[ratelimits] Referrals incorrectly limited.
gilles.massen at restena.lu
Wed Jan 9 21:16:06 UTC 2013
On 9/1/13 20:31, Vernon Schryver wrote:
> Before starting to worry about brain-dead middleware blocking tcp/53,
> I'd think about junk blocking udp/53 and stop worrying about either.
> Being liberal in what you accept doesn't involve pandering to the
> willfully benighted.
All this is deep in 'local policy' territory.
> There are also plenty of reports of junk that ignores TC=1, but TC=1 is
> only a final defense against false positives. Any legitimate DNS
> client worth caring about will spread at least 3 requests over several
> seconds. Unless there is a concurrent attack forging the client's IP
> address, the client is one of a mob behind a NAT box or in an ISP
> server farm recovering after a power failure, or other relatively
> unlikely cases, what is the false positive problem?
> The case at hand involves rate limiting 66 referrals per second and
> forcing the abusive DNS client to slow down. If those clients are
> remotely legitimate and even if they ignore TC=1, they were not blocked
> but only forced to slow down. Except that RIPE apparently wants to
> answer abusive traffic from universities at full speed, would there
> be any question?
Everything is about the definition of abusive and where you set the bar
for taking action. Much like the RIPE NCC we are running a delegation
centric zone, and I like to think that we are operating it for the
benefit of the larger Internet. As such I do not want to slow down any
traffic unless it is causing real problems either to our operations or
someone else's. I do not want to block or even hinder queries, even if I
disapprove of them - and I will choose 'innocent until proven guilty'
any time over fast action. Besides, I will not be judge over the
*intentions* of a set of queries. So for us rate limitation should only
be a protection, not a tool for educating stupid clients. As a result
the referral limitation is also a problem for us.
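The mechanics the two posters are arguing about (a per-client response limit, over-limit responses dropped, every N-th one replaced by a TC=1 reply so a real resolver can retry over TCP) can be seen in a small simulation. The code below is an added illustration, not from this thread and not BIND's RRL implementation: it models the limit as a fixed per-second counter per source address rather than RRL's address-block and response-type buckets, and the client addresses and traffic patterns are constructed. It shows why a resolver that spreads a few queries over several seconds is never touched, while a source sending 66 queries per second is slowed down but not cut off.

```python
from collections import defaultdict


class ReferralRateLimiter:
    """Simplified per-source response rate limiter (constructed model).

    UDP responses to a source are capped at `responses_per_second`; beyond
    that they are dropped, except that every `slip`-th over-limit response
    is sent back truncated (TC=1) so a well-behaved client can retry over
    TCP, which is never limited. This mirrors the idea of RRL's 'slip' but
    is not its implementation.
    """

    def __init__(self, responses_per_second=5, slip=2):
        self.responses_per_second = responses_per_second
        self.slip = slip
        self.sent = {}                     # (client, second) -> responses sent
        self.over_limit = defaultdict(int)  # client -> over-limit responses seen

    def decide(self, client, now, transport="udp"):
        """Return 'answer', 'truncated' or 'drop' for one query."""
        if transport == "tcp":
            # TCP cannot be used for reflection with a forged source, so it is exempt.
            return "answer"
        slot = (client, int(now))
        count = self.sent.get(slot, 0)
        if count < self.responses_per_second:
            self.sent[slot] = count + 1
            return "answer"
        self.over_limit[client] += 1
        if self.slip and self.over_limit[client] % self.slip == 0:
            return "truncated"
        return "drop"


def simulate(limiter, queries):
    """Feed (client, time, transport) queries in time order; tally decisions per client."""
    tally = defaultdict(lambda: defaultdict(int))
    for client, when, transport in sorted(queries, key=lambda q: q[1]):
        tally[client][limiter.decide(client, when, transport)] += 1
    return {client: dict(counts) for client, counts in tally.items()}


def run_scenario():
    """Constructed traffic: one ordinary resolver and one 66-queries-per-second source."""
    limiter = ReferralRateLimiter(responses_per_second=5, slip=2)
    # A legitimate resolver spreading three queries over several seconds.
    legit = [("198.51.100.7", t, "udp") for t in (0.1, 1.4, 2.9)]
    # One source sending 66 referral-generating queries per second for three seconds.
    flood = [("203.0.113.9", second + i / 66, "udp")
             for second in range(3) for i in range(66)]
    return simulate(limiter, legit + flood)


if __name__ == "__main__":
    for client, counts in run_scenario().items():
        print(client, counts)
```

With a limit of 5 responses per second the flood source still receives 15 answers over the three seconds plus 91 truncated replies inviting a TCP retry; only the remainder is silently dropped. The resolver's three queries are all answered, which is the "no false positive" case in the quoted reply; the policy question raised in the message above is whether a source should be slowed at all when it is not causing operational trouble.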