[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Vernon Schryver vjs at rhyolite.com
Mon Mar 4 14:59:08 UTC 2013

> From: Matthijs Mekking <matthijs at nlnetlabs.nl>

> I like the idea of having a classification of large responses. It seems
> that the current RRL algorithm does not perform well if an attack is
> able to trigger various positive responses[1]. 

I think that is a misleading charactacterization of 
Instead, I read that paper as saying that RRL does not detect all
attacks.  That characterization also fails by omitting the quantitative
aspects of the study's conclusions.

>                                                I agree that such
> performing such an attack is more complex than an ANY or NXDOMAIN
> attack, but it is certainly feasible (especially with NSEC).
> What do you consider large?
> Adding weight to the classes is a direction that we should definitely
> can look into. I guess the "penalty points" used in the Dampening
> proposal can form a good base for that.

That reasoning is based on the assumption that some DNS responses are
of little value and that the bad guys must use those less valuable
response.  It is a version of the idea that reflection attacks can be
mitigated by blocking ANY requests.  That reasoning will have you
Dampening DNSSEC signed NS, SOA, A, and AAAA responses.

Vernon Schryver    vjs at rhyolite.com

More information about the ratelimits mailing list