Dec 9 20:08:38 UTC 2012


New versions of the BIND9 RRL patches for BIND9 9.8.4-P1 and 9.9.2-P1
are on the BIND9 RRL web page at http://www.redbarn.org/dns/ratelimits
That page includes instructions for using the patches.

BIND9 9.8.4-P1 and 9.9.2-P1 are security fix releases of BIND 9 for
versions 9.8.4 and 9.9.2.  See https://www.isc.org/downloads/current

Besides minor changes to deal with changes to the BIND9 source since
9.8.3-P1 and 9.9.1-P1, the following are the principal improvements:
   - fix the new bug in the default for responses-per-second from
      a de facto "off" something like 10,000 to a real "off" of 0.
   - reduce the default for min-table-size from 1000 to 500
   - reduce the size of database entries from ~80 to ~56 bytes on
       64-bit systems
   - increase the default for max-table-size from 10,000 to 20,000
   - change the built-in parameters for the _bind zone from
        rate-limit {
               responses-per-second 1;
               window 10;
               slip 0;
               IPv4-prefix-length 16;
               IPv6-prefix-length 32;
               min-table-size 10;
        }
     to
        rate-limit {
               responses-per-second 3;
               slip 0;
               min-table-size 10;
        }
     The built-in defaults for the window and prefix lengths are now used
     for the _bind zone.
   - more text for the BIND9 Administrators Reference Manual or ARM
      There is a link on http://www.redbarn.org/dns/ratelimits to the
      ARM text.
   - rate-limit category log messages announcing the end of limiting
      a stream of responses that have been hurried by a shortage of
      memory are flagged with an asterisk (*).


The current syntax for a rate-limit statement in the options{} or
view{} sections is:
    rate-limit {
        [ responses-per-second number ; ]
        [ errors-per-second number ; ]
        [ nxdomains-per-second number ; ]
        [ all-per-second number ; ]
        [ window number ; ]
        [ log-only yes_or_no ; ]
        [ qps-scale number ; ]
        [ IPv4-prefix-length number ; ]
        [ IPv6-prefix-length number ; ]
        [ slip number ; ]
        [ exempt-clients  { address_match_list } ; ]
        [ max-table-size number ; ]
        [ min-table-size number ; ]
      } ;
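As an added illustration that is not part of the original post, the fragment below shows the statement above filled in for an options{} block. Every value is an assumption chosen for a typical authoritative server, not a default stated in the post; the addresses in exempt-clients are constructed. With the bug fix described above, responses-per-second 0 now means limiting is off, so a nonzero value is what actually enables it.

```conf
// Added example, not from the original post. Values are assumptions.
options {
    rate-limit {
        // identical responses allowed per client block per second; 0 = off
        responses-per-second 5;
        errors-per-second 5;
        nxdomains-per-second 5;
        // seconds over which the per-second credit is averaged
        window 5;
        // every 2nd response that would be dropped is instead sent
        // truncated (TC=1), so legitimate clients can retry over TCP
        slip 2;
        // client address blocks that share one rate-limit entry
        IPv4-prefix-length 24;
        IPv6-prefix-length 56;
        // constructed addresses: never limit these resolvers
        exempt-clients { 127.0.0.1; 10.0.0.0/8; };
        // table bounds in entries (the post notes ~56 bytes each on 64-bit)
        max-table-size 20000;
        min-table-size 500;
        // log what would be limited without actually dropping anything;
        // useful while tuning, remove once the limits look right
        log-only yes;
    };
};
```

Start with log-only yes and watch the rate-limit log category for a few days of normal traffic before turning real limiting on, so that the per-second values and prefix lengths are tuned against the server's own query mix rather than guessed.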


Vernon Schryver    vjs at rhyolite.com
