[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

Paul Hoffman paul.hoffman at vpnc.org
Wed Feb 11 15:45:28 UTC 2015


On Feb 10, 2015, at 1:44 PM, Jim Martin <jrmii at isc.org> wrote:
> 	This is certainly not our intention for legitimate queries, but as others have stated, very likely a side effect of running RRL. Are you seeing this anytime you get 5 NXDOMAINs/s (on any query), or anytime you get 5 NXDOMAINs/s for the same query? If it’s only when you’re asking the exact same question over and over (as your example code indicates), it may not be easily distinguishable from attack behaviour.
> 
> 	I’ll have some of my team look into it and get back to you. Thanks for bringing this up!

It sounds like a bad configuration for RRL at f-root, given the replies below that they are unique queries (which would make sense from a caching resolver). If it is that easy to make a bad RRL configuration by (highly) experienced operators, it suggests that the configuration names and documentation are inadequate. Please strongly consider having ISC-f talk to ISC-BIND about the admin interface for RRL, including possible warnings for clearly bad configurations.

--Paul Hoffman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150211/38a95ee7/attachment.sig>


More information about the dns-operations mailing list