[ratelimits] rate limit vs querylog
jared at puck.nether.net
Fri Sep 28 17:26:47 UTC 2012
On Sep 28, 2012, at 11:29 AM, Vernon Schryver <vjs at rhyolite.com> wrote:
> } From: Tony Finch <dot at dotat.at>
> } The RRL patch uses LOGCATEGORY_QUERIES in a couple of places, in
> } client.c:ns_client_error() and query.c:query_find(), and it does
> } not check server->log_queries before making these logging calls.
> } I think this is what Richard was complaining about.
> Oh, thanks!
I would say that should be toggled.
> My thinking was that those two places should be like QUERY_ERROR(),
> query_error(), and log_queryerror(). For example, server->log_queries
> or `rndc querylog` does not affect log messages for REFUSED responses.
> However, I didn't pay attention to the loglevel=ISC_LOG_DEBUG(3)
> statement in query_error().
> So should the per-response queries category rate limiting messages
> be at ISC_LOG_DEBUG(3) and not affected by `rndc querylog`
> or should they like the default per-query logging and at INFO severity
> and controlled by `rndc querylog`?
I have generally been one to support granular logging capabilities in many cases as long as they are not too cumbersome to implement. Perhaps there can be a 'rndc rrlog' or similar to support this more easily. I run a small recursive server but it sees (ab)use from the rrl patch. Richard is a colleague and runs a larger set of infrastructure that is being actively (ab)used. Anything to ease his deployment pain will result in broader deployment of this mitigation capability.