[ratelimits] can't trigger rate-limit

Irwin Tillman irwin at princeton.edu
Tue Jan 1 02:33:43 UTC 2013

I'm unable to get the rate-limit to trigger.
I figure I'm missing something simple.

Platform: BIND 9.9.2-P1 with the rate limit patch on Solaris 10 SPARC.
It's an authoritative only server.

When I test with:
  repeat 10 dig @server-ip-address +short +tries=1 +time=1 my-zone.com a
or flood it with a few thousand queries per second:
    bind-9.9.2-P1/contrib/queryperf/queryperf -d  /usr/tmp/querperf-infile -s  server-ip-address  -l 30 -q 20 -t 1
...I don't see rate-limit trigger.

Packet capture shows the queries reaching the server and the server unexpectedly responding to all of them.
I don't see the server rate-limiting its responses to the queries.

After either test, syslog doesn't contain any message about rate-limiting a flow.

After the tests, the statistics-file doesn't contain any of the new categories.

syslog does mention while it's running:
  named[18244]: rate-limit: info: increase from 503 to 569 RRL bins for 500 entries; average search length 3.5
...so the rate-limit feature is alive.

My config:

options {
   rate-limit {
       responses-per-second 5;

logging {
   channel my_syslog_info {
        syslog daemon;
        severity info;
        print-category yes;
        print-severity yes;
   category rate-limit { my_syslog_info; default_debug; };

view "default" {
  # match-clients defaults to all
  ... various zones (hints, masters, slaves)

view "hide-class-chaos" CHAOS {
    # match-clients defaults to all
    allow-query { none; };

More information about the ratelimits mailing list