[ratelimits] Referrals incorrectly limited.
Joe Abley
jabley at hopcount.ca
Wed Jan 9 18:45:09 UTC 2013
On 2013-01-09, at 13:43, Joe Abley <jabley at hopcount.ca> wrote:
> On 2013-01-09, at 13:38, john <jbond at ripe.net> wrote:
>
>> On 1/9/13 6:18 PM, Vernon Schryver wrote:
>>>> From: john <jbond at ripe.net>
>>>
>>>>> I do not understand "not under that attack at the moment" reasoning.
>>>
>>>> The point is more that enabling the patch will block legitimate traffic.
>>>
>>> Do you disagree with my claim that in almost all legitimate cases not
>>> in the middle of an attack, RRL does not *block* DNS traffic but only
>>> slows it down by forcing legitimate DNS clients to retry or switch to TCP?
>> No, I agree; admittedly I do keep forgetting that fact. However, the first
>> concern I have is that if we force a lot of this traffic over to TCP we
>> could start to exhaust TCP resources.
>
> I like this approach (forcing TC=1 so that clients are forced to handshake) but I do worry slightly that enough brain-dead middleware exists in the world that tcp/53 is unavailable sufficiently that "almost hall" might need to be degraded to "some".
"almost all". Also, "sufficiently unavailable". Words are hard.
Joe