New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account validates first time as Insecure #7158

nberlee opened this Issue Nov 7, 2018 · 3 comments


None yet
2 participants

nberlee commented Nov 7, 2018

  • Program: Recursor
  • Issue type: Bug report

Short description

Non-additional record for (CNAME of is being validated the first time as Bogus, but second try works...


  • Operating system: Debian Stretch in Docker
  • Software version: Recursor 4.1.5
  • Software source: PowerDNS debian repo

Steps to reproduce

  1. recursor.conf with:
  1. dig
  2. dig

Expected behaviour

Both times should complete ok as dnsviz does not indicate DNSSEC issues (only warnings). In any case DNSSEC validation should be consistent over retries.

Actual behaviour

First try fails, second time succeeds (caching/timing issue?)

Other information

See attached logs with tracing on
dig first try.log
dig second try.log


This comment has been minimized.


pieterlexis commented Nov 7, 2018

Hi, we've traced this issue to the fix in #6979. We're reverting it and releasing 4.1.6 later today.


This comment has been minimized.

nberlee commented Nov 7, 2018

Wow that is fast. thank you!


This comment has been minimized.

nberlee commented Nov 7, 2018

Tested it in 4.1.6 and now works as expected. Thanks again!

@nberlee nberlee closed this Nov 7, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment