From peter.van.dijk at powerdns.com  Fri May  1 09:39:45 2015
From: peter.van.dijk at powerdns.com (Peter van Dijk)
Date: Fri, 01 May 2015 11:39:45 +0200
Subject: [Pdns-announce] PowerDNS Security Advisory 2015-01
Message-ID: <3CAC50C1-98F4-461A-8AA9-BFFA65497CC3@powerdns.com>

Hi everybody,

Last week, we released Security Advisory 2015-01 (https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), with text suggesting that only specific platforms were seriously affected. We must now report that this was incorrect: all platforms are impacted. The advisory has been updated to that effect.

Furthermore, by popular demand, we have released Authoritative Server 3.3.2, an update to version 3.3.1 which includes DNSSEC improvements and of course a patch for the security issue.

Please see http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/ for links.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

On 23 Apr 2015, at 13:05, Peter van Dijk wrote:

> Hi everybody,
>
> Please be aware of PowerDNS Security Advisory 2015-01 (http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), which you can also find below. The good news is that as far as we have seen, only specific builds for RHEL5 are affected, but just to be sure we are doing full releases of all recent versions of our products.
>
> Packages and distribution tarballs of Recursor 3.6.3, Recursor 3.7.2 and Auth 3.4.4 are available in the usual places, and release announcements will be sent out right after this email.
>
> If you prefer a minimal patch, please go to https://downloads.powerdns.com/patches/2015-01/ and see README.txt there.
>
> If you have problems upgrading, please either contact us on our mailing lists, or privately via powerdns.support at powerdns.com (should you wish to make use of our SLA-backed support program).
>
> We want to thank Aki Tuomi for finding this issue, and really digging into it.
> We also want to thank Kees Monshouwer for assisting in debugging and fixing the offending code. Finally we want to thank Kai Storbeck for putting an earlier, broken version of the patch into production and being understanding about the names that broke because of it.
>
>
> PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes on specific platforms
>
> * CVE: CVE-2015-1868
> * Date: 23rd of April 2015
> * Credit: Aki Tuomi
> * Affects: PowerDNS Recursor versions 3.5 and up; Authoritative Server 3.2 and up
> * Not affected: Recursor 3.6.3; Recursor 3.7.2; Auth 3.4.4
> * Severity: High
> * Impact: Degraded service
> * Exploit: This problem can be triggered by sending queries for specifically configured domains
> * Risk of system compromise: No
> * Solution: Upgrade to any of the non-affected versions
> * Workaround: Run your Recursor under a supervisor. Exposure can be limited by configuring the allow-from setting so only trusted users can query your nameserver.
>
> A bug was discovered in our label decompression code, making it possible for names to refer to themselves, thus causing a loop during decompression. This loop is capped at 1000 iterations by a failsafe, making the issue harmless on most platforms.
>
> However, on specific platforms (so far, we are only aware of this happening on RHEL5/CentOS5), the recursion involved in these 1000 steps causes memory corruption leading to a quick crash, presumably because the default stack is too small.
>
> We recommend that all users upgrade to a corrected version if at all possible. Alternatively, if you want to apply a minimal fix to your own tree, please find patches here: https://downloads.powerdns.com/patches/2015-01/
>
> These should be trivial to backport to older versions by hand.
>
> As for workarounds, only clients in allow-from are able to trigger the degraded service, so this should be limited to your userbase; further, we recommend running your critical services under supervision such as systemd, supervisord, daemontools, etc.
>
> We want to thank Aki Tuomi for noticing this in production, and then digging until he got to the absolute bottom of what at the time appeared to be a random and spurious failure.
>
> _______________________________________________
> Pdns-announce mailing list
> Pdns-announce at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-announce

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: OpenPGP digital signature

From bert.hubert at powerdns.com  Mon May 25 12:34:38 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Mon, 25 May 2015 14:34:38 +0200
Subject: [Pdns-announce] PowerDNS needs your help: what are we missing?
Message-ID: <20150525123438.GB30588@xs.powerdns.com>

Hi everybody,

As we're working on PowerDNS 4.x, we are wondering: what are we missing?

