More upgrades

2018-03-27 - News - Tony Finch

Edited to add:

A few hours after the item below, we disabled the new serve-stale feature following problems on one of our recursive DNS servers. We are working with to get serve-stale working better.

Original item follows:

The DNS servers are now running BIND 9.12.1. This version fixes an interoperability regression that affected resolution of bad domains with a forbidden CNAME at the zone apex.

We have also enabled the new serve-stale feature, so that when a remote DNS server is not available, our resolvers will return old answers instead of a failure. The max-stale-ttl is set to one hour, which should be long enough to cover short network problems, but not too long to make malicious domains hang around long after they are taken down.

In other news, the DNS rebuild scripts (that run at 53 minutes past each hour) have been amended to handle power outages and server maintenance more gracefully. This should avoid most of the cases where the DNS build has stopped running due to excessive caution.