[ratelimits] RRL vs other approaches

Vernon Schryver vjs at rhyolite.com
Wed Feb 20 01:26:25 UTC 2013

> From: Tony Finch <dot at dotat.at>

> There are a couple of problems with Ed's presentation:
> (1) Why not send a minimal truncated response rather than a refused
> response? It is the same size and avoids interop problems.

> (2) The only mail server that makes ANY queries is qmail, and it
> does so for address canonic

Shouldn't that be "as far as is known" instead of "only qmail"?

I'm probably being stupid.  Why wouldn't it be good for a recursive
server to request ANY when talking to an authoritative about a client's
request for MX, A, or AAAA in the expectation that the client is
likely to eventually ask for one of the other record types?

My questions about 

 (1) What is meant by the comment about RRL on page 3:

       Effective, but an in-line activity and scales "only so much"

   Is that a claim that RRL uses too many CPU cycles?  If so, what
   are the measurements behind the claim and in RRL implementation?

   Or is it a comment about very dispersed reflection attacks in which
   any single DNS server sees too few requests to notice anything evil.

 (2) What are the "other mitigations for [DNSSEC records]" mentioned on
   page 6?  What can a gTLD server do other than RRL for the ~16X
   amplification in the NXDOMAIN response for 
     dig +dnssec asdfqwerasdf.org @a0.org.afilias-nst.info

Vernon Schryver    vjs at rhyolite.com
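Added illustration of the second reading of (1), the dispersed-attack case; this is a constructed toy in the spirit of RRL, not code from the thread, from BIND, or from Ed's presentation, and its rate, window and slip values are assumptions. Each authoritative server limits identical responses per client /24 independently, so a flood concentrated on one server is throttled while the same flood spread thinly across many servers passes untouched.

```python
"""Toy response rate limiter in the spirit of DNS RRL (constructed example)."""
from collections import defaultdict
import ipaddress


class ResponseRateLimiter:
    """Credit bucket per (client /24, rcode, name). Parameters are assumptions,
    not the defaults of BIND or any other implementation."""

    def __init__(self, responses_per_second=5, window=1, slip=2):
        self.rate = responses_per_second            # credits earned per second
        self.burst = responses_per_second * window  # cap on banked credit
        self.slip = slip                            # every Nth excess reply is truncated
        self.credits = {}                           # key -> (credit, last_seen)
        self.excess = defaultdict(int)              # key -> over-limit count

    def key(self, client_ip, qname, rcode):
        # Key on the /24 so a spoofed victim network, not one address, is limited.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        # NXDOMAIN answers from one zone all look alike, so ignore the name for them.
        return (str(net), rcode, qname if rcode == "NOERROR" else "*")

    def decide(self, client_ip, qname, rcode, now):
        """Return 'send', 'slip' (minimal truncated reply) or 'drop'."""
        k = self.key(client_ip, qname, rcode)
        credit, last = self.credits.get(k, (self.rate, now))
        credit = min(self.burst, credit + self.rate * (now - last))
        if credit >= 1:
            self.credits[k] = (credit - 1, now)
            return "send"
        self.credits[k] = (credit, now)
        self.excess[k] += 1
        return "slip" if self.slip and self.excess[k] % self.slip == 0 else "drop"


def simulate(queries, servers=1):
    """Spread a query stream round-robin over `servers` independent limiters
    (one per authoritative server) and tally the decisions."""
    limiters = [ResponseRateLimiter() for _ in range(servers)]
    tally = defaultdict(int)
    for i, (src, qname, rcode, t) in enumerate(queries):
        tally[limiters[i % servers].decide(src, qname, rcode, t)] += 1
    return dict(tally)


# Constructed flood: 100 spoofed queries for nonexistent names, one /24, one instant.
FLOOD = [("192.0.2.7", f"x{i}.example", "NXDOMAIN", 0.0) for i in range(100)]

if __name__ == "__main__":
    print("one server:    ", simulate(FLOOD))       # {'send': 5, 'slip': 47, 'drop': 48}
    print("twenty servers:", simulate(FLOOD, 20))   # {'send': 100}
```

The twenty-server run is the case the question describes: each server sees only five responses to the victim's network and has no local reason to limit anything.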
