[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

Paul Vixie paul at redbarn.org
Tue Feb 10 23:32:37 UTC 2015



> Matthew Pounsett <mailto:matt at conundrum.com>
> Tuesday, February 10, 2015 6:26 AM
>
> This is Response Rate Limiting in action… they’re not explicitly
> limiting NXDOMAIN responses; they’re limiting identical responses. If
> Bert’s server was asking for the same A record over and over that
> would get truncated and forced over to TCP as well. It’s probably not
> only F, although I don’t think I’ve seen a comprehensive list of which
> root instances are running RRL.

nxdomain's are grouped together by DNS RRL according to SOA, so, for all
unrecognized TLD's, there's one DNS RRL bucket for nxdomains for each
IPv4 /24 and each IPv6 /48.

as i wrote up-thread, i think 25/sec would be a better threshold for
nxdomains on a root server running DNS RRL.

to all: this is not a bug; see http://www.redbarn.org/dns/ratelimits,
and stop worrying about whether this "bug" means you should search for a
way to add root zone content to your RDNS as a way to avoid rate
limiting. rather, please throw your support behind query minimization,
in which case, nonexistent TLD's would be cacheable in each RDNS (in
negative form) and would prevent you from needing to forward other
queries under those nonexistent TLD's to a root name server (the
oft-called "random subdomain attack").

there are good reasons to add autonomous local root name servers to your
host or network. but this is not one of those reasons. again, this is
not a bug, just a tuning matter.

-- 
Paul Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150210/b22d9762/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150210/b22d9762/attachment.jpg>


More information about the dns-operations mailing list