[ratelimits] one more on FreeBSD and new RRL patch
michael+lists at burnttofu.net
Tue Jan 8 19:46:29 UTC 2013
On 1/8/13 11:05 AM, Paul Vixie wrote:
> as vernon writes, the rpz fixes ought not worry anybody. if you're
> clicking the "i want rrl" button then you're asking for code that's not
> supported yet as part of ISC BIND itself. you might as well get other
> rpz-related fixes with that, since they have the same status.
That makes sense, but keep in mind that for those of us who are forced
(by the bad guys) to use RRL, and are already making good use of RPZ,
it's still desirable to add experimental features/patches one at a
time. Just because we need to use one experimental feature doesn't mean
we don't incur additional potential risk by installing more experimental
code than we need. I don't mean to downplay the headaches of multiple
patch-sets, just to note that there is reasonable demand for separate
patches, knowing that that demand may not be feasible to meet.
That said, it sounds like the smaller patch is relatively low-risk and I
will test that one first. I am also happy to test the larger patch-set,
but that will take me longer, as I need to have a good feel for when I
can put this into production.
(I also see that a patch-set that only fixes the "Irwin Tillman bug"
(sorry Irwin!) is on the site. Thanks for doing that.)
> i urge that package maintainers and rrl users make use of the smaller of
> the two rpz-inclusive rrl patches.
Sounds good. Thus far, these patches have worked extremely well, with
the desired and necessary results. The whole community has benefited
from this and I want to thank Vernon and Paul for designing and
implementing these features.
I also want to thank Erwin Lansing for taking the reins on the FreeBSD
BIND ports. As most of us know, there's a huge install base of FreeBSD
systems running as DNS servers and having a robust port system is
critical to managing such services. FreeBSD has the best "vendor
support" of BIND of any F/OSS OS distribution, IMO. FreeBSD sysadmins
have significant flexibility as to whether they run the latest
cutting-edge versions of BIND (even with experimental features) or the
rock-solid ESV versions. Having an option to include RRL on the options
screen of the port build process (properly labeling it 'EXPERIMENTAL')
is a good idea all around. It will make it easier for more people to
test RRL without having to go through the gyrations of manually
patching, but they'll be aware of what they're getting into.