From f16bc8b5b5a941358a816647d6f4b26b76424e9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Thu, 12 Mar 2026 20:04:19 +0100
Subject: [PATCH] unbound: revert timeout tuning that broke TLS forwarding

The tcp-reuse-timeout=15 and infra-host-ttl=120 changes from 5c111c8 caused unbound to fail resolving external domains via DNS-over-TLS. Reverting to defaults (tcp-reuse-timeout=60, infra-host-ttl=900).

Co-Authored-By: Claude Opus 4.6
---
 services/ns/resolver.nix | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/services/ns/resolver.nix b/services/ns/resolver.nix
index 08c0341..4c17e6d 100644
--- a/services/ns/resolver.nix
+++ b/services/ns/resolver.nix
@@ -38,12 +38,6 @@
 do-udp = "yes";
 do-tcp = "yes";
 extended-statistics = true;
-
- # Recover faster from upstream failures (e.g. ISP outage)
- # Default 900s is too long - keeps marking servers as bad
- infra-host-ttl = 120;
- # Clean up stale TLS connections faster (default 60s)
- tcp-reuse-timeout = 15;
 };
 remote-control = {
 control-enable = true;