> Matthew Pounsett <mailto:[email protected]>
> Tuesday, February 10, 2015 6:26 AM
>
> This is Response Rate Limiting in action… they’re not explicitly
> limiting NXDOMAIN responses; they’re limiting identical responses. If
> Bert’s server was asking for the same A record over and over that
> would get truncated and forced over to TCP as well. It’s probably not
> only F, although I don’t think I’ve seen a comprehensive list of which
> root instances are running RRL.
NXDOMAINs are grouped together by DNS RRL according to SOA, so, for all unrecognized TLDs, there's one DNS RRL bucket for NXDOMAINs for each IPv4 /24 and each IPv6 /48. As I wrote up-thread, I think 25/sec would be a better threshold for NXDOMAINs on a root server running DNS RRL.

To all: this is not a bug; see http://www.redbarn.org/dns/ratelimits, and stop worrying about whether this "bug" means you should search for a way to add root zone content to your RDNS as a way to avoid rate limiting. Rather, please throw your support behind query minimization, in which case nonexistent TLDs would be cacheable in each RDNS (in negative form) and would prevent you from needing to forward other queries under those nonexistent TLDs to a root name server (the oft-called "random subdomain attack").

There are good reasons to add autonomous local root name servers to your host or network. But this is not one of those reasons. Again, this is not a bug, just a tuning matter.

-- 
Paul Vixie
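The bucketing described in the message above, as an added simulation written for this thread (it is not code from the thread or from any RRL implementation): NXDOMAIN responses are keyed by the zone's SOA and the client's /24 or /48, so queries for many different nonexistent TLDs from one netblock share a single bucket, while positive answers are keyed per name. The fixed one-second window, the `limit` values and the client addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def bucket_key(client_ip, rcode, qname, zone_soa):
    """Identical-response bucket key, following the thread: NXDOMAINs collapse
    onto the zone's SOA (at the root, every nonexistent TLD lands in one bucket),
    positive answers are keyed by qname; clients aggregate to /24 or /48."""
    addr = ipaddress.ip_address(client_ip)
    plen = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    name = zone_soa if rcode == "NXDOMAIN" else qname.lower()
    return (str(net), rcode, name)

class RRL:
    """Simplified limiter: a fixed per-second counter per bucket. Real RRL uses
    a credit window and drops some limited responses rather than truncating all."""
    def __init__(self, responses_per_second):
        self.limit = responses_per_second
        self.counts = defaultdict(int)

    def decide(self, ts, client_ip, rcode, qname, zone_soa="."):
        slot = (bucket_key(client_ip, rcode, qname, zone_soa), int(ts))
        self.counts[slot] += 1
        if self.counts[slot] <= self.limit:
            return "answer"
        return "truncate"  # TC=1: a legitimate resolver retries over TCP

def simulate_nxdomain(limit):
    """30 queries in one second from one /24, each for a different bogus TLD.
    They all share one NXDOMAIN bucket at the root, so only `limit` are answered."""
    rrl = RRL(limit)
    return [rrl.decide(100.0 + i / 30, f"192.0.2.{i}", "NXDOMAIN", f"host.bogus{i}.")
            for i in range(30)]

def simulate_positive(limit):
    """Same client and rate, but 30 distinct existing names: each has its own
    bucket, so none are limited. This is the contrast Matthew draws above."""
    rrl = RRL(limit)
    return [rrl.decide(100.0 + i / 30, f"192.0.2.{i}", "NOERROR", f"ns{i}.example.")
            for i in range(30)]

if __name__ == "__main__":
    for limit in (5, 25):
        r = simulate_nxdomain(limit)
        print(f"limit={limit}: {r.count('answer')} answered, {r.count('truncate')} truncated")
```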
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
