Tony Finch wrote:

> Peter Coghlan <b...@beyondthepale.ie> wrote:
>> Instead, isn't it the case that bind knows what domains it is authoritative
>> for (or which ones it is supposed to be authoritative for) and bind is
>> therefore in the ideal position to know which queries are abusive and which
>> are not rather than wrapping kludgy filtering mechanisms around it?
>
> Not always, sadly, because of misconfigured (lame) delegations. See the
> earlier messages from me and Ondřej -
>
> https://lists.isc.org/pipermail/bind-users/2021-April/104408.html
>
> https://lists.isc.org/pipermail/bind-users/2021-April/104423.html
>
But I don't have any misconfigured (lame) delegations and even if I had, I think I would rather put up with the consequences of the lame delegations on rare occasions than have my nameserver foisting abuse on others all the time. Those that are more worried about having lame delegations don't have to use any option that would cause error responses to be dropped.

(I've been there and done that with the lame delegations years ago. When I fouled up the master, the slaves toiled on regardless, presumably because the master returned "non-authoritative" or "refused" and nobody noticed there was any problem. Meanwhile, the slaves were unable to get zone transfers from the fouled up master and much, much later, they hit whatever the relevant timeout was and the zone failed completely. There then followed lots of head scratching as to why the domain had failed when nothing had changed recently. I think I would have preferred it if it had failed immediately I made the incorrect change (and I probably failed to notice bind trying to tell me about it too) because I would have known exactly where to look for the problem.)

>> If there is a resistance to having bind ignore the abusive queries
>> altogether, could we at least have something like "errors-per-minute 1"
>> which would reduce the problem by a factor of 60 compared with
>> "errors-per-second 1"? "errors-per-hour 1" would be even better still :-)
>
> There is probably something that might improve things, but I'm not sure
> what it is. I think the minimum RRL rate of 1 per second might be intended
> to work with resolver retry times. I'm wary of suppressing error responses
> without thinking through the possible consequences.
>

But isn't this what the filtering that has been suggested is going to do? Except isn't the filtering marginally more likely to get fouled up because of the danger of not keeping the filtering configuration and the bind configuration in sync with each other?

Regards,
Peter Coghlan.

> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> https://dotat.at/
> Viking, North Utsire, South Utsire, Forties: Northerly or
> northwesterly 3 to 5, becoming variable 3 or less later. Moderate
> becoming slight. Showers. Good.
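For readers following the exchange above, here is what the "errors-per-second 1" setting under discussion looks like in context. This is an added illustration, not configuration from either poster or from ISC; the `rate-limit` option names are BIND 9's real ones, while the numeric values, the 192.0.2.0/24 exempt netblock and the comments are choices made for this example. Note that the per-second granularity Peter objects to is built into the option set: there is no "errors-per-minute", and a value of 0 turns the limit off rather than lowering it.

```conf
// Added example: a named.conf options block for an authoritative-only
// server with Response Rate Limiting (RRL) enabled.
// Option names are BIND 9's; values and the netblock are illustrative.
options {
    recursion no;                   // authoritative-only; queries for other
                                    // zones get REFUSED, which is what RRL
                                    // "errors" are counting here
    allow-query { any; };

    rate-limit {
        responses-per-second 10;    // identical positive answers per client
                                    // prefix per second
        errors-per-second 1;        // REFUSED, SERVFAIL, FORMERR etc.
                                    // 1/s is the lowest enforceable rate;
                                    // 0 means "no limit", not "lower"
        nxdomains-per-second 5;
        referrals-per-second 5;
        nodata-per-second 5;

        window 15;                  // seconds over which the per-second
                                    // budget accrues (default 15)
        slip 2;                     // every 2nd suppressed answer is sent
                                    // truncated (TC=1) instead of dropped,
                                    // so a genuine resolver retries over TCP;
                                    // this is the "resolver retry" interplay
                                    // Tony mentions (default 2)
        ipv4-prefix-length 24;      // clients are bucketed per /24 (default)
        ipv6-prefix-length 56;      // and per /56 (default)

        exempt-clients { 192.0.2.0/24; };   // illustrative: your own
                                            // resolvers, never limited
        log-only no;                // set to yes first to measure what would
                                    // be dropped before enforcing it
    };
};
```

Because `slip` replaces some dropped responses with a small truncated reply rather than silence, a legitimate client that happens to fall into a limited bucket still gets a path to a full answer over TCP, which is the mechanism the floor of 1 per second is designed around. Running with `log-only yes` and a `rate-limit` category in the logging configuration for a day is the usual way to see which clients and response types would actually be affected before turning enforcement on.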