dns_route53: add change-max-poll config argument. #6071
Before we add a new command line flag, I'd like to try and find the root cause of why INSYNC status sometimes takes a long time. If slow syncing is caused by throttling at Route 53, instead of allowing higher poll times we should present the user with a message informing them that they may be encountering throttling and should adjust their issuance intervals.
Applicable limits documented for Route 53:
All requests
ChangeResourceRecordSets requests
In both cases, Amazon says it will return HTTP 400. I'll double-check if any of my logs show such an error.
Reviewing the response headers logged by certbot and neither I think there are just some semi-rare occasions where synchronization is taking much longer than expected within Amazon infrastructure.
This allows adjustment of the formerly hardcoded 120-rounds value.
To timeout more quickly, adjust down:
--dns-route53-change-max-poll 100
To timeout more slowly, adjust up:
--dns-route53-change-max-poll 150
Related to #6125
Hey @jsha, could you take a look at this?
We wound up working around this by reducing the number of times we update DNS. Closing since fewer options > more options. We might want to consider adding a message when polling for a change times out saying something like "If you've updated a lot of times recently, you might be getting rate limited by Amazon." But I'd want to see some more reports from other users first.
A little more detail here: @ezekiel reminds me that we never actually found evidence that we were being rate limited, so that might not be the root cause.
It's not clear how long they are outside "normal conditions," but the current setting will wait up to 10 minutes, which seems sufficiently generous. If anyone else has this issue, however, please let us know and provide details of your setup. We'd love to know why some updates take a long time to sync.
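The polling loop the PR description and the closing comment talk about, written as an added example (not certbot's own code): a configurable round cap that replaces the hardcoded 120, and a timeout message of the kind jsha floated that points at possible rate limiting. The 5-second interval is assumed from "120 rounds, up to 10 minutes"; `get_status` is a constructed stand-in for the Route 53 GetChange call.

```python
import time
from typing import Callable

# Constructed stand-in for the Route 53 GetChange call: each call returns the
# current ChangeInfo Status, "PENDING" or "INSYNC".
StatusFn = Callable[[], str]

DEFAULT_MAX_POLL = 120   # the formerly hardcoded round count discussed in the PR
POLL_INTERVAL = 5        # seconds per round (assumed: 120 rounds ~ 10 minutes)


class ChangeTimeout(Exception):
    """Raised when the change has not reached INSYNC within max_poll rounds."""


def wait_for_insync(get_status: StatusFn, max_poll: int = DEFAULT_MAX_POLL,
                    interval: float = POLL_INTERVAL, sleep=time.sleep) -> int:
    """Poll until the change reports INSYNC and return the number of rounds used.

    After max_poll rounds, raise ChangeTimeout with a message that names the
    --dns-route53-change-max-poll knob and the possibility of rate limiting,
    instead of failing silently on the round count.
    """
    if max_poll < 1:
        raise ValueError("max_poll must be at least 1")
    for round_no in range(1, max_poll + 1):
        if get_status() == "INSYNC":
            return round_no
        if round_no < max_poll:          # no point sleeping after the last round
            sleep(interval)
    raise ChangeTimeout(
        "Route 53 change not INSYNC after {n} rounds (~{m:.0f} minutes). "
        "If you've updated DNS a lot of times recently you might be getting "
        "rate limited by Amazon; reduce issuance frequency, or raise "
        "--dns-route53-change-max-poll.".format(n=max_poll, m=max_poll * interval / 60)
    )


def scripted_status(statuses):
    """Build a get_status() that replays a constructed sequence, then holds the last value."""
    it = iter(statuses)
    last = {"value": None}

    def get_status():
        try:
            last["value"] = next(it)
        except StopIteration:
            pass
        return last["value"]
    return get_status
```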