[ratelimits] new RRL patch

Feng He fenghe at nsbeta.info
Sun Jan 6 06:23:11 UTC 2013

   from: http://ss.vix.su/~vixie/isc-tn-2012-1.txt

2.2.4. WINDOW (15). Rate limiting uses a "credit" or "token bucket"
    scheme.  Each identical response has a conceptual account that is given
    RESPONSES-PER-SECOND and ERRORS-PER-SECOND credits every second. A DNS
    request triggering some desired response debits the account by one.
    Responses are not sent while the account is negative. The account cannot
    become more positive than the per-second limit or more negative than
    window times the per-second limit. A DNS client that sends requests that
    are not answered can therefore be penalized for up to window seconds even
    after the abusive query flow stops.

Paul, this is hard to understand for me due to my poor English.
Can you describe it more clearly, or with an example?


On 2013-1-6 11:39, Paul Vixie wrote:
> Feng He wrote:
>> I could open a ssh account for you and you could login directly to the
>> nameserver host to watch the result, is it right?
> i think that i would not enjoy such great responsibility for keeping
> your system safe.
> perhaps you would be willing to share your named.conf file here, and
> explain the change in behaviour you saw when you first began to use RRL?
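The credit accounting in the WINDOW paragraph quoted above, worked through as a numeric simulation. This is an editor's illustration added to the archive page, not part of the thread and not the BIND 9 RRL implementation; the `Account`, `simulate` and `first_answered_second` names are hypothetical, and the model follows only the rules as the note states them (one credit debited per request, no response while the account is negative, balance clamped between +limit and -window×limit).

```python
"""Simplified token-bucket model of the RRL WINDOW accounting.

Editor's illustration; not BIND 9 code.  Time advances in whole seconds,
credits are added once per second, and every request debits one credit.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    """Credit account for one identical-response bucket."""
    per_second: int           # RESPONSES-PER-SECOND (or ERRORS-PER-SECOND)
    window: int               # WINDOW, in seconds
    balance: int = field(init=False)

    def __post_init__(self):
        # The account starts full: it can never exceed the per-second limit.
        self.balance = self.per_second

    def tick(self):
        """Once per second: add credits, capped at +per_second."""
        self.balance = min(self.balance + self.per_second, self.per_second)

    def request(self) -> bool:
        """Debit one credit (floor -window*per_second); True if response is sent."""
        self.balance = max(self.balance - 1, -self.window * self.per_second)
        return self.balance >= 0


def simulate(per_second, window, requests_per_second):
    """requests_per_second[t] = queries for this response arriving in second t.

    Returns one (second, sent, dropped, balance_at_end_of_second) tuple per second.
    """
    acct = Account(per_second, window)
    log = []
    for t, qps in enumerate(requests_per_second):
        if t:
            acct.tick()                 # credits arrive at the start of each second
        sent = sum(acct.request() for _ in range(qps))
        log.append((t, sent, qps - sent, acct.balance))
    return log


def first_answered_second(log, start):
    """First second >= start in which at least one response was sent, else None."""
    for t, sent, _, _ in log:
        if t >= start and sent:
            return t
    return None
```

With responses-per-second 5 and window 15, a 100 qps flood lasting three seconds drives the balance to -75; a client that then goes silent is answered again only 15 seconds later (the window), and one that keeps querying at 1 qps waits 18 seconds because each query costs a credit of the 5 earned per second.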
