Advance notice - H-root address change on December 1, 2015
Bjørn Mork
bjorn at mork.no
Tue Nov 17 09:28:40 UTC 2015
Mark Andrews <marka at isc.org> writes:
> The [func] below are bug fixes / security fixes.
Umh, using a very relaxed definition maybe...
I was very happy to see this feature added in 9.9.8, and I can certainly
agree that it is security related. But I hardly think it is suitable
for the strict "no new features" policy that many stable distros
enforce:
> +3938. [func] Added quotas to be used in recursive resolvers
> + that are under high query load for names in zones
> + whose authoritative servers are nonresponsive or
> + are experiencing a denial of service attack.
> +
> + - "fetches-per-server" limits the number of
> + simultaneous queries that can be sent to any
> + single authoritative server. The configured
> + value is a starting point; it is automatically
> + adjusted downward if the server is partially or
> + completely non-responsive. The algorithm used to
> + adjust the quota can be configured via the
> + "fetch-quota-params" option.
> + - "fetches-per-zone" limits the number of
> + simultaneous queries that can be sent for names
> + within a single domain. (Note: Unlike
> + "fetches-per-server", this value is not
> + self-tuning.)
> + - New stats counters have been added to count
> + queries spilled due to these quotas.
> +
> + These options are not available by default;
> + use "configure --enable-fetchlimit" (or
> + --enable-developer) to include them in the build.
> +
> + See the ARM for details of these options. [RT #37125]
Yes, I know they could still upgrade to 9.9.8 without this particular
feature, by simply not enabling it in the build. But the restricted
feature set policy tends to be applied on a source level.
Playing the devil's advocate here... As I said, I was really happy to see
this feature in 9.9.8 myself.
Bjørn
More information about the NANOG
mailing list