[ratelimits] Referrals incorrectly limited.
Jared Mauch
jared at puck.nether.net
Thu Jan 10 15:44:29 UTC 2013
On Jan 9, 2013, at 1:45 PM, Joe Abley <jabley at hopcount.ca> wrote:
>
> On 2013-01-09, at 13:43, Joe Abley <jabley at hopcount.ca> wrote:
>
>> On 2013-01-09, at 13:38, john <jbond at ripe.net> wrote:
>>
>>> On 1/9/13 6:18 PM, Vernon Schryver wrote:
>>>>> From: john <jbond at ripe.net>
>>>>
>>>>>> I do not understand "not under that attack at the moment" reasoning.
>>>>
>>>>> The point is more that enabling the patch will block legitimate traffic.
>>>>
>>>> Do you disagree with my claim that in almost all legitimate cases not
>>>> in the middle of an attack, RRL does not *block* DNS traffic but only
>>>> slows it down by forcing legitimate DNS clients to retry or switch to TCP?
>>> No I agree admittedly I do keep forgetting that fact; however the first
>>> concern I have is that if we force a lot of this traffic over to TCP we
>>> could start to exhaust TCP resources.
>>
>> I like this approach (forcing TC=1 so that clients are forced to handshake) but I do worry slightly that enough brain-dead middleware exists in the world that tcp/53 is unavailable sufficiently that "almost hall" might need to be degraded to "some".
>
> "almost all". Also, "sufficiently unavailable". Words are hard.
We can't spend all our time worrying about the uneducated masses and their improper application of "security".
They can only learn when faced with something breaking in some cases. Then the policy can be reviewed and the reasons "why" will be considered. If they're truly uneducated and incapable of this, we can't bend over backwards forever for the unenlightened masses. At some point you have to let it break, just like why I'm not using a 2500 anymore at home.
- Jared
More information about the ratelimits
mailing list