[ratelimits] can't trigger rate-limit

Vernon Schryver vjs at rhyolite.com
Wed Jan 2 04:11:25 UTC 2013 

> From: Irwin Tillman <irwin at princeton.edu>

> I', able to see the same behavior (rate-limit does not seem to trigger)
> with the same minimal config you used:

I belatedly remembered the tests in bin/tests/system.  The instructions
in bin/tests/system/README should lead to configuring loopback interfaces
on net-10 and then run the rrl test:

]   10.53.0.1, ns2 on 10.53.0.2, etc.  Before running any tests, you must
]   set up these addresses by running "ifconfig.sh up" as root.

I use `sh ifconfig.sh.up` as root and then I use `sh run.sh rrl` as
an ordinary user.  Based on your tests, that should fail.  Success
looks like:

    % sh run.sh rrl
    S:rrl:Wed Jan  2 04:03:55 UTC 2013
    T:rrl:1:A
    A:System test rrl
    I:exit status: 0
    R:PASS
    E:rrl:Wed Jan  2 04:04:06 UTC 2013

When it fails then `grep ' rrl ' bin/tests/system/rrl/ns2/named.run`
and `grep 'consider limiting response' bin/tests/system/rrl/ns2/named.run`
should not(?) find the lots of stuff like

    02-Jan-2013 03:50:49.067 consider limiting response to 10.53.0.0/24 for a1.tld2 IN A  (0001daf6)

and

    02-Jan-2013 03:50:56.587 rrl age=0  responses=7
    02-Jan-2013 03:50:56.606 rrl age=16777216  responses=2
    02-Jan-2013 03:50:56.606 rrl age=0  responses=6

Failure can be ensured by adding "exit 1" before the end of rrl/tests.sh.
Something that eats lots of CPU cycles should also make the tests
fail by slowing down the test requests and so keeping them from
triggering the limiting.


> If there's other tests I should try, or more detailed logging output I should
> collect, I'll be happy to do so.

Changing "severity info" to "severity debug 10" should generate noise
in /tmp/rl-log


] From: Irwin Tillman <irwin at princeton.edu>

] script patch.out
] patch -p0 < ../bind-rl-9.9.2-P1.patch-20121231
] exit

What is the provinance of bind-rl-9.9.2-P1.patch-20121231 ?

The file linked on http://www.redbarn.org/dns/ratelimits
is http://ss.vix.com/~vixie/rl-9.9.2-P1.patch

What does `named -v` say?  If you used a true copy of the official
unofficial patch, it should say something like "BIND 9.9.2-vjs340.03"


Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list