From logs after D3766 update:
Oct 18 20:54:37 dns-001 knot[24217]: warning: [nasqueron.org.] notify, outgoing, remote 216.218.130.2@53 TCP, server responded with error 'REFUSED'
It's totally unclear which DNS server to notify: HE documentation states two different information at different places:
From the log message, ns1.he.net is refusing the update.
I think configuration could actually be nice but I forgot in D3766 to bump the serial. Let's check (and do a test to detect that).
So it's definitely ns1.he.net, because if I put slave.dns.he.net the TCP connection isn't established:
Oct 18 21:50:47 dns-001 knot[24217]: warning: [nasqueron.org.] notify, outgoing, remote 216.218.133.2@53 TCP, failed (connection reset)
Oct 18 21:50:47 dns-001 knot[24217]: warning: [nasqueron.org.] notify, outgoing, remote 2001:470:600::2@53 TCP, failed (connection reset)
Oct 18 21:50:47 dns-001 knot[24217]: error: [nasqueron.org.] zone event 'notify' failed (failed)
Dorian and me retested the configuration this Monday evening, with the same findings.
Mitigation
We reviewed several recommendations for SOA record.
Decrease the refresh delay for more frequent AXFR could mitigate pending notify correct configuration.
| Field | Delay | Delay (s) | Comments |
|---|---|---|---|
| refresh | 20m | 1200s | Minimal value according RFC |
| expire | 1m | 2 592 000s | Recommended value is 2-4w |
| retry | 2m | 120 | Minimal value |
Resolution
Opened a topic on HE to check with HE, https://forums.he.net/?topic=4371