[ratelimits] Referrals incorrectly limited.

[Gilles Massen]

On 01/10/2013 12:04 AM, Vernon Schryver wrote:
>> From: Gilles Massen <gilles.massen at restena.lu>

>> As a result
>> the referral limitation is also a problem for us.

To be a bit clearer: actually there are at this point 2 kinds of rate
limitations that I would have issues with: referrals and nxdomains. Both
can and do appear without being part of a DoS event.

> I've not understood a problem greater than an inconsequential slow
> down of supposed "research" that would have been slowed at its sources
> if the perpetrators had good intentions and were not stupid.  I agree
> that slowing even that bogus "research" might a problem for referral
> servers.  We disagree about its significance compared to the significance
> of DoS problem.  

Indeed. For me it is very difficult to accept limitations to anything
that is not directly harmful. To keep the example of that "research": I
may not agree with the aims or methods, and I would not intervene to
make their lives easier, but their traffic is correctly formatted DNS
traffic, the return traffic goes to the sender, and the volume is not
causing problems to our server. Therefore I do not want it impacted as
collateral damage. You might consider it as a commitment to a certain
form of net neutrality.

> (Never mind that I do object to the wasted resources
> at the authoritative reverse DNS servers by that endlessly repeated,
> as fast as possible "research".)

So do I, but I have strong feelings about putting the roles of judge and
executioner too close together - and being the executioner I try to stay
clear from judging, even if it itches more often than not.

Note that for leaf zones I'd apply different (weaker) criteria than for
a TLD/arpa (different local policy).


> Are your DNS servers open recursive servers?  Why doesn't the same
> reasoning that finds too much harm in slowing repeated referrals
> apply to ignoring RD=1?

No open recursive servers. Honoring RD=1 would be a different service,
clearly announced with RA=1. Our mission however is only the TLD, and
with RA=0 we don't raise any different expectations.


> Must referral rate limiting wait for a complaint about a DoS attack
> reflected from your amplifying DNS servers?  

To me: yes. Exactly as we started to limit very specific responses only
as needed. You can look at it this way: every collateral damage/false
positive has a cost. As long as answering queries has a lower cost, I
will provide answers (for a very fuzzy definition of 'cost').

> If there were a separate
> knob, I trust that after a complaint, you would turn it on.  

It depends. For a 'intelligent' attack with many destinations: probably
yes. If a stupid packet filter could do the job: probably not.


> Would
> you ever turn it off?--I bet not, which raises questions about the
> significance of the harm it does now.

Sincerely: I hope very much I would turn it off. Certainly yes if the
attacks ceased. If they wouldn't, the call would be harder to make and
result is comparing uncomparable costs (and being judge again...).

> Of course this is all in local policy territory, but it would be
> helpful to understand the local policy territory to know which
> additional RRL knobs are worthwhile.  Every additional knob and
> control has significant costs.

I appreciate that. I try very hard to suppress the engineers urge to
have as many knobs as possible :).

I wouldn't be surprised if our needs are those of a minority, and it is
not my intend to push you some way or the other. I hope though that I
succeeded in explaining our situation.

Best,
Gilles


-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473