From 5c111c8d7864360bd2f94d786717f787d1c92564 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Thu, 12 Mar 2026 01:53:11 +0100
Subject: [PATCH] unbound: tune timeouts for faster recovery after network outages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Lower infra-host-ttl (900s → 120s) and tcp-reuse-timeout (60s → 15s) so unbound recovers faster from upstream TLS forwarder failures instead of staying stuck after ISP outages.

Co-Authored-By: Claude Opus 4.6
---
 services/ns/resolver.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/services/ns/resolver.nix b/services/ns/resolver.nix
index 4c17e6d..08c0341 100644
--- a/services/ns/resolver.nix
+++ b/services/ns/resolver.nix
@@ -38,6 +38,12 @@
 do-udp = "yes";
 do-tcp = "yes";
 extended-statistics = true;
+
+ # Recover faster from upstream failures (e.g. ISP outage)
+ # Default 900s is too long - keeps marking servers as bad
+ infra-host-ttl = 120;
+ # Clean up stale TLS connections faster (default 60s)
+ tcp-reuse-timeout = 15;
 };
 remote-control = {
 control-enable = true;
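Review bot: The added `tcp-reuse-timeout = 15;` looks like a unit mistake: unbound.conf(5) documents this option in milliseconds (default 60000), so the value is 15 ms rather than the 15 s the commit message and comment intend. At 15 ms idle upstream connections are closed almost immediately, so nearly every forwarded query would pay for a new TCP and TLS handshake to the forwarder, which adds latency and load exactly when the upstream is already struggling. I would write `tcp-reuse-timeout = 15000;` and reword the comment to `# Close idle upstream TCP/TLS connections after 15s (value in ms, default 60000)`. `infra-host-ttl` is in seconds, so `120` there matches the stated intent. The enclosing settings block starts above the hunk, so whether other timeout options are set alongside these is not visible here.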