The somewhat longer story is that as a software developer, a sort of feature-blindness appears. We try to make the software better, faster etc, but by focusing so much on the technology, one can lose sight of the use case.

In this way it is possible that a software vendor neglects to implement something, even though many users desperately want it. If so, please speak up! The short version: please mail powerdns.ideas at powerdns.com your ideas!

As concrete examples, PowerDNS took its time to add an API, and once we had it, people immediately started using it, even before we had documented the API. Similarly, for many years, we did not deliver a proper graphing solution, and now that it is there it is highly popular.

But what more are we missing? Should we expand into IPAM and do DHCP and IP address management?
Should we make an out-of-the-box NAT64/DNS64 solution? Do we need to improve replication beyond "database native" and "AXFR-based" (so 'super-duper-slave'?)?

Should we start doing versioned databases so people can roll back changes? IXFR?

Should we add a built-in DNS-based load balancer where we poll if your IP addresses are up?

Or would it be wise to move on beyond the geographically versatile backends, and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles?

Should the recursor gain cache sharing abilities? Or pre-fetching? Or even TTL-faking in case auths are down?

The list above is just to prime your imagination: if you have any ideas on what you are missing, please reach out to powerdns.ideas at powerdns.com!

Bert

From bert.hubert at powerdns.com  Tue May 26 09:17:11 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Tue, 26 May 2015 11:17:11 +0200
Subject: [Pdns-announce] dnsdist too! Re: [Pdns-users] PowerDNS needs your help: what are we missing?
In-Reply-To: <20150525123438.GB30588@xs.powerdns.com>
References: <20150525123438.GB30588@xs.powerdns.com>
Message-ID: <20150526091711.GB25751@xs.powerdns.com>

Hi everybody,

We're already getting decent amounts of feedback, please keep it up.

We also got a question if we are looking for suggestions on dnsdist: yes, very much so! http://blog.powerdns.com/2015/03/11/introducing-dnsdist-dns-abuse-and-dos-aware-query-distribution-for-optimal-performance/ and http://dnsdist.org/

A version of the email below with clickable links is on http://blog.powerdns.com/2015/05/26/powerdns-needs-your-help-what-are-we-missing/

Thanks!

