Quoting Joachim Fahrner (jf@???):

> By now it comes apparent that timeouts from the dns servers are the
> problem:

Well... hold that thought, please.


> Can the short SOA EXPIRE be the cause?

No. SOA EXPIRE is how long a secondary nameserver will still treat its
copy of the zone data as valid if it can't contact the primary
nameserver. It's a setting affecting zone transfers (IXFR and AXFR
protocols) only, between nameservers doing primary nameservice for a
zone. It has nothing to do with queries.


> ------------------------------
> $ dig tupac2.dyne.org
>
> ; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

Problem: You didn't say what nameserver to query ('@' parameter).
Quoting the dig man page:

       Unless it is told to query a specific name server, dig will try each of
       the servers listed in /etc/resolv.conf.

Presumably, your /etc/resolv.conf has a list of recursive nameservers
that the local resolver library is intended to query. With the
above-cited command, dig will attempt each of those in order, and error
out if none of them replies.

Therefore, your problem is somewhere there. It has no particular
connection to the remote domain.

I believe you said that you are running an instance of Unbound as a
local recursive nameserver. If so, I hope you are listing it first in
/etc/resolv.conf (perhaps by localhost IP). Anyway, that's where you
should start looking, to find your problem.