[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation
matthijs at nlnetlabs.nl
Tue Mar 5 12:48:35 UTC 2013
On 03/05/2013 12:11 PM, Paul Vixie wrote:
> Matthijs Mekking wrote:
>> I think we are implementing the same idea right now. I disagree that just
>> because we don't use bucket chains, we don't implement RRL.
> if you are sharing a set of counters between several tuples, you'll be
> dropping responses that aren't above-threshold. note that it makes no
> difference whether you're using hash tables or some other kind of data
> structure to select a bucket; sharing a bucket is the problem.
But that is not what we are doing. If there is a collision, we reset the
counter, we don't group them together.
>> We have implemented a randomized seed so that collisions are not
> i heard that and i'm glad that you can't be induced by an attacker to
> increment a chosen bucket. but that's not the problem.
>> Current implementation does not see many collisions occur.
> unless you have tested with the real workload of several large authority
> servers then your collision measurements are not dispositive.
>> If we saw more collisions, we could implement bucket chains or
>> some other collision avoidance mechanism in NSD.
> how will you know?
I hope our users will give us that feedback (we ourselves are a user
too). If collisions occur, they should see frequent unblock/block log
messages, and an increase in outbound traffic because of the flapping.
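The two collision behaviours argued over above, as an added simulation that is not code from NSD, Knot or the thread: a fixed-size bucket table keyed by a seeded hash of a (client prefix, response class) tuple, with a "share" policy (a colliding tuple increments the occupant's counter) beside a "reset" policy (a colliding tuple evicts the occupant and restarts at zero). The tuples, the one-slot table that forces the collision, the limit and the absence of time windows are all constructed assumptions.

```python
import zlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Bucket:
    key: Optional[tuple] = None  # (client prefix, response class) owning the slot
    count: int = 0               # responses accounted in the current window

class RRLTable:
    """Fixed-size RRL bucket table with two collision policies.
    'share': a colliding tuple keeps incrementing the occupant's counter,
             so an unrelated tuple inherits a counter that is already over limit.
    'reset': a colliding tuple evicts the occupant and restarts at zero,
             so the innocent tuple is answered but the occupant's count is lost.
    Time windows and decay are omitted; one instance models one window."""
    def __init__(self, size, limit, policy, seed=0):
        self.size, self.limit, self.policy, self.seed = size, limit, policy, seed
        self.buckets = [Bucket() for _ in range(size)]

    def slot(self, key):
        # Seeded hash: the slot a tuple lands in depends on a secret seed.
        return zlib.crc32(f"{self.seed}:{key}".encode()) % self.size

    def account(self, key):
        """Record one response for `key`; return True if it should be dropped."""
        b = self.buckets[self.slot(key)]
        if b.key != key and (b.key is None or self.policy == "reset"):
            b.key, b.count = key, 0  # take over the slot, counter restarts
        b.count += 1
        return b.count > self.limit

def simulate(policy, limit=5):
    """Constructed scenario: a 20-response burst from one tuple, a single
    response to an unrelated tuple, then a second burst. A one-slot table
    forces the two tuples to collide."""
    table = RRLTable(size=1, limit=limit, policy=policy, seed=42)
    noisy = ("203.0.113.0/24", "NOERROR example.com/A")   # constructed tuple
    quiet = ("198.51.100.0/24", "NOERROR example.com/A")  # constructed tuple
    answered = sum(not table.account(noisy) for _ in range(20))
    quiet_dropped = table.account(quiet)
    answered += sum(not table.account(noisy) for _ in range(20))
    return {"quiet_dropped": quiet_dropped, "noisy_answered": answered}

if __name__ == "__main__":
    for policy in ("share", "reset"):
        print(policy, simulate(policy))
```

With "share" the quiet tuple is dropped on its first response; with "reset" it is answered, but the noisy tuple is answered twice as often because each takeover of the slot starts its counter again, which is the block/unblock flapping and extra outbound traffic the reply mentions.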