[ratelimits] new RRL patch
fenghe at nsbeta.info
Sun Jan 6 06:23:11 UTC 2013
2.2.4. WINDOW (15). Rate limiting uses a "credit" or "token bucket"
scheme. Each identical response has a conceptual account that is given
RESPONSES-PER-SECOND and ERRORS-PER-SECOND credits every second. A DNS
request triggering some desired response debits the account by one.
Responses are not sent while the account is negative. The account cannot
become more positive than the per-second limit or more negative than
window times the per-second limit. A DNS client that sends requests that
are not answered can therefore be penalized for up to window seconds even
after the abusive query flow stops.
Paul, this is hard for me to understand due to my poor English.
Can you describe it more clearly, or with an example?
On 2013-1-6 11:39, Paul Vixie wrote:
> Feng He wrote:
>> I could open a ssh account for you and you could login directly to the
>> nameserver host to watch the result, is it right?
> i think that i would not enjoy such great responsibility for keeping
> your system safe.
> perhaps you would be willing to share your named.conf file here, and
> explain the change in behaviour you saw when you first began to use RRL?
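
The credit account described in the quoted WINDOW paragraph, as an added Python sketch that is not part of the original message and is not BIND's code. The rate of 5 per second, the 1000 qps flood, the full starting balance and whole-second crediting are constructed assumptions.

```python
import copy


class Account:
    """Credit account for one identical response, per the quoted text."""

    def __init__(self, per_second, window):
        self.per_second = per_second
        self.floor = -window * per_second  # most negative balance allowed
        self.balance = per_second          # assumption: account starts full
        self.last = 0                      # time of last credit, whole seconds

    def query(self, now):
        """Credit elapsed seconds, debit one, return True if a response is sent."""
        elapsed = now - self.last
        if elapsed > 0:
            # Credits accrue every second but never exceed the per-second limit.
            self.balance = min(self.per_second,
                               self.balance + elapsed * self.per_second)
            self.last = now
        # Every request debits one, but the debt is capped at window * limit.
        self.balance = max(self.floor, self.balance - 1)
        # Responses are not sent while the account is negative.
        return self.balance >= 0


def simulate(per_second=5, window=15, flood_qps=1000, flood_seconds=20):
    """Return (responses sent during the flood, quiet seconds until an answer)."""
    acct = Account(per_second, window)
    sent = 0
    for t in range(flood_seconds):
        for _ in range(flood_qps):
            sent += acct.query(t)
    flood_end = flood_seconds - 1
    delay = 1
    # Probe a copy so each trial is one query after `delay` quiet seconds.
    while not copy.copy(acct).query(flood_end + delay):
        delay += 1
    return sent, delay


if __name__ == "__main__":
    sent, delay = simulate()
    print(f"sent during flood: {sent}; first answer {delay}s after it stops")
```

In this model the account reaches its floor during the flood, so the penalty afterwards is set by the window and not by how long the flood lasted; a brief burst that never reaches the floor recovers much sooner.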