[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation
jabley at hopcount.ca
Tue Mar 5 19:03:30 UTC 2013
On 2013-03-05, at 13:42, Paul Vixie <paul at redbarn.org> wrote:
> i just want RRL to work the same on all the servers that folks might be running, assuming a mix of BIND9 and non-BIND9.
Me too. As various vendors have heard me say directly, what we need is a common facility across all our servers from which we can gain operational experience.
Having slightly different implementations across different vendors is better than having no implementations, but it makes comparisons between configuration and behaviour in the face of specific attack traffic unnecessarily difficult.
I wish there were an option to have
- exactly Vixie/Schryver RRL on NSD
- exactly Vixie/Schryver RRL on knot
to the closest extent possible given the differences in approach between BIND9, NSD and knot, so that we have the best possible chance of sharing a unified operational experience.
I have no problem with other RRL-like approaches also being provided as alternatives. The more the merrier.
(Note that I am grateful that NSD-RRL exists, don't get me wrong. We've used it in production on L-Root to deal with spot events in particular nodes, raw data relating to which we could share via DNS-OARC if there is interest.)