+5560. [func] The default value of "max-stale-ttl" has been changed
+ from 12 hours to 1 day and the default value of
+ "stale-answer-ttl" has been changed from 1 second to
+ 30 seconds, following RFC 8767 recommendations.
+ [GL #2248]
+
5559. [bug] The --with-maxminddb=PATH form of the build-time option
enabling support for libmaxminddb was not working
correctly. This has been fixed. [GL #2366]
max-ncache-ttl 10800; /* 3 hours */\n\
max-recursion-depth 7;\n\
max-recursion-queries 100;\n\
- max-stale-ttl 43200; /* 12 hours */\n\
+ max-stale-ttl 86400; /* 1 day */\n\
message-compression yes;\n\
min-ncache-ttl 0; /* 0 hours */\n\
min-cache-ttl 0; /* 0 seconds */\n\
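Review bot: The new `max-stale-ttl 86400;` default changes behaviour on upgrade for any operator who has enabled serve-stale but never set this option explicitly. Those servers will now answer with expired data for up to a day instead of 12 hours when the authoritative servers are unreachable. The release note should say this outright and point out that setting `max-stale-ttl` explicitly keeps the old window.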
# sortlist <none>\n\
stale-answer-enable false;\n\
stale-refresh-time 30; /* 30 seconds */\n\
- stale-answer-ttl 1; /* 1 second */\n\
+ stale-answer-ttl 30; /* 30 seconds */\n\
stale-cache-enable false;\n\
synth-from-dnssec no;\n\
# topology <none>\n\
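Review bot: Nothing visible in this patch exercises the new `stale-answer-ttl 30;` default. If an existing serve-stale test asserts a TTL of 1 on stale answers from a default configuration, it needs updating alongside this line. A check that a default-configured server returns TTL 30 on a stale answer would guard the change. The new value now also equals `stale-refresh-time 30;` two lines up, so a short comment saying whether that match is intentional would help the next reader.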
treated as ``unlimited``.
``stale-answer-ttl``
- This specifies the TTL to be returned on stale answers. The default is 1
- second. The minimum allowed is also 1 second; a value of 0 is
- updated silently to 1 second.
+ This specifies the TTL to be returned on stale answers. The default is 30
+ seconds. The minimum allowed is 1 second; a value of 0 is updated silently
+ to 1 second.
For stale answers to be returned, they must be enabled, either in the
configuration file using ``stale-answer-enable`` or via
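Review bot: The updated `stale-answer-ttl` text gives the new default but not its consequence. With 30 seconds instead of 1, downstream caches and stub resolvers may keep a stale answer for up to 30 seconds after it is handed out, even if the authoritative servers recover in the meantime. One sentence saying so, with the RFC 8767 reference that the CHANGES entry already carries, would make the trade-off clear to operators reading only the reference manual.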
``max-stale-ttl``
If retaining stale RRsets in cache is enabled, and returning of stale cached
- answers is also enabled, ``max-stale-ttl`` sets the maximum time
- for which the server retains records past their normal expiry to
- return them as stale records, when the servers for those records are
- not reachable. The default is 12 hours. The minimum allowed is 1
- second; a value of 0 is updated silently to 1 second.
+ answers is also enabled, ``max-stale-ttl`` sets the maximum time for which
+ the server retains records past their normal expiry to return them as stale
+ records, when the servers for those records are not reachable. The default
+ is 1 day. The minimum allowed is 1 second; a value of 0 is updated silently
+ to 1 second.
For stale answers to be returned, the retaining of them in cache must be
enabled via the configuration option ``stale-cache-enable``, and returning
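Review bot: The only substantive change in the `max-stale-ttl` paragraph is "12 hours" becoming "1 day", but all five lines are rewrapped, which hides that in the diff. Consider keeping the original line breaks here and doing the reflow in a separate commit. The same applies to the `stale-answer-ttl` paragraph, where the rewrap also drops the word "also" from "The minimum allowed is also 1 second".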
signal that the entire DS RRset at the parent must be removed, as
described in RFC 8078. [GL #1750]
+- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1
+ day and the default value of ``stale-answer-ttl`` has been changed from 1
+ second to 30 seconds, following RFC 8767 recommendations. [GL #2248]
+
+- Adjust the ``max-recursion-queries`` default from 75 to 100. Since the
+ queries sent towards root and TLD servers are now included in the
+ count (as a result of the fix for CVE-2020-8616), ``max-recursion-queries``
+ has a higher chance of being exceeded by non-attack queries, which is the
+ main reason for increasing its default value. [GL #2305]
+
- When using the ``unixtime`` or ``date`` method to update the SOA
serial number, ``named`` and ``dnssec-signzone`` silently fell back to
the ``increment`` method to prevent the new serial number from being
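Review bot: The second added bullet, about ``max-recursion-queries`` going from 75 to 100, does not belong to this change as far as the visible hunks show. CHANGES entry 5560 covers only the two serve-stale defaults, and the defaults hunk carries `max-recursion-queries 100;` as unchanged context. If the bullet is being restored after a merge, say so in the commit message. Otherwise move it to the commit for [GL #2305] so this one stays limited to [GL #2248].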