[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Vernon Schryver vjs at rhyolite.com
Wed Mar 6 15:43:30 UTC 2013


> From: Matthijs Mekking <matthijs at nlnetlabs.nl>

> >> But only after you see a certain amount of similar responses. Speaking
> >> for myself, I said we could consider adding weights to classification.

> > If you block X DNSSEC responses/second but you do not block X
> > non-DNSSEC responses/second, then you are blocking DNSSEC responses
> > and you *will* have false positives among blocked DNSSEC responses.
>
> Not what I am saying

You have made clear that you do not want false positive blocking of
DNSSEC.  However, false positive blocking of DNSSEC is an inevitable
implication of "adding weights to classification."

If you do not block X 100 byte responses/second,
then blocking X 100 byte responses/second must be a false positive.
That implies that blocking the exact same rdatasets of A, AAAA, and
NS records but with 1500 bytes or RRSIGs added must also be a false
positive.

In version 9.9.0, `dig rhyolite.com @ns.rhyolite.com` reports 296 bytes,
and `dig +dnssec rhyolite.com @ns.rhyolite.com` reports 1892 bytes.
If you would not block 10 of those 296 byte responses/second,
then blocking 10 of those 1892 byte responses/second is a false positive.


Vernon Schryver    vjs at rhyolite.com
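The argument above, worked through as an added example (not code from Knot DNS, BIND or the list's authors): a minimal per-client, per-qname RRL budget is run once with the count-based scheme and once with a response-size weight, using the 296 and 1892 byte answers quoted in the message. The client address 198.51.100.7, the one-second window and the one-line weight function are assumptions for the simulation.

```python
from collections import defaultdict

# Response sizes quoted in the message: dig without and with +dnssec.
PLAIN_BYTES = 296
DNSSEC_BYTES = 1892


class RateLimiter:
    """Simplified RRL budget: each (client, qname) key may spend `limit`
    units per one-second window. weight_fn maps response size to cost."""

    def __init__(self, limit, weight_fn):
        self.limit = limit
        self.weight_fn = weight_fn
        self.spent = defaultdict(float)  # key -> cost charged this window

    def allow(self, key, response_bytes):
        cost = self.weight_fn(response_bytes)
        if self.spent[key] + cost > self.limit:
            return False  # over budget: response is dropped (or slipped)
        self.spent[key] += cost
        return True


def count_weight(nbytes):
    # Plain RRL: every response costs one unit regardless of size.
    return 1.0


def size_weight(nbytes):
    # Hypothetical "weighted classification": cost grows with response
    # size, normalised so the 296-byte answer costs exactly one unit.
    return nbytes / PLAIN_BYTES


def simulate(limiter, key, response_bytes, qps):
    """Send `qps` identical responses inside one window; return (sent, dropped)."""
    sent = sum(limiter.allow(key, response_bytes) for _ in range(qps))
    return sent, qps - sent


def compare(qps=10, limit=10):
    """Same rdatasets, same 10/s rate, with and without RRSIGs, under both schemes."""
    key = ("198.51.100.7", "rhyolite.com")  # constructed client/qname pair
    results = {}
    for scheme, wf in (("count", count_weight), ("size", size_weight)):
        results[scheme] = {
            label: simulate(RateLimiter(limit, wf), key, size, qps)
            for label, size in (("plain", PLAIN_BYTES), ("dnssec", DNSSEC_BYTES))
        }
    return results
```

With the count-based scheme both answers pass at 10/s; with the size weight the 296-byte answer still passes while only one of the ten 1892-byte answers does, which is exactly the false positive the message describes.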

