[dns-operations] dns response rate limiting (DNS RRL) patch available for testing

Vernon Schryver vjs at rhyolite.com
Tue Jun 12 15:16:59 UTC 2012


> From: Ken A <ka at pacific.net>
> To: dns-operations at mail.dns-oarc.net

> On an authoritative + recursive server, instead of a separate view, we use:
> acl "trusted" { x.x.x.x/z; };
> allow-recursion { trusted; };
>
> Is there any way to apply this patch so that it does not affect a
> specific acl, such as "trusted" addresses?
>
> Or, is it recommended/required that we configure separate views to use this?

Separate views are required to apply rate limiting to some but not
all DNS clients, unless you are of the school that holds
authoritative+recursive servers are always utterly wrong.  In that
case separate servers are required.

Would it be easy to transform your configuration file to use views via
the include directive?  My named.conf files look something like

    view "insiders" {
        match-clients { goodnets; };
        recursion yes;
        include "privatezones";
        include "publiczones";
        response-policy {
            ...
        };
    };
    view "outsiders" {
        match-clients { any; };
        recursion no;
        include "publiczones";
        rate-limit { ... };
    };


Vernon Schryver    vjs at rhyolite.com
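
Ken's acl-based configuration rewritten into the two-view layout described above, as an added example that is not from this thread; the rate-limit option names are assumed to be those in the RRL patch documentation, and the numeric values and the `x.x.x.x/z` prefix are placeholders.

```conf
// Added example (not from the thread): Ken's "trusted" acl split into
// two views so that rate limiting applies only to outside clients.
// Zones served by both views live in one included file so each zone
// is declared once.

acl "trusted" { x.x.x.x/z; };      // replace with the real inside prefixes

// Views are tried in order, so the trusted view must come first;
// allow-recursion is no longer needed because recursion is set per view.
view "insiders" {
    match-clients { trusted; };
    recursion yes;
    include "privatezones";        // zones only insiders may see
    include "publiczones";         // zones served to everyone
    // no rate-limit here: trusted clients are never limited
};

view "outsiders" {
    match-clients { any; };
    recursion no;                  // no open resolver for outsiders
    include "publiczones";
    rate-limit {
        // option names as in the RRL patch documentation (assumed);
        // values are placeholders to tune per server
        responses-per-second 5;    // identical answers per client block per second
        window 5;                  // seconds over which the rate is averaged
        slip 2;                    // every 2nd dropped answer is sent truncated instead
        log-only yes;              // only log what would be dropped; set no to enforce
    };
};
```

Run `named-checkconf` on the result before reloading, and watch the rate-limit log lines while `log-only` is on to confirm only outside clients would be affected.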
