[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation
matthijs at nlnetlabs.nl
Wed Mar 6 15:19:55 UTC 2013
On 03/06/2013 04:00 PM, Vernon Schryver wrote:
>> From: Matthijs Mekking <matthijs at nlnetlabs.nl>
>>> block or dampen based on response size. Blocking or dampening based
>>> on response size implies blocking or dampening of DNSSEC, because
>>> DNSSEC responses are 5 to 30 times larger.
>> But only after you see a certain amount of similar responses. Speaking
>> for myself, I said we could consider adding weights to classification.
>> You interpret that as if I was saying we should block DNSSEC responses.
>> No, that is not what I said.
> If you block X DNSSEC responses/second but you do not block X
> non-DNSSEC responses/second, then you are blocking DNSSEC responses
> and you *will* have false positives among blocked DNSSEC responses.
Not what I am saying.
> This is not spam filtering where users have been taught to tolerate
> losing legitimate, private, non-bulk, wanted mail because their lovers
> address them as "Dear Beloved."
> Because of DNSSEC, false positives in DNS rate limiting have worse
> security implications than false negatives. For example, if you falsely
> block TLSA responses because a browser repeatedly fetches the same TLS
> certificate, then you will cause significant security harm.
>> ANY queries will still trigger the largest responses, while they should
>> not occur frequently. It is much clearer to determine that a flood of
>> ANY queries is an attack than a flood of "various queries that trigger
>> reasonable amplification". Therefore, I can relate to the idea of adding
>> weights to the rrl classifications.
> I strongly disagree. It makes sense to block ANY more readily than
> A only if you accept the premise that ANY is unnecessary, that a
> false positive on ANY is less harmful than a false positive on A.
Operators have been blocking ANY queries because they were plagued by
that. I assume that when they made that decision they were thinking that
a false positive on ANY is less harmful than a false positive on A: they
accepted that premise. Adding which weights to which classification
would thus be a local policy decision, it seems to me.
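To make the disagreement above concrete, here is an added toy model of per-class weights in a fixed-window rate limiter (illustration only, not Knot, NSD or BIND RRL code; the class names, the LIMIT value, the weights and the query stream are all constructed). The same flood is run unweighted, with a heavier ANY weight, and with a heavier DNSSEC weight, so the effect on a legitimate low-rate DNSSEC client is visible.

```python
from collections import defaultdict

# Hypothetical policy knobs, not real server option names.
LIMIT = 5  # token budget per client, per response class, per one-second window


def classify(qtype, do_bit):
    """Simplified classes; real RRL buckets identical responses, not query types."""
    if qtype == "ANY":
        return "any"
    return "dnssec" if do_bit else "plain"


def run(queries, weights):
    """queries: (second, client, qtype, do_bit) tuples (constructed stream).
    A response of class c costs weights.get(c, 1) tokens; once the window's
    budget would be exceeded the response is dampened.
    Returns {(client, class): (answered, dampened)}."""
    spent = defaultdict(int)                      # (second, client, class) -> tokens
    stats = defaultdict(lambda: [0, 0])
    for sec, client, qtype, do_bit in queries:
        cls = classify(qtype, do_bit)
        cost = weights.get(cls, 1)
        if spent[(sec, client, cls)] + cost > LIMIT:
            stats[(client, cls)][1] += 1          # dampened (slip/drop in real RRL)
        else:
            spent[(sec, client, cls)] += cost
            stats[(client, cls)][0] += 1
    return {k: tuple(v) for k, v in stats.items()}


# Constructed traffic for one second: a spoofed source floods 10 ANY, 10 A+DO
# and 10 A; a legitimate validating resolver sends only 3 A+DO.
ATTACKER, RESOLVER = "192.0.2.7", "198.51.100.9"
TRAFFIC = ([(0, ATTACKER, "ANY", False)] * 10
           + [(0, ATTACKER, "A", True)] * 10
           + [(0, ATTACKER, "A", False)] * 10
           + [(0, RESOLVER, "A", True)] * 3)


def compare():
    return {
        "unweighted": run(TRAFFIC, {}),                  # every class alike
        "any_weighted": run(TRAFFIC, {"any": 5}),        # ANY budget gone after one
        "dnssec_weighted": run(TRAFFIC, {"dnssec": 2}),  # DO answers cost double
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With the ANY weight only the attacker's ANY bucket changes, while the DNSSEC weight dampens the resolver's third legitimate A+DO answer: exactly the false positive the thread argues about.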