[dns-operations] bind-9.9.3rc2 ANY+TCP patch

Vernon Schryver vjs at rhyolite.com
Thu May 16 12:54:18 UTC 2013


> From: Matthijs Mekking <matthijs at nlnetlabs.nl>

> >> https://indico.dns-oarc.net/indico/getFile.py/access?contribId=4&resId=0&materialId=slides&confId=0
> >>
> >> Page #12

> > I also wonder about the definition of "false positive."  There are many
> > plausible candidates.
>
> I agree. Basically it is a query from an attacker that is not being 
> dropped.

That sounds like a "false negative" instead of a "false positive."
A "false positive" would be dropping or "slipping" a legitimate or
non-attack query.
A "true positive" is correctly identifying and dealing with an
attack packet.
A "true negative" is correctly identifying and not harming a
non-attack packet.
https://www.google.com/search?q=false+positive
http://www.mathsisfun.com/data/probability-false-negatives-positives.html
https://en.wikipedia.org/wiki/Type_I_and_type_II_errors

Perhaps "Slip 1" on page #12 refers to the RRL parameter.  If I assume
"False positives" means "truncated responses" (which are true positives
instead of false positives), then all of the table except the "TCP
responses" column makes sense.  I have no idea what "TCP response"
column means.


>          I know it has more to it than that. It might be a good idea to 
> define the term in the technical note. I can write some initial text, if 
> that is appreciated.

I would a appreciate a few words here.


I don't understand the graphs and tables, but I agree with the
conclusions on page #20.


Vernon Schryver    vjs at rhyolite.com



More information about the dns-operations mailing list