Hi Matthijs,
I generally like the idea, and we will discuss it in the team. Could you create an issue
in our GitLab for that, so the message doesn't get eaten by our ever-hungry INBOXes,
please?
Cheers,
Ondrej
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz
https://nic.cz/
--------------------------------------------
----- Original Message -----
From: "Matthijs Mekking" <matthijs(a)pletterpet.nl>
To: knot-dns-users(a)lists.nic.cz
Sent: Tuesday, May 31, 2016 10:23:17 AM
Subject: [knot-dns-users] RRL and dnsproxy
Hi,
I recently started trying out Knot DNS and it has been a pleasure so
far. I like the query modules and how easy it is to construct a query plan.
I am thinking of putting Knot as the public-facing server and enabling RRL
on it. However, I noticed that rate limiting comes *before* forwarding
the unsatisfied query to the remote backend. This means effectively that
all the queries will be rate limited by error classification.
Wouldn't it be better to apply ratelimits after all stages of the query
plan have been processed? In other words, rate limit based on the final
response, rather than an intermediate state. This way you can truly use
knot as a rate-limiting, public-facing server protecting your backend
name server.
Thoughts?
Best regards,
Matthijs