2018-03-27 - News - Tony Finch
Edited to add:
A few hours after the item below, we disabled the new serve-stale feature following problems on one of our recursive DNS servers. We are working with ISC.org to get serve-stale working better.
Original item follows:
The DNS servers are now running BIND 9.12.1. This version fixes an interoperability regression that affected resolution of bad domains with a forbidden CNAME at the zone apex.
We have also enabled the new serve-stale feature, so that when a remote DNS server is not available, our resolvers will return old answers instead of a failure. The max-stale-ttl is set to one hour, which should be long enough to cover short network problems, but not so long that malicious domains hang around long after they are taken down.
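
The trade-off behind the one-hour max-stale-ttl, as a simplified model added here for illustration (it is not BIND's implementation or this site's configuration). The class and function names, the 300-second TTL, the example.test name and the choice to measure the stale window from TTL expiry are all assumptions of the model.

```python
MAX_STALE_TTL = 3600  # one hour, the value given in the news item


class UpstreamDown(Exception):
    """No remote server answered (hypothetical upstream signal)."""


class StaleCache:
    def __init__(self, upstream, max_stale_ttl=MAX_STALE_TTL):
        self.upstream = upstream  # callable(name) -> (answer, ttl)
        self.max_stale_ttl = max_stale_ttl
        self.entries = {}  # name -> (answer, expiry time)

    def resolve(self, name, now):
        """Return (answer, status): fresh, cached, stale or servfail."""
        cached = self.entries.get(name)
        if cached and now < cached[1]:
            return cached[0], "cached"
        try:
            answer, ttl = self.upstream(name)
        except UpstreamDown:
            # An expired answer is reused only inside the stale window,
            # so a vanished domain lingers for at most max_stale_ttl.
            if cached and now < cached[1] + self.max_stale_ttl:
                return cached[0], "stale"
            self.entries.pop(name, None)
            return None, "servfail"
        self.entries[name] = (answer, now + ttl)
        return answer, "fresh"


def demo(max_stale_ttl=MAX_STALE_TTL):
    """Constructed scenario: a 300 s TTL record whose servers go away."""
    state = {"up": True}

    def upstream(name):
        if not state["up"]:
            raise UpstreamDown(name)
        return "192.0.2.10", 300

    cache = StaleCache(upstream, max_stale_ttl)
    first = cache.resolve("example.test", 0)
    state["up"] = False  # remote servers become unreachable
    later = [cache.resolve("example.test", t) for t in (100, 301, 3899, 3900)]
    return [status for _, status in [first] + later]
```

With the one-hour window the record is still answered at 3899 seconds and fails at 3900; with a window of zero it fails as soon as its own TTL runs out.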
In other news, the DNS rebuild scripts (that run at 53 minutes past each hour) have been amended to handle power outages and server maintenance more gracefully. This should avoid most of the cases where the DNS build has stopped running due to excessive caution.