diff --git a/bin/named/config.c b/bin/named/config.c
index fa8473db7c..b6453b814e 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -151,7 +151,7 @@ options {\n\
 fetches-per-server 0;\n\
 fetches-per-zone 0;\n\
 glue-cache yes;\n\
- lame-ttl 600;\n"
+ lame-ttl 0;\n"
 #ifdef HAVE_LMDB
 " lmdb-mapsize 32M;\n"
 #endif /* ifdef HAVE_LMDB */
diff --git a/bin/named/server.c b/bin/named/server.c
index 638703e8c2..35ad6a0b7f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4806,8 +4806,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 result = named_config_get(maps, "lame-ttl", &obj);
 INSIST(result == ISC_R_SUCCESS);
 lame_ttl = cfg_obj_asduration(obj);
- if (lame_ttl > 1800) {
- lame_ttl = 1800;
+ if (lame_ttl > 0) {
+ cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
+ "disabling lame cache despite lame-ttl > 0 as it "
+ "may cause performance issues");
+ lame_ttl = 0;
 }
 dns_resolver_setlamettl(view->resolver, lame_ttl);
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 3bc4439745..fea854f3d1 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3358,9 +3358,9 @@ Tuning
 ^^^^^^
 ``lame-ttl``
- This sets the number of seconds to cache a lame server indication. 0
- disables caching. (This is **NOT** recommended.) The default is
- ``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes).
+ This is always set to 0. More information is available in the
+ `security advisory for CVE-2021-25219
+ `_.
 ``servfail-ttl``
 This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
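Review bot: The warning emitted in the new `if (lame_ttl > 0)` branch of configure_view tells operators only that the lame cache "may cause performance issues", while the reference.rst hunk in the same commit points them to CVE-2021-25219; an operator who sees this message after a reconfig cannot tell from the log that their configured value is being overridden for a security reason, and the code carries no comment explaining why the former 1800-second cap became an unconditional reset to 0. I would extend the message to name the advisory, e.g. `"disabling lame cache despite lame-ttl > 0 as it may cause performance issues (see CVE-2021-25219)"`, and add a one-line comment above the `if`, such as `/* lame-ttl is forced to 0: the lame cache is disabled, see CVE-2021-25219 */`, so the intent survives future cleanups of this block. Note that with this change every view whose configuration still sets lame-ttl will log at ISC_LOG_WARNING via cfg_obj_log, which seems appropriate given the motivation but is worth stating in that comment so the level is not lowered later as "noise". configure_view starts and ends outside this hunk.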