Bug#869255: [Letsencrypt-devel] Bug#869255: DNS: wait a bit longer when NXDOMAIN returned in response to challenges

2017-07-29 Thread zebian


Quoting Paul Wise:

> Source: dehydrated
> Version: 0.3.1-3
> Severity: wishlist
> X-Debbugs-Cc: debian-ad...@lists.debian.org
> User: debian-ad...@lists.debian.org
> Usertags: needed-by-DSA-Team
>
> DSA are using dehydrated and the DNS mode of it, via a cron job run
> under chronic. Occasionally we get mails containing failures like the
> one below. I suspect this is because the DNS update for the challenge
> hasn't synced to Debian's DNS providers by the time the LE servers do
> the request. It would be nice if the NXDOMAIN could trigger a retry
> after a certain amount of time, maybe 5 minutes. This would avoid us
> getting non-actionable mails for slight delays in DNS synchronisation.



ouch, are you suggesting to fix a race condition by adding longer timeouts?

anyhow, i've a hook-script for dehydrated in the NEW queue since about  
1.5 months [1] that seems to fix this issue, by polling all DNS  
servers that are authoritative for the given NS entry *until* the  
relevant records show up.


gmsdr
IOhannes

[1] https://ftp-master.debian.org/new/dehydrated-hook-ddns-tsig_0.1.1-1.html
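
The polling approach described in the message above, as an added example that is not part of the thread and is not the code of the referenced hook script: block until every nameserver authoritative for the zone serves the challenge TXT record, or give up after a timeout. The function names, the caller-supplied zone argument and the default timings are assumptions; it needs `dig`.

```bash
#!/usr/bin/env bash
# Added example (not from dehydrated or any packaged hook script).
# All function names and defaults here are hypothetical.

# auth_nameservers ZONE -> one authoritative nameserver per line
auth_nameservers() {
    dig +short NS "$1" | sed 's/\.$//'
}

# ns_has_token NS NAME TOKEN -> 0 if NS itself answers NAME TXT with TOKEN
ns_has_token() {
    # +norecurse: query the authoritative server directly, never a cache.
    # grep -Fx matches one whole TXT value, so several challenge records
    # on the same name (e.g. base domain plus wildcard) are handled.
    dig +short +norecurse "@$1" TXT "$2" | tr -d '"' | grep -Fxq -- "$3"
}

# wait_for_challenge ZONE DOMAIN TOKEN [TIMEOUT_S] [INTERVAL_S]
# returns 0 = visible on all servers, 1 = timeout, 2 = no NS records found
wait_for_challenge() {
    local zone="$1" name="_acme-challenge.$2" token="$3"
    local timeout="${4:-300}" interval="${5:-10}"
    local deadline servers ns pending
    deadline=$(( $(date +%s) + timeout ))
    servers=$(auth_nameservers "$zone")
    if [ -z "$servers" ]; then
        echo "no NS records for $zone" >&2
        return 2
    fi
    while :; do
        pending=""
        for ns in $servers; do
            ns_has_token "$ns" "$name" "$token" || pending="$pending $ns"
        done
        # Only report success once no server is lagging behind.
        [ -z "$pending" ] && return 0
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "timeout, $name still missing on:$pending" >&2
            return 1
        fi
        sleep "$interval"
    done
}
```

A hook would call `wait_for_challenge` after submitting the DNS update and before returning control to the ACME client, so validation only starts once no authoritative server can still answer NXDOMAIN.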



Bug#869255: [Letsencrypt-devel] Bug#869255: DNS: wait a bit longer when NXDOMAIN returned in response to challenges

2017-07-22 Thread Paul Wise
On Sat, 2017-07-22 at 16:33 +0200, Mattia Rizzolo wrote:

> Forwarded the proposal upstream.

Upstream suggests it is a bug in our hook script,
so I guess this bug can be closed.

https://github.com/lukas2511/dehydrated/issues/415#issuecomment-317188484
https://anonscm.debian.org/cgit/mirror/letsencrypt-domains.git/tree/bin/le-hook

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




Bug#869255: [Letsencrypt-devel] Bug#869255: DNS: wait a bit longer when NXDOMAIN returned in response to challenges

2017-07-22 Thread Mattia Rizzolo
Control: forwarded -1 https://github.com/lukas2511/dehydrated/issues/415

On Sat, Jul 22, 2017 at 02:09:38PM +1000, Paul Wise wrote:
> It would be nice if the NXDOMAIN could trigger a retry
> after a certain amount of time, maybe 5 minutes.

Forwarded the proposal upstream.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

