[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation
Matthijs Mekking
matthijs at nlnetlabs.nl
Wed Mar 6 18:34:10 UTC 2013
Hi Joe,
On 03/06/2013 04:35 PM, Joe Abley wrote:
>
> On 2013-03-06, at 10:19, Matthijs Mekking <matthijs at nlnetlabs.nl>
> wrote:
>
>> Operators have been blocking ANY queries because they were
>> plagued by that.
>
> I heard of NeuStar/Ultra dropping ANY queries, but now that I look
> for an example I can't seem to find one, e.g. see failed attempt
> below with one of the nameservers Ultra is providing for NZ. I am
> very aware that this is not an exhaustive test regime :-)
>
> Who is actually dropping ANY? Is this actually happening, or is it
> fiction?
Sorry, I should explain more explicitly what I mean by 'blocking ANY
queries' (the terms were being used quite loosely in this thread).
I meant to say rate limiting ANY queries. As an example, I know SIDN
has done that initially[1] (they have switched to RRL by now). I am not
sure about NeuStar, but I believe they have been returning REFUSED on
UDP ANY queries, but they turned it off because they received complaints.
So, I think everyone will respond to a single ANY query (whether with
a positive or negative response), but there were/are cases where ANY
queries were being limited.
Best regards,
Matthijs
[1] http://www.sidnlabs.nl/laatste-berichten/nieuwsdetail/article/de-dns-any-plaag/ (in Dutch)
>
>
> Joe
>
> [krill:~]% dig nz. ns +short
> ns3.dns.net.nz.
> ns7.dns.net.nz.
> ns4.dns.net.nz.
> ns6.dns.net.nz.
> ns5.dns.net.nz.
> ns1.dns.net.nz.
> ns2.dns.net.nz.
> [krill:~]% host ns5.dns.net.nz
> ns5.dns.net.nz has address 156.154.100.14
> ns5.dns.net.nz has IPv6 address 2001:502:ad09::14
> [krill:~]% whois -h whois.cymru.com 156.154.100.14
> AS      | IP               | AS Name
> 12008   | 156.154.100.14   | ULTRADNS - NeuStar, Inc.
> [krill:~]% dig @156.154.100.14 nz. any +bufsize=4000
>
> ; <<>> DiG 9.8.3-P1 <<>> @156.154.100.14 nz. any +bufsize=4000
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17725
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 13
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;nz. IN ANY
>
> ;; ANSWER SECTION: nz. 86400 IN SOA loopback.dns.net.nz.
> soa.nzrs.net.nz. 2013030716 900 300 604800 3600 nz. 3600 IN RRSIG
> NSEC 8 1 3600 20130310035034 20130302124443 31023 nz.
> hzRanuL6R0N9Cj97XZeRtEo5YH/1/mTnoS7py2FTne2niCrw9qhnOYYs
> 4jAgyhbU/yI0sxyq37qdgEkWMypUQymOiypuqc4W/Qo6aCBen7UdZM2q
> tr6xAagBJKfeM0y7Y1yfMvfzDSUVOa+o1Yu8yCnrZK2VpGZEn7gKyHhb xIw= nz.
> 3600 IN NSEC _nicname._tcp.nz. NS SOA RRSIG NSEC DNSKEY nz. 3600
> IN RRSIG DNSKEY 8 1 3600 20130314232158 20130302124443 19889 nz.
