> On 1/10/21 8:07 AM, Tapani Tarvainen wrote:
>> On Sat, Jan 09, 2021 at 12:57:44PM -0600, Paul Simmons (mbatranch@gmail.com) wrote:
>> I tested the ping (-c1) times for the first 27 IPv4 addresses in the DNS server list from the wiki. I can test more, if desired.
>> The fastest return was 596ms, and the slowest was 857ms. At present, I'm using 9.9.9.10 (631ms ping) and 81.3.27.54 (752ms ping).
> Wow. That *is* slow.
>> I'm willing to test Tapani's "/etc/unbound/local.d" proposal(s), if it will clarify the situation.
> I think it would be very useful if you could test if changing the limits actually helps in your situation.
> It's easy enough to do: e.g.,
> echo 'unknown-server-time-limit: 1128' >/etc/unbound/local.d/timeouts
> and restart unbound and see if it makes a difference for you.
> You might also try if non-TLS settings (TCP or UDP) work after that.
Hello, I have some results.
The /etc/unbound/local.d/timeouts (+unbound restart) did not completely resolve NTP related lookup failures. It "seemed" to prevent complete failure, but the first of two lookups, to different pool aliases, did fail.
I retained the "timeouts" and changed from TLS to TCP, and haven't seen any lookup failures.
Tomorrow, I will experiment using "timeouts" and UDP. After a day or so, I'll try removing the "timeouts" and repeat the TCP and UDP tests.
Thank you!
p.