[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Mar 6 15:19:55 UTC 2013

On 03/06/2013 04:00 PM, Vernon Schryver wrote:
>> From: Matthijs Mekking <matthijs at nlnetlabs.nl>
>>> block or dampen based on response size.  Blocking or dampening based
>>> on response size implies blocking or dampening of DNSSEC, because
>>> DNSSEC responses are 5 to 30 times larger.
>> But only after you see a certain amount of similar responses. Speaking
>> for myself, I said we could consider adding weights to classification.
>> You interpret that as if I was saying we should block DNSSEC responses.
>> No, that is not what I said.
> If you block X DNSSEC responses/second but you do not block X
> non-DNSSEC responses/second, then you are blocking DNSSEC responses
> and you *will* have false positives among blocked DNSSEC responses.

Not what I am saying.

> This is not spam filtering where users have been taught to tolerate
> losing legitimate, private, non-bulk, wanted mail because their lovers
> address them as "Dear Beloved." 
> Because of DNSSEC, false positives in DNS rate limiting have worse
> security implications than false negatives.  For example, if you falsely
> block TLSA responses because a browser repeatedly fetches the same TLS
> certificate, then you will cause significant security harm.  
>> ANY queries will still trigger the largest responses, while they should
>> not occur frequently. It is much clearer to determine that a flood of
>> ANY queries is an attack than a flood of "various queries that trigger
>> reasonable amplification". Therefore, I can relate to the idea of adding
>> weights to the rrl classifications.
> I strongly disagree.  It makes sense to block ANY more readily than
> A only if you accept the premise that ANY is unnecessary, that a
> false positive on ANY is less harmful than a false positive on A.

Operators have been blocking ANY queries because they were plagued by
that. I assume that when they made that decision they were thinking that
a false positive on ANY is less harmful than a false positive on A: they
accepted that premise. Adding which weights to which classification
would thus be a local policy decision, it seems to me.

> Vernon Schryver    vjs at rhyolite.com
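As an added illustration of the trade-off argued over in this message (not code from Knot DNS, BIND or either poster): a per-second credit model in which each (client prefix, qname, class) bucket gets a fixed number of credits and a response costs the weight of its class, so weighting DNSSEC-sized responses caps them at a lower rate than unsigned ones, while a heavy weight on ANY limits only that class. The class names, the weight values and the 192.0.2.0/24 client are assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed model of weighted RRL classification (assumption, not any
# server's implementation): each (client prefix, qname, class) bucket has
# `rate` credits per one-second window; a response costs `weights[class]`
# credits, so a class with weight w is limited to about rate/w per second.

class WeightedRRL:
    def __init__(self, rate, weights=None):
        self.rate = rate                 # credits per second per bucket
        self.weights = weights or {}     # class -> cost; unlisted classes cost 1
        self.used = defaultdict(int)     # (prefix, qname, class, second) -> credits spent

    @staticmethod
    def classify(qtype, dnssec):
        """Coarse response classes used only in this illustration."""
        if qtype == "ANY":
            return "any"
        return "dnssec" if dnssec else "normal"

    def allow(self, client_prefix, qname, qtype, dnssec, now):
        """True if the response may be sent, False if the limiter drops it."""
        cls = self.classify(qtype, dnssec)
        key = (client_prefix, qname, cls, int(now))
        cost = self.weights.get(cls, 1)
        if self.used[key] + cost > self.rate:
            return False
        self.used[key] += cost
        return True

def simulate(rrl, qtype, dnssec, qps, seconds=1):
    """Send `qps` identical queries per second from one /24 for `seconds`
    and return how many responses the limiter lets through."""
    passed = 0
    for i in range(qps * seconds):
        if rrl.allow("192.0.2.0/24", "example.com.", qtype, dnssec, i / qps):
            passed += 1
    return passed

if __name__ == "__main__":
    # Assumed local policy: DNSSEC responses weighted like their size, ANY weighted heavily.
    policy = {"dnssec": 5, "any": 10}
    cases = (("A", False, 100), ("A", True, 100), ("ANY", False, 100),
             ("TLSA", True, 3))   # last case: a client re-fetching one TLSA record
    for qtype, dnssec, qps in cases:
        plain = simulate(WeightedRRL(rate=10), qtype, dnssec, qps)
        weighted = simulate(WeightedRRL(rate=10, weights=policy), qtype, dnssec, qps)
        print(f"{qtype:4} dnssec={dnssec!s:5} {qps:3} qps -> unweighted {plain:3}, weighted {weighted:3}")
```

The last case is the false positive in the quoted objection: at 3 TLSA lookups per second the unweighted limiter passes all three, while the weighted one drops the third even though the client is not an attacker.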
