[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

Paul Hoffman paul.hoffman at vpnc.org
Wed Feb 11 15:50:51 UTC 2015

On Feb 10, 2015, at 3:32 PM, Paul Vixie <paul at redbarn.org> wrote:
> as i wrote up-thread, i think 25/sec would be a better threshold for nxdomains on a root server running DNS RRL.

"Better" for whom? If some of the root server operators run RRL, all they are doing is causing the DDoS purveyors to switch to the other root server operators. If that happens, and then all of the root server operators feel that they have to run RRL, the attackers simply add ten lines of code to spread the load across all the root server operators at just below the threshold.

This feels like another poorly-thought-out experiment on the live operating DNS with, as usual, insufficient data about the experiment being collected. If I'm wrong, and your number of "25/sec" is based on analysis and data, it would be great for you to share it here.

--Paul Hoffman

More information about the dns-operations mailing list