[dns-operations] Best Practices

Florian Weimer fw at deneb.enyo.de
Sun Jun 16 12:14:30 UTC 2013


* Paul Vixie:

>> a) Secure configuration guidelines (RRL you can't make part of that, because it requires too much tuning IMHO).
>
> rrl's defaults work fine on every authority server i've tried.

That's probably because those servers don't see traffic from resolvers
which in turn have clients that send queries which are a little bit
creative.

ISC-TN-2012-1 is unfortunately not very clear about the actual key
used to determine the bucket to account against.  Section 2.2.1 claims
that "many possible questions can yield the same answer" and suggests
that the rate limit applies to those "same answers" (which apparently
do not include the transaction ID or question section), but section
3.1 talks about the QNAME.



More information about the dns-operations mailing list