2018-02-20 - News - Tony Finch
The DNS servers are now running BIND 9.12.0. This version includes official versions of all the patches we needed for production, so we can now run servers built from unpatched upstream source.
First, a really nice DNSSEC-related performance enhancement is RFC 8198 negative answer synthesis: BIND can use NSEC records to generate negative responses, rather than re-querying authoritative servers. Our current configuration includes a lot of verbiage to suppress junk queries, all of which can be removed because of this new feature.
Second, a nice robustness improvement: when upstream authoritative DNS servers become unreachable, BIND will serve stale records from its cache after their time-to-live has expired. This should improve your ability to reach off-site servers when there are partial connectivity problems, such as DDoS attacks against their DNS servers.
Third, an operational simplifier: by default BIND will limit journal files to twice the zone file size, rather than letting them grow without bound. This is a patch I submitted to ISC.org about three years ago, so it has taken a very long time to get included in a release! This feature means I no longer need to run a patched BIND on our servers.
Fourth, a DNSSEC automation tool, dnssec-cds
. (I mentioned this in a
message I sent to this list back in October.) This is I think my largest
single contribution to BIND, and (in contrast to the previous patch) it
was one of the fastest to get committed! There's still some more work
needed before we can put it into production, but we're a lot closer.
There are numerous other improvements, but those are the ones I am particularly pleased by. Now, what needs doing next ...