Bert

On Mon, May 25, 2015 at 02:34:38PM +0200, bert hubert wrote:
> Hi everybody,
>
> As we're working on PowerDNS 4.x, we are wondering: what are we missing?
>
> The somewhat longer story is that as a software developer, a sort of feature-blindness appears.
> We try to make the software better, faster etc, but by focusing so much on the technology, one can lose sight of the use case.
>
> In this way it is possible that a software vendor neglects to implement something, even though many users desperately want it. If so, please speak up! The short version: please mail powerdns.ideas at powerdns.com your ideas!
>
> As concrete examples, PowerDNS took its time to add an API, and once we had it, people immediately started using it, even before we had documented the API. Similarly, for many years, we did not deliver a proper graphing solution, and now that it is there it is highly popular.
>
> But what more are we missing? Should we expand into IPAM and do DHCP and IP address management? Should we make an out-of-the-box NAT64/DNS64 solution? Do we need to improve replication beyond "database native" and "AXFR-based" (so 'super-duper-slave'?)?
>
> Should we start doing versioned databases so people can roll back changes? IXFR?
>
> Should we add a built-in DNS-based load balancer where we poll if your IP addresses are up?
>
> Or would it be wise to move on beyond the geographically versatile backends, and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles?
>
> Should the recursor gain cache sharing abilities? Or pre-fetching? Or even TTL-faking in case auths are down?
>
> The list above is just to prime your imagination: if you have any ideas on what you are missing, please reach out to powerdns.ideas at powerdns.com!
> > Bert > > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users > From peter.van.dijk at powerdns.com Fri May 1 09:39:45 2015 From: peter.van.dijk at powerdns.com (Peter van Dijk) Date: Fri, 01 May 2015 11:39:45 +0200 Subject: [Pdns-announce] PowerDNS Security Advisory 2015-01 In-Reply-To: References: Message-ID: <3CAC50C1-98F4-461A-8AA9-BFFA65497CC3@powerdns.com> Hi everybody, Last week, we released Security Advisory 2015-01 (https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), with text suggesting that only specific platforms were seriously affected. We must now report that this was incorrect: all platforms are impacted. The advisory has been updated to that effect. Furthermore, by popular demand, we have released Authoritative Server 3.3.2, an update to version 3.3.1 which includes DNSSEC improvements and of course a patch for the security issue. Please see http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/ for links. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ On 23 Apr 2015, at 13:05, Peter van Dijk wrote: > Hi everybody, > > Please be aware of PowerDNS Security Advisory 2015-01 > (http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), which you > can also find below. The good news is that as far as we have seen, only > specific builds for RHEL5 are affected, but just to be sure we are doing > full releases of all recent versions of our products. > > Packages and distribution tar balls of Recursor 3.6.3, Recursor 3.7.2 and Auth > 3.4.4 are available in the usual places, and release announcements will be sent > out right after this email. > > If you prefer a minimal patch, please go to > https://downloads.powerdns.com/patches/2015-01/ and see README.txt there. 
> > If you have problems upgrading, please either contact us on our mailing lists, > or privately via powerdns.support at powerdns.com (should you wish to make use of > our SLA-backed support program). > > We want to thank Aki Tuomi for finding this issue, and really digging into it. > We also want to thank Kees Monshouwer for assisting in debugging and fixing > the offending code. Finally we want to thank Kai Storbeck for putting an > earlier, broken version of the patch into production and being understanding > about the names that broke because of it. > > > PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes > on specific platforms > > * CVE: CVE-2015-1868 > * Date: 23rd of April 2015 > * Credit: Aki Tuomi > * Affects: PowerDNS Recursor versions 3.5 and up; Authoritative > Server 3.2 and up > * Not affected: Recursor 3.6.3; Recursor 3.7.2; Auth 3.4.4 > * Severity: High > * Impact: Degraded service > * Exploit: This problem can be triggered by sending queries for > specifically configured domains > * Risk of system compromise: No > * Solution: Upgrade to any of the non-affected versions > * Workaround: Run your Recursor under a supervisor. Exposure can be > limited by configuring the allow-from setting so only trusted > users can query your nameserver. > > A bug was discovered in our label decompression code, making it > possible for names to refer to themselves, thus causing a loop during > decompression. This loop is capped at a 1000 iterations by a failsafe, > making the issue harmless on most platforms. > > However, on specific platforms (so far, we are only aware of this > happening on RHEL5/CentOS5), the recursion involved in these 1000 steps > causes memory corruption leading to a quick crash, presumably because > the default stack is too small. > > We recommend that all users upgrade to a corrected version if at all > possible. 
