Roots Discourse

Ocsp.int-x3.letsencrypt.org could not be resolved (2)

Had this error in the nginx log again:

ocsp.int-x3.letsencrypt.org could not be resolved

Related: Ocsp.int-x3.letsencrypt.org could not be resolved

nginx uses the nameserver from /etc/resolv.conf.
The /etc/resolv.conf of that Trellis server:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53

That is indeed a functioning DNS server, a systemd DNS resolver (I know, I know…):
dig @127.0.0.53 google.com for example works fine.
However, when I do a DNS lookup for ocsp.int-x3.letsencrypt.org I get a response with “akamai”, which is a CDN that apparently uses some optimizations that cause issues with nginx OCSP (according to some related forum discussions).

dig @127.0.0.53 ocsp.int-x3.letsencrypt.org
[redacted]
;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 3079 IN    CNAME   ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 1614 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.   2       IN      A       2.16.107.43
a771.dscq.akamai.net.   2       IN      A       2.16.107.114

As a general question: What DNS servers are good for web sites? Google Public DNS? OpenDNS?
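
Added example (not part of the original post): a small Python parser for the dig answer shown above. It follows the CNAME chain from the OCSP hostname to its address records and reports the shortest TTL, which bounds how long a resolver can reuse the final addresses. The function names are made up for this illustration, and the sample input is the ANSWER section copied from the post.

```python
# Constructed sample: the ANSWER section lines quoted in the post above.
SAMPLE_ANSWER = """\
ocsp.int-x3.letsencrypt.org. 3079 IN    CNAME   ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 1614 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.   2       IN      A       2.16.107.43
a771.dscq.akamai.net.   2       IN      A       2.16.107.114
"""


def parse_answer(text):
    """Return (name, ttl, rtype, rdata) tuples from dig answer lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, ";;" comments and anything that is not "name ttl IN type rdata".
        if len(fields) < 5 or fields[2] != "IN" or not fields[1].isdigit():
            continue
        name, ttl, _, rtype = fields[:4]
        records.append((name.lower(), int(ttl), rtype, " ".join(fields[4:])))
    return records


def resolve_chain(records, qname):
    """Follow CNAMEs from qname; return (chain, addresses, effective_ttl)."""
    name = qname.lower().rstrip(".") + "."
    chain, ttls, seen = [name], [], set()
    while True:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        cname = [r for r in records if r[0] == name and r[2] == "CNAME"]
        if not cname:
            break
        ttls.append(cname[0][1])
        name = cname[0][3].lower()
        chain.append(name)
    addrs = [r for r in records if r[0] == name and r[2] in ("A", "AAAA")]
    ttls.extend(r[1] for r in addrs)
    # The whole answer can be reused only until the shortest TTL in the chain expires.
    effective_ttl = min(ttls) if addrs else None
    return chain, [r[3] for r in addrs], effective_ttl


if __name__ == "__main__":
    chain, addrs, ttl = resolve_chain(parse_answer(SAMPLE_ANSWER), "ocsp.int-x3.letsencrypt.org")
    print(" -> ".join(chain))
    print("addresses:", addrs, "effective TTL:", ttl, "seconds")
```

For the answer in the post, the chain ends at a771.dscq.akamai.net. with an effective TTL of 2 seconds, so the responder's addresses have to be looked up again almost every time they are needed.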