[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Vernon Schryver vjs at rhyolite.com
Wed Mar 6 14:39:36 UTC 2013


> > I wish there was an option to have
> > 
> >  - exactly Vixie/Schryver RRL on NSD
> >  - exactly Vixie/Schryver RRL on knot

How close to the BIND9 RRL code do the other versions need to be?
What kinds of variations would you tolerate?  Are you concerned
about 
   1. basic mechanisms
   2. basic mechanism control file syntax
   3. frills
   4. frill control file syntax
   5. boundary conditions and special cases

While I obviously think that tolerating false positives or negatives
due to hash table collisions is wrong and unnecessary, I must also
admit that they are neither common nor fatal.  They fit #5.

I suspect the operational concerns are mostly with #1, #2, and some
of #3 and #4 due to varying notions of whether something is a frill.

For the current BIND9 features, follow the link labeled
"Draft text for BIND9 Administrators Reference Manual (ARM) describing"
on http://www.redbarn.org/dns/ratelimits
I'm sure the other implementations lack several of those knobs and
functions.  "log-only" and "{min,max}-table-size" are frills.
I think "exempt-clients" is also a frill, but some users strongly
disagree and I think the other implementations lack it.

I think the other implementations either lack "windows" or do it
differently.  I have the impression that the other implementations
do not have the "penalty box" or handle negative token counts
differently.  Is that a frill?--I don't know.

The various RRL implementations will never have the same "form,
fit, and function."  You might ask for "close enough" on a subset,
but whether you can get it depends on how much you are willing to
limit your concerns.


Vernon Schryver    vjs at rhyolite.com
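The two behaviours the message singles out as places where implementations may differ, hash-table collisions (item 5) and negative token counts with a window ("penalty box"), are easier to compare with a concrete model in hand. The following is an added toy, not code from BIND9, NSD or Knot: a token bucket per (client prefix, qname, rtype) with a responses-per-second rate, a window that bounds how far the count may go negative, and an optional fixed-size table in which buckets are identified by hash alone, so two distinct keys can share one bucket. The /24 and /56 prefix lengths, the refill rule and all addresses, names and rates are assumptions made for this example.

```python
"""Toy model of DNS Response Rate Limiting (RRL) bookkeeping.

Added example for this thread, not code from BIND9, NSD or Knot. It models
three of the knobs the message mentions (responses-per-second, window,
table size) as a token bucket per (client prefix, qname, rtype). All
addresses, names and rates below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import zlib


def client_key(addr: str, qname: str, rtype: str) -> tuple:
    """Bucket identity: the client's /24 (IPv4) or /56 (IPv6) plus the
    response identity. The prefix lengths are an assumption for this toy."""
    ip = ip_address(addr)
    plen = 24 if ip.version == 4 else 56
    net = ip_network(f"{addr}/{plen}", strict=False)
    return (str(net), qname.lower(), rtype.upper())


@dataclass
class Bucket:
    tokens: float   # may go negative; see RRL.check()
    last: int       # second of the last refill


class RRL:
    def __init__(self, rps: int, window: int, table_size=None):
        self.rps = rps                # responses-per-second per bucket
        self.window = window          # seconds of debt a flooder can accrue
        self.table_size = table_size  # None: exact keys; int: fixed slots
        self.slots = {}

    def _slot(self, key):
        # With a fixed table the bucket is identified by hash only, so two
        # distinct keys landing in one slot share a bucket: the hash-table
        # collision case that yields false positives or negatives.
        if self.table_size is None:
            return key
        return zlib.crc32(repr(key).encode()) % self.table_size

    def check(self, now: int, addr: str, qname: str, rtype: str) -> bool:
        """True: send the response. False: drop it (slip/TC omitted here)."""
        slot = self._slot(client_key(addr, qname, rtype))
        b = self.slots.get(slot)
        if b is None:
            b = self.slots[slot] = Bucket(tokens=self.rps, last=now)
        elif now > b.last:
            # Credit rps tokens per elapsed second, never above one
            # second's allowance.
            b.tokens = min(self.rps, b.tokens + (now - b.last) * self.rps)
            b.last = now
        if b.tokens > 0:
            b.tokens -= 1
            return True
        # Negative balance ("penalty box"): keep debiting, floored at
        # -window*rps, so a client that keeps flooding has to stay quiet
        # for about `window` seconds before it is answered again.
        b.tokens = max(b.tokens - 1, -self.window * self.rps)
        return False


def flood(rrl: RRL, now: int, addr: str, qname: str, rtype: str, n: int) -> int:
    """Send n identical queries in second `now`; return how many were answered."""
    return sum(rrl.check(now, addr, qname, rtype) for _ in range(n))


def collision_false_positive(table_size) -> bool:
    """Client A floods; client B asks one unrelated question in the same
    second. Return True if B was wrongly dropped (a false positive)."""
    rrl = RRL(rps=5, window=3, table_size=table_size)
    flood(rrl, 0, "192.0.2.10", "example.com", "ANY", 50)
    return not rrl.check(0, "198.51.100.7", "example.org", "A")


if __name__ == "__main__":
    r = RRL(rps=5, window=3)
    print("answered during flood:", flood(r, 0, "192.0.2.10", "example.com", "ANY", 20))
    print("answered 3 s later:", r.check(3, "192.0.2.10", "example.com", "ANY"))
    print("answered 4 s later:", r.check(4, "192.0.2.10", "example.com", "ANY"))
    print("false positive, 1-slot table:", collision_false_positive(1))
    print("false positive, exact keys:", collision_false_positive(None))
```

With exact keys an innocent client sharing nothing but a hash slot is never affected; with the one-slot table it inherits the flooder's exhausted bucket and is dropped, which is the "neither common nor fatal" boundary case of item 5 scaled up for visibility. The window knob shows up in the recovery time: a client whose count bottomed out at -window*rps is answered again only after roughly `window` quiet seconds.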
