paul vixie (paul) writes:
>
> moreover, the definition of the word "identical" is not what one would
> expect. perhaps we should say "vastly similar" rather than "identical".
> one of the things DNS RRL counts is the number of times a negative
> answer is generated, per-client-netblock, per-SOA-apex. these responses
> are not identical but they all flow from the same SOA. another thing we
> count is the number of times a wildcard is used per-client-netblock.
Thanks for the examples. In my opinion, when one is the authority,
DNS RRL makes a lot of sense: "I've sent a nearly identical answer
a statistically sufficient number of times to be certain that a
legitimate requestor should have received it" is good enough for me :)
I do wish we had similar knobs in NSD (I thought version 3 was going
to offer that) -
http://www.nlnetlabs.nl/downloads/NSD_DenicTechnical.pdf,
but that's from 2009.
> these responses are in no way identical but we treat them as such for
> the purpose of rate limiting. these are things i do not think a firewall
> can do unless it's so DNS-aware that it knows where the apex is, knows
> what names exist, and knows what wildcards exist. (more on that in my
> response to colm's thread.)
It's not really a firewall at this point, it's a distributed DNS server
with an aggressive query filter in front of it. It's part of the
application, really.
Phil
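The bucketing Paul describes above (negative answers counted per client netblock per SOA apex, wildcard-synthesized answers counted per netblock, everything else keyed on the exact name) can be modelled in a few dozen lines. The following is an added illustration written for this thread, not code from BIND, NSD or any of the posters; the prefix lengths, the per-second limit, the slip ratio and the sample query stream are all assumed values chosen for the demonstration.

```python
"""Toy model of DNS RRL bucketing: 'vastly similar' responses share one counter.

Added illustration for the thread above; not BIND's or NSD's implementation.
Prefix lengths, limits and sample traffic are assumed values.
"""
from collections import defaultdict
import ipaddress

IPV4_PREFIX = 24   # assumed: aggregate IPv4 clients per /24
IPV6_PREFIX = 56   # assumed: aggregate IPv6 clients per /56


def client_netblock(addr: str) -> str:
    """Collapse a client address to the netblock RRL counts against."""
    ip = ipaddress.ip_address(addr)
    plen = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def response_key(client, qname, apex, rcode, wildcard=False):
    """Map a response to its rate-limit bucket.

    Negative answers are not identical (different qnames) but all flow from
    the same SOA, so they share one bucket per (netblock, apex). Answers
    synthesized from a wildcard likewise share a bucket. Everything else is
    keyed on the exact name and rcode.
    """
    nb = client_netblock(client)
    if rcode == "NXDOMAIN":
        return (nb, apex, "negative")
    if wildcard:
        return (nb, apex, "wildcard")
    return (nb, qname, rcode)


class RRL:
    """Fixed one-second window per bucket, with 'slip' (TC=1) every Nth drop."""

    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip
        self.counts = defaultdict(int)    # (bucket key, second) -> responses sent
        self.dropped = defaultdict(int)   # bucket key -> drops since last answer

    def decide(self, now, client, qname, apex, rcode, wildcard=False):
        key = response_key(client, qname, apex, rcode, wildcard)
        window = (key, int(now))
        if self.counts[window] < self.limit:
            self.counts[window] += 1
            self.dropped[key] = 0
            return "answer"
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            # Truncated reply: a legitimate resolver retries over TCP, a
            # spoofed source does not, and the reply is tiny either way.
            return "truncate"
        return "drop"


def simulate():
    """Constructed traffic: eight NXDOMAIN queries for distinct names from two
    hosts in one /24, then one from another netblock and one positive answer."""
    rrl = RRL(responses_per_second=5, slip=2)
    apex = "example.com."
    burst = []
    for i in range(8):
        client = "192.0.2.10" if i % 2 == 0 else "192.0.2.20"
        burst.append(rrl.decide(0.1 * i, client, f"nx{i}.example.com.", apex, "NXDOMAIN"))
    other_block = rrl.decide(0.9, "198.51.100.5", "nx99.example.com.", apex, "NXDOMAIN")
    positive = rrl.decide(0.95, "192.0.2.10", "www.example.com.", apex, "NOERROR")
    return burst, other_block, positive


if __name__ == "__main__":
    print(simulate())
```

Running it shows the point of the thread: the eight NXDOMAIN queries ask for eight different names, yet they are counted together because they come from one /24 and one apex, so the sixth onward is dropped or truncated while a client in a different netblock, and a positive answer for a real name, are unaffected. A firewall that does not know the apex or which names exist has no way to form that key.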
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs