[dns-operations] rate-limiting state
Paul Vixie
paul at redbarn.org
Fri Feb 7 00:46:07 UTC 2014
Damian Menscher wrote:
> ...
> My recommendation (which Vixie and Vernon disagree with) is to use RRL
> with slip=1 -- return TC=1 responses to all queries over the limit.
my disagreement is explained in detail here:
http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/
> This ensures your legitimate users can get through with a TCP request,
> rather than having to attempt multiple retries before learning to
> retry over TCP. Does slip=1 address your concerns?
>
> Of course TCP isn't perfect -- it has higher latency and
> per-connection costs -- but at least it ensures your legitimate users
> can't be affected by the RRL.
it does not. see [ibid].
vixie
More information about the dns-operations
mailing list