[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

bert hubert bert.hubert at netherlabs.nl
Wed Feb 11 09:48:25 UTC 2015


On Wed, Feb 11, 2015 at 05:44:18AM +0800, Jim Martin wrote:

> 	This is certainly not our intention for legitimate queries, but as
> others have stated, very likely a side effect of running RRL.  Are you
> seeing this anytime you get 5 NXDOMAINs/s (on any query), or anytime you
> get 5 NXDOMAINs/s for the same query?  If it’s only when you’re asking the
> exact same question over and over (as your example code indicates), it may
> not be easily distinguishable from attack behaviour.

Hi Jim,

these are unique queries, the name changes for each one. But as Paul Vixie
elucidated, from the root-server perspective, these are all answers from one
zone though, the root zone.  And that is where RRL kicks in.

From the discussion, I gather multiple people think 5/s is a very low limit,
and that 25/s might work better.

> 	I’ll have some of my team look into it and get back to you. Thanks for bringing this up!

Thanks!

	Bert
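The mechanism the thread is discussing can be made concrete with a small model. The following is an added example, not code from the original post or from any root-server operator: it models response rate limiting the way the thread describes it, with NXDOMAIN answers bucketed per (client prefix, zone) rather than per query name, so distinct names that all fall under the root zone share a single bucket. It assumes a fixed one-second window, a hypothetical "slip" of 1 (every over-limit answer comes back truncated, TC=1), a /24 prefix for IPv4 and /56 for IPv6 clients, and constructed client addresses and query names; real BIND (errors-per-second, slip) and NSD implementations use token buckets and more elaborate slip behaviour.

```python
"""Toy model of NXDOMAIN rate limiting as described on the dns-operations
thread: the bucket key is (client prefix, zone that produced the answer),
so unique names that all resolve to 'no such name' in the root zone share
one bucket.  Added example; all addresses, names and limits are constructed."""
import ipaddress
from collections import Counter, defaultdict


def client_prefix(addr, v4bits=24, v6bits=56):
    """Collapse a client address to the prefix RRL would count against.
    Prefix lengths are assumptions, chosen to mirror common defaults."""
    bits = v6bits if ":" in addr else v4bits
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def zone_of(qname, zones=(".",)):
    """Return the longest served zone that contains qname.  A root-only
    server serves just ".", so every name maps to the same zone."""
    qname = qname.lower().rstrip(".") + "."
    best = None
    for zone in zones:
        zone = zone.lower().rstrip(".") + "."
        if zone == "." or qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


class NxdomainRrl:
    """Fixed-window limiter for error (NXDOMAIN) answers.
    Over-limit answers are 'slipped': returned with TC=1 so a legitimate
    resolver retries over TCP while a spoofed-source flood gets no
    amplification.  Slip is hard-coded to 1 here (an assumption)."""

    def __init__(self, errors_per_second, zones=(".",), window=1.0):
        self.limit = errors_per_second
        self.zones = zones
        self.window = window
        self.counts = defaultdict(int)
        self.window_start = {}

    def answer(self, client, qname, rcode, now):
        if rcode != "NXDOMAIN":
            return "ANSWER"  # positive answers are not modelled here
        key = (client_prefix(client), zone_of(qname, self.zones))
        start = self.window_start.get(key)
        if start is None or now - start >= self.window:
            self.window_start[key] = now  # open a fresh window
            self.counts[key] = 0
        self.counts[key] += 1
        if self.counts[key] > self.limit:
            return "TC"  # slipped: truncated response, forces TCP retry
        return "NXDOMAIN"


def simulate(limit, n, client="198.51.100.7", start=0.0, spacing=0.05):
    """Send n NXDOMAIN-producing queries with distinct names from one client
    inside a single window and return the per-query outcome."""
    rrl = NxdomainRrl(limit)
    results = []
    for i in range(n):
        qname = f"probe-{i}.no-such-tld-{i}."  # constructed, all nonexistent
        results.append(rrl.answer(client, qname, "NXDOMAIN", start + i * spacing))
    return results


def tally(results):
    return dict(Counter(results))


if __name__ == "__main__":
    # Ten unique names in half a second: the 5/s limit slips half of them,
    # the 25/s limit discussed on the list slips none.
    print("limit 5/s :", tally(simulate(5, 10)))
    print("limit 25/s:", tally(simulate(25, 10)))
```

The point the model makes visible is that varying the query name does nothing to escape the bucket: `zone_of` folds every name a root server answers with NXDOMAIN into ".", so the bucket fills at the aggregate rate of a client's junk queries, and the only levers are the per-zone error limit and the client prefix length.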


