[161817] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Joe Abley)
Wed Mar 27 09:55:29 2013

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAP-guGWQjOVEJ4OCEn3sJuHLwq-hwg=g-7WdzAuhj77Uj3i4Cg@mail.gmail.com>
Date: Wed, 27 Mar 2013 09:54:57 -0400
To: William Herrin <bill@herrin.us>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 2013-03-27, at 09:47, William Herrin <bill@herrin.us> wrote:

> On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka <tom@cloudflare.com> wrote:
>> Authoritative DNS servers need to implement rate limiting. (a client
>> shouldn't query you twice for the same thing within its TTL).
>
> Right now that's a complaint for the mainstream software authors, not
> for the system operators. When the version of Bind in Debian Stable
> implements this feature, I'll surely turn it on.

RRL is a moving target, although a promising one.

There are currently three implementations of RRL which all behave
slightly differently. There is active discussion between the vendors who
have implemented RRL, and between early adopters and the vendors. The
specification is not yet stable, and changes in the functionality and
the rate-limiting behaviour continue to be made.

My assessment is that the implementations I have seen are ready for
production use, but I think it's understandable given the moving
goalposts that some vendors have not yet promoted the code to be
included in stable releases.

As an operator, I understand the benefits of using packaged, stable
releases of code. However, we also have a responsibility to deal with
operational problems in a timely way. I think it's worth considering
that it may well be worth deviating from internal policies about code
deployment in this instance; the benefits of doing so can be
substantial, and the costs of doing so (especially if we expect them to
be time-limited) are not that high.


Joe


