On 1/11/21 11:07 PM, Paul Simmons wrote:
> On 1/10/21 8:07 AM, Tapani Tarvainen wrote:
>> On Sat, Jan 09, 2021 at 12:57:44PM -0600, Paul Simmons (mbatranch@gmail.com) wrote:
>>> I tested the ping (-c1) times for the first 27 IPv4 addresses in the DNS server list from the wiki. I can test more, if desired.
>>> The fastest return was 596ms, and the slowest was 857ms. At present, I'm using 9.9.9.10 (631ms ping) and 81.3.27.54 (752ms ping).
>> Wow. That *is* slow.
>>> I'm willing to test Tapani's "/etc/unbound/local.d" proposal(s), if it will clarify the situation.
>> I think it would be very useful if you could test if changing the limits actually helps in your situation.
>> It's easy enough to do: e.g.,
>> echo 'unknown-server-time-limit: 1128' >/etc/unbound/local.d/timeouts
>> and restart unbound and see if it makes a difference for you.
>> You might also try if non-TLS settings (TCP or UDP) work after that.
> Hello, I have some results.
> The /etc/unbound/local.d/timeouts (+unbound restart) did not completely resolve NTP-related lookup failures. It "seemed" to prevent complete failure, but the first of two lookups, to different pool aliases, did fail.
> I retained the "timeouts" and changed from TLS to TCP, and haven't seen any lookup failures.
> Tomorrow, I will experiment using "timeouts" and UDP. After a day or so, I'll try removing the "timeouts" and repeat the TCP and UDP tests.
> Thank you!
> p.
I've found that UDP doesn't work at all. TCP with "timeout" mod never fails.
Will now test TCP without "timeout" mod.
Paul