From fb3f4c5b31b83a66b4723c5b37fc47d446faeeb4 Mon Sep 17 00:00:00 2001
From: Ryan Malloy
Date: Mon, 18 May 2026 18:25:16 -0600
Subject: [PATCH] coredns: tighten SOA timers to nudge HE's internal sync
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously: refresh=3600 retry=1800 minimum=300 (RFC-conformant but slow). With HE's free secondary service exhibiting puller→anycast replication lag of up to ~1 hour, we want to give them every signal to refresh faster.

New: refresh=300 retry=120 minimum=60.

- refresh 300s: slaves poll our SOA every 5 minutes. ~91 zones polled by HE = ~1 query/sec to dell01:53, trivial load. If HE honors the master's refresh internally (some secondary providers do, some don't), this also nudges their puller→anycast sync.
- retry 120s: kept < refresh per RFC 1912 §2.2.
- minimum 60s: tightens NXDOMAIN negative-cache TTL on public resolvers from 5 min to 1 min. The dominant window when a newly- added name is briefly NX-cached on Cloudflare/Google/Quad9 before they re-ask HE.

expire stays at 604800 (1 week) — that's "how long HE keeps serving stale data if we vanish," unrelated to fresh-data propagation.
---
 scripts/prepare-zones.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/scripts/prepare-zones.sh b/scripts/prepare-zones.sh
index ddb2b62..7860871 100755
--- a/scripts/prepare-zones.sh
+++ b/scripts/prepare-zones.sh
@@ -76,10 +76,14 @@ for src in "$SRC_DIR"/*.zone; do
 echo "\$TTL 3600"
 echo "@ 3600 IN SOA ns1.he.net. ${ADMIN_EMAIL}.${zone}. ("
 echo " ${SERIAL} ; serial — bump per change (SERIAL=YYYYMMDDNN make prep)"
- echo " 3600 ; refresh (1 hour)"
- echo " 1800 ; retry (30 minutes)"
+ echo " 300 ; refresh (5 min) — slaves poll us this often;"
+ echo " ; tightened from 3600 to nudge HE's internal"
+ echo " ; puller→anycast replication"
+ echo " 120 ; retry (2 min) — kept < refresh per RFC 1912"
 echo " 604800 ; expire (1 week)"
- echo " 300 ; minimum (5 minutes)"
+ echo " 60 ; minimum (1 min) — negative-cache TTL on public"
+ echo " ; resolvers; shrinks the window when an old"
+ echo " ; NXDOMAIN keeps showing after we add a name"
 echo " )"
 echo ""
 # Inject HE nameservers as the authoritative NS set.
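Review bot: The added refresh comment documents the 300 s poll as the lever for faster propagation, but the mechanism designed to make a secondary re-fetch right after a serial bump is DNS NOTIFY (RFC 1996); refresh is only the polling fallback when no NOTIFY is sent or honored, and whether CoreDNS sends one depends on the `transfer` plugin's `to` list, which is outside this hunk. I would state that dependency where the timer is set so nobody later loosens the refresh believing it is the fast path, e.g. `echo " ; refresh is the fallback — NOTIFY on serial bump is the fast path"`. The new minimum comment deserves two caveats: per RFC 2308 §4 the negative-cache TTL is min(MINIMUM, SOA record TTL), so the 60 s only takes effect because the SOA line above keeps its 3600 TTL larger than MINIMUM, and public resolvers may still apply their own floor; and a 60 s negative TTL means every NXDOMAIN name is re-asked of the authoritative servers five times as often, which is extra load during random-subdomain floods against the zone — borne by HE, since the hunk's last context line injects HE as the published NS set. The enclosing `for src` loop begins before this hunk.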