[dns-operations] g.root-servers.net UDP service

Jared Mauch jared at puck.nether.net
Mon Apr 18 00:25:18 UTC 2016

> On Apr 17, 2016, at 7:23 PM, Stephan Lagerholm <stlagerh at microsoft.com> wrote:
>> -----Original Message-----
>> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On
>> Behalf Of Jared Mauch
>> Sent: Saturday, April 16, 2016 4:49 AM
>> To: Stefan <netfortius at gmail.com>
>> Cc: dns-operations at dns-oarc.net
>> Subject: Re: [dns-operations] g.root-servers.net UDP service
>> On Fri, Apr 15, 2016 at 05:42:07AM -0500, Stefan wrote:
>>> On Apr 15, 2016 5:35 AM, "Stefan" <netfortius at gmail.com> wrote:
>>>> On Apr 15, 2016 5:05 AM, "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
>> wrote:
>>>>> On Fri, Apr 15, 2016 at 04:56:12AM -0500,  Stefan
>>>>> <netfortius at gmail.com> wrote  a message of 53 lines which said:
>>>>>> Is there any way to estimate the actual impact, assuming "x"
>>>>>> hours of malfunction?
>>>>> Probably nil, since the other twelve worked fine during this time.
>>>> If it was still part of the anycast, wouldn't some systems still
>>>> continue
>>> hitting it?
>>>> Thank you,
>>>> ***Stefan
>>> Never mind me. Don't know what I was thinking. Forgot the set of
>>> systems behind "g" is actually "the" anycast.
>> 	As long as one of the 13 root servers is reachable there would be no
>> impact.
> Although I agree that there was probably no impact during the short duration that G-root was down, it is not accurate that only one of the 13 root servers have to be available for it to be no impact. Most recursive resolvers give up after 3 or 4 attempts to reach a nameserver and returns SERVFAIL after that. SERVFAILs can be cached by downstream resolvers for up to 5 minutes (RFC 2308).

If your software does not consult the other NS records for a zone when seeing no response or a SERVFAIL then your software is not RFC compliant at all.  I’ve seen many poorly behaving pieces of software and vendors that think the standards are advisory.

I for one have welcomed vendors that have recently improved upon their DNS software as microsoft has.  I don’t use it, so can’t speak for its behavior.  If you are doing a cache of a query to the root zone and one of them isn’t responding, your software or implementation requires some review.

As Geoff speculated at the most recent DNS-OARC meeting, there may be as many as 300% more queries than necessary out there due to not honoring caches or queries being replayed over a long term.

- Jared

More information about the dns-operations mailing list