This morning we successfully completed a maintenance on ns1.linode.com as a part of an ongoing effort to harden our infrastructure against future attacks. While the majority of DNS users noticed no interruptions of service, a very specific subset of users may be experiencing issues:
1. Users who utilize our name servers as DNS slaves, while privately operating their own master
2. Users who utilize our name servers for vanity DNS by pointing glue records for their domain directly to the IPs of our name servers
Users of the first group may be noticing that zone updates are not propagating in a timely manner. This problem is due to the fact that the DNS for our ns[1-5].linode.com now points to IP addresses provided by CloudFlare, who is dropping DNS NOTIFY packets. Thus users experiencing this problem most likely did not first experience it this morning. This morning's maintenance was necessary in order to implement a solution to this problem. We have updated our documentation which now instructs how BIND can be configured to utilize the solution: https://www.linode.com/docs/websites/cms/set-up-dns-services-on-cpanel#using-linodes-dns-manager-as-a-slave
Users of the second group have likely noticed that their DNS servers are no longer responding to DNS queries. This is due to the fact that ns[1-5].linode.com have not pointed to these old IP addresses since CloudFlare began proxying our DNS traffic in December of last year. As of this morning, all five of the old name server IP addresses will only respond to requests for zone transfers, and no longer answer DNS queries. We do apologize for any inconvenience this may have caused our customers; however this measure was necessary as part of our efforts to provide a more secure DNS infrastructure. This issue can be resolved by simply updating glue records to point to the new ns[1-5].linode.com IP addresses.
It is important that we take this opportunity to point out that we do not support any configurations which point DNS records directly to IP addresses held by our infrastructure. These IP addresses are always subject to change without notice, so any user who points DNS records directly to these IPs is risking availability issues in the event of an address change.
It is worth noting that this morning's maintenance marked the finalization of the architectural changes made to our DNS servers; these changes have been gradually rolled out to ns[2-5].linode.com over the past week. Customers who are listing all five of our name servers as NS records for their domains or as transfer partners for their own private name servers should have experienced negligible interruptions, as our remaining four name servers continued to function with full normality throughout the maintenance.
Though we certainly regret any problems which this morning's maintenance may have caused for our customers, we are pleased to announce that as of this morning we have completed the implementation of architectural improvements to our DNS which further insulate and protect the infrastructure against future attack attempts, allowing us to offer all of our customers a more reliable DNS service. We thank you for your understanding through this issue, and apologize to our affected customers.
Apr 20, 16:55 UTC