> wYxfWlQvNYOZn6NXuCGEnDi2BMM6RtXWqyTvKS5GIWVAXpjPcU0vjpvU
> 7xfliVxlg2+EVhdL4XOmOKJIR7Yloi+e7asWQSrUxcKhFZ4l6YxIe7h5
> War5bKK0lDqRhdzHdpSSH6irjwtRTkG8/KZbCeCdJpa64NtyxcUA+ZFG
> zC/viKNwdv0itieSQ6M0itEL+TF0guTr0EUWoXHD+4wELyA5OmuHOVhi
> vsA9ZoJdSaMxvA8zT1zpvplawDJY+/3MhQ1vptmuRURllrYe2HRqG8ak
> g6HiSKba4hRsIY17F6sL0nlrxU6P6Dw43ADR4iei+sJSjCbUumVo1l12 kcVyHQ==
> nz. 3600 IN DNSKEY 256 3 8
> AwEAAbj7t4eUG47vWdncvEGgZo5hhlxXY/cnDiwJ1LxmyFl61Glxp59K
> faqgKvpuJxmPQwYHZb26OW9Q0b07HMfBlfZaEzAJSckR9DSmWWdmmEJk
> bru7spHkfd6Gp0kpjlYkhDtvccXAU9B49cSJT7Z4DWigb42WWV9oAR5D 1G03Hc4b
> nz. 3600 IN DNSKEY 256 3 8
> AwEAAc4De/qpQw+88eGOXJk/ceR65uBmRftDczbe3PsL2+X0f+3DYrCG
> ddlYhIQdAmOuThlwwXz9JTZbOVG0B8qLYmBTp0Q2KC1cFYSx2zG+XzVY
> z/h9+p/JlWg1g95CtW7W5zGLvX4zYakXtyZu0u3MqfEO7QS/GOpyZ5JH rb6/IwcB
> nz. 3600 IN DNSKEY 257 3 8
> AwEAAcmrzZIh9JYcdpN/7g/UZZN4rhX5LCulV8fcre8J7dxTLkSP49Nd
> 38wunY4s05oeJqBNkVPGWV36KoSJ+2XIcac6uwXKdoagMBHswMnSo2Fu
> Jl6GYqNZKAJlP7D7FbtcOpCLvJjgOeBAB6MenyfTeyfNfB+Orki2nADr
> +zAsagjTlLjEIfQ+foWTymCiLc7Tcv3Vac+XvwZhRPaCE+psnZAkyR4r
> +akaiRkoFtpK/13lBxQYF3fVYfccPEKhuBLY7FLlQ3HtXCEOEgCSbnRH
> gVNTXmD15QdkUOysKIfRZaA+KqUutV6XX9il2KDP7yEzx/XRR2xmIzbc
> H8++09O+FLU= nz. 86400 IN RRSIG NS 8 1 86400 20130318121757
> 20130302124443 31023 nz.
> QnUWPYK8ZEwIOQODDG89cHSSqu1jWVSP+H0cO9/LxoYoTVzotlzY9EHJ
> lCD94yzil/p77rAqtJOs12X7dOzN2T/oe1o34RnnthiTRc1+QyFmfl0E
> UdPeGafr157I1zEot9MO+XPC/mZsm11G5njAewaUnU1NVhGfkewQwTfs qZI= nz.
> 86400 IN NS ns1.dns.net.nz. nz. 86400 IN NS ns5.dns.net.nz. nz.
> 86400 IN NS ns3.dns.net.nz. nz. 86400 IN NS ns7.dns.net.nz. nz.
> 86400 IN NS ns6.dns.net.nz. nz. 86400 IN NS ns2.dns.net.nz. nz.
> 86400 IN NS ns4.dns.net.nz. nz. 86400 IN RRSIG SOA 8 1 86400
> 20130319082248 20130306144333 24808 nz.
> cW/M9TgDZda2vyzdnq7onfLxLzZ+II+YINc2NqjT1d/NQJT43owi/uow
> gkgARPRerXX9t8uwq9uVcLscaldhagVghhiwzuy2Kg60hhHCBIThijx/
> MSSsZnttfle1LhGHLxtGvMaGddYtGeKUedMYpuw23eaHsHly5AuMOXmx kXU=
>
> ;; ADDITIONAL SECTION:
> ns1.dns.net.nz. 86400 IN A 202.46.190.130
> ns1.dns.net.nz. 86400 IN AAAA 2001:dce:2000:2::130
> ns2.dns.net.nz. 86400 IN A 202.46.187.130
> ns2.dns.net.nz. 86400 IN AAAA 2001:dce:4000:2::130
> ns3.dns.net.nz. 86400 IN A 202.46.188.130
> ns4.dns.net.nz. 86400 IN A 202.46.189.130
> ns5.dns.net.nz. 86400 IN A 156.154.100.14
> ns5.dns.net.nz. 86400 IN AAAA 2001:502:ad09::14
> ns6.dns.net.nz. 86400 IN A 156.154.101.14
> ns6.dns.net.nz. 86400 IN AAAA 2001:502:2eda::14
> ns7.dns.net.nz. 86400 IN A 194.146.106.54
> ns7.dns.net.nz. 86400 IN AAAA 2001:67c:1010:13::53
>
> ;; Query time: 104 msec
> ;; SERVER: 156.154.100.14#53(156.154.100.14)
> ;; WHEN: Wed Mar 6 10:33:45 2013
> ;; MSG SIZE rcvd: 1858
>
> [krill:~]%
>