[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Vernon Schryver vjs at rhyolite.com
Fri Mar 1 17:31:44 UTC 2013


> From: Marek Vavruša <marek.vavrusa at nic.cz>

> Second thing is, how are the buckets stored. We chose a fixed-size
> hashtable as in the NSD with no chaining,

It's good to hear about another implementation, but I do have a
question.  What led to not using chaining in this implementation?
Was it only the significantly simpler code?

I obviously think the costs of chaining are worth the benefit of no
false positives.  I have the impression that chaining might be added
to the NSD code in a future version after private discussions about
the Birthday Paradox and the probability of false positives due to
hash collisions.

Please understand that I'm not trying to attack anyone or anything,
but discover if I'm wrong.


>                                               We introduced a
> randomized seed in a hash 

That's a good idea, but I would change the seed occasionally to
thwart attacks by bad guys, except when using a cryptographic
hash function, which sounds too expensive.
Changing the hash function should only leak a small burst, which
shouldn't matter if it happens no more than once per 10s or
100s of minutes.


Vernon Schryver    vjs at rhyolite.com
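Added example, not code from this post, from Knot DNS or from NSD: a toy Python model of the two bucket designs under discussion (a fixed-size table without chaining versus one with per-client chains), the birthday-paradox collision probability, and the small burst a limited source gets when the seed changes. The CRC-based seeded hash, the table size, the limit and all client keys are constructed assumptions for the demonstration.

```python
import zlib
def bucket_index(client, seed, size):
    # Seeded slot choice; a CRC stands in for the daemon's own hash (assumption).
    return zlib.crc32(seed + client.encode()) % size

class NoChainTable:
    """One counter per slot, shared by every client hashing into it."""
    def __init__(self, size, seed, limit):
        self.size, self.seed, self.limit = size, seed, limit
        self.counts = [0] * size
    def allow(self, client):
        i = bucket_index(client, self.seed, self.size)
        self.counts[i] += 1
        return self.counts[i] <= self.limit
    def reseed(self, new_seed):
        # Counters restart, so a limited source gets at most `limit` more answers.
        self.seed, self.counts = new_seed, [0] * self.size

class ChainedTable:
    """Per-client counters within each slot, so colliding clients never share."""
    def __init__(self, size, seed, limit):
        self.size, self.seed, self.limit = size, seed, limit
        self.slots = [dict() for _ in range(size)]
    def allow(self, client):
        chain = self.slots[bucket_index(client, self.seed, self.size)]
        chain[client] = chain.get(client, 0) + 1
        return chain[client] <= self.limit

def collision_probability(clients, buckets):
    """Birthday paradox: P(at least two of `clients` share one of `buckets`)."""
    p_none = 1.0
    for i in range(clients):
        p_none *= 1 - i / buckets
    return 1 - p_none
NOISY = "203.0.113.7"  # constructed address of an over-active source
def quiet_client_allowed(table_cls, size=16, seed=b"seed0", limit=5):
    """Once NOISY has used up its bucket, is a quiet client that hashes into
    the same slot still answered? False is a false positive from the collision."""
    t, target = table_cls(size, seed, limit), bucket_index(NOISY, seed, size)
    quiet = next(f"quiet-{n}" for n in range(4096)
                 if bucket_index(f"quiet-{n}", seed, size) == target)
    for _ in range(limit):
        t.allow(NOISY)
    return t.allow(quiet)
def burst_after_reseed(size=16, limit=5):
    """Answers a limited source gets right after the seed changes (the burst)."""
    t = NoChainTable(size, b"seed0", limit)
    while t.allow(NOISY): pass  # exhaust its bucket under the old seed
    t.reseed(b"seed1")
    return sum(1 for _ in range(3 * limit) if t.allow(NOISY))
```

With 16 slots the no-chaining table denies the colliding quiet client's very first query while the chained table answers it, and a reseed hands the limited source exactly one more bucket's worth of answers.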

