[ratelimits] rate limit vs querylog

Jared Mauch jared at puck.nether.net
Fri Sep 28 17:26:47 UTC 2012


On Sep 28, 2012, at 11:29 AM, Vernon Schryver <vjs at rhyolite.com> wrote:

> } From: Tony Finch <dot at dotat.at>
> 
> } The RRL patch uses LOGCATEGORY_QUERIES in a couple of places, in
> } client.c:ns_client_error() and query.c:query_find(), and it does
> } not check server->log_queries before making these logging calls.
> } I think this is what Richard was complaining about.
> 
> Oh, thanks!

I would say that should be toggled.

> My thinking was that those two places should be like QUERY_ERROR(),
> query_error(), and log_queryerror().  For example, server->log_queries
> or `rndc querylog` does not affect log messages for REFUSED responses.
> However, I didn't pay attention to the loglevel=ISC_LOG_DEBUG(3)
> statement in query_error().
> 
> So should the per-response queries category rate limiting messages 
> be at ISC_LOG_DEBUG(3) and not affected by `rndc querylog`
> or should they be like the default per-query logging and at INFO severity
> and controlled by `rndc querylog`?

I have generally been one to support granular logging capabilities in many cases as long as they are not too cumbersome to implement.  Perhaps there can be a 'rndc rrlog' or similar to support this more easily.  I run a small recursive server but it sees (ab)use from the rrl patch.  Richard is a colleague and runs a larger set of infrastructure that is being actively (ab)used.  Anything to ease his deployment pain will result in broader deployment of this mitigation capability.

- Jared

