[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS
bert.hubert at netherlabs.nl
Wed Feb 11 09:48:25 UTC 2015
On Wed, Feb 11, 2015 at 05:44:18AM +0800, Jim Martin wrote:
> This is certainly not our intention for legitimate queries, but as
> others have stated, very likely a side effect of running RRL. Are you
> seeing this anytime you get 5 NXDOMAINs/s (on any query), or anytime you
> get 5 NXDOMAINs/s for the same query? If it’s only when you’re asking the
> exact same question over and over (as your example code indicates), it may
> not be easily distinguishable from attack behaviour.
These are unique queries, the name changes for each one. But as Paul Vixie
elucidated, from the root-server perspective, these are all answers from one
zone though, the root zone. And that is where RRL kicks in.
From the discussion, I gather multiple people think 5/s is a very low limit,
and that 25/s might work better.
> I’ll have some of my team look into it and get back to you. Thanks for bringing this up!
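The mechanism the thread describes, as an added illustration that is not code from the thread or from any root-server operator: a simplified model of BIND-style response rate limiting in which NXDOMAIN responses are keyed by the zone that produced them (here the root zone) rather than by the query name, so a stream of unique non-existent names from one client shares a single bucket. The per-second fixed window, the /24 client aggregation, the limits of 5 and 25 responses per second, and the choice to truncate every excess response (real implementations apply a slip ratio) are assumptions of this model, and the query names are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: clients are aggregated per IPv4 /24, as BIND's RRL does by default.
CLIENT_PREFIX_LEN = 24


def rrl_key(client_ip, qname, rcode, zone):
    """Bucket key for a response under a BIND-style RRL model.

    NXDOMAIN responses are keyed by the zone that produced them, not by the
    query name, so unique non-existent names all land in one bucket. Positive
    answers are keyed by the name they answer.
    """
    net = ipaddress.ip_network(f"{client_ip}/{CLIENT_PREFIX_LEN}", strict=False)
    if rcode == "NXDOMAIN":
        return (str(net), rcode, zone)
    return (str(net), rcode, qname.lower())


class RateLimiter:
    """Fixed one-second window counter per bucket (a simplification of the
    real token bucket). Responses over the limit are marked truncated (TC=1),
    which is what the original poster observed from the root servers."""

    def __init__(self, responses_per_second):
        self.limit = responses_per_second
        self.counts = defaultdict(int)

    def respond(self, t, client_ip, qname, rcode, zone):
        window = int(t)  # one-second window index
        key = rrl_key(client_ip, qname, rcode, zone) + (window,)
        self.counts[key] += 1
        if self.counts[key] > self.limit:
            return "TC"      # rate-limited: client is told to retry over TCP
        return "FULL"        # normal, complete answer


def simulate_second(limit, qps, rcode="NXDOMAIN", zone=".", client_ip="192.0.2.10"):
    """Send `qps` queries with unique names within one second and return how
    many responses the model truncates. Names are constructed; each would be
    answered by the root zone with NXDOMAIN because the TLD does not exist."""
    limiter = RateLimiter(limit)
    truncated = 0
    for i in range(qps):
        t = i / qps  # spread evenly inside second 0
        qname = f"probe-{i}.this-tld-does-not-exist."
        if limiter.respond(t, client_ip, qname, rcode, zone) == "TC":
            truncated += 1
    return truncated


if __name__ == "__main__":
    # Unique NXDOMAIN names share one bucket: the 5/s limit bites at query 6.
    print("limit 5/s, 10 unique NXDOMAIN/s ->", simulate_second(5, 10), "truncated")
    # Raising the limit to 25/s, as suggested in the thread, clears the same load.
    print("limit 25/s, 10 unique NXDOMAIN/s ->", simulate_second(25, 10), "truncated")
    # Positive answers to unique names get their own buckets and are not limited.
    print("limit 5/s, 10 unique NOERROR/s ->", simulate_second(5, 10, "NOERROR"), "truncated")
```

Running the script shows 5, 0 and 0 truncated responses respectively: the TC=1 answers appear only when the per-zone NXDOMAIN budget is exceeded, regardless of how many distinct names were asked, which is why the unique queries in the original report still looked like a single repeated question to the rate limiter.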