[ratelimits] ratelimiting /24 for <tld>

Vernon Schryver vjs at rhyolite.com
Sun Jul 8 20:24:19 UTC 2012

> From: Tony Finch <dot at dotat.at>

> dns_rrl() to see the value of fname that was being passed in. This showed
> that it was usually being called twice per recursive query - see the log
> extract below. The two fnames are usually the TLD and the qname (in that
> order), except when the response is not already cached.
> This would explain why my recursive queries are triggering the rate
> limiter for TLDs even when I am not querying for TLDs.
> dns_rrl() is only being called once for authoritative responses.

Tests using a gdb breakpoint at the call to dns_rrl() confirm my
expectation that dns_rrl() is called only once when the answer is
already in the cache and no CNAMEs are involved.

I think that the extra rate limiting applied to recursion when the
cache has no current answer is required, because until the authoritative
server answers, the local recursive server cannot know with what or
even whether the authoritative server will answer.

Whether the extra rate limiting on CNAME chains is a bug might depend on
how hard it would be to fix.  I need to think about it.
Something like what I did to make response policy rewriting (RPZ)
be applied only once might be effective, but it must not affect
recursion--which it did for RPZ.

thanks for looking at it,

Vernon Schryver    vjs at rhyolite.com
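The following is an added model of the behaviour discussed in this thread; it is not BIND code and not code from either poster. It keeps one token bucket per (client /24, fname) and replays the two cases described above: an uncached recursive query consulting the limiter twice (fname = TLD, then fname = qname, in the order Tony reports) versus a cached answer consulting it once (qname only). The bucket arithmetic, the rates, the client address and the query names are all constructed for the example and are deliberately simpler than the real RRL algorithm.

```python
"""Model of per-(client /24, fname) rate limiting consulted once or twice
per recursive query.  Added example, not BIND's dns_rrl() and not code
from the ratelimits thread; all rates, names and addresses are constructed.
"""
from collections import defaultdict
import ipaddress


def client_prefix(ip: str) -> str:
    """Rate-limit key for an IPv4 client: the /24 it belongs to."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def tld_of(qname: str) -> str:
    """Rightmost label of a fully qualified name, e.g. 'com.'"""
    return qname.rstrip(".").split(".")[-1] + "."


class RateLimiter:
    """One integer token bucket per (client prefix, fname).

    Credit is kept in thousandths of a response so that refilling from a
    millisecond clock stays exact.  A call whose bucket goes negative is
    counted as dropped.  (Simplified model; real RRL also slips, bounds the
    deficit and ages buckets out.)
    """

    def __init__(self, responses_per_second: int):
        self.rps = responses_per_second
        self.state = {}                 # key -> (credit_millitokens, last_ms)
        self.calls = defaultdict(int)   # how often each bucket was consulted
        self.dropped = defaultdict(int)

    def check(self, client: str, fname: str, now_ms: int) -> bool:
        key = (client_prefix(client), fname)
        credit, last = self.state.get(key, (self.rps * 1000, now_ms))
        # refill for elapsed time, never beyond one second's worth of responses
        credit = min(self.rps * 1000, credit + (now_ms - last) * self.rps)
        credit -= 1000                  # this response costs one token
        self.state[key] = (credit, now_ms)
        self.calls[key] += 1
        if credit < 0:
            self.dropped[key] += 1
            return False
        return True


def simulate(limiter: RateLimiter, client: str, qnames, interval_ms: int,
             cached: bool) -> None:
    """Replay one client's queries, consulting the limiter as the thread describes."""
    for i, qname in enumerate(qnames):
        now = i * interval_ms
        if not cached:
            # uncached: first consultation uses the TLD as fname
            limiter.check(client, tld_of(qname), now)
        limiter.check(client, qname, now)   # always consulted with the qname


def run_scenario(cached: bool, n_queries: int = 40, qps: int = 20,
                 rps: int = 10):
    """Return (drops charged to the TLD bucket, drops charged to qname buckets).

    Constructed workload: 40 distinct names under example.com from one client
    at 20 q/s, against a 10 responses/s limit.  No qname repeats, so no qname
    bucket can ever be limited; only the shared TLD bucket can.
    """
    limiter = RateLimiter(rps)
    client = "192.0.2.25"                      # constructed, TEST-NET-1
    qnames = [f"host{i}.example.com." for i in range(n_queries)]
    simulate(limiter, client, qnames, 1000 // qps, cached)
    prefix = client_prefix(client)
    tld_drops = limiter.dropped[(prefix, "com.")]
    qname_drops = sum(v for (p, f), v in limiter.dropped.items() if f != "com.")
    return tld_drops, qname_drops


if __name__ == "__main__":
    for cached in (False, True):
        tld, qn = run_scenario(cached)
        print(f"cached={cached}: TLD bucket drops={tld}, qname bucket drops={qn}")
```

In the uncached case every query the client makes under .com is charged to the (client /24, "com.") bucket as well as to its own qname bucket, so that one shared bucket trips at 20 q/s even though the client never queries the TLD itself; the qname buckets, each hit once, never limit anything. With the answer cached there is a single consultation per query and nothing is limited. That is the asymmetry Tony's log extract shows and Vernon argues is necessary for uncached recursion.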
