[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Mar 5 12:48:35 UTC 2013

On 03/05/2013 12:11 PM, Paul Vixie wrote:
> Matthijs Mekking wrote:
>> I think we are implementing the same idea right now. I disagree just
>> because we don't use bucket chains, we don't implement rrl.
> if you are sharing a set of counters between several tuples, you'll be
> dropping responses that aren't above-threshold. note that it makes no
> difference whether you're using hash tables or some other kind of data
> structure to select a bucket; sharing a bucket is the problem.

But that is not what we are doing. If there is a collision, we reset the
counter; we don't group them together.

>> We have implemented a randomized seed so that collisions are not
>> predictable.
> I heard that and I'm glad that you can't be induced by an attacker to
> increment a chosen bucket. But that's not the problem.
>> The current implementation does not see many collisions occur.
> Unless you have tested with the real workload of several large authority
> servers, your collision measurements are not dispositive.
>> If we would see more collisions, we could implement bucket chains or
>> some other collision avoidance mechanism in NSD.
> How will you know?

I hope our users will give us that feedback (we ourselves are a user
too). If collisions occur, they should see frequent unblock/block log
messages, and an increase in outbound traffic because of the flapping.

Best regards,

> paul

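The three collision policies argued over in this thread, as an added simulation (not NSD, Knot or BIND code): "share" lets every tuple that hashes to a slot increment one counter, "reset" remembers the slot's key and starts the counter over when a different tuple collides (the NSD behaviour described above), and "chain" gives each tuple its own counter. The limit of 5 responses per window, the 16-slot table, the fixed windows, the seeded CRC32 stand-in for the server's hash, the 192.0.2.0/24 source addresses and the traffic mix (a 20-query burst from one tuple around a single legitimate query from a colliding tuple) are all assumptions constructed for the demo.

```python
"""Toy simulation of DNS RRL bucket collision policies (added example).

Not code from NSD, Knot or BIND. Limits, slot count, traffic and the
hash function are assumptions chosen so that a collision is easy to hit.
"""
import zlib
from dataclasses import dataclass
from typing import Optional

LIMIT = 5   # assumed: responses per window before a tuple is limited
SLOTS = 16  # assumed: deliberately tiny table so collisions are easy to find


@dataclass
class Bucket:
    key: Optional[tuple] = None
    count: int = 0

    @property
    def blocked(self) -> bool:
        return self.count > LIMIT


class RrlTable:
    def __init__(self, policy: str, seed: bytes, slots: int = SLOTS):
        assert policy in ("share", "reset", "chain")
        self.policy = policy
        self.seed = seed
        self.slots = slots
        # share/reset: one Bucket per slot; chain: dict of key -> Bucket
        self.table = [dict() if policy == "chain" else Bucket() for _ in range(slots)]
        self.transitions = 0        # block<->unblock flips (what shows up in logs)
        self.collision_resets = 0   # counter resets caused by a different key

    def slot(self, key: tuple) -> int:
        # Seeded hash: without the seed an attacker cannot aim a tuple at a slot.
        return zlib.crc32(self.seed + repr(key).encode()) % self.slots

    def new_window(self) -> None:
        # Start of a new rate window: all counters decay to zero, keys stay.
        for entry in self.table:
            if isinstance(entry, dict):
                entry.clear()
            else:
                entry.count = 0

    def _bucket(self, key: tuple) -> Bucket:
        entry = self.table[self.slot(key)]
        if self.policy == "chain":
            return entry.setdefault(key, Bucket(key))
        if self.policy == "reset" and entry.key is not None and entry.key != key:
            # Collision with a different tuple: reset instead of sharing.
            self.collision_resets += 1
            if entry.blocked:
                self.transitions += 1   # an "unblock" caused purely by the collision
            entry.count = 0
        entry.key = key   # under "share" the key is informational only
        return entry

    def offer(self, key: tuple) -> bool:
        """Return True if the response may be sent, False if it is rate limited."""
        b = self._bucket(key)
        was_blocked = b.blocked
        b.count += 1
        if b.blocked != was_blocked:
            self.transitions += 1   # a "block" event
        return not b.blocked


def find_colliding_pair(table: RrlTable):
    """Search constructed source addresses for two tuples sharing a slot."""
    seen = {}
    for i in range(1, 256):   # 255 keys into 16 slots must collide (pigeonhole)
        key = (f"192.0.2.{i}", "example.com.", "A")
        s = table.slot(key)
        if s in seen:
            return seen[s], key
        seen[s] = key
    raise RuntimeError("no collision found")


def simulate(policy: str, windows: int = 4, seed: bytes = b"demo-seed") -> dict:
    t = RrlTable(policy, seed)
    attacker, victim = find_colliding_pair(t)
    stats = {"attacker_allowed": 0, "victim_allowed": 0, "victim_dropped": 0}
    for _ in range(windows):
        t.new_window()
        # Constructed traffic: 10 attacker queries, 1 legitimate query, 10 more.
        for key in [attacker] * 10 + [victim] + [attacker] * 10:
            ok = t.offer(key)
            if key == attacker:
                stats["attacker_allowed"] += ok
            else:
                stats["victim_allowed"] += ok
                stats["victim_dropped"] += not ok
    stats["transitions"] = t.transitions
    stats["collision_resets"] = t.collision_resets
    return stats


if __name__ == "__main__":
    for policy in ("share", "reset", "chain"):
        print(policy, simulate(policy))
```

Over four windows the "share" policy drops every one of the legitimate client's responses, which is the false positive Vixie objects to. "reset" serves the legitimate client, but each collision hands the attacker a fresh counter (it gets 40 responses instead of 20) and every window produces three block/unblock transitions, the log flapping and extra outbound traffic that the reply above says users would notice. "chain" isolates the two tuples: the attacker is held to 20 and the legitimate client is never dropped.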