Alternatively, if you want to apply a minimal fix to your own > tree, please find patches here: https://downloads.powerdns.com/patches/2015-01/ > > These should be trivial to backport to older versions by hand. > > As for workarounds, only clients in allow-from are able to trigger the > degraded service, so this should be limited to your userbase; further, > we recommend running your critical services under supervision such as > systemd, supervisord, daemontools, etc. > > We want to thank Aki Tuomi for noticing this in production, and then > digging until he got to the absolute bottom of what at the time > appeared to be a random and spurious failure. > > _______________________________________________ > Pdns-announce mailing list > Pdns-announce at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-announce -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 881 bytes Desc: OpenPGP digital signature URL: From bert.hubert at powerdns.com Mon May 25 12:34:38 2015 From: bert.hubert at powerdns.com (bert hubert) Date: Mon, 25 May 2015 14:34:38 +0200 Subject: [Pdns-announce] PowerDNS needs your help: what are we missing? Message-ID: <20150525123438.GB30588@xs.powerdns.com> Hi everybody, As we're working on PowerDNS 4.x, we are wondering: what are we missing? The somewhat longer story is that as a software developer, a sort of feature-blindness appears. We try to make the software better, faster etc, but by focusing so much on the technology, one can lose sight of the use case. In this way it is possible that a software vendor neglects to implement something, even though many users desperately want it. If so, please speak up! The short version: please mail powerdns.ideas at powerdns.com your ideas! As concrete examples, PowerDNS took its time to add an API, and once we had it, people immediately started using it, even before we had documented the API. 
Similarly, for many years, we did not deliver a proper graphing solution, and now that it is there it is highly popular. But what more are we missing? Should we expand into IPAM and do DHCP and IP address management? Should we make an out of the box NAT64/DNS64 solution? Do we need to improve replication beyond "database native" and "AXFR-based" (so 'super-duper-slave'?)? Should we start doing versioned databases so people can roll back changes? IXFR? Should we add a built-in DNS based load balancer where we poll if your IP addresses are up? Or would it be wise to move on beyond the geographical versatile backends, and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles? Should the recursor gain cache sharing abilities? Or pre-fetching? Or even TTL-faking in case auths are down? The list above is just to prime your imagination: if you have any ideas on what you are missing, please reach out to powerdns.ideas at powerdns.com! Bert From bert.hubert at powerdns.com Tue May 26 09:17:11 2015 From: bert.hubert at powerdns.com (bert hubert) Date: Tue, 26 May 2015 11:17:11 +0200 Subject: [Pdns-announce] dnsdist too! Re: [Pdns-users] PowerDNS needs your help: what are we missing? In-Reply-To: <20150525123438.GB30588@xs.powerdns.com> References: <20150525123438.GB30588@xs.powerdns.com> Message-ID: <20150526091711.GB25751@xs.powerdns.com> Hi everybody, We're already getting decent amounts of feedback, please keep it up. We also got a question if we are looking for suggestions on dnsdist: yes, very much so! http://blog.powerdns.com/2015/03/11/introducing-dnsdist-dns-abuse-and-dos-aware-query-distribution-for-optimal-performance/ and http://dnsdist.org/ A version of the email below with clickable links is on http://blog.powerdns.com/2015/05/26/powerdns-needs-your-help-what-are-we-missing/ Thanks! Bert On Mon, May 25, 2015 at 02:34:38PM +0200, bert hubert wrote: > Hi everybody, > > As we're working on PowerDNS 4.x, we are wondering: what are we missing? 
> > The somewhat longer story is that as a software developer, a sort of > feature-blindness appears. We try to make the software better, faster etc, > but by focusing so much on the technology, one can lose sight of the use > case. > > In this way it is possible that a software vendor neglects to implement > something, even though many users desperately want it. If so, please speak > up! The short version: please mail powerdns.ideas at powerdns.com your ideas! > > As concrete examples, PowerDNS took its time to add an API, and once we had > it, people immediately started using it, even before we had documented the > API. Similarly, for many years, we did not deliver a proper graphing > solution, and now that it is there it is highly popular. > > But what more are we missing? Should we expand into IPAM and do DHCP and IP > address management? Should we make an out of the box NAT64/DNS64 solution? > Do we need to improve replication beyond "database native" and "AXFR-based" > (so 'super-duper-slave'?)? > > Should we start doing versioned databases so people can roll back changes? > IXFR? > > Should we add a built-in DNS based load balancer where we poll if your IP > addresses are up? > > Or would it be wise to move on beyond the geographical versatile backends, > and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles? > > Should the recursor gain cache sharing abilities? Or pre-fetching? Or even > TTL-faking in case auths are down? > > The list above is just to prime your imagination: if you have any ideas on > what you are missing, please reach out to powerdns.ideas at powerdns.com! 
