On 2017-07-05 00:18, Rick Moen wrote:
> On a quick, broad check, dyne.org DNS seems robust.
>
> There are three network-diverse authoritative nameservers (refreshing to
> see after observing far too many domains attempting to get by with two,
> when RFCs require 3-7 auth nameservers[1]), all returning correct
> responses on both UDP and TCP. The SOA EXPIRE value (86400 seconds) is
> too short. RFC 1912 section 2.2 suggests a value between 1209600 and
> 2419200.

You are right, the configuration seems ok. A good checking tool is
IntoDNS:
https://intodns.com/dyne.org
They mention the same: the SOA EXPIRE value is too low.

By now it becomes apparent that timeouts from the DNS servers are the
problem:
------------------------------
$ dig tupac2.dyne.org
; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; connection timed out; no servers could be reached
$ dig tupac2.dyne.org
; <<>> DiG 9.9.5-9+deb8u11-Debian <<>> tupac2.dyne.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37556
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tupac2.dyne.org. IN A
;; ANSWER SECTION:
tupac2.dyne.org. 300 IN A 178.62.188.7
;; AUTHORITY SECTION:
dyne.org. 900 IN NS ns.dyne.org.
dyne.org. 900 IN NS ns2.dyne.org.
dyne.org. 900 IN NS ns3.dyne.org.
;; ADDITIONAL SECTION:
ns.dyne.org. 300 IN A 188.166.98.127
ns2.dyne.org. 300 IN A 198.199.70.248
ns3.dyne.org. 300 IN A 178.21.114.142
;; Query time: 657 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 04 17:22:16 CEST 2017
;; MSG SIZE rcvd: 161
------------------------------
Can the short SOA EXPIRE be the cause?
Jochen
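
The SOA EXPIRE check discussed in this thread, as an added example (not part of either poster's message): it parses the RDATA printed by `dig +short SOA <zone>` and compares EXPIRE with the RFC 1912 section 2.2 range quoted above. The sample record, its example.org names and the extra REFRESH/RETRY sanity checks are assumptions made for illustration.

```python
"""Audit SOA timers taken from `dig +short SOA <zone>` output (added example)."""
from typing import NamedTuple

# Range quoted in the thread from RFC 1912 section 2.2.
EXPIRE_MIN, EXPIRE_MAX = 1209600, 2419200


class SOA(NamedTuple):
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SOA:
    """Parse the seven SOA RDATA fields; timers must be plain seconds."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    try:
        numbers = [int(f) for f in fields[2:]]
    except ValueError:
        raise ValueError("SOA serial and timers must be integers") from None
    return SOA(fields[0], fields[1], *numbers)


def audit_soa(soa: SOA) -> list[str]:
    """Return findings; an empty list means nothing was flagged."""
    findings = []
    if soa.expire < EXPIRE_MIN:
        findings.append(f"EXPIRE {soa.expire}s is below {EXPIRE_MIN}s")
    elif soa.expire > EXPIRE_MAX:
        findings.append(f"EXPIRE {soa.expire}s is above {EXPIRE_MAX}s")
    # Assumed sanity checks, not from the thread: a secondary must be able
    # to retry a failed refresh before its copy of the zone expires.
    if soa.expire <= soa.refresh:
        findings.append("EXPIRE is not longer than REFRESH")
    if soa.retry >= soa.refresh:
        findings.append("RETRY is not shorter than REFRESH")
    return findings


# Constructed sample record; only the EXPIRE value (86400) is from the thread.
SAMPLE = "ns.example.org. hostmaster.example.org. 2017070401 10800 3600 86400 300"

if __name__ == "__main__":
    print(audit_soa(parse_soa(SAMPLE)) or "no findings")
```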