nanog mailing list archives

Re: Advance notice - H-root address change on December 1, 2015


From: Bjørn Mork <bjorn () mork no>
Date: Tue, 17 Nov 2015 10:28:40 +0100

Mark Andrews <marka () isc org> writes:

The [func] below are bug fixes / security fixes.

Umh, using a very relaxed definition maybe...

I was very happy to see this feature added in 9.9.8, and I can certainly
agree that it is security related.  But I hardly think it is suitable
for the strict "no new features" policy that many stable distros
enforce:


+3938.        [func]          Added quotas to be used in recursive resolvers
+                     that are under high query load for names in zones
+                     whose authoritative servers are nonresponsive or
+                     are experiencing a denial of service attack.
+
+                     - "fetches-per-server" limits the number of
+                       simultaneous queries that can be sent to any
+                       single authoritative server.  The configured
+                       value is a starting point; it is automatically
+                       adjusted downward if the server is partially or
+                       completely non-responsive. The algorithm used to
+                       adjust the quota can be configured via the
+                       "fetch-quota-params" option.
+                     - "fetches-per-zone" limits the number of
+                       simultaneous queries that can be sent for names
+                       within a single domain.  (Note: Unlike
+                       "fetches-per-server", this value is not
+                       self-tuning.)
+                     - New stats counters have been added to count
+                       queries spilled due to these quotas.
+
+                     These options are not available by default;
+                     use "configure --enable-fetchlimit" (or
+                     --enable-developer) to include them in the build.
+
+                     See the ARM for details of these options. [RT #37125]



Yes, I know they could still upgrade to 9.9.8 without this particular
feature, by simply not enabling it in the build.  But the restricted
feature set policy tends to be applied on a source level.

Playing the devil's advocate here... As I said, I was really happy to see
this feature in 9.9.8 myself.


Bjørn
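To make concrete what the quoted CHANGES entry describes, here is an added Python model (not BIND's code and not the ARM's specification) of a per-server quota that shrinks when a server's fetches keep timing out, a fixed per-zone quota, and counters for spilled queries. The recalculation interval (100 completions), the low/high water marks (0.1/0.3), the discount factor (0.7) and the +1 recovery step are assumed parameters chosen for illustration.

```python
from collections import Counter
class FetchQuotas:  # illustrative model, not BIND's implementation
    def __init__(self, per_server=500, per_zone=200, recalc=100, low=0.1, high=0.3, discount=0.7):
        self.max_server = per_server      # fetches-per-server: configured starting point
        self.per_zone = per_zone          # fetches-per-zone: fixed, not self-tuning
        self.recalc, self.low, self.high, self.discount = recalc, low, high, discount
        self.server_quota = {}            # server -> current, self-tuned quota
        self.inflight_server = Counter()  # server -> outstanding fetches
        self.inflight_zone = Counter()    # zone -> outstanding fetches
        self.window = {}                  # server -> [completed, timed out] since last recalc
        self.stats = Counter()            # spilled-query counters

    def current_quota(self, server):
        return self.server_quota.setdefault(server, self.max_server)

    def start_fetch(self, server, zone):
        # True if the fetch may be sent; False if a quota spills it
        if self.inflight_zone[zone] >= self.per_zone:
            self.stats["spill_zone"] += 1
            return False
        if self.inflight_server[server] >= self.current_quota(server):
            self.stats["spill_server"] += 1
            return False
        self.inflight_server[server] += 1
        self.inflight_zone[zone] += 1
        return True

    def finish_fetch(self, server, zone, timed_out):
        # release the slots; every `recalc` completions re-tune the server quota
        self.inflight_server[server] -= 1
        self.inflight_zone[zone] -= 1
        w = self.window.setdefault(server, [0, 0])
        w[0] += 1
        w[1] += int(timed_out)
        if w[0] < self.recalc:
            return
        ratio, quota = w[1] / w[0], self.current_quota(server)
        if ratio > self.high:    # mostly timing out: shrink by the discount factor
            quota = max(1, int(quota * self.discount))
        elif ratio < self.low:   # healthy again: creep back up (assumed recovery rule)
            quota = min(self.max_server, quota + 1)
        self.server_quota[server] = quota
        self.window[server] = [0, 0]

def simulate(quotas, server, zone, demand, rounds, timed_out):
    # each round: try to start `demand` fetches, then complete every one that was sent
    for _ in range(rounds):
        sent = sum(quotas.start_fetch(server, zone) for _ in range(demand))
        for _ in range(sent):
            quotas.finish_fetch(server, zone, timed_out)
    return quotas.current_quota(server), dict(quotas.stats)
```

Running simulate() against a constructed "dead" server shows the per-server quota collapsing towards one outstanding fetch while the spill counters climb, and recovering only slowly once answers return; the per-zone limit, by contrast, never moves.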
