On 2013-03-27, at 09:47, William Herrin <bill@herrin.us> wrote:
On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka <tom@cloudflare.com> wrote:
Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL).
Right now that's a complaint for the mainstream software authors, not for the system operators. When the version of Bind in Debian Stable implements this feature, I'll surely turn it on.
RRL is a moving target, although a promising one. There are currently three implementations of RRL which all behave slightly differently. There is active discussion between the vendors who have implemented RRL, and between early adopters and the vendors. The specification is not yet stable, and changes in the functionality and the rate-limiting behaviour continue to be made. My assessment is that the implementations I have seen are ready for production use, but I think it's understandable given the moving goalpoasts that some vendors have not yet promoted the code to be included in stable releases. As an operator, I understand the benefits of using packaged, stable releases of code. However, we also have a responsibility to deal with operational problems in a timely way. I think it's worth considering that it may well be worth deviating from internal policies about code deployment in this instance; the benefits of doing so can be substantial, and the costs of doing so (especially if we expect them to be time-limited) are not that high. Joe