> > Bert > > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users > From peter.van.dijk at powerdns.com Fri May 1 09:39:45 2015 From: peter.van.dijk at powerdns.com (Peter van Dijk) Date: Fri, 01 May 2015 11:39:45 +0200 Subject: [Pdns-announce] PowerDNS Security Advisory 2015-01 In-Reply-To: References: Message-ID: <3CAC50C1-98F4-461A-8AA9-BFFA65497CC3@powerdns.com> Hi everybody, Last week, we released Security Advisory 2015-01 (https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), with text suggesting that only specific platforms were seriously affected. We must now report that this was incorrect: all platforms are impacted. The advisory has been updated to that effect. Furthermore, by popular demand, we have released Authoritative Server 3.3.2, an update to version 3.3.1 which includes DNSSEC improvements and of course a patch for the security issue. Please see http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/ for links. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ On 23 Apr 2015, at 13:05, Peter van Dijk wrote: > Hi everybody, > > Please be aware of PowerDNS Security Advisory 2015-01 > (http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), which you > can also find below. The good news is that as far as we have seen, only > specific builds for RHEL5 are affected, but just to be sure we are doing > full releases of all recent versions of our products. > > Packages and distribution tar balls of Recursor 3.6.3, Recursor 3.7.2 and Auth > 3.4.4 are available in the usual places, and release announcements will be sent > out right after this email. > > If you prefer a minimal patch, please go to > https://downloads.powerdns.com/patches/2015-01/ and see README.txt there. 
> > If you have problems upgrading, please either contact us on our mailing lists, > or privately via powerdns.support at powerdns.com (should you wish to make use of > our SLA-backed support program). > > We want to thank Aki Tuomi for finding this issue, and really digging into it. > We also want to thank Kees Monshouwer for assisting in debugging and fixing > the offending code. Finally we want to thank Kai Storbeck for putting an > earlier, broken version of the patch into production and being understanding > about the names that broke because of it. > > > PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes > on specific platforms > > * CVE: CVE-2015-1868 > * Date: 23rd of April 2015 > * Credit: Aki Tuomi > * Affects: PowerDNS Recursor versions 3.5 and up; Authoritative > Server 3.2 and up > * Not affected: Recursor 3.6.3; Recursor 3.7.2; Auth 3.4.4 > * Severity: High > * Impact: Degraded service > * Exploit: This problem can be triggered by sending queries for > specifically configured domains > * Risk of system compromise: No > * Solution: Upgrade to any of the non-affected versions > * Workaround: Run your Recursor under a supervisor. Exposure can be > limited by configuring the allow-from setting so only trusted > users can query your nameserver. > > A bug was discovered in our label decompression code, making it > possible for names to refer to themselves, thus causing a loop during > decompression. This loop is capped at a 1000 iterations by a failsafe, > making the issue harmless on most platforms. > > However, on specific platforms (so far, we are only aware of this > happening on RHEL5/CentOS5), the recursion involved in these 1000 steps > causes memory corruption leading to a quick crash, presumably because > the default stack is too small. > > We recommend that all users upgrade to a corrected version if at all > possible. 
