[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation
Vernon Schryver
vjs at rhyolite.com
Fri Mar 1 17:31:44 UTC 2013
> From: =?UTF-8?Q?Marek_Vavru=C5=A1a?= <marek.vavrusa at nic.cz>
> Second thing is, how are the buckets stored. We chose a fixed-size
> hashtable as in the NSD with no chaining,
It's good to hear about another implementation, but I do have a
question. What led to not using chaining in this implementation?
Was it onlyh it the significantly simpler code?
I obviously think the costs of chaining are worth the benefit of no
false positives. I have the impression that chaining might be added
to the NSD code in a future version after private discussions about
the Birthday Paradox and the probability of false positives due to
hash collisions.
Please understand that I'm not trying to attack anyone or anything,
but discover if I'm wrong.
> We introduced a
> randomized seed in a hash
That's a good idea, but I would change the seed occassionally to
thwart attacks by bad guys, unless except when using a cryptographic
hash function, which sounds too expensive.
Changing the hash function should only leak a small burst, which
shouldn't matter if it happens only no more than once per 10s or
100s of minutes.
Vernon Schryver vjs at rhyolite.com
More information about the ratelimits
mailing list