[ratelimits] bind force qtype=ANY to TCP

Jared Mauch jared at puck.nether.net
Wed May 15 22:55:24 UTC 2013


On May 15, 2013, at 6:42 PM, Vernon Schryver <vjs at rhyolite.com> wrote:

> It would still encounter objections from ISC's style police.
> Never mind that, because ISC's style differs from my own as well as
> classic kernel normal form.  I frequently forget to override my
> habits in favor of ISC's and so get style violation tickets.

I didn't read their style police stuff, this was a hack :)

> Is it intentional that the patch does not affect authoritative ANY
> responses?  I think the patch would fail to stop the authorities for
> isc.org from answering `dig +dnssec isc.org any @ams.sns-pb.isc.org'
> with almost 4 Kbytes.

It's somewhat accidental, but I think OK.

> (My first second thought was that the goto would prevent responding
> with REFUSED to requests that need recursion and so make closed
> resolvers look open.  When I tested that thought and then looked closer,
> I saw that the patch is in the path after a first attempt to recurse,
> and so never encountered by a query that is answered authoritatively.)

Yeah, I think it is fine as it primes the cache if it's a real query, but if it's
fake then it just keeps sending TC=1 until the TTL expires.  It could be optimized,
but see above re: hack.  Same goes for any config directive.

- Jared
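
The mechanism the thread is discussing, as an added illustration that is not Jared's
patch or any BIND code: a UDP query for qtype=ANY gets back a header-plus-question
response with TC=1 and no answer records, so a real resolver retries over TCP while a
spoofed source gets nothing worth amplifying. The wire layout follows RFC 1035; the
server-side hook name `handle_udp_query` and the sample query are assumptions made here.

```python
import struct

QTYPE_ANY = 255
FLAG_QR = 0x8000  # response bit
FLAG_TC = 0x0200  # truncated: tells the client to retry over TCP
FLAG_RD = 0x0100  # recursion desired, copied from the query


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (RFC 1035 3.1), no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid: int, name: str, qtype: int, qclass: int = 1) -> bytes:
    """Build a one-question query with RD set (constructed sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_question(msg: bytes):
    """Return (id, flags, qname, qtype, qclass, raw_question) or raise ValueError."""
    if len(msg) < 12:
        raise ValueError("short header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        ln = msg[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:  # labels are at most 63 bytes; pointers are not legal in a query
            raise ValueError("bad label length or compression pointer in question")
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, flags, ".".join(labels), qtype, qclass, msg[12:pos + 4]


def handle_udp_query(msg: bytes):
    """Hypothetical hook on the UDP receive path: for qtype=ANY return an empty TC=1
    response (same ID, question echoed, no records); for anything else return None so
    the normal lookup path handles the query."""
    qid, flags, _qname, qtype, _qclass, question = parse_question(msg)
    if qtype != QTYPE_ANY:
        return None
    flags_out = FLAG_QR | FLAG_TC | (flags & FLAG_RD)
    header = struct.pack("!HHHHHH", qid, flags_out, 1, 0, 0, 0)
    return header + question


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit is set in a response header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


if __name__ == "__main__":
    q = build_query(0x1234, "isc.org", QTYPE_ANY)
    r = handle_udp_query(q)
    print("ANY over UDP ->", len(r), "bytes, TC =", is_truncated(r))
    print("A over UDP   ->", handle_udp_query(build_query(0x1235, "isc.org", 1)))
```

The response to the ANY query is 25 bytes regardless of how large the real RRset is,
which is the point of the TC=1 approach: a spoofed query for a name with a ~4 KB ANY
response costs the server a reply smaller than the query. As Jared notes above, the hook
sits only on the path it was patched into; whether authoritative answers are covered
depends on where in the server the check is placed, not on anything in this function.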

