The easier way to mitigate is to enable DNSSEC validation on the resolver (which is a good thing anyway). From my tests this changes the behaviour of BIND insofar as it respects the TTL of the NS set rather strictly, and returns to the parent on expiry.
Looks like the most efficient long-term fix to me...

Best,
Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473