<html><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
<br>
<blockquote style="border: 0px none;"
cite="mid:20150210110208.GB11960@xs.powerdns.com" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="bert.hubert@netherlabs.nl" photoname="bert hubert"
src="cid:part1.02060202.00050801@redbarn.org" name="postbox-contact.jpg"
height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:bert.hubert@netherlabs.nl"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">bert hubert</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Tuesday, February
10, 2015 3:02 AM</span></font></div></div></div>
<div style="color: rgb(136, 136, 136); margin-left: 24px;
margin-right: 24px;" __pbrmquotes="true" class="__pbConvBody"><div>Hi
everybody,<br><br>Recently at a large deployment, we ran into
f.root-servers.net returning<br>TC=1 to all our queries. We took this up
with ISC who quickly informed us<br>that this is a setting they run
with if you exceed more than 5 NXDOMAIN<br>responses/s. <br></div></div>
</blockquote>
<br>
have you looked at <a class="moz-txt-link-freetext" href="http://www.redbarn.org/dns/ratelimits">http://www.redbarn.org/dns/ratelimits</a> (DNS RRL)?<br>
<blockquote style="border: 0px none;"
cite="mid:20150210110208.GB11960@xs.powerdns.com" type="cite">
<div style="color: rgb(136, 136, 136); margin-left: 24px;
margin-right: 24px;" __pbrmquotes="true" class="__pbConvBody">
<div><br>The installation in question services millions of
subscribers, and sadly<br>gets a lot of silly queries which leak to the
root. We're unsure how to <br>stay below 5 NXDOMAINs/s permanently.<br></div>
</div>
</blockquote>
<br>
nxdomains are grouped together in rrl by soa, and 5/sec is probably too
low a threshold for a root name server. (f-root's adoption of DNS RRL
post-dates my time at isc, so, i was not involved in tuning the
parameters.)<br>
<blockquote style="border: 0px none;"
cite="mid:20150210110208.GB11960@xs.powerdns.com" type="cite">
<div style="color: rgb(136, 136, 136); margin-left: 24px;
margin-right: 24px;" __pbrmquotes="true" class="__pbConvBody">
<div><br>You can reproduce this behaviour like this:<br><br>$ for a
in {1..10}; do dig www.no-such-tld-$a -4 @f.root-servers.net ; done >
log<br>$ grep -E 'TCP|status:' log<br>;; ->>HEADER<<- opcode:
QUERY, status: NXDOMAIN, id: 54154<br>(...)<br>;;
->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4798<br>;;
Truncated, retrying in TCP mode.<br>;; ->>HEADER<<- opcode:
QUERY, status: NXDOMAIN, id: 1549<br><br>We've since tried to curtail
our queries to the root severely, but we still<br>get TC=1 responses a
lot, which slows down our resolution.<br></div>
</div>
</blockquote>
<br>
i think you'll see that it's not pure TC=1, but rather, some drops with
occasional TC=1's.<br>
<blockquote style="border: 0px none;"
cite="mid:20150210110208.GB11960@xs.powerdns.com" type="cite">
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<div><br>We shared our concerns with ISC, but it might be good to
have a broader<br>discussion on if it makes sense to set the bar so very
low.<br></div>
</div>
</blockquote>
<br>
because the root is signed, and because dnssec nxdomains are so large,
it is necessary to rate limit them. however, i think 25/sec would be a
better threshold than 5/sec. above that, the value of a root name server
as a reflecting ddos amplifier is just too high.<br>
<br>
<div class="moz-signature">-- <br>Paul Vixie<br>
</div>
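<br>
Editor's added example (not code from either correspondent, nor any named RRL implementation): a simplified per-second model of how RRL buckets NXDOMAIN answers by client prefix and SOA owner, so that every junk TLD asked of a root server lands in one bucket, and how excess responses become a mix of drops and TC=1 "slips" rather than pure TC=1. The 5/s and 25/s limits come from the thread; the /24 and /56 client prefixes and slip=2 are assumed (they match BIND's documented defaults), and the single-second window is a simplification of a real token bucket.

```python
from collections import defaultdict
import ipaddress

def client_prefix(ip):
    """RRL keys its buckets by client network, not single address.
    Assumed prefix lengths: /24 for IPv4, /56 for IPv6."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 56
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

class NxdomainRrl:
    """Per-second NXDOMAIN limiter keyed on (second, client prefix, SOA owner).
    Simplified model: one fixed window per second, no carried-over credit."""

    def __init__(self, limit_per_second, slip=2):
        self.limit = limit_per_second
        self.slip = slip          # every slip-th excess response is sent TC=1, the rest dropped
        self.seen = defaultdict(int)
        self.excess = defaultdict(int)

    def decide(self, t, client_ip, soa_owner):
        key = (int(t), client_prefix(client_ip), soa_owner)
        self.seen[key] += 1
        if self.seen[key] <= self.limit:
            return "answer"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "truncate"     # TC=1: a real resolver retries over TCP, a spoofer gains nothing
        return "drop"             # silent drop: no amplification, resolver sees a timeout

def simulate(limit, qps, seconds=1, client="192.0.2.53"):
    """Constructed load: `qps` queries/second for distinct non-existent TLDs from one
    resolver. At a root server every such NXDOMAIN shares the SOA owner '.'."""
    rrl = NxdomainRrl(limit)
    tally = {"answer": 0, "truncate": 0, "drop": 0}
    for s in range(seconds):
        for i in range(qps):
            tally[rrl.decide(s + i / qps, client, ".")] += 1
    return tally

if __name__ == "__main__":
    print("5/s limit, 10 junk queries:", simulate(5, 10))    # 5 answered, 2 TC=1, 3 dropped
    print("25/s limit, 10 junk queries:", simulate(25, 10))  # all 10 answered
```

Raising the limit changes the outcome for a busy resolver only because all of its NXDOMAINs share one bucket; spreading queries across distinct junk names does not help.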
</body></html>