[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

Ralf Weber dns at fl1ger.de
Tue Feb 10 15:42:37 UTC 2015


Moin!

On Tue, Feb 10, 2015 at 01:40:22PM +0100, bert hubert wrote:
> On Tue, Feb 10, 2015 at 11:34:35AM +0000, Roy Arends wrote:
> > > We've since tried to curtail our queries to the root severely, but we still
> > > get TC=1 responses a lot, which slows down our resolution.
Which is bad and really shows that RRL on the authoritative servers (even
the root) is causing problems. 

> > Have you thought about running a local copy of the root zone?
> 
> More frequently now, yes. But I wonder if that is the intention. Is there an
> official policy on root-servers that allow AXFR yet? Can one count on this
> working?
I get mine from k (thanks RIPE). Haven't had a problem with it so far.

> > > We shared our concerns with ISC, but it might be good to have a broader
> > > discussion on if it makes sense to set the bar so very low.
I don't think so and given that most resolvers are slower via TCP than UDP
I am not sure if switching from UDP to TCP makes sense with the attacks we
see these days. Maybe dropping, but I'm not sure of this either. The bar
seems way too low to me though.

So long
-Ralf
