Irc.oftc.net takes 4-5 seconds to resolve from a cold cache


#1
$ dig @1.1.1.1 +dnssec irc.oftc.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.1 +dnssec irc.oftc.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43997
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1536
;; QUESTION SECTION:
;irc.oftc.net.                      IN      A

;; ANSWER SECTION:
irc.oftc.net.               14400   IN      CNAME   irc.geo.oftc.net.
irc.oftc.net.               14400   IN      RRSIG   CNAME 8 3 14400 20180505100453 20180405090619 2821 oftc.net. avWy8GP61aaay4M3izEv6iz9Q13otw9ZGs7B3KXNX63Wf2/iJOreOnkV oq5F7qYXEnYyO1QwmrYiT555JIp5NXgJjSAvkV+Ntka78la0UifDYcJg mLTbsqORqrpgRmSmdFe/JSRR8hAuUhwhdE7IA5fjZapwIfnDPp9Rg1ps OfdF5f+DZTeDnw8vw9iOOvRIQTClV73mKkIdLIT7DSoGypl98CUUF0OX ol62JQNivgT9yK8WnAhe/bII82sI1npX
irc.geo.oftc.net.   60      IN      A       64.62.190.36
irc.geo.oftc.net.   60      IN      A       64.86.243.183
irc.geo.oftc.net.   60      IN      A       206.12.19.242
irc.geo.oftc.net.   60      IN      A       207.192.72.99
irc.geo.oftc.net.   60      IN      RRSIG   A 8 4 60 20180506125524 20180406115524 57016 geo.oftc.net. nQV9MqzsulFrAUAKkoYhDo0/uaaYwzV7XvWo6MDIyP+1IJI7SUUKl7IR KzGRHENcZOplNhYd80LhohZ9dbmuKHxFzLF53bqo0crEsV9vDm3kqwUA 5Zp+bmOnDo5IcZhvGHj/CsMu0PjEgvIq+7GlYc2EH/QMzjUTzKEOd2wM rjuecAl9LMcV5gTDnjZIx1gZz3w3wTNC7uJA/L2hWwMAis5dXq4PTHqO XRf8ohcAYliChp1BCJYk5z4K3vn1wWI3

;; Query time: 4397 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Apr 11 08:36:30 UTC 2018
;; MSG SIZE  rcvd: 603

$ dig @1.1.1.1 +dnssec irc.oftc.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.1 +dnssec irc.oftc.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3434
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1536
;; QUESTION SECTION:
;irc.oftc.net.                      IN      A

;; ANSWER SECTION:
irc.oftc.net.               3510    IN      CNAME   irc.geo.oftc.net.
irc.oftc.net.               3510    IN      RRSIG   CNAME 8 3 14400 20180505100453 20180405090619 2821 oftc.net. avWy8GP61aaay4M3izEv6iz9Q13otw9ZGs7B3KXNX63Wf2/iJOreOnkV oq5F7qYXEnYyO1QwmrYiT555JIp5NXgJjSAvkV+Ntka78la0UifDYcJg mLTbsqORqrpgRmSmdFe/JSRR8hAuUhwhdE7IA5fjZapwIfnDPp9Rg1ps OfdF5f+DZTeDnw8vw9iOOvRIQTClV73mKkIdLIT7DSoGypl98CUUF0OX ol62JQNivgT9yK8WnAhe/bII82sI1npX
irc.geo.oftc.net.   60      IN      A       64.62.190.36
irc.geo.oftc.net.   60      IN      A       64.86.243.183
irc.geo.oftc.net.   60      IN      A       206.12.19.242
irc.geo.oftc.net.   60      IN      A       207.192.72.99
irc.geo.oftc.net.   60      IN      RRSIG   A 8 4 60 20180506125524 20180406115524 57016 geo.oftc.net. nQV9MqzsulFrAUAKkoYhDo0/uaaYwzV7XvWo6MDIyP+1IJI7SUUKl7IR KzGRHENcZOplNhYd80LhohZ9dbmuKHxFzLF53bqo0crEsV9vDm3kqwUA 5Zp+bmOnDo5IcZhvGHj/CsMu0PjEgvIq+7GlYc2EH/QMzjUTzKEOd2wM rjuecAl9LMcV5gTDnjZIx1gZz3w3wTNC7uJA/L2hWwMAis5dXq4PTHqO XRf8ohcAYliChp1BCJYk5z4K3vn1wWI3

;; Query time: 65 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Apr 11 08:38:00 UTC 2018
;; MSG SIZE  rcvd: 603

I’m using the ATL PoP. A cached response takes about 600 microseconds. DNSViz doesn’t see any major issues:

http://dnsviz.net/d/irc.oftc.net/dnssec/

It’s not surprising it’s a bit slow to resolve. The domain’s complicated. Most of the nameservers are in Europe. There’s DNSSEC. (The delegation from oftc.net. to geo.oftc.net. is large.)

Still, it’s about 4 seconds slower than I would have expected…