Google DNS intermittent ServFail for Disney subdomain

David Conrad drc at
Sun Oct 22 16:23:12 CST 2017


Pragmatically speaking, I strongly suspect the increase in valid queries to authoritative servers even if all “large recursive resolvers” went away would be lost in noise of the overcapacity necessary to deal with even a lower-end DDoS attack.

Perhaps more interestingly, if said recursive resolvers on home routers would implement DNSSEC with RFC 8198 (and the owners of the authoritative zones would sign those zones), an entire class of DDoS attack would be mitigated. Further, if said recursive resolvers also implemented RFC 7706, latency to the root would be reduced and the risk of to the network behind that recursive resolver of a DDoS against the root of the DNS would be removed.


On Oct 22, 2017, 12:00 AM -0700, Damian Menscher via NANOG <nanog at>, wrote:
> On Fri, Oct 20, 2017 at 6:29 AM, Filip Hruska <fhr at> wrote:
> > Would be great if makers of home routers would implement full recursive
> > DNS resolvers
> > instead of just forwards in their gear.
> Ignoring the latency impact of your proposal, I wonder what would happen to
> the world's authoritative servers if all users hit them directly rather
> than going through large recursive resolvers that do caching? I'm guessing
> it wouldn't be pretty.
> Damian

More information about the NANOG mailing list