]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
clarify slip doc
authorEvan Hunt <each@isc.org>
Wed, 4 Sep 2013 04:20:47 +0000 (21:20 -0700)
committerEvan Hunt <each@isc.org>
Wed, 4 Sep 2013 04:20:47 +0000 (21:20 -0700)
3643. [doc] Clarify RRL "slip" documentation.

CHANGES
doc/arm/Bv9ARM-book.xml

diff --git a/CHANGES b/CHANGES
index 12199574b3057f7de6f0fc35202266e31bb9cabc..731c5efdd444ccc33a680b9238503bb35fe41221 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3643.  [doc]           Clarify RRL "slip" documentation.
+
 3642.  [func]          Allow externally generated DNSKEY to be imported
                        into the DNSKEY management framework.  A new tool
                        dnssec-importkey is used to do this. [RT #34698]
index 56679291229e1ade6463647bd01a0eea0cbac9f6..52f562775b8d4d9a739e235298ef25362dc19d7d 100644 (file)
@@ -9818,13 +9818,30 @@ example.com                 CNAME   rpz-tcp-only.
            amplification, of "slipped" responses make them unattractive
            for reflection DoS attacks.
            <command>slip</command> must be between 0 and 10.
-           A value of 0 does not "slip";
-           no truncated responses are sent due to rate limiting.
+           A value of 0 does not "slip":
+           no truncated responses are sent due to rate limiting,
+           all responses are dropped.
+           A value of 1 causes every response to slip;
+           values between 2 and 10 cause every n'th response to slip.
            Some error responses including REFUSED and SERVFAIL
            cannot be replaced with truncated responses and are instead
            leaked at the <command>slip</command> rate.
          </para>
 
+         <para>
+           (NOTE: Dropped responses from an authoritative server may
+           reduce the difficulty of a third party successfully forging
+           a response to a recursive resolver. The best security
+           against forged responses is for authoritative operators
+           to sign their zones using DNSSEC and for resolver operators
+           to validate the responses. When this is not an option,
+           operators who are more concerned with response integrity
+           than with flood mitigation may consider setting
+           <command>slip</command> to 1, causing all rate-limited
+           responses to be truncated rather than dropped.  This reduces
+           the effectiveness of rate-limiting against reflection attacks.)
+         </para>
+
          <para>
            When the approximate query per second rate exceeds
            the <command>qps-scale</command> value,