On Thu, May 01, 2014 at 05:10:50PM -0500, Lawrence K. Chen, P.Eng. wrote:
> Does compiling in RRL mean it's active, even without a rate-limit
> {} control block?

No, and also note that your rate-limit {} stanza could be either in
your options {} statement, or in a view {} statement. The latter
replaces rather than supplements what you have in options.

> The other day, I got reports some service is getting intermittent
> lookup failures for our ldap server.
>
> Why these appliances have to query DNS servers many times per
> second to get the address of a record with a TTL of 1 day....

Do you have them directly querying authoritative nameservers? Your
workaround, perhaps, is to have caching-only servers between your
appliances and your authoritative servers.

> In looking at the logs, I saw messages about rate-limit of various
> subnets. (but, only for the busiest 2 of 8 caching servers)

RRL should only be used on authoritative servers. Are you saying
you saw such logs from a named instance without a rate-limit stanza?
Indeed, that should not be so.

> Starting when I first updated to 9.9.4-P1. Though both had said
> they had stopped limiting responses by the time I looked.
>
> Just in case, I threw in a
>
> rate-limit {
>     exempt-clients { k-state; };
> };
>
> where "k-state" is the same acl used with allow-query {} and
> allow-recursion {}.

There's also "log-only yes;" you might try.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
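
Added example, not part of the original message or of anyone's actual configuration: a named.conf fragment for an authoritative-only server showing that a rate-limit {} inside a view replaces the one in options {}, so exempt-clients has to be restated there, with "log-only yes;" used for a trial run. The ACL name "k-state" is from the thread; the addresses, zone name, file path and numeric limits are constructed placeholders.

```conf
// Constructed addresses (documentation ranges); "k-state" is the ACL
// name used in the thread.
acl "k-state" { 192.0.2.0/24; 2001:db8::/32; };

options {
    recursion no;                      // authoritative-only: where RRL belongs

    // Used only by views that carry no rate-limit {} of their own.
    rate-limit {
        responses-per-second 10;       // assumed value, tune per site
        exempt-clients { "k-state"; };
    };
};

view "default" {
    match-clients { any; };

    // This block REPLACES the options-level rate-limit {} for this view.
    // Nothing is inherited: leave out exempt-clients here and "k-state"
    // clients become subject to limiting despite the options block above.
    rate-limit {
        responses-per-second 5;        // assumed value
        exempt-clients { "k-state"; }; // restated on purpose
        log-only yes;                  // log what would be limited, drop nothing
    };

    // Placeholder zone; with views in use, every zone lives inside a view.
    zone "example.edu" {
        type master;
        file "zones/example.edu.db";
    };
};
```

Running named-checkconf on the file catches syntax errors before a reload; once the logged decisions under log-only look right, removing that line turns on actual limiting.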