@tetech said:
I use HE.net and find it to be very good. I run a hidden master, so no need to worry about HE API or web interface, just change on the master and do a notify for AXFR.
How do you find the AXFR response times, i.e. update delay, these days?
When I looked at HE a few years back the AXFR timing seemed very erratic; changes could take ages (10s of minutes) to propagate, making it problematic for DNS-based authorisation, e.g. Let's Encrypt.
I did a quick look at the last week of logs and their response to a NOTIFY seemed to be around 1-1.5 minutes behind the other slaves. Nothing drastic. Personally I am making a CNAME for Let's Encrypt records and pointing it to a subdomain at a different DNS provider which I use for that and nothing else.
I did a quick look at the last week of logs and their response to a NOTIFY seemed to be around 1-1.5 minutes behind the other slaves.
Thanks, just realised @Brueggus had actually answered my query higher up but I didn't spot it. Might give HE another try as a backup, always heard good things about their reliability.
Good suggestion on doing LE on another platform altogether.
How do you find the AXFR response times, i.e. update delay, these days?
When I looked at HE a few years back the AXFR timing seemed very erratic; changes could take ages (10s of minutes) to propagate, making it problematic for DNS-based authorisation, e.g. Let's Encrypt.
I'm using certbot and have configured dns-rfc2136-propagation-seconds=120 which works for me. The propagation delay was about 90 seconds last time I checked. And that's the total delay from my master via my OpenDNSSEC live signer, and a slave of mine.
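An added example, not part of any post in this thread: instead of a fixed propagation wait such as the 120 seconds mentioned above, a DNS-01 hook can poll each authoritative server's SOA serial until every secondary has caught up with the hidden master. The `get_serial` callback, the server names and the timings are assumptions made for illustration; serial comparison follows RFC 1982 so a wrapped serial still counts as newer.

```python
import time

SERIAL_MOD = 2 ** 32
HALF = 2 ** 31

def serial_gte(a, b):
    """True if SOA serial a is equal to or newer than b (RFC 1982 arithmetic)."""
    return ((a - b) % SERIAL_MOD) < HALF

def wait_for_propagation(primary, secondaries, get_serial, timeout=300,
                         interval=5, sleep=time.sleep, clock=time.monotonic):
    """Poll until every secondary serves at least the primary's SOA serial.

    get_serial(server) -> int or None is a hypothetical hook supplied by the
    caller; in practice it would send an SOA query directly to that server
    rather than through a caching resolver.
    Returns (ok, lag): lag maps each secondary to the seconds it took to
    catch up, or None if it did not within the timeout.
    """
    target = get_serial(primary)
    if target is None:
        raise RuntimeError("primary did not answer the SOA query")
    start = clock()
    lag = {s: None for s in secondaries}
    while True:
        for s in secondaries:
            if lag[s] is None:
                serial = get_serial(s)
                if serial is not None and serial_gte(serial, target):
                    lag[s] = clock() - start
        if all(v is not None for v in lag.values()):
            return True, lag
        if clock() - start >= timeout:
            return False, lag
        sleep(interval)

def simulate(timeout=120):
    """Constructed timeline: ns-fast catches up after 10 s, ns-slow after 90 s."""
    now = [0.0]
    ready_at = {"primary": 0, "ns-fast": 10, "ns-slow": 90}  # constructed values
    def get_serial(server):
        return 2024010102 if now[0] >= ready_at[server] else 2024010101
    def fake_sleep(seconds):
        now[0] += seconds
    return wait_for_propagation("primary", ["ns-fast", "ns-slow"], get_serial,
                                timeout=timeout, interval=5,
                                sleep=fake_sleep, clock=lambda: now[0])
```

Only once `ok` is true should the hook let the ACME client request validation; on timeout the per-server `lag` shows which secondary is still behind.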
Comments
Another HE limitation is they do not support numeric-only domains like:
1234.com
^this
HE DNS is like, first it's free and then why fix something that isn't broken...
Then, almost nobody complains to them, they simply switch over to something else...