[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

Paul Vixie paul at redbarn.org
Wed Feb 11 23:41:31 UTC 2015

> Paul Hoffman <mailto:paul.hoffman at vpnc.org>
> Wednesday, February 11, 2015 3:17 PM
> On Feb 11, 2015, at 1:30 PM, Paul Vixie <paul at redbarn.org> wrote:
>> 25/sec will not be enough for large rdns plants.
> That sounds specific enough that you have actual data to back this up; if so, I'm quite interested in it.

a busy RDNS that isn't doing Q-M often asks more than 25 bad-TLD queries
per second. see OARC DITL data.
>> that's why the default policy for slip and drop is so important. f-root's team must have overridden those, probably because various people have spread some FUD about drops.
> You might be willing to say what the f-root team did, and why they did it, even without being on the team, but I'm not.

DNS RRL does not do 996 slips and four responses in a second under any
default config.

>> this work came out of ddos work not dns work. after the tenth anniversary of SAC004 came and went, with more rather than fewer edges lacking SAV. 25/sec of signed nxdomain is enough to overload any DSL circuit. i'd be happy to work with you to find an upper limit.
> OK, now it sounds like you don't have actual data yet. N'r mind.

3000 bytes X 25/sec X 13 root name servers X 8 bits = 7.8Megabits/second.

by the way that level of snark is unusual for you. i'm sorry for peeving
you out of your comfort zone.

Paul Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150211/7b85fbe9/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150211/7b85fbe9/attachment.jpg>

More information about the dns-operations mailing list