[dns-operations] Survey of How to Solving DNS Errors

Geoff Huston gih at apnic.net
Thu Aug 15 18:17:21 UTC 2024



> On 15 Aug 2024, at 10:39 PM, Florian Obser <florian at narrans.de> wrote:
> 
> On 2024-08-15 11:25 +02, Ralf Weber <dns at fl1ger.de> wrote:
>> I just logged in to a random server that is doing tens of thousands of
>> requests per second and it had 15% NXDomain queries 1% SERVFAIL and REFUSED
>> and 0.1% FORMERR and that is a typical RCODE distribution, and it would
>> be impossible to follow and investigate all of them.
> 
> It's not a competition but... we are answering 50% NXDOMAIN and that's
> considered normal... It's also sad, but what can you do...
> 
> https://www.ripe.net/analyse/dns/k-root/statistics/root/daily/#return-codes
> 

Yes, has been considered "normal" for many years now - all this scaling of the
response capacity of the root server system could be characterised as "say
'no' faster and in greater volume!"

As to "what can you do?", there have been a couple of responses to this:

One is RFC 8198, "Aggressive Use of DNSSEC-Validated Cache", which
allows recursive resolvers to "learn" the contents of the root zone from
NXDOMAIN responses and allows the recursive resolver to answer
NXDOMAIN from its local cache.

The other response is to have the local recursive resolver maintain a
local copy of the current root zone - RFC 8806, "Running a Root Server
Local to a Resolver". I particularly like Roy Arends and Nicolas Antoniello's
2021 technical analysis of this approach
(https://www.icann.org/en/system/files/files/octo-027-25aug21-en.pdf)


regards,

Geoff
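
Added example, not part of the original message and not code from any resolver: a sketch of the RFC 8198 idea, where NSEC records learned from one validated NXDOMAIN response let a resolver answer later queries for other non-existent TLDs from cache. It assumes the records were already DNSSEC-validated; `RootNsecCache`, `can_answer_nxdomain` and `demo` are hypothetical names, and the NSEC chain and TTLs are constructed sample data.

```python
def canonical_key(name):
    """RFC 4034 section 6.1 canonical order: compare labels right to left
    as lowercase byte strings; the root (empty tuple) sorts first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))

class RootNsecCache:
    """DNSSEC-validated NSEC records from the root zone, kept until their TTL expires."""
    APEX = ()

    def __init__(self):
        self.records = []  # (owner_key, next_key, expires_at)

    def add(self, owner, next_name, ttl, now):
        self.records.append((canonical_key(owner), canonical_key(next_name), now + ttl))

    def _covered(self, q, now):
        for owner, nxt, expires in self.records:
            if expires <= now:
                continue  # stale proof: must ask the root again
            # Assumption: every non-apex owner in the root zone is a delegation,
            # so its NSEC says nothing about names below the zone cut.
            if owner != self.APEX and q[:len(owner)] == owner:
                continue
            # The last NSEC of the chain points back at the apex (wrap-around).
            if owner < q and (q < nxt or nxt == self.APEX):
                return True
        return False

    def can_answer_nxdomain(self, qname, now):
        """True if cached NSECs cover both qname and the wildcard '*.' at the
        root, so NXDOMAIN can be synthesized without querying a root server."""
        return self._covered(canonical_key(qname), now) and self._covered((b"*",), now)

# Constructed sample: the two NSEC records a validated NXDOMAIN response for
# "local." would carry, from an abbreviated, made-up chain . -> aaa. -> com. -> net.
def demo(now=1000):
    cache = RootNsecCache()
    cache.add(".", "aaa.", ttl=86400, now=now)     # covers the wildcard "*."
    cache.add("com.", "net.", ttl=86400, now=now)  # covers "local."
    names = ["home.", "lan.", "corp.", "belkin.", "com.", "www.example.com."]
    return {n: cache.can_answer_nxdomain(n, now + 60) for n in names}

if __name__ == "__main__":
    for name, cached in demo().items():
        print(f"{name:18} {'NXDOMAIN from cache' if cached else 'query upstream'}")
```

In this sample, "belkin." still goes upstream because no cached NSEC spans its gap, and "www.example.com." does because it sits below a delegation.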

