From: Matthijs Mekking Date: Tue, 8 Dec 2020 14:58:45 +0000 (+0100) Subject: Update serve-stale config defaults X-Git-Tag: v9.16.12~30^2~1 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=4d48df7f97984b93247e7b61294418046a54c505;p=thirdparty%2Fbind9.git Update serve-stale config defaults Change the serve-stale configuration defaults so that they match the recommendations from RFC 8767. (cherry picked from commit e15a433b2317c9d69cec87cff09d9abc2dea7423) --- diff --git a/CHANGES b/CHANGES index 0a06b0c7655..ceeaa74273f 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,12 @@ of the DNSKEY signature validity. This is now fixed. [GL #2383] +5560. [func] The default value of "max-stale-ttl" has been changed + from 12 hours to 1 day and the default value of + "stale-answer-ttl" has been changed from 1 second to + 30 seconds, following RFC 8767 recommendations. + [GL #2248] + 5456. [func] Added "primaries" as a synonym for "masters" in named.conf, and "primary-only" as a synonym for "master-only" in the parameters to "notify", to bring diff --git a/bin/named/config.c b/bin/named/config.c index 85fdcb8ed38..210ac8bde67 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -169,7 +169,7 @@ options {\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-recursion-depth 7;\n\ max-recursion-queries 100;\n\ - max-stale-ttl 43200; /* 12 hours */\n\ + max-stale-ttl 86400; /* 1 day */\n\ message-compression yes;\n\ min-ncache-ttl 0; /* 0 hours */\n\ min-cache-ttl 0; /* 0 seconds */\n\ @@ -195,7 +195,7 @@ options {\n\ # sortlist \n\ stale-answer-enable false;\n\ stale-refresh-time 30; /* 30 seconds */\n\ - stale-answer-ttl 1; /* 1 second */\n\ + stale-answer-ttl 30; /* 30 seconds */\n\ stale-cache-enable true;\n\ synth-from-dnssec no;\n\ # topology \n\ diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index ece8b6367fa..8d93ef91371 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -1512,9 +1512,9 @@ default is used. treated as ``unlimited``. ``stale-answer-ttl`` - This specifies the TTL to be returned on stale answers. The default is 1 - second. The minimum allowed is also 1 second; a value of 0 is - updated silently to 1 second. + This specifies the TTL to be returned on stale answers. The default is 30 + seconds. The minimum allowed is 1 second; a value of 0 is updated silently + to 1 second. For stale answers to be returned, they must be enabled, either in the configuration file using ``stale-answer-enable`` or via @@ -3322,11 +3322,11 @@ Tuning ``max-stale-ttl`` If retaining stale RRsets in cache is enabled, and returning of stale cached - answers is also enabled, ``max-stale-ttl`` sets the maximum time - for which the server retains records past their normal expiry to - return them as stale records, when the servers for those records are - not reachable. The default is 12 hours. The minimum allowed is 1 - second; a value of 0 is updated silently to 1 second. + answers is also enabled, ``max-stale-ttl`` sets the maximum time for which + the server retains records past their normal expiry to return them as stale + records, when the servers for those records are not reachable. The default + is 1 day. The minimum allowed is 1 second; a value of 0 is updated silently + to 1 second. For stale answers to be returned, the retaining of them in cache must be enabled via the configuration option ``stale-cache-enable``, and returning diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 03077be32da..5d6403b067c 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -54,6 +54,10 @@ Feature Changes to distribute incoming queries among multiple threads on systems which lack support for load-balanced sockets (except Windows). [GL #2137] +- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1 + day and the default value of ``stale-answer-ttl`` has been changed from 1 + second to 30 seconds, following RFC 8767 recommendations. [GL #2248] + - When using the ``unixtime`` or ``date`` method to update the SOA serial number, ``named`` and ``dnssec-signzone`` silently fell back to the ``increment`` method to prevent the new serial number from being
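Review bot: In the first bin/named/config.c hunk, raising `max-stale-ttl` from 43200 to 86400 doubles how long expired RRsets stay in cache for every default configuration, not only for operators who opted in to serving stale data, because the second hunk shows `stale-cache-enable true;` is already the default while `stale-answer-enable false;` is not. Please have the CHANGES entry or release note state that cache retention (and therefore cache memory footprint) grows for installations that never enabled stale answers, and that the previous behaviour can be restored by setting `max-stale-ttl 43200;` explicitly.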
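Review bot: In the second bin/named/config.c hunk, `stale-answer-ttl 30;` now equals the `stale-refresh-time 30;` on the line above it; the 30-second value is the one RFC 8767 recommends, but the patch touches no tests, so any system test that asserts a TTL of 1 on a stale answer (or 43200 for retention) will need a matching update. Please confirm the serve-stale tests were run against the new defaults before merge.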
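Review bot: In both doc/arm/reference.rst hunks the only substantive edits are "1 second" to "30 seconds" and "12 hours" to "1 day" (plus dropping the word "also"), yet whole paragraphs are rewrapped, which makes the real change hard to spot and will conflict with any concurrent documentation edit. Consider restricting the hunk to the sentences whose wording actually changed, for example only `The default is 30` / `seconds.` in the ``stale-answer-ttl`` paragraph.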
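Review bot: The doc/notes/notes-current.rst hunk records the new numbers but not what an operator should do about them; a release note for a default change is most useful when it says who is affected. Suggest adding one sentence such as "Installations relying on the previous defaults should set ``max-stale-ttl 43200;`` and ``stale-answer-ttl 1;`` explicitly", using the old values visible in the config.c hunks, and keeping the [GL #2248] reference.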