* Paul Vixie:

>> a) Secure configuration guidelines (RRL you can't make part of that, because
>> it requires too much tuning IMHO).
>
> rrl's defaults work fine on every authority server i've tried.

That's probably because those servers don't see traffic from resolvers which in turn have clients that send queries which are a little bit creative.

ISC-TN-2012-1 is unfortunately not very clear about the actual key used to determine the bucket to account against. Section 2.2.1 claims that "many possible questions can yield the same answer" and suggests that the rate limit applies to those "same answers" (which apparently do not include the transaction ID or question section), but section 3.1 talks about the QNAME.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
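
The two readings of the bucket key contrasted in the message above, as an added example that is not part of the original message or of ISC-TN-2012-1: a simplified fixed-window counter (not the tech note's algorithm) run over constructed queries, keyed once on the QNAME and once on the answer. The /24 client block, the limit of 5 responses per second, and all function and field names are assumptions made for illustration.

```python
from collections import defaultdict
import ipaddress

def client_block(ip, prefix=24):
    # Assumption: clients are grouped by /24 before accounting.
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def key_by_qname(q):
    # Reading 1: the bucket is identified by the question name.
    return (client_block(q["src"]), q["qname"].lower())

def key_by_answer(q):
    # Reading 2: the bucket is identified by the answer content,
    # ignoring transaction ID and question section.
    return (client_block(q["src"]), q["answer"])

def count_dropped(queries, key_fn, per_second=5):
    # Simplified fixed one-second windows; per_second=5 is an assumed limit.
    seen = defaultdict(int)
    dropped = 0
    for q in queries:
        bucket = (int(q["t"]),) + key_fn(q)
        seen[bucket] += 1
        if seen[bucket] > per_second:
            dropped += 1
    return dropped

def compare(queries):
    return {"qname": count_dropped(queries, key_by_qname),
            "answer": count_dropped(queries, key_by_answer)}

# Constructed sample: 20 different names under a wildcard, same answer data.
WILDCARD = [{"t": i * 0.01, "src": "192.0.2.10",
             "qname": f"host{i}.example.com",
             "answer": "*.example.com A 198.51.100.7"} for i in range(20)]

# Constructed sample: the same name asked 20 times within one second.
REPEAT = [{"t": i * 0.01, "src": "192.0.2.10",
           "qname": "www.example.com",
           "answer": "www.example.com A 198.51.100.7"} for i in range(20)]

if __name__ == "__main__":
    print("wildcard:", compare(WILDCARD))
    print("repeat:  ", compare(REPEAT))
```

The two keys agree for repeated identical questions and diverge only when many questions map to one answer, which is the case where the ambiguity matters for tuning.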
