[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation
Paul Vixie
paul at redbarn.org
Tue Mar 5 11:11:35 UTC 2013
Matthijs Mekking wrote:
> I think we are implementing the same idea right now. I disagree just
> because we don't use bucket chains, we don't implement rrl.
if you are sharing a set of counters between several tuples, you'll be
dropping responses that aren't above-threshold. note that it makes no
difference whether you're using hash tables or some other kind of data
structure to select a bucket; sharing a bucket is the problem.
>
> We have implemented randomized seed so that collisions are not
> predictable.
i heard that and i'm glad that you can't be induced by an attacker to
increment a chosen bucket. but that's not the problem.
> Current implementation does not see many collisions occur.
unless you have tested with the real workload of several large authority
servers then your collision measurements are not dispositive.
> If we would see more collisions, we could implement bucket chains or
> some other collision avoidance mechanism in NSD.
how will you know?
paul
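Paul's point about shared counters, as an added simulation that is not part of this thread and not code from Knot DNS or NSD: a table with one counter per hash slot (colliding tuples share it) next to a counter per exact tuple, replaying the same traffic through both. The rate limit, table size, seed and the client-prefix/qname/qtype tuples are all constructed for the example.

```python
import hashlib
from collections import defaultdict

RATE_LIMIT = 5   # constructed: responses allowed per window per tuple
BUCKETS = 16     # constructed: tiny table so two tuples easily share a slot

def bucket_index(key: str, seed: bytes) -> int:
    """Seeded hash (the thread notes seeds are randomized) mapped onto a slot."""
    digest = hashlib.blake2b(key.encode(), digest_size=8, key=seed).digest()
    return int.from_bytes(digest, "big") % BUCKETS

class SharedSlotRRL:
    """One counter per hash slot: every tuple hashing there shares it."""
    def __init__(self, seed: bytes):
        self.seed, self.counts = seed, [0] * BUCKETS
    def allow(self, key: str) -> bool:
        i = bucket_index(key, self.seed)
        self.counts[i] += 1
        return self.counts[i] <= RATE_LIMIT

class PerTupleRRL:
    """One counter per exact tuple (a chained bucket gives the same result)."""
    def __init__(self):
        self.counts = defaultdict(int)
    def allow(self, key: str) -> bool:
        self.counts[key] += 1
        return self.counts[key] <= RATE_LIMIT

def colliding_tuple(busy: str, seed: bytes) -> str:
    """Return a different, ordinary-looking tuple that happens to share busy's slot."""
    target = bucket_index(busy, seed)
    n = 0
    while True:
        cand = f"192.0.2.0/24|host{n}.example|A"   # constructed client|qname|qtype
        if cand != busy and bucket_index(cand, seed) == target:
            return cand
        n += 1

def simulate(seed: bytes = b"constructed-seed") -> dict:
    """Replay 50 answers for one busy tuple, then 3 for an innocent one in the same slot."""
    busy = "198.51.100.0/24|www.example|A"
    innocent = colliding_tuple(busy, seed)
    results = {}
    for name, rrl in (("shared_slot", SharedSlotRRL(seed)), ("per_tuple", PerTupleRRL())):
        for _ in range(50):
            rrl.allow(busy)
        results[name] = sum(1 for _ in range(3) if not rrl.allow(innocent))
    return results
```

`simulate()` reports how many of the innocent tuple's three answers each scheme drops; the shared-slot table drops all three even though that tuple never exceeded the limit on its own.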