[ratelimits] Referrals incorrectly limited.

Vernon Schryver vjs at rhyolite.com
Wed Jan 9 23:04:07 UTC 2013

> From: Gilles Massen <gilles.massen at restena.lu>

> All this is deep in 'local policy' territory.

Everything about RRL is in local policy territory until a server sends
so many DNS responses or requests that they must be blocked or rate
limited elsewhere.

> Everything is about the definition of abusive and where you set the bar
> for taking action. Much like the RIPE NCC we are running a delegation
> centric zone, and I like to think that we are operating it for the
> benefit of the larger Internet. As such I do not want to slow down any
> traffic unless it is causing real problems either to our operations or
> someone else's. I do not want to block or even hinder queries, even if I
> disapprove of them - and I will choose 'innocent until proven guilty'
> anytime over fast action. Besides I will not be judge over the
> *intentions* of a set of queries. So for us rate limitation should only
> be a protection, not a tool for educating stupid clients.

I agree with practically all of that.  Where we disagree is in its

>                                                           As a result
> the referral limitation is also a problem for us.

I've not understood a problem greater than an inconsequential slow
down of supposed "research" that would have been slowed at its sources
if the perpetrators had good intentions and were not stupid.  I agree
that slowing even that bogus "research" might be a problem for referral
servers.  We disagree about its significance compared to the significance
of the DoS problem.  (Never mind that I do object to the wasted resources
at the authoritative reverse DNS servers by that endlessly repeated,
as fast as possible "research".)

Are your DNS servers open recursive servers?  Why doesn't the same
reasoning that finds too much harm in slowing repeated referrals
apply to ignoring RD=1?

Must referral rate limiting wait for a complaint about a DoS attack
reflected from your amplifying DNS servers?  If there were a separate
knob, I trust that after a complaint, you would turn it on.  Would
you ever turn it off?--I bet not, which raises questions about the
significance of the harm it does now.

Of course this is all in local policy territory, but it would be
helpful to understand the local policy territory to know which
additional RRL knobs are worthwhile.  Every additional knob and
control has significant costs.

Vernon Schryver    vjs at rhyolite.com
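An added illustration of the "separate knob" under discussion, written for this page; it is not code from the thread, and it is not the implementation of BIND, NSD or any other server. It models RRL as one credit bucket per (client /24, response category, identity), with a referral limit that can be set to 0 (unlimited) or to a small per-second value, and a "slip" setting that turns every slip-th dropped response into a tiny truncated reply so a genuine resolver retries over TCP while a reflection victim gets no amplified traffic. The option names mimic BIND's responses-per-second, referrals-per-second, nxdomains-per-second and slip knobs, but the refill and debt-cap logic is a simplification, and the traffic (a spoofed-source referral flood plus one ordinary resolver) is constructed, not captured.

```python
"""Simplified DNS response-rate-limiting (RRL) model with a separate referral knob.

Illustrative code for this page, not BIND's or NSD's RRL.  Option names mimic
BIND's RRL configuration; the bucket algorithm is a simplification.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Response categories that RRL implementations limit with separate knobs.
ANSWER, REFERRAL, NXDOMAIN = "answer", "referral", "nxdomain"


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # positive answers, keyed by (client net, qname)
    referrals_per_second: int = 0   # 0 = unlimited (the knob debated above)
    nxdomains_per_second: int = 5   # NXDOMAIN, keyed by the zone owning the name
    slip: int = 2                   # every slip-th dropped response is sent
                                    # truncated (TC=1) so real clients retry over TCP
    ipv4_prefix_length: int = 24    # clients are aggregated per /24


class RateLimiter:
    """One credit bucket per (client net, category, identity); one credit per response."""

    def __init__(self, cfg: RRLConfig):
        self.cfg = cfg
        self.buckets = {}                # key -> [credits, time of last response]
        self.drops = defaultdict(int)    # key -> responses dropped so far

    def _limit(self, category):
        return {ANSWER: self.cfg.responses_per_second,
                REFERRAL: self.cfg.referrals_per_second,
                NXDOMAIN: self.cfg.nxdomains_per_second}[category]

    def _key(self, client_ip, category, identity):
        # Keying on the /24 rather than the host address stops an attacker
        # sidestepping the limit by rotating the low bits of a spoofed source.
        net = ipaddress.ip_network(
            f"{client_ip}/{self.cfg.ipv4_prefix_length}", strict=False)
        return (str(net), category, identity)

    def decide(self, client_ip, category, identity, now):
        """Return 'send', 'truncate' or 'drop' for one would-be response."""
        limit = self._limit(category)
        if limit <= 0:
            return "send"                # knob turned off: this category is never limited
        key = self._key(client_ip, category, identity)
        credits, last = self.buckets.get(key, [limit, now])
        elapsed = int(now) - int(last)
        if elapsed > 0:                  # refill one second's worth of credit per elapsed second
            credits = min(limit, credits + elapsed * limit)
        credits -= 1
        credits = max(credits, -limit)   # cap the debt: a client that stops is forgiven quickly
        self.buckets[key] = [credits, now]
        if credits >= 0:
            return "send"
        self.drops[key] += 1
        if self.cfg.slip and self.drops[key] % self.cfg.slip == 0:
            return "truncate"            # small TC=1 reply: no amplification, TCP retry possible
        return "drop"


def simulate(cfg, events):
    """events: (time, client_ip, category, identity) tuples. Returns per-client action counts."""
    rrl = RateLimiter(cfg)
    counts = defaultdict(lambda: defaultdict(int))
    for t, ip, category, identity in sorted(events, key=lambda e: e[0]):
        counts[ip][rrl.decide(ip, category, identity, t)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def constructed_traffic():
    """Constructed sample traffic (not captured data):
    - 30 queries in one second with spoofed source 192.0.2.10 (the reflection
      victim) for names under one delegated child zone, all yielding the same
      referral;
    - an ordinary resolver at 198.51.100.5 asking the same name 5 times now
      and 3 times two seconds later."""
    flood = [(i / 30, "192.0.2.10", REFERRAL, "child.example.") for i in range(30)]
    normal = [(0.1 + i / 10, "198.51.100.5", ANSWER, "www.example.") for i in range(5)]
    normal += [(2.0 + i / 10, "198.51.100.5", ANSWER, "www.example.") for i in range(3)]
    return flood + normal


if __name__ == "__main__":
    print("referral knob off:", simulate(RRLConfig(), constructed_traffic()))
    print("referrals-per-second 5:",
          simulate(RRLConfig(referrals_per_second=5), constructed_traffic()))
```

With the referral knob off, the spoofed /24 gets all 30 referrals back; with referrals-per-second set to 5 it gets 5 full responses, 12 truncated ones and 13 drops, while the ordinary resolver is untouched in both runs because its answers are a different category with its own bucket, and the refill after two quiet seconds covers its later queries.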