> On 15 Aug 2024, at 10:39 PM, Florian Obser <flor...@narrans.de> wrote:
> 
> On 2024-08-15 11:25 +02, Ralf Weber <d...@fl1ger.de> wrote:
>> I just logged in to a random server that is doing tens of thousands of
>> requests per second and it had 15% NXDomain queries 1% SERVFAIL and REFUSED
>> and 0.1% FORMERR and that is a typical RCODE distribution, and it would
>> be impossible to follow and investigate all of them.
> 
> It's not a competition but... we are answering 50% NXDOMAIN and that's
> considered normal... It's also sad, but what can you do...
> 
> https://www.ripe.net/analyse/dns/k-root/statistics/root/daily/#return-codes
> 

Yes, has been considered "normal" for many years now - all this scaling of the
response capacity of the root server system could be characterised as "say
"no" faster and in greater volume!"

As to "what can you do"? there have been a couple of responses to this:

One is RFC8198, "Aggressive Use of DNSSEC-Validated Cache", which
allows recursive resolvers to "learn" the contents of the root zone from
NXDOMAIN responses and allows the recursive resolver to answer
NXDOMAIN from its local cache.

The other response is to have the local recursive resolver maintain a
local copy of the current root zone - RFC 8806, "Running a Root Server
Local to a Resolver". I particularly like Roy Arends and Nicolas Antoniello's
2021 technical analysis of this approach
(https://www.icann.org/en/system/files/files/octo-027-25aug21-en.pdf)


regards,

Geoff


_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
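
The RFC 8198 behaviour mentioned in the message, sketched as an added example (not part of the original post and not any resolver's actual code): a cache of already-validated root-zone NSEC spans that decides whether NXDOMAIN can be answered locally. The class and function names and the sample spans are constructed for illustration, and the closest encloser is assumed to be the root.

```python
import time

def canon(name):
    """RFC 4034 section 6.1 sort key: lowercased labels, rightmost label first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

class NsecCache:
    """Holds NSEC spans from the root zone. Assumes the caller has already
    DNSSEC-validated every record passed to learn()."""

    def __init__(self):
        self.spans = []  # (owner_key, next_key, is_delegation, expiry)

    def learn(self, owner, next_name, types, ttl, now=None):
        now = time.time() if now is None else now
        # NS without SOA in the type bitmap marks a delegation point (a TLD).
        deleg = "NS" in types and "SOA" not in types
        self.spans.append((canon(owner), canon(next_name), deleg, now + ttl))

    def _covered(self, key, now):
        for owner, nxt, deleg, expiry in self.spans:
            if expiry <= now:
                continue  # stale proof, must ask upstream again
            # The last NSEC in the chain points back to the apex (empty key).
            in_gap = (owner < key < nxt) if nxt else (owner < key)
            # A delegation's NSEC proves nothing about names below the cut.
            below_cut = deleg and key[:len(owner)] == owner
            if in_gap and not below_cut:
                return True
        return False

    def synthesize_nxdomain(self, qname, now=None):
        """True if NXDOMAIN can be answered from cache: qname falls in a known
        gap and so does the root wildcard "*." (closest encloser is the root)."""
        now = time.time() if now is None else now
        return self._covered(canon(qname), now) and self._covered([b"*"], now)

def demo_cache():
    """Constructed sample spans; not a snapshot of the real root zone."""
    c = NsecCache()
    c.learn(".", "aaa.", {"NS", "SOA", "NSEC", "RRSIG", "DNSKEY"}, 86400, now=0)
    c.learn("com.", "comcast.", {"NS", "DS", "NSEC", "RRSIG"}, 86400, now=0)
    c.learn("loans.", "locker.", {"NS", "DS", "NSEC", "RRSIG"}, 86400, now=0)
    c.learn("zw.", ".", {"NS", "NSEC", "RRSIG"}, 86400, now=0)
    return c
```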