[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

bert hubert bert.hubert at netherlabs.nl
Wed Feb 11 10:00:10 UTC 2015


On Tue, Feb 10, 2015 at 03:28:10PM -0800, Paul Vixie wrote:
> 
> 
> > bert hubert <mailto:bert.hubert at netherlabs.nl>
> > Tuesday, February 10, 2015 3:02 AM
> > Hi everybody,
> >
> > Recently at a large deployment, we ran into f.root-servers.net returning
> > TC=1 to all our queries. We took this up with ISC who quickly informed us
> > that this is a setting they run with if you exceed more than 5 NXDOMAIN
> > responses/s.
> 
> have you looked at http://www.redbarn.org/dns/ratelimits (DNS RRL)?

We lovingly cloned it into a superset even ;-)
http://7bits.nl/tmp/unlisted/lua-policy-engine.html

> i think you'll see that it's not pure TC=1, but rather, some drops with
> occasional TC=1's.

Out of 1000 packets, I get 994 TC=1 and 6 regular answers.

	Bert
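
Added example, not part of the original message or of any code from its author: a way to tally TC=1 responses against regular answers in a batch of raw DNS messages by reading the header flags word (RFC 1035, section 4.1.1). The sample packets are constructed to mirror the ratio reported above; treating the six regular answers as NXDOMAIN is an assumption, and all function names are hypothetical.

```python
import struct
from collections import Counter

QR_BIT = 0x8000   # set on responses
TC_BIT = 0x0200   # truncation flag: client should retry over TCP
RCODES = {0: "NOERROR", 3: "NXDOMAIN"}

def classify(packet: bytes) -> str:
    """Classify one raw DNS message using only its 12-byte header."""
    if len(packet) < 12:
        return "malformed"
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if not flags & QR_BIT:
        return "query"
    if flags & TC_BIT:
        return "truncated"
    return RCODES.get(flags & 0x000F, "other")

def tally(packets):
    """Count messages per class."""
    return Counter(classify(p) for p in packets)

def truncated_share(counts):
    """Fraction of well-formed responses that carried TC=1."""
    total = sum(n for kind, n in counts.items()
                if kind not in ("query", "malformed"))
    return counts["truncated"] / total if total else 0.0

def make_message(msg_id, response=True, tc=False, rcode=0):
    """Constructed sample: header-only message with empty sections."""
    flags = (QR_BIT if response else 0) | (TC_BIT if tc else 0) | rcode
    return struct.pack("!6H", msg_id, flags, 0, 0, 0, 0)

def sample_capture():
    # Constructed data: 994 TC=1 responses and 6 regular answers.
    # Assumption: the regular answers are NXDOMAIN (rcode 3).
    pkts = [make_message(i, tc=True) for i in range(994)]
    pkts += [make_message(1000 + i, rcode=3) for i in range(6)]
    return pkts

if __name__ == "__main__":
    counts = tally(sample_capture())
    print(dict(counts), f"TC=1 share: {truncated_share(counts):.1%}")
```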


