New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

www.paypal.com validates first time as Insecure #7158

Closed
nberlee opened this Issue Nov 7, 2018 · 3 comments

Comments

Projects
None yet
2 participants
@nberlee

nberlee commented Nov 7, 2018

  • Program: Recursor
  • Issue type: Bug report

Short description

Non-additional record for glb.paypal.com (CNAME of www.paypal.com) is being validated the first time as Bogus, but second try works...

Environment

  • Operating system: Debian Stretch in Docker
  • Software version: Recursor 4.1.5
  • Software source: PowerDNS debian repo

Steps to reproduce

  1. recursor.conf with:
local-address=0.0.0.0
dnssec=validate
trace=yes
  1. dig www.paypal.com
  2. dig www.paypal.com

Expected behaviour

Both times should complete ok as dnsviz does not indicate DNSSEC issues (only warnings). In any case DNSSEC validation should be consistent over retries.

Actual behaviour

First try fails, second time succeeds (caching/timing issue?)

Other information

See attached logs with tracing on
dig www.paypal.com first try.log
dig www.paypal.com second try.log

@pieterlexis

This comment has been minimized.

Member

pieterlexis commented Nov 7, 2018

Hi, we've traced this issue to the fix in #6979. We're reverting it and releasing 4.1.6 later today.

@nberlee

This comment has been minimized.

nberlee commented Nov 7, 2018

Wow that is fast. thank you!

@nberlee

This comment has been minimized.

nberlee commented Nov 7, 2018

Tested it in 4.1.6 and now works as expected. Thanks again!

@nberlee nberlee closed this Nov 7, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment