> Paul Hoffman <mailto:[email protected]>
> Wednesday, February 11, 2015 3:17 PM
> On Feb 11, 2015, at 1:30 PM, Paul Vixie <[email protected]> wrote:
>> 25/sec will not be enough for large rdns plants.
>
> That sounds specific enough that you have actual data to back this up; if so,
> I'm quite interested in it.

a busy RDNS that isn't doing Q-M often asks more than 25 bad-TLD queries per second. see OARC DITL data.

>
>> that's why the default policy for slip and drop is so important. f-root's
>> team must have overridden those, probably because various people have spread
>> some FUD about drops.
>
> You might be willing to say what the f-root team did, and why they did it,
> even without being on the team, but I'm not.

DNS RRL does not do 996 slips and four responses in a second under any default config.

>
>> this work came out of ddos work not dns work. after the tenth anniversary of
>> SAC004 came and went, with more rather than fewer edges lacking SAV. 25/sec
>> of signed nxdomain is enough to overload any DSL circuit. i'd be happy to
>> work with you to find an upper limit.
>
> OK, now it sounds like you don't have actual data yet. N'r mind.

3000 bytes X 25/sec X 13 root name servers X 8 bits = 7.8Megabits/second.

by the way that level of snark is unusual for you. i'm sorry for peeving you out of your comfort zone.

--
Paul Vixie
