[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Mar 7 13:27:29 UTC 2013

On 03/06/2013 04:43 PM, Vernon Schryver wrote:
>> From: Matthijs Mekking <matthijs at nlnetlabs.nl>
>>>> But only after you see a certain amount of similar responses.
>>>> Speaking for myself, I said we could consider adding weights to
>>>> classification.
>>> If you block X DNSSEC responses/second but you do not block X 
>>> non-DNSSEC responses/second, then you are blocking DNSSEC
>>> responses and you *will* have false positives among blocked
>>> DNSSEC responses.
>> Not what I am saying
> You have made clear that you do not want false positive blocking
> of DNSSEC.  However, false positive blocking of DNSSEC is an
> inevitable implication of "adding weights to classification."
> If you do not block X 100 byte responses/second, then blocking X
> 100 byte responses/second must be a false positive. That implies
> that blocking the exact same rdatasets of A, AAAA, and NS records
> but with 1500 bytes or RRSIGs added must also be a false positive.

It seems that we have been talking past each other. I am talking about
adding weights to classification in general. So when I say weights,
they are not a function of response packet size.

> In version 9.9.0, `dig rhyolite.com @ns.rhyolite.com` reports 296
> bytes. and `dig +dnssec rhyolite.com @ns.rhyolite.com` reports 1892
> bytes. If you would not block 10 of those 296 byte
> responses/second, then blocking 10 of those 1892 responses/second
> is a false positive.
> Vernon Schryver    vjs at rhyolite.com 

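The disagreement above is easier to see with numbers. The following is an added example, not code from the thread, from Knot DNS or from BIND: a hypothetical fixed-window rate limiter that charges each response a configurable cost, run over the two response sizes Vernon quotes for the same rdataset (296 bytes plain, 1892 bytes with `+dnssec`). With a count-based cost both responses get the same 10 per second. With a cost proportional to packet size (the case Vernon argues against; Matthijs says his weights are not size-based, so this models only the size case) the DNSSEC form of the identical rdataset is cut off at one response per second while the plain form is not, which is exactly the false positive described. The client address, the response-class key and the budget of 10 are constructed values.

```python
from collections import defaultdict
from fractions import Fraction

# Response sizes quoted in the thread for the same rdataset, with and without
# RRSIGs (`dig rhyolite.com` vs `dig +dnssec rhyolite.com`).
PLAIN_BYTES = 296
DNSSEC_BYTES = 1892


class WindowLimiter:
    """Minimal fixed-window rate limiter, a hypothetical model (not Knot's or
    BIND's RRL code). Each (client, response-class) key may spend at most
    `budget` units in any one-second window; `cost` maps a response size in
    bytes to the units that response is charged."""

    def __init__(self, budget, cost):
        self.budget = Fraction(budget)
        self.cost = cost
        self.spent = defaultdict(Fraction)  # (key, second) -> units spent

    def allow(self, key, size_bytes, t):
        """Return True and charge the window if the response fits the budget."""
        slot = (key, int(t))
        units = self.cost(size_bytes)
        if self.spent[slot] + units <= self.budget:
            self.spent[slot] += units
            return True
        return False


def count_cost(size_bytes):
    """Classification by response count only: every response costs one unit."""
    return Fraction(1)


def size_weighted_cost(size_bytes):
    """Weight by size relative to the plain 296-byte response, so a budget of
    10 units is 10 plain responses' worth of bytes."""
    return Fraction(size_bytes, PLAIN_BYTES)


def allowed_per_second(cost, size_bytes, qps, budget=10):
    """Send `qps` identical responses spread evenly over one second for one
    client and return how many the limiter lets through."""
    limiter = WindowLimiter(budget, cost)
    key = ("192.0.2.1", "rhyolite.com/A")  # constructed client and class
    return sum(
        limiter.allow(key, size_bytes, Fraction(i, qps)) for i in range(qps)
    )


def compare(qps, budget=10):
    """Allowed responses per second for the same rdataset, with and without
    DNSSEC, under both classification weights."""
    return {
        "count": {
            "plain": allowed_per_second(count_cost, PLAIN_BYTES, qps, budget),
            "dnssec": allowed_per_second(count_cost, DNSSEC_BYTES, qps, budget),
        },
        "size_weighted": {
            "plain": allowed_per_second(size_weighted_cost, PLAIN_BYTES, qps, budget),
            "dnssec": allowed_per_second(size_weighted_cost, DNSSEC_BYTES, qps, budget),
        },
    }


if __name__ == "__main__":
    for qps in (5, 10, 50):
        print(qps, "qps:", compare(qps))
```

At 5 queries per second the count-based limiter passes all five responses in either form, and the size-weighted limiter still passes all five plain responses but only the first DNSSEC one: responses two to five of a rate that was never limited for the unsigned answer are dropped purely because RRSIGs made the packet larger. Exact rational arithmetic is used so the 10-unit budget equals exactly ten plain responses and the comparison is not disturbed by floating-point rounding.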