[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

🔒 Roy Arends roy at dnss.ec
Tue Feb 10 11:34:35 UTC 2015


> On 10 Feb 2015, at 11:02, bert hubert <bert.hubert at netherlabs.nl> wrote:
> 
> Hi everybody,
> 
> Recently at a large deployment, we ran into f.root-servers.net returning
> TC=1 to all our queries. We took this up with ISC who quickly informed us
> that this is a setting they run with if you exceed more than 5 NXDOMAIN
> responses/s.
> 
> The installation in question services millions of subscribers, and sadly
> gets a lot of silly queries which leak to the root. We're unsure how to
> stay below 5 NXDOMAINs/s permanently.
> 
> You can reproduce this behaviour like this:
> 
> $ for a in {1..10}; do dig www.no-such-tld-$a -4 @f.root-servers.net ; done > log
> $ grep -E 'TCP|status:' l
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54154
> (...)
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4798
> ;; Truncated, retrying in TCP mode.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1549
> 
> We've since tried to curtail our queries to the root severly, but we still
> get TC=1 responses a lot, which slows down our resolution.

Have you thought about running a local copy of the root zone?

> We shared our concerns with ISC, but it might be good to have a broader
> discussion on if it makes sense to set the bar so very low.

It doesn’t make sense to set the bar low on a single instance. What might happen is that due to some server selection algorithm, this server gets a penalty and the resolver flocks to other root-servers.

Roy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150210/49f47028/attachment.sig>


More information about the dns-operations mailing list