On 2013-03-25, at 16:51, Måns Nilsson <mansaxel@besserwisser.org> wrote:
> I've successfully applied the Redbarn patches to my BIND, and I expect the NSD rate-control to be of similar quality, or better.

We've formed the opinion at ICANN that the observed reaction to reflection attacks by BIND9 + Schryver/Vixie RRL is definitely different from NSD + NSD-RRL, but we don't yet know whether either one is better.

Dave Knight is busy building a test lab at DNS-OARC so he can replay identical attack traffic against BIND9, NSD and knot with equivalent RRL configurations to observe their behaviour. The source data he's using initially is from a reflection attack against L-Root that landed in Hamburg; if others here have full pcaps of similar events and are interested in comparing the reactions to it from those three nameservers, let me know and I can put you in touch.

Dave plans to talk about his methodology and findings at the DNS-OARC workshop in Dublin in May (assuming his presentation proposal is accepted). (The DNS-OARC workshop is cojoined with the RIPE meeting, for those who are DNS-curious and haven't already considered a couple of extra days of DNS fun alongside the RIPE meeting they were already planning to attend.)

Joe