Quick poll: Cache poison vs site problems vs BIND bug vs Windows neg caching

Wiley Sanders bind at wsanders.net
Fri May 8 08:11:56 UTC 2009


Howdy all, we're running 9.5.0-P2 (fairly recent) on two servers that
are recursive DNS sources for a medium-sized college. This week, we
had more than a few users complaining about craigslist.org and
www.chase.com not resolving, and sure enough when I checked with dig
one of Craigslist's NS servers was not working right (sending SERVFAIL
replies).

An "rndc flush" did not seem to get things working again immediately,
so I stopped and restarted named. I don't know what was up with Chase;
I didn't hear about that problem until after I fixed it.

I am tempted to chalk this up to negative caching, but the default is
only a few hours and by the time I was notified, the users were
complaining they had been having problems with Craigslist for 2 weeks.
Just out of curiosity, I tuned max-ncache-ttl down to 10 min, but
max-ncache-ttl only affects caching of NXDOMAIN replies as I
understand it.

Is BIND negative caching on SERVFAIL responses as well as NXDOMAIN
responses? (Unlikely.)

What's the behavior of a recursive lookup when one NS host is dead and
the others are working? Does BIND try all of them or give up after the
first?

Our setup is pretty generic, except that we allow the whole world
access for authoritative responses but allow recursive access only to
"inside" addresses with an "allow-recursion" statement. I suppose this
allows the rest of the world to try their hand at messing up our
cache. Chase and Craigslist being high-profile targets ...

I searched around and Craigslist did have some DNS problems last
month, but mostly it was just people whining about it being their
carrier's fault somehow.

Well, I'll stop my rambling on about this, and if anyone has any
thoughts on the matter, thanks in advance,

-W Sanders
 http://wsanders.net
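A scripted version of the check described above (querying each of a zone's NS hosts directly with dig and noting which ones answer SERVFAIL), added here as an example that is not part of the original post; it assumes dig is installed and takes the zone name as its argument.

```shell
# Added example, not from the original post. Assumes dig is on PATH.

# Extract the status word (NOERROR, SERVFAIL, NXDOMAIN, REFUSED, ...)
# from dig output read on stdin; prints TIMEOUT when dig produced no
# header line at all (dead server or dropped packets).
dig_status() {
    status=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo TIMEOUT
    else
        echo "$status"
    fi
}

# Ask every NS host of the zone for the zone apex A record directly,
# with recursion disabled, so each answer reflects that server alone
# and not whatever our own resolver has cached. Prints one line per
# server and returns the number of servers that did not answer NOERROR.
check_zone_servers() {
    zone=$1
    bad=0
    for ns in $(dig +short NS "$zone"); do
        status=$(dig +norecurse +time=3 +tries=1 @"$ns" "$zone" A | dig_status)
        echo "$ns $status"
        [ "$status" = NOERROR ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Usage (needs network access):
#   check_zone_servers craigslist.org || echo "some NS hosts are unhealthy"
```

Run it from a host that can reach the authoritative servers directly; a non-zero exit count tells you how many NS hosts failed, independent of the local cache.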
