[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Paul Vixie paul at redbarn.org
Tue Mar 5 11:11:35 UTC 2013

Matthijs Mekking wrote:
> I think we are implementing the same idea right now. I disagree just
> because we don't use bucket chains, we don't implement rrl.

if you are sharing a set of counters between several tuples, you'll be
dropping responses that aren't above-threshold. note that it makes no
difference whether you're using hash tables or some other kind of data
structure to select a bucket; sharing a bucket is the problem.

> We have implemented randomized seed so that collisions are not
> predictable.

i heard that and i'm glad that you can't be induced by an attacker to
increment a chosen bucket. but that's not the problem.

>  Current implementation does not see many collisions occur.

unless you have tested with the real workload of several large authority
servers then your collision measurements are not dispositive.

> If we would see more collisions, we could implement bucket chains or
> some other collision avoid mechanism in NSD.

how will you know?


More information about the ratelimits mailing list