From: Paul Simmons
To: development@lists.ipfire.org
Subject: Re: [RFC] unbound: Increase timeout value for unknown dns-server
Date: Fri, 15 Jan 2021 21:02:08 -0600
Message-ID: <5b144a1f-28a3-00f1-3358-26845ac7cc76@gmail.com>

On 1/11/21 11:07 PM, Paul Simmons wrote:
> On 1/10/21 8:07 AM, Tapani Tarvainen wrote:
>> On Sat, Jan 09, 2021 at 12:57:44PM -0600, Paul Simmons
>> (mbatranch(a)gmail.com) wrote:
>>
>>> I tested the ping (-c1) times for the first 27 IPv4 addresses in the
>>> DNS server list from the wiki.  I can test more, if desired.
>>>
>>> The fastest return was 596ms, and the slowest was 857ms.  At
>>> present, I'm using 9.9.9.10 (631ms ping) and 81.3.27.54 (752ms ping).
>> Wow. That *is* slow.
>>
>>> I'm willing to test Tapani's "/etc/unbound/local.d" proposal(s), if
>>> it will clarify the situation.
>> I think it would be very useful if you could test if changing the
>> limits actually helps in your situation.
>>
>> It's easy enough to do: e.g.,
>>
>> echo 'unknown-server-time-limit: 1128' >/etc/unbound/local.d/timeouts
>>
>> and restart unbound and see if it makes a difference for you.
>>
>> You might also try if non-TLS settings (TCP or UDP) work after that.
>>
> Hello, I have some results.
>
> The /etc/unbound/local.d/timeouts (+unbound restart) did not
> completely resolve NTP related lookup failures.  It "seemed" to
> prevent complete failure, but the first of two lookups, to different
> pool aliases, did fail.
>
> I retained the "timeouts" and changed from TLS to TCP, and haven't
> seen any lookup failures.
>
> Tomorrow, I will experiment using "timeouts" and UDP.  After a day or
> so, I'll try removing the "timeouts" and repeat the TCP and UDP tests.
>
> Thank you!
>
> p.
>

I've found that UDP doesn't work at all.  TCP with "timeout" mod never fails.

Will now test TCP without "timeout" mod.

Paul

--
Know how to save 5 drowning lawyers? No? GOOD!
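A small POSIX shell helper, added here and not part of the thread, that writes the `unknown-server-time-limit` drop-in Tapani suggested (rejecting non-integer values so `unbound-checkconf` has nothing to trip over) and then counts failed lookups of a name through the local resolver, so the before/after comparison Paul is running can be put in numbers rather than "seemed to". The use of `dig` against 127.0.0.1, the 5-second per-query timeout and the summary format are my assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes `dig` is installed and
# unbound listens on 127.0.0.1; the drop-in path is the one used in the thread.
UNBOUND_DROPIN=/etc/unbound/local.d/timeouts
LIMIT_MS=1128   # value suggested in the thread (milliseconds)

# Write the drop-in. Refuses anything that is not a non-negative integer, so a
# typo cannot leave unbound unable to start on the next restart.
write_timeout_dropin() {
    limit="$1"; target="$2"
    case "$limit" in
        ''|*[!0-9]*) echo "unknown-server-time-limit must be an integer (ms)" >&2; return 1 ;;
    esac
    printf 'unknown-server-time-limit: %s\n' "$limit" > "$target"
}

# Reduce one dig run (on stdin) to "<status> <ms>", e.g. "NOERROR 631".
# A timed-out query prints no header at all, so that case becomes "NORESPONSE -1".
summarize_dig_output() {
    awk '/status:/    { sub(/,/, "", $6); st = $6 }
         /Query time:/ { ms = $4 }
         END { if (st == "") st = "NORESPONSE"; if (ms == "") ms = -1; print st, ms }'
}

# Query a name $count times through the local resolver, print each result and
# a failure tally; the return code is the number of failed lookups.
measure_lookups() {
    name="$1"; count="$2"; fails=0; i=0
    while [ "$i" -lt "$count" ]; do
        result=$(dig +time=5 +tries=1 @127.0.0.1 "$name" A 2>/dev/null | summarize_dig_output)
        status=${result%% *}
        [ "$status" = "NOERROR" ] || fails=$((fails + 1))
        echo "$name $result"
        i=$((i + 1))
    done
    echo "failed $fails of $count"
    return "$fails"
}

# Typical use (root): write_timeout_dropin "$LIMIT_MS" "$UNBOUND_DROPIN" && unbound-checkconf
# then restart unbound and run: measure_lookups 0.pool.ntp.org 20
```

Run the measurement once before writing the drop-in and once after restarting unbound, then repeat for each transport (TLS, TCP, UDP) so each change is judged on a failure count rather than on a single lookup.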