[LEDE-DEV] Lack of DNS robustness for openwrt.org
Bjørn Mork
bjorn at mork.no
Mon May 7 06:30:53 PDT 2018
Jo-Philipp Wich <jo at mein.io> writes:
> Hi Joerg, John.
>
> I created an openwrt.org zone on Digital Ocean now so you could delegate
> the name servers to ns1.digitalocean.com, ns2.digitalocean.com and
> ns3.digitalocean.com, maybe with one of the SPI machines thrown into the
> mix...

Good! I hope you implicitly fixed one important issue I missed
yesterday:

The openwrt.org SOA expire value was extremely low, greatly increasing
the risk of ending up where we are now - with all slaves failing due to
a failing master. Scrolling back in one of my terminals I found this:

openwrt.org. 14400 IN SOA arrakis.dune.hu. root.dune.hu. 2018020702 3600 600 86400 3600

I am not entirely sure what the current best practice is, but I don't
think I've ever seen anyone recommending anything less than a week.
Using 24 hours is ehhm.... risky is the most polite I can think of.

The lede-project.org SOA looks fine, so I'd recommend you just copy
those timeouts (which you probably already did?)

Bjørn
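
Added example, not part of the original message: a small Python check that parses a single-line SOA record such as the one quoted above and flags an expire timer below the one-week floor the message mentions. The function names, finding codes and the example.org record are assumptions made for illustration.

```python
# Added example: audit the timers in a single-line SOA record (dig-style text).
WEEK = 7 * 24 * 3600  # one-week floor, taken from the message above

# SOA record quoted in the message
QUOTED = ("openwrt.org. 14400 IN SOA arrakis.dune.hu. root.dune.hu. "
          "2018020702 3600 600 86400 3600")
# Constructed record with a two-week expire, for comparison
CONSTRUCTED = ("example.org. 3600 IN SOA ns1.example.org. "
               "hostmaster.example.org. 1 3600 600 1209600 3600")


def parse_soa(line):
    """Parse 'name ttl IN SOA mname rname serial refresh retry expire minimum'."""
    f = line.split()
    if len(f) != 11 or f[2].upper() != "IN" or f[3].upper() != "SOA":
        raise ValueError("not a single-line SOA record: %r" % line)
    soa = {"name": f[0], "ttl": int(f[1]), "mname": f[4], "rname": f[5]}
    timers = ("serial", "refresh", "retry", "expire", "minimum")
    soa.update(zip(timers, (int(v) for v in f[6:])))
    return soa


def audit_soa(soa, min_expire=WEEK):
    """Return (code, text) findings for timers that make secondaries fragile."""
    findings = []
    if soa["expire"] < min_expire:
        findings.append(("expire-too-low",
            "%s: expire=%ds (%.0f h); secondaries stop answering that long "
            "after their last successful refresh from %s"
            % (soa["name"], soa["expire"], soa["expire"] / 3600, soa["mname"])))
    if soa["retry"] >= soa["refresh"]:
        findings.append(("retry-not-below-refresh",
            "%s: retry=%ds should be shorter than refresh=%ds"
            % (soa["name"], soa["retry"], soa["refresh"])))
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append(("expire-within-one-cycle",
            "%s: zone expires by the time of the first retry" % soa["name"]))
    return findings


if __name__ == "__main__":
    for record in (QUOTED, CONSTRUCTED):
        for code, text in audit_soa(parse_soa(record)):
            print(code, "-", text)
```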