Advance notice - H-root address change on December 1, 2015

[bjorn at mork.no (Bjørn Mork)]

Mark Andrews <marka at isc.org> writes:

> The [func] below are bug fixes / security fixes.

Umh, using a very relaxed definition maybe...

I was very happy to see this feature added in 9.9.8, and I can certainly
agree that it is security related.  But I hardly think it is suitable
for the strict "no new features" policy that many stable distros
enforce:


> +3938.	[func]		Added quotas to be used in recursive resolvers
> +			that are under high query load for names in zones
> +			whose authoritative servers are nonresponsive or
> +			are experiencing a denial of service attack.
> +
> +			- "fetches-per-server" limits the number of
> +			  simultaneous queries that can be sent to any
> +			  single authoritative server.  The configured
> +			  value is a starting point; it is automatically
> +			  adjusted downward if the server is partially or
> +			  completely non-responsive. The algorithm used to
> +			  adjust the quota can be configured via the
> +			  "fetch-quota-params" option.
> +			- "fetches-per-zone" limits the number of
> +			  simultaneous queries that can be sent for names
> +			  within a single domain.  (Note: Unlike
> +			  "fetches-per-server", this value is not
> +			  self-tuning.)
> +			- New stats counters have been added to count
> +			  queries spilled due to these quotas.
> +
> +			These options are not available by default;
> +			use "configure --enable-fetchlimit" (or
> +			--enable-developer) to include them in the build.
> +
> +			See the ARM for details of these options. [RT #37125]



Yes, I know they could still upgrade to 9.9.8 without this particular
feature, by simply not enabling it in the build.  But the restricted
feature set policy tends to be applied on a source level.

Playing the devil's advocate here... As I said, I was really happy to see
this feature in 9.9.8 myself.


Bj?rn