[ratelimits] defaults for DNS-RRL

Paul Vixie paul at redbarn.org
Thu Mar 7 12:16:07 UTC 2013



Daniel Stirnimann wrote:
> Hi Tony
>
> Thanks for your corrections of the defaults. Seems I took up the value 5
> from somewhere else.
>
>>>   // set to max.  of query load the server can handle x WINDOW
>>>   max-table-size 1000000;
>> The documentation suggests that the table size should be about
>> the query rate per second, not per window.
>
> You are right, the documentation suggests to set it only to about the
> query rate per second. I got the other definition from the paper
> "Defending against DNS reflection amplification attacks",
> http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf

i suggest reading the materials at
http://www.redbarn.org/dns/ratelimits, both the tech note and ARM
version, to learn the details of how RRL is supposed to work, and how it
is implemented in BIND9 and other servers.