diff --git a/CHANGES b/CHANGES index 1f80b1e6fd..97ebc9f6c8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +5560. [func] The default value of "max-stale-ttl" has been changed + from 12 hours to 1 day and the default value of + "stale-answer-ttl" has been changed from 1 second to + 30 seconds, following RFC 8767 recommendations. + [GL #2248] + 5559. [bug] The --with-maxminddb=PATH form of the build-time option enabling support for libmaxminddb was not working correctly. This has been fixed. [GL #2366] diff --git a/bin/named/config.c b/bin/named/config.c index cda5776357..ccea2dbf4d 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -171,7 +171,7 @@ options {\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-recursion-depth 7;\n\ max-recursion-queries 100;\n\ - max-stale-ttl 43200; /* 12 hours */\n\ + max-stale-ttl 86400; /* 1 day */\n\ message-compression yes;\n\ min-ncache-ttl 0; /* 0 hours */\n\ min-cache-ttl 0; /* 0 seconds */\n\ @@ -197,7 +197,7 @@ options {\n\ # sortlist \n\ stale-answer-enable false;\n\ stale-refresh-time 30; /* 30 seconds */\n\ - stale-answer-ttl 1; /* 1 second */\n\ + stale-answer-ttl 30; /* 30 seconds */\n\ stale-cache-enable false;\n\ synth-from-dnssec no;\n\ # topology \n\ diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 712f48d69f..7c22ea289d 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -1505,9 +1505,9 @@ default is used. treated as ``unlimited``. ``stale-answer-ttl`` - This specifies the TTL to be returned on stale answers. The default is 1 - second. The minimum allowed is also 1 second; a value of 0 is - updated silently to 1 second. + This specifies the TTL to be returned on stale answers. The default is 30 + seconds. The minimum allowed is 1 second; a value of 0 is updated silently + to 1 second. For stale answers to be returned, they must be enabled, either in the configuration file using ``stale-answer-enable`` or via 
@@ -3334,11 +3334,11 @@ Tuning ``max-stale-ttl`` If retaining stale RRsets in cache is enabled, and returning of stale cached - answers is also enabled, ``max-stale-ttl`` sets the maximum time - for which the server retains records past their normal expiry to - return them as stale records, when the servers for those records are - not reachable. The default is 12 hours. The minimum allowed is 1 - second; a value of 0 is updated silently to 1 second. + answers is also enabled, ``max-stale-ttl`` sets the maximum time for which + the server retains records past their normal expiry to return them as stale + records, when the servers for those records are not reachable. The default + is 1 day. The minimum allowed is 1 second; a value of 0 is updated silently + to 1 second. For stale answers to be returned, the retaining of them in cache must be enabled via the configuration option ``stale-cache-enable``, and returning diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 06c99da9fe..02407bc008 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -42,6 +42,16 @@ Feature Changes signal that the entire DS RRset at the parent must be removed, as described in RFC 8078. [GL #1750] +- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1 + day and the default value of ``stale-answer-ttl`` has been changed from 1 + second to 30 seconds, following RFC 8767 recommendations. [GL #2248] + +- Adjust the ``max-recursion-queries`` default from 75 to 100. Since the + queries sent towards root and TLD servers are now included in the + count (as a result of the fix for CVE-2020-8616), ``max-recursion-queries`` + has a higher chance of being exceeded by non-attack queries, which is the + main reason for increasing its default value. [GL #2305] + - When using the ``unixtime`` or ``date`` method to update the SOA serial number, ``named`` and ``dnssec-signzone`` silently fell back to the ``increment`` method to prevent the new serial number from being
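Review bot: in bin/named/config.c (@@ -171,7 +171,7), the new `max-stale-ttl 86400` default is inert under the surrounding defaults (`stale-cache-enable false;` and `stale-answer-enable false;` in the same block), but for any deployment that has turned serve-stale on without pinning `max-stale-ttl` it doubles how long expired RRsets are kept in cache and can be handed out as stale answers. Neither the CHANGES entry (5560) nor the release note says so; suggest adding a sentence that the change only affects servers with stale cache/answers enabled, and that operators who want the previous behaviour can keep `max-stale-ttl 43200;` in `options`.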
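Review bot: in doc/arm/reference.rst (@@ -1505,9 +1505,9) the `stale-answer-ttl` paragraph now states "The default is 30 seconds" with no rationale, while the CHANGES entry attributes both new defaults to RFC 8767; the ARM is where operators look, so cite it here (and in the `max-stale-ttl` paragraph at @@ -3334,11 +3334,11), e.g. "The default is 30 seconds, following the RFC 8767 recommendation." Also, with `stale-refresh-time 30;` and `stale-answer-ttl 30;` now both 30 seconds in config.c, the two options are easy to conflate; a sentence in this paragraph saying which of the two governs the TTL clients receive and pointing to `stale-refresh-time` for the other would help.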
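Review bot: in doc/notes/notes-current.rst (@@ -42,6 +42,16) the second added bullet, the `max-recursion-queries` default change for [GL #2305], is unrelated to the stale-TTL change this commit records in CHANGES (5560, [GL #2248]) and has no matching CHANGES line in this diff (`max-recursion-queries 100;` already appears as unchanged context in config.c); either move the bullet to the commit that made that change or confirm its CHANGES entry landed separately. It also breaks the style of the surrounding notes, which are past tense ("has been changed") where this one is imperative ("Adjust the ``max-recursion-queries`` default from 75 to 100"); suggest "The default value of ``max-recursion-queries`` has been changed from 75 to 100."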