[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Mar 5 13:46:59 UTC 2013

On 03/05/2013 02:06 PM, Paul Vixie wrote:
> Matthijs Mekking wrote:
>> On 03/05/2013 12:11 PM, Paul Vixie wrote:
>> But that is not what we are doing. If there is a collision, we reset the
>> counter, we don't group them together.
> (facepalm.)
> ah ok. that, combined with your random initial seed, is good enough for
> me. thanks for explaining.

You're welcome.

>>>> If we would see more collisions, we could implement bucket chains or
>>>> some other collision avoid mechanism in NSD.
>>> how will you know?
>> I hope our users will give us that feedback (we ourselves are a user
>> too). If collisions occur, they should see frequent unblock/block log
>> messages, and an increase in outbound traffic because of the flapping.
> would you find it burdensome to keep a 4-byte H(full tuple) in the
> bucket so that you can detect a collision and log it explicitly?

Not at all.

We already do some sort of collision detection by checking whether the
classification and the address range match. We also log this, although
from the logs it is not really clear that it was due to a collision.

We could add the full hash to the bucket and detect whether the
collision was due to a hash collision or "bucket collision". In our
default configuration that would add a little less than 4 MB in memory.
That seems acceptable to me.

Best regards,

> paul

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130305/fcda7251/attachment.pgp>

More information about the ratelimits mailing list