BIND9 acting as DNScache failure

Roman M. Parparov roman at parparov.com
Sun Aug 15 08:29:47 UTC 2010


Greetings,

We're running a set of BIND9 9.7.1p2 servers as a set of dnscaches.
Last night the servers underwent a DDoS attack and they didn't survive. For some reason a reload was triggered:

--- excerpt from the logs

received control channel command 'reload'
loading configuration from '/etc/named.conf'
reading built-in trusted keys from file '/etc/named.iscdlv.key'
using default UDP/IPv4 port range: [1024, 65535]
using default UDP/IPv6 port range: [1024, 65535]
using built-in trusted-keys for view _default
set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
the working directory is not writable
reloading configuration succeeded
managed-keys-zone ./IN: loaded serial 277
reloading zones succeeded
managed-keys-zone ./IN: Unable to fetch DNSKEY set 'dlv.isc.org': out of memory
malformed transaction: /var/named/dynamic/managed-keys.bind.jnl last serial 278 != transaction first serial 277
managed-keys-zone ./IN: keyfetch_done:dns_journal_write_transaction -> unexpected error

--- end of excerpt

From then on the server returned SERVFAIL to all queries.
Also, sending stop failed:

--- excerpt from logs

received control channel command 'stop'
shutting down: flushing changes
stopping command channel on 127.0.0.1#953
no longer listening on 127.0.0.1#53
no longer listening on 192.114.75.45#53
no longer listening on ::1#53
no longer listening on fe80::dad3:85ff:fee1:a498%5#53

--- end of excerpt

but the process did not terminate and had to be killed with kill -9.

The DDoS was massively concentrated on:
* ACL (most of the requests were denied)
* "RFC 1918 response", i.e. they were targeted at 10.0.0 PTR entries.

Thanks in advance,
Roman.
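As an added example (not part of Roman's post and not BIND code), the following Python scanner walks named's log and pulls out the managed-keys indicators visible in the excerpt above: the 'reload' control command, the "working directory is not writable" warning, the loaded serial of the managed-keys zone, the out-of-memory DNSKEY fetch, the journal serial mismatch and the keyfetch_done journal write error. The sample log embedded in the block is constructed from the quoted lines (rejoined where the mail client wrapped them); the regexes, the dictionary keys and the alert wording are this example's own choices, not BIND identifiers. The journal_ahead_of_zone check generalises the numbers in the post: a journal whose last serial is higher than the serial the zone loaded with is the condition that produced the "malformed transaction" line, so it is worth alerting on by itself.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample input: the lines quoted in the post, with wrapped entries rejoined.
SAMPLE_LOG = """\
received control channel command 'reload'
loading configuration from '/etc/named.conf'
using built-in trusted-keys for view _default
set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
the working directory is not writable
reloading configuration succeeded
managed-keys-zone ./IN: loaded serial 277
reloading zones succeeded
managed-keys-zone ./IN: Unable to fetch DNSKEY set 'dlv.isc.org': out of memory
malformed transaction: /var/named/dynamic/managed-keys.bind.jnl last serial 278 != transaction first serial 277
managed-keys-zone ./IN: keyfetch_done:dns_journal_write_transaction -> unexpected error
"""

# Patterns written for this example against the message formats shown in the post.
CONTROL_RE = re.compile(r"received control channel command '(?P<cmd>\w+)'")
LOADED_SERIAL_RE = re.compile(r"managed-keys-zone \S+: loaded serial (?P<serial>\d+)")
OOM_RE = re.compile(r"managed-keys-zone \S+: Unable to fetch DNSKEY set '(?P<name>[^']+)': out of memory")
MISMATCH_RE = re.compile(
    r"malformed transaction: (?P<journal>\S+) last serial (?P<last>\d+) "
    r"!= transaction first serial (?P<first>\d+)"
)
JOURNAL_ERR_RE = re.compile(r"keyfetch_done:dns_journal_write_transaction -> (?P<err>.+)$")
NOT_WRITABLE = "the working directory is not writable"


def analyze(lines: Iterable[str]) -> Dict[str, object]:
    """Collect the managed-keys indicators from named's log lines."""
    f: Dict[str, object] = {
        "control_commands": [],      # rndc commands seen, in order
        "working_dir_unwritable": False,
        "loaded_serial": None,       # serial the managed-keys zone loaded with
        "dnskey_fetch_oom": [],      # names whose DNSKEY fetch died with out of memory
        "journal_mismatch": None,    # {journal, last, first} from the malformed-transaction line
        "journal_write_error": None, # text after 'dns_journal_write_transaction ->'
    }
    for raw in lines:
        line = raw.rstrip()
        if m := CONTROL_RE.search(line):
            f["control_commands"].append(m.group("cmd"))
        elif NOT_WRITABLE in line:
            f["working_dir_unwritable"] = True
        elif m := LOADED_SERIAL_RE.search(line):
            f["loaded_serial"] = int(m.group("serial"))
        elif m := OOM_RE.search(line):
            f["dnskey_fetch_oom"].append(m.group("name"))
        elif m := MISMATCH_RE.search(line):
            f["journal_mismatch"] = {
                "journal": m.group("journal"),
                "last": int(m.group("last")),
                "first": int(m.group("first")),
            }
        elif m := JOURNAL_ERR_RE.search(line):
            f["journal_write_error"] = m.group("err")
    return f


def journal_ahead_of_zone(f: Dict[str, object]) -> bool:
    """True when the journal's last serial is past the serial the zone loaded with."""
    mm = f["journal_mismatch"]
    return bool(mm) and f["loaded_serial"] is not None and mm["last"] > f["loaded_serial"]


def alerts(f: Dict[str, object]) -> List[str]:
    """Turn the collected indicators into operator-facing alert lines."""
    out: List[str] = []
    if f["working_dir_unwritable"]:
        out.append("named reports its working directory is not writable; check it alongside the journal errors")
    for name in f["dnskey_fetch_oom"]:
        out.append(f"DNSKEY fetch for {name} failed with out of memory")
    mm = f["journal_mismatch"]
    if mm:
        out.append(f"journal {mm['journal']} rejected a transaction: last serial {mm['last']} != first serial {mm['first']}")
    if journal_ahead_of_zone(f):
        out.append(f"journal serial {mm['last']} is ahead of loaded zone serial {f['loaded_serial']}")
    if f["journal_write_error"]:
        out.append(f"managed-keys journal write failed: {f['journal_write_error']}")
    return out


if __name__ == "__main__":
    for a in alerts(analyze(SAMPLE_LOG.splitlines())):
        print("ALERT:", a)
```

Feed it a real file with `analyze(open("/var/log/named.log"))` and page someone when `alerts()` is non-empty; on a cache that has just turned SERVFAIL, the presence of all five alerts together is the signature of the failure described in the post.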



More information about the bind-users mailing list