On Fri, 2013-09-20 at 14:12 +0000, Vernon Schryver wrote:
> > From: Shane Kerr <sh...@isc.org>
>
> > With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
> > fail, right? If you've got enough legitimate lookups going on to
> > trigger RRL then you're going to get lots of failures.
>
> If 6% is "lots", then yes.
>
it certainly is, I accept 1% error margins, anything more, then it's too high. If I was still managing public ISP DNS, then 0.01% error margin would be even a bit high, but then again, there I wouldn't be running views :)

>
> > > limit NXDOMAIN responses to xxxxxxxx/24 for zen.spamhaus.org ,
>
> > This doesn't indicate that anything actually failing for the querying
> > hosts, just that they are issuing a lot of queries.
>
> indeed.
>
> but the end result was, that RRL filtering was filtering,

as per my other message, however, ns0 is now using RRL in a view and has thus far (just over 24 hours) not given us any problems, NS 1 and 2 have always been pure authoritative, so never affected.

>
> The potential RRL problem is when you provide high volume DNSBL service

that problem is removed now since the internal view for caching won't be filtered when querying them, and our internal dnsbl has never needed to be RL'd since although public access is allowed, its volume is too low to be measurable compared to the well known ones :)

Thanks for clearing up the options, seems it should all be good now.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
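
The arrangement described in the message above (RRL applied only in the view that answers outside clients, with the internal caching view left unlimited), sketched as an added named.conf example. It is not the poster's actual configuration; the ACL name, addresses, zone name, file path and numeric limits are constructed placeholders.

```conf
// Constructed example: internal clients are matched first and are never
// rate limited, so their recursive lookups (including DNSBL queries that
// produce many NXDOMAIN answers) are not dropped or truncated by RRL.
acl internal-nets {
    192.0.2.0/24;          // placeholder documentation prefix
    localhost;
};

view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    // no rate-limit block here: caching resolver traffic is left alone
};

// Everyone else gets authoritative-only service with RRL enabled.
view "external" {
    match-clients { any; };
    recursion no;

    rate-limit {
        responses-per-second 5;   // identical answers per client block
        nxdomains-per-second 5;   // separate budget for NXDOMAIN answers
        window 15;                // seconds over which rates are averaged
        slip 2;                   // every 2nd limited query gets a truncated
                                  // (TC=1) reply, the rest are dropped
    };

    zone "example.com" {
        type master;
        file "zones/example.com.db";   // placeholder path
    };
};
```

Views are matched in order, so the internal view has to come before the catch-all external one.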