[ratelimits] defaults for DNS-RRL

Vernon Schryver vjs at rhyolite.com
Thu Mar 7 17:16:10 UTC 2013


> From: Daniel Stirnimann <daniel.stirnimann at switch.ch>

> The definition is for BIND9 RRL. It looks quite similar to the
> definition in the tech note (http://ss.vix.su/~vixie/isc-tn-2012-1.txt):

Oh, my mistake.  That's another thing that needs fixing in that
document, besides something about compressing qnames.

It reflects early thinking about how to get a "penalty box." We
later found that a simple token bucket scheme and allowing the token
count to go negative is simpler and better.


> I suppose I should stick to the ARM version for the most current
> definitions.

The documentation for the implementation is usually closer to what the
implementation does than the official document describing the mechanism
or protocol.  The official document might say what the implementation
should do or should be intended to do, but there are often misunderstandings
of the document, always bugs, and often disagreements or implementation
considerations.  Since all 3 currently known implementations compress
the qname (32 bits in BIND9 and 0 bits in NSD and Knot), that is
clearly an example of an implementation consideration.

Anyone who wants to know what the BIND9 RRL implementation really does
should consult the source, and feel free to question any of it that
is obscure or looks wrong.  I strongly disagree with the notion that
"code diversity" needs "cleanroom reverse engineering," unless your
lawyers are running the show.


Vernon Schryver    vjs at rhyolite.com
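The token bucket with a count that is allowed to go negative, which the post prefers over the earlier "penalty box" design, as an added example that is not code from the post or from BIND9's rrl.c. The rate, window and slip parameters borrow the names of BIND9's responses-per-second, window and slip options; the floor of -rate*window, the whole-second refill and the per-key slip counter are assumptions made here.

```python
# Added example (not from the post or from BIND9): an RRL-style token bucket
# whose per-client credit count goes negative when the client exceeds its
# rate.  A client that overshoots by a lot sinks toward the floor and stays
# limited until enough idle seconds have refilled the bucket, which gives
# the penalty-box effect without a separate penalty state.

class RrlBucket:
    def __init__(self, rate, window=15, slip=2):
        self.rate = rate            # credits granted per second
        self.window = window        # seconds of excess a client can accumulate
        self.slip = slip            # every slip-th limited answer is truncated, not dropped
        self.floor = -rate * window # lowest credit count (assumption); bounds the penalty
        self.state = {}             # key -> [credits, last_seen_second, limited_count]

    def check(self, key, now):
        """Decide one response for key at time now: 'send', 'drop' or 'slip'."""
        credits, last, limited = self.state.get(key, [self.rate, now, 0])
        # Refill in whole seconds, never above one second's worth of credits.
        credits = min(self.rate, credits + (int(now) - int(last)) * self.rate)
        if credits > 0:
            self.state[key] = [credits - 1, now, limited]
            return "send"
        # No credit left: debit anyway (down to the floor) so the penalty grows
        # with the excess rate, then pick between dropping and a TC=1 slip.
        limited += 1
        self.state[key] = [max(self.floor, credits - 1), now, limited]
        if self.slip and limited % self.slip == 0:
            return "slip"
        return "drop"


def burst(bucket, key, now, n):
    """Send n responses for key within the same second and tally the decisions."""
    tally = {"send": 0, "drop": 0, "slip": 0}
    for _ in range(n):
        tally[bucket.check(key, now)] += 1
    return tally


if __name__ == "__main__":
    # Constructed scenario: one /24 fires 100 queries in a second at rate 5.
    b = RrlBucket(rate=5, window=15, slip=2)
    print(burst(b, "203.0.113.0/24", 1000, 100))   # 5 sent, rest limited
    print(b.state["203.0.113.0/24"][0])            # credits pinned at the floor, -75
    print(b.check("203.0.113.0/24", 1010))         # 10 s later: still limited
    print(b.check("203.0.113.0/24", 1026))         # 16 s after that: refilled, sent
```

The keying is left to the caller; BIND9 keys on the client prefix plus a 32-bit qname hash, which is the compression the post refers to.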

