[185893] in North American Network Operators' Group
Re: Advance notice - H-root address change on December 1, 2015
daemon@ATHENA.MIT.EDU (Bjørn Mork)
Tue Nov 17 04:29:02 2015
X-Original-To: nanog@nanog.org
From: Bjørn Mork <bjorn@mork.no>
To: Mark Andrews <marka@isc.org>
Date: Tue, 17 Nov 2015 10:28:40 +0100
In-Reply-To: <20151117001626.7C9633CC5570@rock.dv.isc.org> (Mark Andrews's
message of "Tue, 17 Nov 2015 11:16:26 +1100")
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Mark Andrews <marka@isc.org> writes:
> The [func] below are bug fixes / security fixes.
Umh, using a very relaxed definition maybe...
I was very happy to see this feature added in 9.9.8, and I can certainly
agree that it is security related. But I hardly think it is suitable
for the strict "no new features" policy that many stable distros
enforce:
> +3938. [func] Added quotas to be used in recursive resolvers
> + that are under high query load for names in zones
> + whose authoritative servers are nonresponsive or
> + are experiencing a denial of service attack.
> +
> + - "fetches-per-server" limits the number of
> + simultaneous queries that can be sent to any
> + single authoritative server. The configured
> + value is a starting point; it is automatically
> + adjusted downward if the server is partially or
> + completely non-responsive. The algorithm used to
> + adjust the quota can be configured via the
> + "fetch-quota-params" option.
> + - "fetches-per-zone" limits the number of
> + simultaneous queries that can be sent for names
> + within a single domain. (Note: Unlike
> + "fetches-per-server", this value is not
> + self-tuning.)
> + - New stats counters have been added to count
> + queries spilled due to these quotas.
> +
> + These options are not available by default;
> + use "configure --enable-fetchlimit" (or
> + --enable-developer) to include them in the build.
> +
> + See the ARM for details of these options. [RT #37125]
Yes, I know they could still upgrade to 9.9.8 without this particular
feature, by simply not enabling it in the build. But the restricted
feature set policy tends to be applied on a source level.
Playing the devil's advocate here... As I said, I was really happy to see
this feature in 9.9.8 myself.
Bjørn
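As an added illustration of the quota behaviour the quoted changelog entry describes (not BIND's code, and not part of this thread), here is a small Python model of a resolver fetch limiter with a self-tuning per-server quota, a fixed per-zone quota and spill counters. The class and function names, the constructed server and zone names, and the adjustment rule (halve the per-server quota when the measured timeout ratio exceeds a high-water mark, double it back toward the configured start when it drops below a low-water mark) are all assumptions made for this example; BIND's real tuning is driven by the "fetch-quota-params" option and is more elaborate than this.

```python
"""Toy model of the resolver fetch quotas described in the BIND 9.9.8
changelog above.  This is an illustration written for this page, not
BIND's implementation: names, defaults and the adjustment rule (halve the
per-server quota when the timeout ratio exceeds a high-water mark,
double it back toward the configured start value when it drops below a
low-water mark) are assumptions that simplify the described behaviour."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FetchLimiter:
    fetches_per_server: int = 10   # starting per-server quota (self-tuning)
    fetches_per_zone: int = 8      # fixed per-zone quota (not self-tuning)
    recalc_every: int = 10         # recompute the timeout ratio every N completions
    low: float = 0.1               # below this ratio the quota may grow back
    high: float = 0.9              # above this ratio the quota is cut
    min_quota: int = 1
    in_flight_server: Counter = field(default_factory=Counter)
    in_flight_zone: Counter = field(default_factory=Counter)
    quota: dict = field(default_factory=dict)          # current quota per server
    completed: Counter = field(default_factory=Counter)
    timeouts: Counter = field(default_factory=Counter)
    spilled: Counter = field(default_factory=Counter)  # stats: 'server' / 'zone'

    def try_start(self, server: str, zone: str) -> bool:
        """Admit an outbound query, or count it as spilled by a quota."""
        quota = self.quota.setdefault(server, self.fetches_per_server)
        if self.in_flight_server[server] >= quota:
            self.spilled["server"] += 1
            return False
        if self.in_flight_zone[zone] >= self.fetches_per_zone:
            self.spilled["zone"] += 1
            return False
        self.in_flight_server[server] += 1
        self.in_flight_zone[zone] += 1
        return True

    def finish(self, server: str, zone: str, timed_out: bool) -> None:
        """Release the slots held by a query and feed the tuning loop."""
        self.in_flight_server[server] -= 1
        self.in_flight_zone[zone] -= 1
        self.completed[server] += 1
        if timed_out:
            self.timeouts[server] += 1
        if self.completed[server] % self.recalc_every == 0:
            self._adjust(server)

    def _adjust(self, server: str) -> None:
        """Assumed tuning rule: cut the quota under congestion, restore it
        once the server answers again."""
        ratio = self.timeouts[server] / self.completed[server]
        if ratio > self.high:
            self.quota[server] = max(self.min_quota, self.quota[server] // 2)
        elif ratio < self.low:
            self.quota[server] = min(self.fetches_per_server, self.quota[server] * 2)
        self.completed[server] = 0   # start a fresh measurement window
        self.timeouts[server] = 0


def run_scenario(rounds: int = 3, per_round: int = 20, server_down: bool = True):
    """Constructed load: each round fires `per_round` lookups at one
    authoritative server, half for zone a and half for zone b, then
    resolves every admitted query (all of them time out when the server
    is down).  Returns the limiter and the per-server quota after each round."""
    lim = FetchLimiter()
    server = "ns1.example.test"                      # constructed name
    zones = ["a.example.test", "b.example.test"]     # constructed names
    history = []
    for _ in range(rounds):
        started = []
        for i in range(per_round):
            zone = zones[i // (per_round // 2)]
            if lim.try_start(server, zone):
                started.append(zone)
        for zone in started:
            lim.finish(server, zone, timed_out=server_down)
        history.append(lim.quota[server])
    return lim, history


if __name__ == "__main__":
    for down in (True, False):
        lim, history = run_scenario(server_down=down)
        print("server down" if down else "server healthy",
              "quota per round:", history, "spilled:", dict(lim.spilled))
```

Run with the server down, the per-server quota shrinks from 10 to 5 and then to 2 while the spill counter climbs, which is the effect an operator would watch for in the new stats counters; run with a healthy server the quota stays at its configured start and only the fixed per-zone limit and the starting per-server limit spill queries. In BIND itself the corresponding knobs are the "fetches-per-server", "fetches-per-zone" and "fetch-quota-params" options from the quoted entry, which are only present when the build enables them.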