[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation
Matthijs Mekking
matthijs at nlnetlabs.nl
Wed Mar 6 09:59:51 UTC 2013
On 03/05/2013 05:33 PM, Vernon Schryver wrote:
>> From: Matthijs Mekking <matthijs at nlnetlabs.nl>
>
>> We already do some sort of collision detection by checking whether the
>> classification and the address range match. We also log this, although
>> from the logs it is not really clear that it was due to a collision.
>>
>> We could add the full hash to the bucket and detect whether the
>> collision was due to a hash collision or "bucket collision". In our
>> default configuration that would add a little less than 4 MB in memory.
>
> Oh! Now I remember the private discussions last year with Wouter,
> and that were later inaccurately summarized to this mailing list.
> (I was tired of arguing, the inaccuracies were not too bad, and so
> I did not protest the summmary.)
I agree that this can be very tiresome. But back then you publicly
raised some questions on this mailing list about our blog article[1] and
those questions were similar to which you had been discussing with
Wouter. So I try to answer the questions you have. Sorry I was tiring
you, I'll stop bothering you.
[1] http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
> You only detect collisions between differing client IP addresses.
> As discussed, a recursive resolver or a set of resolvers behind NAT
> or load balancers at large ISPs that make many requests for different
> (qtype,qname) can have undetected collisions.
>
> I've spent time searching my mail archives, and see a possibly
> greater problem than false positives due to undetected collisions
> is false negatives due to the resetting after detected collisions.
>
> If you care, I could send out my mail archives, but it would
> probably be better for you to talk to Wouter. I think he understood
> my position. I have the impression that he was considering adding
> chaining.
>
>
> Note that the BIND9 RRL code can also have undetected collisions or
> false positives because only a 32-bit hash of the qname is saved and
> checked. However, to trigger BIND9 RRL undetected collsion with more
> than probability greater than 0.5, DNS clients must send more than
> 2000 requests/second/CIDR block (square root of 2**32).
>
>
> Vernon Schryver vjs at rhyolite.com
> _______________________________________________
> ratelimits mailing list
> ratelimits at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/ratelimits
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://lists.redbarn.org/pipermail/ratelimits/attachments/20130306/84e37642/attachment.pgp>
More information about the ratelimits
mailing list