[ratelimits] Remarks regarding the Knot DNS 1.2.0 RRL implementation

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Mar 7 13:27:29 UTC 2013


On 03/06/2013 04:43 PM, Vernon Schryver wrote:
>> From: Matthijs Mekking <matthijs at nlnetlabs.nl>
> 
>>>> But only after you see a certain amount of similar responses. Speaking
>>>> for myself, I said we could consider adding weights to classification.
> 
>>> If you block X DNSSEC responses/second but you do not block X 
>>> non-DNSSEC responses/second, then you are blocking DNSSEC
>>> responses and you *will* have false positives among blocked
>>> DNSSEC responses.
>> 
>> Not what I am saying
> 
> You have made clear that you do not want false positive blocking
> of DNSSEC.  However, false positive blocking of DNSSEC is an
> inevitable implication of "adding weights to classification."
> 
> If you do not block X 100 byte responses/second, then blocking X
> 100 byte responses/second must be a false positive. That implies
> that blocking the exact same rdatasets of A, AAAA, and NS records
> but with 1500 bytes or RRSIGs added must also be a false positive.

It seems that we have been talking past each other. I am talking about
adding weights to classification in general. So when I say weights,
they are not a function of response packet size.

> 
> In version 9.9.0, `dig rhyolite.com @ns.rhyolite.com` reports 296
> bytes. and `dig +dnssec rhyolite.com @ns.rhyolite.com` reports 1892
> bytes. If you would not block 10 of those 296 byte
> responses/second, then blocking 10 of those 1892 responses/second
> is a false positive.
> 
> 
> Vernon Schryver    vjs at rhyolite.com 

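The exchange above turns on what "classification" and "weights" mean for an RRL token bucket. As an added illustration (this is not Knot DNS, BIND or NSD code, and it takes no side in the thread), the toy limiter below classifies responses by (client /24, qname) only, so an answer with and without RRSIGs lands in the same bucket, and then lets a pluggable weight function decide how many tokens each response costs. The two response sizes are the 296 and 1892 bytes Vernon quotes for rhyolite.com; the size-proportional weight, the 512-byte unit, the 10 responses/second limit and the client address are assumptions made up for the example. Time is kept in integer milliseconds and tokens in thousandths so the results are exact.

```python
"""Toy response rate limiter (RRL) illustrating the classification/weight
argument in the thread. Example code only, not any DNS server's RRL."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, Dict, Tuple

MILLI = 1000  # one token expressed in thousandths, to keep arithmetic exact


@dataclass(frozen=True)
class Response:
    client: str    # source address of the query (constructed sample)
    qname: str
    size: int      # response size on the wire, bytes
    dnssec: bool   # RRSIGs included (DO bit set on the query)


# Sizes from the thread for rhyolite.com without and with +dnssec;
# the client address is a constructed sample.
PLAIN = Response("192.0.2.10", "rhyolite.com", 296, dnssec=False)
SIGNED = Response("192.0.2.10", "rhyolite.com", 1892, dnssec=True)


def classify(r: Response) -> Tuple[str, str]:
    """Class key: client /24 and qname. Size and RRSIGs play no part."""
    net = ip_network(f"{r.client}/24", strict=False)
    return (str(net), r.qname.lower())


def unit_weight(r: Response) -> int:
    """Every response costs one token regardless of size."""
    return MILLI


def size_weight(r: Response, unit_bytes: int = 512) -> int:
    """Hypothetical weighting: cost proportional to wire size."""
    return r.size * MILLI // unit_bytes


class RRL:
    """One token bucket per class; `rate` responses per second sustained,
    with a burst of one `window_ms` worth of tokens."""

    def __init__(self, rate: int, window_ms: int = 1000,
                 weight: Callable[[Response], int] = unit_weight):
        self.rate_per_ms = rate * MILLI // 1000      # millitokens added per ms
        self.burst = rate * MILLI * window_ms // 1000
        self.weight = weight
        self.buckets: Dict[Tuple[str, str], Tuple[int, int]] = {}

    def allow(self, r: Response, now_ms: int) -> bool:
        key = classify(r)
        tokens, last = self.buckets.get(key, (self.burst, now_ms))
        tokens = min(self.burst, tokens + (now_ms - last) * self.rate_per_ms)
        cost = self.weight(r)
        allowed = tokens >= cost
        if allowed:
            tokens -= cost
        self.buckets[key] = (tokens, now_ms)
        return allowed


def simulate(limiter: RRL, r: Response, qps: int, seconds: int = 1) -> Tuple[int, int]:
    """Send `qps` copies of `r` per second, evenly spaced; return (sent, dropped)."""
    total = qps * seconds
    step_ms = 1000 // qps
    dropped = sum(not limiter.allow(r, i * step_ms) for i in range(total))
    return total - dropped, dropped


def extra_drops(r: Response, qps: int, rate: int = 10) -> int:
    """Responses the size-weighted limiter drops that the unweighted one at
    the same nominal rate passes: the extra blocking the thread argues over."""
    _, base = simulate(RRL(rate), r, qps)
    _, weighted = simulate(RRL(rate, weight=size_weight), r, qps)
    return weighted - base


if __name__ == "__main__":
    for name, r in (("plain", PLAIN), ("signed", SIGNED)):
        print(name, "unweighted 10 qps:", simulate(RRL(10), r, 10))
        print(name, "size-weighted 10 qps:", simulate(RRL(10, weight=size_weight), r, 10))
    print("plain flood 1000 qps, unweighted:", simulate(RRL(10), PLAIN, 1000))
```

With the unit weight, 10 plain or 10 signed responses per second both pass in full, while a 1000 qps flood of the same plain answer is cut to the burst plus roughly one response per 100 ms. With the size-proportional weight, the same 10 signed responses per second lose half of them, even though their class key is identical to the plain answer's.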

