RRL and avoiding contributing to DDoS (Was: How to suppress ADDITIONAL SECTION per zone)

Dave Warren davew at hireahit.com
Fri Jul 5 22:29:19 UTC 2013


On 2013-07-05 07:21, John Wobus wrote:
> I endorse this suggestion: we were faced with such attacks and were
> naturally leery about issues we might run into running a patched bind
> and the additional tuning it could require.  Our experience is: the RRL
> patch, used with its default parameters, simply does the job.


I haven't been following the RRL discussions too closely; is this patch
scheduled to be included in BIND9 proper, or will it remain a patch?

We generally prefer to avoid "unsupported" (third party) patches, 
although I am working on getting an exception through for this 
particular situation, but if it's scheduled for inclusion in the nearish 
future, we may wait.

In the meantime, would it make sense to set "minimal-responses yes"
proactively, or only if a spike of activity is detected (noting that it
will take us 1-3 days to notice a spike unless it's disruptive to
performance)?

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
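As an added illustration (not from this thread or from the BIND project), the two settings under discussion as they would sit in named.conf, assuming a BIND build with the rate-limit statement available; the netblocks in exempt-clients are constructed placeholders. Starting RRL in log-only mode gives a log trail of what would have been dropped, which helps spot a spike without waiting for a performance hit.

```conf
options {
    // Omit optional authority/additional records, so each response is smaller
    // and a spoofed-source query reflects less traffic at the victim.
    minimal-responses yes;

    // Response Rate Limiting: limit identical answers sent to one client netblock.
    rate-limit {
        responses-per-second 5;   // identical responses per second per netblock
        errors-per-second 5;      // same limit for SERVFAIL/REFUSED etc.
        nxdomains-per-second 5;   // and for NXDOMAIN answers
        window 5;                 // seconds over which the rate is averaged
        slip 2;                   // every 2nd limited response is a truncated (TC)
                                  // reply, so genuine clients can retry over TCP
        ipv4-prefix-length 24;    // group IPv4 clients by /24
        ipv6-prefix-length 56;    // group IPv6 clients by /56

        // Constructed placeholders: local monitoring hosts that must never be limited.
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };

        // Observe first: log what would be limited without dropping anything.
        // Remove this line (or set it to no) once the logs look sane.
        log-only yes;
    };
};
```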
