[ratelimits] new RRL patches with small bug fix

Vernon Schryver vjs at rhyolite.com
Thu Apr 4 23:42:45 UTC 2013


New versions of the RRL patches can be found by following the link
labeled "Patch files for BIND9" on http://www.redbarn.org/dns/ratelimits.
Two of the patch files are named 9.8.4-rpz+rl.094.21-P2.patch and
9.9.2-rpz+rl.094.21-P2.patch for the FreeBSD port.

The change makes "slip 1;" send only truncated (TC=1) responses.
Without the change, "slip 1;" is the same as the default of "slip 2;".
That default, which alternates truncated with dropped responses
when the rate limit is exceeded, is better for authoritative DNS
servers, because it further reduces the amplification of an attack
from about 1X to about 0.5X.

DNS RRL is not recommended for recursive servers, because DNS clients
can send bursts of identical, legitimate requests.  "slip 1;" might
reduce the side effects on stub resolvers of RRL on open recursive
servers that cannot be closed.  It is best to close open recursive
servers whenever possible, but an open recursive server with RRL is
less bad than an unprotected open recursive server.


Vernon Schryver    vjs at rhyolite.com
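The following is an added example, not code from the RRL patches, from BIND, or from the author of the post above. It models the "slip" behaviour the post describes: once a client exceeds its rate limit, "slip 0" drops every excess response, "slip 1" sends every excess response as a small truncated (TC=1) reply, and "slip N" truncates every N-th excess response and drops the rest. The packet sizes, the per-second token count and the choice of which excess response in a slip window is the truncated one are constructed assumptions for illustration; they do not change the ratios, which are what the post's 1X vs 0.5X figures refer to. The second half shows why a stub resolver behind an RRL-limited recursive server fares better with "slip 1" than with "slip 2".

```python
"""Model of DNS RRL "slip" handling (added example, not BIND's code).

Assumed semantics of `rate-limit { slip N; }` (matches the post):
  slip 0 -> drop every response above the limit
  slip 1 -> send every response above the limit as a TC=1 reply
  slip N -> send every N-th response above the limit as TC=1, drop the rest
"""
from dataclasses import dataclass

# Constructed, illustrative sizes in bytes (not measurements).
QUERY_BYTES = 60           # one UDP query
TRUNCATED_BYTES = 60       # TC=1 reply: header + question only, about query sized
FULL_ANSWER_BYTES = 3000   # a large, amplifying answer (e.g. signed ANY)


@dataclass
class SlipLimiter:
    """Per-client response budget for one window plus the slip counter."""
    responses_per_window: int
    slip: int
    _sent: int = 0
    _slip_count: int = 0

    def respond(self) -> str:
        """Classify one incoming query as 'full', 'truncated' or 'dropped'."""
        if self._sent < self.responses_per_window:
            self._sent += 1
            return "full"
        if self.slip <= 0:
            return "dropped"
        # Assumption: the N-th excess response in each group of N is the
        # truncated one; which position is slipped does not affect the ratio.
        self._slip_count += 1
        if self._slip_count >= self.slip:
            self._slip_count = 0
            return "truncated"
        return "dropped"


def simulate(queries: int, limit: int, slip: int) -> dict:
    """Run `queries` identical queries from one client through the limiter."""
    rl = SlipLimiter(limit, slip)
    counts = {"full": 0, "truncated": 0, "dropped": 0}
    for _ in range(queries):
        counts[rl.respond()] += 1
    counts["bytes_in"] = queries * QUERY_BYTES
    counts["bytes_out"] = (counts["full"] * FULL_ANSWER_BYTES
                           + counts["truncated"] * TRUNCATED_BYTES)
    return counts


def excess_amplification(queries: int, limit: int, slip: int) -> float:
    """Bytes reflected per byte of attack traffic, counting only the queries
    above the rate limit, i.e. the portion of the flood that RRL controls.
    This is the quantity the post calls 'about 1X' (slip 1) and 'about 0.5X'
    (slip 2)."""
    c = simulate(queries, limit, slip)
    excess = max(queries - limit, 0)
    if excess == 0:
        return 0.0
    return (c["truncated"] * TRUNCATED_BYTES) / (excess * QUERY_BYTES)


def total_amplification(queries: int, limit: int, slip: int) -> float:
    """Overall bytes out per byte in, including the responses under the limit."""
    c = simulate(queries, limit, slip)
    return c["bytes_out"] / c["bytes_in"]


def stub_outcome(burst: int, limit: int, slip: int) -> dict:
    """A stub resolver sends `burst` identical legitimate queries to an open
    recursive server with RRL.  Replies that are merely truncated let the stub
    retry over TCP; dropped ones leave it waiting for a timeout."""
    c = simulate(burst, limit, slip)
    return {"answered": c["full"], "retry_tcp": c["truncated"],
            "timeout": c["dropped"]}


if __name__ == "__main__":
    for slip in (0, 1, 2, 3):
        print(f"slip {slip}: excess amplification "
              f"{excess_amplification(1000, 10, slip):.2f}X, total "
              f"{total_amplification(1000, 10, slip):.2f}X")
    print("no RRL:", f"{total_amplification(1000, 1000, 0):.1f}X")
    for slip in (1, 2):
        print(f"stub, slip {slip}:", stub_outcome(20, 10, slip))
```

Run it and the spoofed-source case shows the post's figures directly: with a truncated reply about the size of the query, "slip 1" reflects roughly one byte per excess byte, "slip 2" half of that, and "slip 0" nothing, against a 50X reflection for the same burst with no rate limit at all. The stub case shows the side effect the post mentions: with "slip 2" half of the stub's excess queries are silently dropped, while with "slip 1" every one of them gets a TC=1 reply and can fall back to TCP.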

