> On 10 Feb 2015, at 11:02, bert hubert <[email protected]> wrote:
>
> Hi everybody,
>
> Recently at a large deployment, we ran into f.root-servers.net returning
> TC=1 to all our queries. We took this up with ISC who quickly informed us
> that this is a setting they run with if you exceed more than 5 NXDOMAIN
> responses/s.
>
> The installation in question services millions of subscribers, and sadly
> gets a lot of silly queries which leak to the root. We're unsure how to
> stay below 5 NXDOMAINs/s permanently.
>
> You can reproduce this behaviour like this:
>
> $ for a in {1..10}; do dig www.no-such-tld-$a -4 @f.root-servers.net ; done > log
> $ grep -E 'TCP|status:' l
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54154
> (...)
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4798
> ;; Truncated, retrying in TCP mode.
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1549
>
> We've since tried to curtail our queries to the root severely, but we still
> get TC=1 responses a lot, which slows down our resolution.

Have you thought about running a local copy of the root zone?

> We shared our concerns with ISC, but it might be good to have a broader
> discussion on if it makes sense to set the bar so very low.

It doesn't make sense to set the bar low on a single instance. What might happen is that due to some server selection algorithm, this server gets a penalty and the resolver flocks to other root-servers.

Roy
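The thread above describes two things a resolver operator sees from the client side: responses with TC=1 that force a TCP retry, and a per-second NXDOMAIN rate toward one root server that ISC reportedly caps at 5/s. The following is an added illustration, not code from the thread or from any resolver: it parses the DNS header flags (QR, TC, RCODE) from wire-format responses and keeps a sliding one-second window so an operator can tell from their own traffic whether they would cross that threshold. The response messages are constructed inline (header only, no question section) and the threshold value is the one quoted in the message.

```python
import struct
from collections import deque

NXDOMAIN = 3  # RCODE value for Name Error (RFC 1035)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header: id, QR, TC, RCODE and section counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),      # 1 = response
        "tc": bool(flags & 0x0200),      # 1 = truncated, retry over TCP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(msg: bytes) -> bool:
    """Same rule dig applies when it prints 'Truncated, retrying in TCP mode'."""
    h = parse_header(msg)
    return h["qr"] and h["tc"]


class NxdomainRateTracker:
    """Sliding-window count of NXDOMAIN responses seen from one server."""

    def __init__(self, threshold: int = 5, window: float = 1.0):
        self.threshold = threshold   # 5/s as reported by ISC in the thread
        self.window = window
        self.times = deque()

    def observe(self, ts: float, msg: bytes) -> bool:
        """Record one response; True if it pushes the NXDOMAIN rate over the threshold."""
        h = parse_header(msg)
        if not (h["qr"] and h["rcode"] == NXDOMAIN):
            return False
        self.times.append(ts)
        while self.times and ts - self.times[0] >= self.window:
            self.times.popleft()
        return len(self.times) > self.threshold


def build_response(ident: int, tc: bool, rcode: int) -> bytes:
    """Constructed sample response header (assumption: no question/answer sections)."""
    flags = 0x8000 | (0x0200 if tc else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 0, 0, 0, 0)
```

Feeding ten NXDOMAIN responses spaced 100 ms apart into `NxdomainRateTracker()` flags the sixth one, which matches the point in bert's loop where the root server starts answering with TC=1.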
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
