<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 23/01/2018 21:00, Brian T wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAJwDTWJfY39y_NwG5a4oM8wkGybC86Csv-qnRdzxCcnEkvu+aA@mail.gmail.com">I've
been seeing intermittent lookup failures for '<a
href="http://nova.clouds.archive.ubuntu.com"
moz-do-not-send="true">nova.clouds.archive.ubuntu.com</a>'.</blockquote>
<p>Hmm:</p>
<p>$ dig +trace nova.clouds.archive.ubuntu.com</p>
<p>...</p>
<p>ubuntu.com. 172800 IN NS ns1.p27.dynect.net.<br>
ubuntu.com. 172800 IN NS ns3.p27.dynect.net.<br>
ubuntu.com. 172800 IN NS ns2.p27.dynect.net.<br>
ubuntu.com. 172800 IN NS ns4.p27.dynect.net.<br>
;; Received 198 bytes from 2001:501:b1f9::30#53(2001:501:b1f9::30)
in 117 ms<br>
<br>
clouds.archive.ubuntu.com. 60 IN NS piru.canonical.com.<br>
;; Received 77 bytes from 2001:500:94:1::27#53(2001:500:94:1::27)
in 46 ms</p>
<p>Ergh!<br>
</p>
<p>1. clouds.archive.ubuntu.com has only a *single* nameserver
(haven't they read RFC2182?)</p>
<p>2. the single NS record has a ridiculously low TTL of 60 seconds</p>
The A record for piru.canonical.com has a semi-reasonable TTL of 30
minutes, although the NS records for canonical.com are cranked down
to 10 minutes in the zone:<br>
<p>$ dig +trace piru.canonical.com.</p>
<p>...</p>
<p>canonical.com. 172800 IN NS ns1.p27.dynect.net.<br>
canonical.com. 172800 IN NS ns3.p27.dynect.net.<br>
canonical.com. 172800 IN NS ns2.p27.dynect.net.<br>
canonical.com. 172800 IN NS ns4.p27.dynect.net.<br>
;; Received 186 bytes from 2001:502:8cc::30#53(2001:502:8cc::30)
in 205 ms<br>
<br>
piru.canonical.com. 1800 IN A 91.189.95.68<br>
canonical.com. 600 IN NS ns3.p27.dynect.net.<br>
canonical.com. 600 IN NS ns2.p27.dynect.net.<br>
canonical.com. 600 IN NS ns1.p27.dynect.net.<br>
canonical.com. 600 IN NS ns4.p27.dynect.net.<br>
; Received 138 bytes from 208.78.70.27#53(208.78.70.27) in 12 ms<br>
</p>
<p>This is pretty badly configured, and getting some failures to
resolve is probably to be expected.<br>
</p>
What I'd like to understand though is how many times pdns-recursor
retries a query to an authoritative server, within that 5500ms
timeout you've set (or the default 1500ms timeout), given that it
has no other server to failover to.<br>
<br>
Regards,<br>
<br>
Brian Candler.<br>
</body>
</html>