Ns1.desec.io replication issues

I had issues with 2 minutes too, and set it to 4 minutes and haven’t had any issues since.
But one could query all instances, and see if it’s really updated:

curl -sSfL https://github.com/desec-io/desec-automation/raw/refs/heads/main/hosts/all.yml \
| yq -r '.all.children.frontends.children|map(.children|map(.hosts|keys))|flatten[]'

Prepare an update (onverwijld is a Dutch word, meaning immediately):

curl -X PATCH https://desec.io/api/v1/domains/onverwijld.nl/rrsets/test/TXT/ \
 -H "Authorization: Token $DESEC_TOKEN" --json "$(jq -n '{records:["\"bob\""]}')" \
| jq
{
  "created": "2026-06-05T12:33:23.315381Z",
  "domain": "onverwijld.nl",
  "subname": "test",
  "name": "test.onverwijld.nl.",
  "records": [
    "\"bob\""
  ],
  "ttl": 3600,
  "type": "TXT",
  "touched": "2026-06-05T12:36:57.643459Z"
}

While monitoring all servers (explicitly over IPv4 since all IPv6 addresses of .c.desec.io are not working for me):

while true; do
  sleep 10
  date +%T
  echo @{{ams,dfw,sao,fra,hkg,jnb,syd}-1.a,{dxb,fra,lax,sin,lga,lhr,scl,tyo}-1.c}.desec.io \
  | xargs -P15 -n1 dig -4 +short TXT test.onverwijld.nl \
  | sort \
  | uniq -c
done
14:36:48
     15 "alice"
14:36:59
     15 "alice"
14:37:09
     15 "alice"
14:37:20
      9 "alice"
      6 "bob"
14:37:30
      9 "alice"
      6 "bob"
14:37:41
      9 "alice"
      6 "bob"
14:37:52
      9 "alice"
      6 "bob"
14:38:02
      9 "alice"
      6 "bob"
14:38:13
      9 "alice"
      6 "bob"
14:38:23
      7 "alice"
      8 "bob"
14:38:34
      7 "alice"
      8 "bob"
14:38:44
      7 "alice"
      8 "bob"
14:38:55
      7 "alice"
      8 "bob"
14:39:06
      7 "alice"
      8 "bob"
14:39:16
      4 "alice"
     11 "bob"
14:39:27
     15 "bob"

So in this test case it took from 12:36:57 to somewhere between 14:39:16 and 14:39:27 for all servers to be in sync, which is 139–150 seconds for this n=1 case. A second test took from 13:02:22 till 15:04:09–15:04:19, so that was 107–117 seconds, within 2 minutes.

Note: of course, if draft-ietf-acme-dns-persist-01 ("Automated Certificate Management Environment (ACME) Challenge for Persistent DNS TXT Record Validation") is implemented (see "DNS-PERSIST-01: A New Model for DNS-based Challenge Validation", Let's Encrypt), then instead of updating _acme-challenge a static record can be used:

_validation-persist.example.com. IN TXT ("authority.example;"
   " accounturi=https://ca.example/acct/123")
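The check suggested in the post above (query all instances and see whether the record is really updated), written as a wait-until-in-sync helper that can replace a fixed delay. This is an added example, not part of the original post or of deSEC's own tooling; the function names and the timeout and interval defaults are assumptions, and the hostnames are the 15 frontends from the monitoring loop.

```sh
#!/bin/sh
# Added example: wait until every deSEC frontend serves the expected TXT value.
# Hostnames are the 15 frontends from the monitoring loop in the post.
frontends() {
  for pop in ams dfw sao fra hkg jnb syd; do echo "$pop-1.a.desec.io"; done
  for pop in dxb fra lax sin lga lhr scl tyo; do echo "$pop-1.c.desec.io"; done
}

# Ask one frontend directly (IPv4, short timeout). $1 = server, $2 = name.
query_txt() {
  dig -4 +short +time=2 +tries=1 TXT "$2" "@$1" </dev/null
}

# Print every frontend whose answer does not contain the expected value.
# $1 = name, $2 = value as dig prints it, including quotes, e.g. '"bob"'.
stale_frontends() {
  frontends | while read -r ns; do
    answer=$(query_txt "$ns" "$1" 2>/dev/null) || answer=""
    # -x -F: whole-line literal match, so extra TXT values at the name are fine
    printf '%s\n' "$answer" | grep -qxF -- "$2" || echo "$ns"
  done
}

# Poll until no frontend is stale. $3 = timeout (s), $4 = poll interval (s).
# Returns 0 once all are in sync, 1 on timeout (stale servers go to stderr).
wait_for_sync() {
  name=$1; expected=$2; timeout=${3:-300}; interval=${4:-10}
  waited=0   # counts sleep time only, so the real deadline is slightly later
  while :; do
    stale=$(stale_frontends "$name" "$expected")
    if [ -z "$stale" ]; then return 0; fi
    if [ "$waited" -ge "$timeout" ]; then
      echo "not in sync after ${waited}s:" $stale >&2
      return 1
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Usage: ./wait-sync.sh test.onverwijld.nl '"bob"' [timeout] [interval]
if [ "$#" -ge 2 ]; then wait_for_sync "$@"; fi
```

A frontend that times out or returns nothing counts as stale, so an unreachable server delays the result rather than being silently skipped.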