Hey Jake, I tried the handles tab of the debug page with my own handle, and it says DNS verification fails with a lookup timeout. I checked with dig that the NS and TXT record work. What's the best channel to pass this bug to BS?

What's the handle, I can check it from other places? Maybe it was a temporary problem with a nameserver?

My handle is : albert\.aribaud\.net If it's just a temporary issue then maybe BS could rephrase the warning to make it clear(er)?

Looks like the debug page showed success, and then reverted to failure for timeout. Is the validation mechanism using a caching nameserver, or does it query the authoritative server every time? The latter could explain timeouts if the authoritative server has any sort of DDoS protection.

Yeah, the afraid dot org service seems pretty unreliable, either because some of the NS are down/don't response, or because of anti-DDoS measures. Pretty sure that's the entire problem.

So far I haven't had issues with afraid.org except in the present case, so I'd assume DDoS limitation -- but that's also assuming BS hits the authoritative server, not a recursive server that would cache the answer and lessen the load on afraid. Would you perchance know?

We may do authoritative lookups in some cases, the debug page does. But it's very few requests (like one) so their system is pretty aggressive if that triggers a response.

In theory the authoritative server shouldn't be queried from the same source for the same record more often than the TTL; that's what the TTL is for after all. I'll try and find what DDoS limits afraid.org has.

Even in the case of an authoritative lookup, it's going to be once every 24 hour or something, well beyond the TTL because there is a different "TTL" for handle verification unrelated to DNS.

Ok so under normal conditions, only the debug page might exceed the DNS record TTL?