From: Evan Hunt Date: Wed, 4 Sep 2013 04:25:13 +0000 (-0700) Subject: clarify slip doc X-Git-Tag: v9.9.4~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e60e43568833c1c327a78d0eccb2454b266b72ab;p=thirdparty%2Fbind9.git clarify slip doc 3643. [doc] Clarify RRL "slip" documentation. (cherry picked from commit 2bae76022cbdf8a207d4c3982b589156e1a09e09) --- diff --git a/CHANGES b/CHANGES index 448c57ad8f4..45582730ce5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +3643. [doc] Clarify RRL "slip" documentation. + 3638. [cleanup] Add the ability to handle ENOPROTOOPT in case it is encountered. [RT #34668] diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 219c505025c..7a9619b26c8 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml 
@@ -9535,13 +9535,30 @@ ns.domain.com.rpz-nsdname CNAME . amplification, of "slipped" responses make them unattractive for reflection DoS attacks. slip must be between 0 and 10. - A value of 0 does not "slip"; - no truncated responses are sent due to rate limiting. + A value of 0 does not "slip": + no truncated responses are sent due to rate limiting, + all responses are dropped. + A value of 1 causes every response to slip; + values between 2 and 10 cause every n'th response to slip. Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead leaked at the slip rate. + + (NOTE: Dropped responses from an authoritative server may + reduce the difficulty of a third party successfully forging + a response to a recursive resolver. The best security + against forged responses is for authoritative operators + to sign their zones using DNSSEC and for resolver operators + to validate the responses. When this is not an option, + operators who are more concerned with response integrity + than with flood mitigation may consider setting + slip to 1, causing all rate-limited + responses to be truncated rather than dropped. This reduces + the effectiveness of rate-limiting against reflection attacks.) + + When the approximate query per second rate exceeds the qps-scale value,
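Review bot: in the doc/arm/Bv9ARM-book.xml hunk, the added sentence "values between 2 and 10 cause every n'th response to slip" uses n without defining it; since the preceding sentence names the option, make the relation explicit, e.g. "values between 2 and 10 cause one in every n rate-limited responses to slip, where n is the slip value". The same paragraph also trades "A value of 0 does not "slip"; no truncated responses are sent" for a colon followed by a comma splice ("no truncated responses are sent due to rate limiting, all responses are dropped"); a semicolon before "all responses are dropped" reads more cleanly and matches the surrounding text. The NOTE paragraph correctly states the trade-off (slip 1 preserves response integrity against forgery toward recursive resolvers at the cost of weaker reflection mitigation, with DNSSEC signing and validation as the preferred defence), so nothing further is needed there beyond the wording fixes above.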