Re: Open Resolver Problems

[Joe Abley <jabley () hopcount ca>]

On 2013-03-27, at 09:47, William Herrin <bill () herrin us> wrote:

> On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka <tom () cloudflare com> wrote:
> > Authoritative DNS servers need to implement rate limiting. (a client
> > shouldn't query you twice for the same thing within its TTL).
>
> Right now that's a complaint for the mainstream software authors, not
> for the system operators. When the version of Bind in Debian Stable
> implements this feature, I'll surely turn it on.

RRL is a moving target, although a promising one.

There are currently three implementations of RRL which all behave slightly differently. There is active discussion 
between the vendors who have implemented RRL, and between early adopters and the vendors. The specification is not yet 
stable, and changes in the functionality and the rate-limiting behaviour continue to be made.

My assessment is that the implementations I have seen are ready for production use, but I think it's understandable 
given the moving goalpoasts that some vendors have not yet promoted the code to be included in stable releases.

As an operator, I understand the benefits of using packaged, stable releases of code. However, we also have a 
responsibility to deal with operational problems in a timely way. I think it's worth considering that it may well be 
worth deviating from internal policies about code deployment in this instance; the benefits of doing so can be 
substantial, and the costs of doing so (especially if we expect them to be time-limited) are not that high.


Joe