[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation
matthijs at nlnetlabs.nl
Tue Mar 5 13:46:59 UTC 2013
On 03/05/2013 02:06 PM, Paul Vixie wrote:
> Matthijs Mekking wrote:
>> On 03/05/2013 12:11 PM, Paul Vixie wrote:
>> But that is not what we are doing. If there is a collision, we reset the
>> counter; we don't group them together.
> ah ok. that, combined with your random initial seed, is good enough for
> me. thanks for explaining.
>>>> If we would see more collisions, we could implement bucket chains or
>>>> some other collision avoid mechanism in NSD.
>>> how will you know?
>> I hope our users will give us that feedback (we ourselves are a user
>> too). If collisions occur, they should see frequent unblock/block log
>> messages, and an increase in outbound traffic because of the flapping.
> would you find it burdensome to keep a 4-byte H(full tuple) in the
> bucket so that you can detect a collision and log it explicitly?
Not at all.
We already do some sort of collision detection by checking whether the
classification and the address range match. We also log this, although
from the logs it is not really clear that it was due to a collision.
We could add the full hash to the bucket and detect whether the
collision was due to a hash collision or "bucket collision". In our
default configuration that would add a little less than 4 MB in memory.
That seems acceptable to me.
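The bucket logic discussed in this thread, written out as an added example (not NSD's or Knot DNS's code): each bucket keeps the 4-byte H(full tuple) next to the classification and address range it was last assigned to, so a lookup can tell a "bucket collision" (different tuple, different full hash, same index) from a genuine 32-bit hash collision, count each kind separately for logging, and in both cases reset the counter for the new tuple rather than merging the two. The tuple layout (one classification byte plus an IPv4 /24 carried as a host-order uint32), the seeded FNV-1a hash, the fixed seed and all struct and function names are assumptions made for the example; the seed would be random per process in practice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a bucket lookup, returned so the caller can log it explicitly. */
enum rrl_outcome {
    RRL_NEW,              /* bucket was empty; now owned by this tuple */
    RRL_HIT,              /* same tuple as before: counter incremented */
    RRL_BUCKET_COLLISION, /* different tuple, different full hash, same index */
    RRL_HASH_COLLISION    /* different tuple, same 32-bit full hash */
};

struct rrl_bucket {
    uint32_t full_hash;   /* H(full tuple): the extra 4 bytes per bucket */
    uint32_t prefix;      /* assumed: IPv4 /24 as host-order uint32 */
    uint8_t  cls;         /* query classification (hypothetical numbering) */
    uint8_t  used;
    uint32_t count;       /* queries seen for this tuple since the last reset */
};

struct rrl_table {
    struct rrl_bucket *buckets;
    size_t   nbuckets;
    uint32_t seed;        /* assumed fixed here; random per process in practice */
    unsigned bucket_collisions;
    unsigned hash_collisions;
};

/* Seeded FNV-1a over (classification, prefix). Any keyed hash would do; the
   seed is what stops a client from precomputing tuples that share a bucket. */
static uint32_t rrl_hash(uint32_t seed, uint8_t cls, uint32_t prefix)
{
    uint8_t buf[5] = { cls, (uint8_t)(prefix >> 24), (uint8_t)(prefix >> 16),
                       (uint8_t)(prefix >> 8), (uint8_t)prefix };
    uint32_t h = 0x811c9dc5u ^ seed;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 0x01000193u;
    }
    return h;
}

static void rrl_init(struct rrl_table *t, struct rrl_bucket *storage,
                     size_t nbuckets, uint32_t seed)
{
    memset(storage, 0, nbuckets * sizeof *storage);
    t->buckets = storage;
    t->nbuckets = nbuckets;
    t->seed = seed;
    t->bucket_collisions = 0;
    t->hash_collisions = 0;
}

/* Lookup with the full hash supplied by the caller, so both collision paths
   can be driven deterministically. Writes the tuple's current count to *count. */
static enum rrl_outcome rrl_account_hashed(struct rrl_table *t, uint32_t full_hash,
                                           uint8_t cls, uint32_t prefix, uint32_t *count)
{
    struct rrl_bucket *b = &t->buckets[full_hash % t->nbuckets];
    enum rrl_outcome out;

    if (!b->used) {
        out = RRL_NEW;
    } else if (b->cls == cls && b->prefix == prefix) {
        *count = ++b->count;                 /* same tuple: just count it */
        return RRL_HIT;
    } else if (b->full_hash == full_hash) {
        out = RRL_HASH_COLLISION;            /* tuples differ but H() agrees */
        t->hash_collisions++;
    } else {
        out = RRL_BUCKET_COLLISION;          /* only the index agrees */
        t->bucket_collisions++;
    }
    /* Hand the bucket to the new tuple and reset the counter; no grouping. */
    b->used = 1;
    b->full_hash = full_hash;
    b->cls = cls;
    b->prefix = prefix;
    b->count = 1;
    *count = 1;
    return out;
}

static enum rrl_outcome rrl_account(struct rrl_table *t, uint8_t cls,
                                    uint32_t prefix, uint32_t *count)
{
    return rrl_account_hashed(t, rrl_hash(t->seed, cls, prefix), cls, prefix, count);
}

int main(void)
{
    static const char *name[] = { "new", "hit", "bucket-collision", "hash-collision" };
    struct rrl_bucket storage[8];
    struct rrl_table t;
    uint32_t n;

    rrl_init(&t, storage, 8, 0xdeadbeefu);   /* constructed seed for the demo */
    printf("%s count=%u\n", name[rrl_account(&t, 1, 0x0a000100u, &n)], n);
    printf("%s count=%u\n", name[rrl_account(&t, 1, 0x0a000100u, &n)], n);
    /* Forced cases: hash 16 and 24 both land in bucket 0 of 8. */
    printf("%s count=%u\n", name[rrl_account_hashed(&t, 16, 1, 0x0a000200u, &n)], n);
    printf("%s count=%u\n", name[rrl_account_hashed(&t, 24, 1, 0x0a000300u, &n)], n);
    printf("%s count=%u\n", name[rrl_account_hashed(&t, 24, 2, 0x0a000300u, &n)], n);
    printf("bucket collisions=%u hash collisions=%u\n",
           t.bucket_collisions, t.hash_collisions);
    return 0;
}
```

Without the stored full hash the last two forced cases above would be indistinguishable at log time: both look like "the bucket belongs to someone else". Keeping one 32-bit word per bucket is what makes the log line say which it was, and it is also where the memory figure in the message comes from, since one 4-byte word over a table of about a million buckets is a little under 4 MB.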