[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Vernon Schryver vjs at rhyolite.com
Wed Mar 6 15:00:22 UTC 2013

> From: Matthijs Mekking <matthijs at nlnetlabs.nl>

> > block or dampen based on response size.  Blocking or dampening based
> > on response size implies blocking or dampening of DNSSEC, because
> > DNSSEC responses are 5 to 30 times larger.
> But only after you see a certain amount of similar responses. Speaking
> for myself, I said we could consider adding weights to classification.
> You interpret that as if I was saying we should block DNSSEC responses.
> No, that is not what I said.

If you block X DNSSEC responses/second but you do not block X
non-DNSSEC responses/second, then you are blocking DNSSEC responses
and you *will* have false positives among blocked DNSSEC responses.

This is not spam filtering where users have been taught to tolerate
losing legitimate, private, non-bulk, wanted mail because their lovers
address them as "Dear Beloved." 

Because of DNSSEC, false positives in DNS rate limiting have worse
security implications than false negatives.  For example, if you falsely
block TLSA responses because a browser repeatedly fetches the same TLS
certificate, then you will cause significant security harm.

> ANY queries will still trigger the largest responses, while they should
> not occur frequently. It is much clearer to determine that a flood of
> ANY queries is an attack than a flood of "various queries that trigger
> reasonable amplification". Therefore, I can relate to the idea of adding
> weights to the rrl classifications.

I strongly disagree.  It makes sense to block ANY more readily than
A only if you accept the premise that ANY is unnecessary, that a
false positive on ANY is less harmful than a false positive on A.

Vernon Schryver    vjs at rhyolite.com
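The disagreement above is about what happens when a response-rate limiter charges different response classes differently. The simulation below is an added illustration written for this page; it is not code from Knot DNS, BIND, NSD or anyone on the list. It models the credit scheme common to RRL implementations (one credit pool per client prefix, name and response class, refilled each second) and adds optional per-class weights of the kind being proposed. The limit of 10 responses/second, the weight of 5 for DNSSEC responses and 10 for ANY, the /24 prefix and the traffic patterns (a client re-fetching the same TLSA record three times a second, a spoofed ANY flood) are all assumptions chosen to make the effect visible.

```python
"""Toy response-rate-limiter (RRL) simulation with optional class weights.

Added illustration; not Knot DNS, BIND or NSD code. The per-second credit
pool, the bucket key, the class names and all numbers are assumptions.
"""

PREFIX_OCTETS = 3  # bucket on the client's /24 so resolvers behind it share a pool


class RRL:
    def __init__(self, responses_per_second, weights=None):
        self.limit = responses_per_second
        self.weights = weights or {}  # class name -> credits charged per response
        self.credits = {}             # bucket key -> (window second, credits left)

    @staticmethod
    def classify(client_ip, qname, qtype, dnssec):
        """Bucket key: (client prefix, owner name, response class)."""
        prefix = ".".join(client_ip.split(".")[:PREFIX_OCTETS])
        if qtype == "ANY":
            cls = "any"
        elif dnssec:
            cls = "dnssec"
        else:
            cls = "plain"
        return (prefix, qname.lower(), cls)

    def allow(self, key, now):
        """True if the response may be sent at time `now` (seconds)."""
        cost = self.weights.get(key[2], 1)  # unweighted classes cost one credit
        second = int(now)
        window, left = self.credits.get(key, (second, self.limit))
        if window != second:
            left = self.limit  # new one-second window: refill the pool
        if left >= cost:
            self.credits[key] = (second, left - cost)
            return True
        self.credits[key] = (second, left)  # out of credit: response is dropped
        return False


def dropped_responses(rrl, client_ip, qname, qtype, dnssec, qps, seconds):
    """Replay `qps` identical queries per second for `seconds`; count drops."""
    key = rrl.classify(client_ip, qname, qtype, dnssec)
    drops = 0
    for i in range(qps * seconds):
        if not rrl.allow(key, i / qps):
            drops += 1
    return drops


def scenario(weights):
    """Drops for a legitimate TLSA re-fetcher (3 qps) and an ANY flood (1000 qps).

    Both traffic patterns are constructed for the demonstration. Each run
    gets a fresh limiter so the streams do not share credit pools.
    """
    legit = lambda signed: dropped_responses(
        RRL(10, weights), "192.0.2.10", "example.com", "TLSA", signed, 3, 10)
    flood = dropped_responses(
        RRL(10, weights), "198.51.100.1", "example.com", "ANY", True, 1000, 10)
    return {"plain_client": legit(False), "dnssec_client": legit(True),
            "any_flood": flood}


if __name__ == "__main__":
    print("unweighted:", scenario({}))
    print("weighted:  ", scenario({"dnssec": 5, "any": 10}))
```

With the assumed weights the DNSSEC client loses one of its three responses every second while the identical unsigned stream is untouched, which is the false-positive effect argued about above; the flood is cut from ten leaked responses per second to one, so the weight changes the attacker's yield by a small constant while changing the legitimate client's outcome from zero drops to a third of its answers.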
