[Bug 1312127] Re: wget tries to get certificate from wrong server
psl
1312127 at bugs.launchpad.net
Fri Apr 25 01:20:23 UTC 2014
OpenDNS support reported that the problem was fixed. From my point of view
it was really fixed...
Technical details:
The redirection problem should now be fixed.
Some technical detail: Computers that are configured to use both IPv6
and IPv4 will perform a DNS query for both the A and AAAA records for a
given domain. Our resolvers will properly return a NODATA response for
the AAAA record, but we are seeing the client then perform another query
for the AAAA record with the local search suffix attached. This
subsequent query will result in an NXDOMAIN response, and thus customers
with NXDOMAIN redirection enabled will be redirected to our NXDOMAIN
page. The A record query will properly return the IP address, but some
clients may have a preference for AAAA records, or may choose one of the
two responses at random, and thus get redirected to our NXDOMAIN page.
This extra AAAA query is unusual behaviour for a client, but we were
able to mitigate it by removing the redirection for the AAAA record
requests from our DNS servers.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to wget in Ubuntu.
https://bugs.launchpad.net/bugs/1312127
Title:
wget tries to get certificate from wrong server
Status in “wget” package in Ubuntu:
Invalid
Bug description:
This report is for Ubuntu 12.04.4. I observe the problem with wget,
git and maybe other utilities. wget helped me to understand this
problem. I guess wget is not the troublemaker, but there is a problem in
some part related to DNS.
There is some problem (or change) with OpenDNS that I use, and that
change has an impact on SSL-related services. Let's try to download a
certificate with wget:
$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
DEBUG output created by Wget 1.13.4 on linux-gnu.
URI encoding = `UTF-8'
--2014-04-24 13:26:04-- https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
Created socket 3.
Releasing 0x08ca17d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x08ca1968
certificate:
subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
issuer: /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
ERROR: no certificate subject alternative name matches
requested host name `www.digicert.com'.
To connect to www.digicert.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x08ca1968
Notice that wget tries to download the certificate from the IPv6 address
::ffff:67.215.65.132; I don't have IPv6 connectivity...
Let's try to get DNS details about www.digicert.com; I use an OpenDNS
server:
$ host -a www.digicert.com 208.67.222.222
Trying "www.digicert.com"
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.digicert.com. IN ANY
;; ANSWER SECTION:
www.digicert.com. 95 IN A 64.78.193.234
www.digicert.com. 0 IN AAAA ::ffff:67.215.65.132
Received 78 bytes from 208.67.222.222#53 in 62 ms
$ host -t A www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:
www.digicert.com has address 64.78.193.234
$ host -t AAAA www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:
www.digicert.com has no AAAA record
From these examples, I assume that the record 0 IN AAAA returned by the
OpenDNS server is not valid and should be ignored. For some reason,
wget (and git) tries to use the AAAA record to download the certificate...
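The following is an added example, not code from the bug report, from wget, or from OpenDNS. It models the chain that OpenDNS support describes above (A and AAAA queries, NODATA for AAAA, a retry with the local search suffix, NXDOMAIN redirection synthesizing an answer) and the telltales visible in the reporter's host output: an AAAA record carrying an IPv4-mapped address (::ffff:67.215.65.132) with TTL 0. The authoritative data, the search suffix "localdomain", and the behaviour of the "redirecting resolver" are constructed assumptions for the demonstration; the addresses are the ones printed in the report. The redirect_types parameter models the mitigation OpenDNS describes, namely no longer redirecting AAAA queries.

```python
import ipaddress
from dataclasses import dataclass

# Address of the redirection landing page as seen in the report's debug output.
REDIRECT_V4 = "67.215.65.132"


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, TTL, type and textual rdata."""
    name: str
    ttl: int
    rtype: str
    rdata: str


# Constructed authoritative data (assumption): www.digicert.com has an A record
# and no AAAA record, so an AAAA query is answered NOERROR with an empty answer
# section (NODATA). Every other name does not exist.
AUTHORITATIVE = {
    ("www.digicert.com.", "A"): ("NOERROR", [RR("www.digicert.com.", 95, "A", "64.78.193.234")]),
    ("www.digicert.com.", "AAAA"): ("NOERROR", []),
}


def upstream(qname, qtype):
    """Authoritative lookup: (rcode, records). Unknown names are NXDOMAIN."""
    return AUTHORITATIVE.get((qname, qtype), ("NXDOMAIN", []))


def redirecting_resolver(qname, qtype, redirect_types):
    """Model of a resolver with NXDOMAIN redirection enabled.

    For query types in redirect_types, an NXDOMAIN from upstream is rewritten into
    a NOERROR answer whose rdata points at the landing page. For AAAA that is the
    IPv4-mapped form of the landing page address, with TTL 0, exactly the shape
    of the record shown in the report.
    """
    rcode, rrs = upstream(qname, qtype)
    if rcode == "NXDOMAIN" and qtype in redirect_types:
        rdata = REDIRECT_V4 if qtype == "A" else "::ffff:" + REDIRECT_V4
        return "NOERROR", [RR(qname, 0, qtype, rdata)]
    return rcode, rrs


def stub_lookup(name, qtype, search, resolver):
    """Model of the client behaviour OpenDNS described (an assumption about the
    client, not a statement about any particular libc): query the name as given;
    if the answer is NODATA, retry with each search-list suffix appended."""
    qname = name if name.endswith(".") else name + "."
    rcode, rrs = resolver(qname, qtype)
    if rcode == "NOERROR" and rrs:
        return rrs
    for suffix in search:
        rcode, rrs = resolver(qname + suffix.rstrip(".") + ".", qtype)
        if rcode == "NOERROR" and rrs:
            return rrs
    return []


def is_synthesized_aaaa(rr):
    """Heuristic check a client or monitor can apply to an AAAA answer: an
    IPv4-mapped address (::ffff:a.b.c.d) is never a legitimate global AAAA
    target, and TTL 0 is typical of resolver-generated answers."""
    if rr.rtype != "AAAA":
        return False
    addr = ipaddress.IPv6Address(rr.rdata)
    return addr.ipv4_mapped is not None or rr.ttl == 0


def demo(redirect_types, search=("localdomain",)):
    """Resolve A and AAAA for www.digicert.com through the modelled resolver.
    Returns (a_records, aaaa_records)."""
    resolver = lambda q, t: redirecting_resolver(q, t, redirect_types)
    a = stub_lookup("www.digicert.com", "A", list(search), resolver)
    aaaa = stub_lookup("www.digicert.com", "AAAA", list(search), resolver)
    return a, aaaa


if __name__ == "__main__":
    # Before the mitigation: both A and AAAA NXDOMAINs are redirected.
    a, aaaa = demo({"A", "AAAA"})
    print("A:   ", a)
    print("AAAA:", aaaa, "synthesized:", [is_synthesized_aaaa(r) for r in aaaa])
    # After the mitigation OpenDNS describes: AAAA is no longer redirected.
    a, aaaa = demo({"A"})
    print("AAAA after fix:", aaaa)
```

Note the security-relevant outcome in the report itself: the redirected connection was not silently accepted. wget's hostname check failed because the landing page presented a certificate for *.opendns.com, not www.digicert.com, which is the correct behaviour for a TLS client and the reason the problem was noticed at all. Following the advice in that error message to use --no-check-certificate would have turned a visible failure into a silent connection to the wrong server. On a real system, ipaddress.IPv6Address(x).ipv4_mapped applied to what getaddrinfo returns is a cheap way to spot this class of synthesized AAAA answer.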