On 2017-07-05 00:18, Rick Moen wrote:
> On a quick, broad check, dyne.org DNS seems robust.
>
> There are three network-diverse authoritative nameservers (refreshing to
> see after observing far too many domains attempting to get by with two,
> when RFCs require 3-7 auth nameservers[1]), all returning correct
> responses on both UDP and TCP.  The SOA EXPIRE value (86400 seconds) is
> too short.  RFC 1912 section 2.2 suggests a value between 1209600 and
> 2419200.

You are right, the configuration seems ok. A good checking tool is IntoDNS:
https://intodns.com/dyne.org
They mention the same: the SOA EXPIRE value is too low.

By now it becomes apparent that timeouts from the DNS servers are the problem:

------------------------------
$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig tupac2.dyne.org

; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37556
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tupac2.dyne.org.        IN    A

;; ANSWER SECTION:
tupac2.dyne.org.    300    IN    A    178.62.188.7

;; AUTHORITY SECTION:
dyne.org.        900    IN    NS    ns.dyne.org.
dyne.org.        900    IN    NS    ns2.dyne.org.
dyne.org.        900    IN    NS    ns3.dyne.org.

;; ADDITIONAL SECTION:
ns.dyne.org.        300    IN    A    188.166.98.127
ns2.dyne.org.        300    IN    A    198.199.70.248
ns3.dyne.org.        300    IN    A    178.21.114.142

;; Query time: 657 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 04 17:22:16 CEST 2017
;; MSG SIZE  rcvd: 161
------------------------------

Can the short SOA EXPIRE be the cause?

Jochen


_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
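
Added example, not part of the original message: the dig runs above went through the local resolver at 127.0.0.1, so this sketch queries each authoritative server directly over UDP and TCP and tallies timeouts per server. The function names, the five-round count and the 2-second timeout are assumptions; the server addresses and sample transcripts are taken from the dig output in the message.

```python
import re
import subprocess
import sys

# Authoritative servers, copied from the ADDITIONAL section of the dig output above.
SERVERS = {"ns.dyne.org": "188.166.98.127",
           "ns2.dyne.org": "198.199.70.248",
           "ns3.dyne.org": "178.21.114.142"}

# Two transcript excerpts taken from the message (trimmed), used as offline sample input.
SAMPLES = [
    ";; global options: +cmd\n;; connection timed out; no servers could be reached\n",
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37556\n;; Query time: 657 msec\n",
]

def classify(dig_output):
    """Return 'timeout', the rcode (e.g. 'NOERROR'), or 'unknown' for one dig run."""
    if "timed out" in dig_output:
        return "timeout"
    m = re.search(r"status: ([A-Z]+)", dig_output)
    return m.group(1) if m else "unknown"

def query_time_ms(dig_output):
    """Extract dig's reported query time in milliseconds, or None if absent."""
    m = re.search(r"Query time: (\d+) msec", dig_output)
    return int(m.group(1)) if m else None

def summarize(transcripts):
    """Tally several dig runs: (timeouts, NOERROR answers, slowest answer in ms)."""
    kinds = [classify(t) for t in transcripts]
    times = [ms for ms in map(query_time_ms, transcripts) if ms is not None]
    return kinds.count("timeout"), kinds.count("NOERROR"), max(times, default=None)

def probe(ip, name, tcp=False, rounds=5):
    """Ask one server directly, bypassing the local resolver; one try, 2 s timeout."""
    cmd = ["dig", f"@{ip}", name, "A", "+norecurse", "+tries=1", "+time=2"]
    if tcp:
        cmd.append("+tcp")
    return [subprocess.run(cmd, capture_output=True, text=True).stdout
            for _ in range(rounds)]

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "tupac2.dyne.org"
    for host, ip in SERVERS.items():
        for tcp in (False, True):
            lost, ok, worst = summarize(probe(ip, name, tcp))
            print(f"{host:13} {'tcp' if tcp else 'udp'} timeouts={lost} ok={ok} worst_ms={worst}")
```

If every server answers promptly when asked directly, the intermittent failure lies between the client and its local resolver rather than with the zone's nameservers.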