[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Vernon Schryver vjs at rhyolite.com
Tue Mar 5 15:46:46 UTC 2013


> From: Matthijs Mekking <matthijs at nlnetlabs.nl>

> We have implemented randomized seed so that collisions are not
> predictable. 

That is irrelevant to how many collisions occur.

It sounds like the popular crypto hash function mistake.  The virtues
of cryptographic hash functions are unrelated to their collision
probabilities.  Non-cryptographic hash functions have more useful
collision probabilities than cryptographic hash functions, which
is why they are used when collision probability is more important
than pre-image, 2nd pre-image, and collision resistance.
(No, collision resistance is not related to collision probability if
you've chosen a large enough range.)
>              Current implementation does not see many collisions occur.

Unless you are blocking or dropping no responses at all, how do you
know whether any collisions have happened?

If you could detect collisions by checking that the (IP,qtype,qname)
in the hash bucket matches the response, then you would surely add the
separate counters.  The IPv6 address, qtype, and qname take more space
than the necessary counters and timers.

If you are seeing no collisions (i.e. not dropping any responses),
how busy are the DNS servers where you are using your code?


Vernon Schryver    vjs at rhyolite.com
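A toy bucket array illustrating the two points argued above (a randomized seed moves collisions around without changing how many there are, and a collision is only observable if the bucket stores the key it was opened for). This is an added example, not code from Knot DNS, NSD or anyone on this list; the hash function, bucket count and sample (IP,qtype,qname) keys are constructed for the demonstration.

```python
import hashlib
import random

def bucket_of(key, seed, nbuckets):
    """Seeded hash of an (ip, qtype, qname) tuple to a bucket index."""
    data = seed + "|".join(key).encode()
    h = hashlib.blake2b(data, digest_size=8).digest()
    return int.from_bytes(h, "big") % nbuckets

def run_table(keys, seed, nbuckets, store_key):
    """Feed keys through a table of nbuckets rate counters.
    Returns (collisions_detected, max_counter).  With store_key=False a
    colliding key silently adds to another key's counter and the server
    sees nothing; with store_key=True the bucket keeps the key it was
    opened for, so a mismatch (a collision) becomes observable.
    """
    owner = [None] * nbuckets  # key held by each bucket (store_key only)
    count = [0] * nbuckets
    detected = 0
    for key in keys:
        b = bucket_of(key, seed, nbuckets)
        if store_key:
            if owner[b] is not None and owner[b] != key:
                detected += 1  # another key owns this bucket: collision
                count[b] = 0   # restart the count for the new key
            owner[b] = key
        count[b] += 1
    return detected, max(count)

def birthday_collisions(n, m):
    """Expected number of n distinct keys landing in an already-used bucket
    of m; the seed changes which keys collide, not this expectation."""
    return n - m * (1 - (1 - 1 / m) ** n)

def sample_keys(n, rng_seed=1):
    """Constructed sample of n distinct (ip, qtype, qname) tuples."""
    rnd = random.Random(rng_seed)
    keys = set()
    while len(keys) < n:
        keys.add((f"2001:db8::{rnd.randrange(1 << 16):x}",
                  rnd.choice(["A", "AAAA", "ANY"]),
                  f"host{rnd.randrange(100000)}.example."))
    return sorted(keys)

if __name__ == "__main__":
    keys = sample_keys(2000)
    for seed in (b"seed-one", b"seed-two"):
        print(seed, run_table(keys, seed, 4096, True),
              run_table(keys, seed, 4096, False))
    print("birthday expectation:", round(birthday_collisions(2000, 4096)))
```

With the key stored, both seeds report a collision count close to the birthday expectation; without it the same run reports zero, only a counter that is higher than any single client earned.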