Alternatively, if you want to apply a minimal fix to your own > tree, please find patches here: https://downloads.powerdns.com/patches/2015-01/ > > These should be trivial to backport to older versions by hand. > > As for workarounds, only clients in allow-from are able to trigger the > degraded service, so this should be limited to your userbase; further, > we recommend running your critical services under supervision such as > systemd, supervisord, daemontools, etc. > > We want to thank Aki Tuomi for noticing this in production, and then > digging until he got to the absolute bottom of what at the time > appeared to be a random and spurious failure. > > _______________________________________________ > Pdns-announce mailing list > Pdns-announce at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-announce -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 881 bytes Desc: OpenPGP digital signature URL: From bert.hubert at powerdns.com Mon May 25 12:34:38 2015 From: bert.hubert at powerdns.com (bert hubert) Date: Mon, 25 May 2015 14:34:38 +0200 Subject: [Pdns-announce] PowerDNS needs your help: what are we missing? Message-ID: <20150525123438.GB30588@xs.powerdns.com> Hi everybody, As we're working on PowerDNS 4.x, we are wondering: what are we missing? The somewhat longer story is that as a software developer, a sort of feature-blindness appears. We try to make the software better, faster etc, but by focusing so much on the technology, one can lose sight of the use case. In this way it is possible that a software vendor neglects to implement something, even though many users desperately want it. If so, please speak up! The short version: please mail powerdns.ideas at powerdns.com your ideas! As concrete examples, PowerDNS took its time to add an API, and once we had it, people immediately started using it, even before we had documented the API. 
Similarly, for many years, we did not deliver a proper graphing solution, and now that it is there it is highly popular. But what more are we missing? Should we expand into IPAM and do DHCP and IP address management? Should we make an out of the box NAT64/DNS64 solution? Do we need to improve replication beyond "database native" and "AXFR-based" (so 'super-duper-slave'?)? Should we start doing versioned databases so people can roll back changes? IXFR? Should we add a built-in DNS based load balancer where we poll if your IP addresses are up? Or would it be wise to move on beyond the geographical versatile backends, and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles? Should the recursor gain cache sharing abilities? Or pre-fetching? Or even TTL-faking in case auths are down? The list above is just to prime your imagination: if you have any ideas on what you are missing, please reach out to powerdns.ideas at powerdns.com! Bert From bert.hubert at powerdns.com Tue May 26 09:17:11 2015 From: bert.hubert at powerdns.com (bert hubert) Date: Tue, 26 May 2015 11:17:11 +0200 Subject: [Pdns-announce] dnsdist too! Re: [Pdns-users] PowerDNS needs your help: what are we missing? In-Reply-To: <20150525123438.GB30588@xs.powerdns.com> References: <20150525123438.GB30588@xs.powerdns.com> Message-ID: <20150526091711.GB25751@xs.powerdns.com> Hi everybody, We're already getting decent amounts of feedback, please keep it up. We also got a question if we are looking for suggestions on dnsdist: yes, very much so! http://blog.powerdns.com/2015/03/11/introducing-dnsdist-dns-abuse-and-dos-aware-query-distribution-for-optimal-performance/ and http://dnsdist.org/ A version of the email below with clickable links is on http://blog.powerdns.com/2015/05/26/powerdns-needs-your-help-what-are-we-missing/ Thanks! Bert On Mon, May 25, 2015 at 02:34:38PM +0200, bert hubert wrote: > Hi everybody, > > As we're working on PowerDNS 4.x, we are wondering: what are we missing? 
> > The somewhat longer story is that as a software developer, a sort of > feature-blindness appears. We try to make the software better, faster etc, > but by focusing so much on the technology, one can lose sight of the use > case. > > In this way it is possible that a software vendor neglects to implement > something, even though many users desperately want it. If so, please speak > up! The short version: please mail powerdns.ideas at powerdns.com your ideas! > > As concrete examples, PowerDNS took its time to add an API, and once we had > it, people immediately started using it, even before we had documented the > API. Similarly, for many years, we did not deliver a proper graphing > solution, and now that it is there it is highly popular. > > But what more are we missing? Should we expand into IPAM and do DHCP and IP > address management? Should we make an out of the box NAT64/DNS64 solution? > Do we need to improve replication beyond "database native" and "AXFR-based" > (so 'super-duper-slave'?)? > > Should we start doing versioned databases so people can roll back changes? > IXFR? > > Should we add a built-in DNS based load balancer where we poll if your IP > addresses are up? > > Or would it be wise to move on beyond the geographical versatile backends, > and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles? > > Should the recursor gain cache sharing abilities? Or pre-fetching? Or even > TTL-faking in case auths are down? > > The list above is just to prime your imagination: if you have any ideas on > what you are missing, please reach out to powerdns.ideas at powerdns.com! 
> > Bert > > > > _______________________________________________ > Pdns-users mailing list > Pdns-users at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-users > From peter.van.dijk at powerdns.com Fri May 1 09:39:45 2015 From: peter.van.dijk at powerdns.com (Peter van Dijk) Date: Fri, 01 May 2015 11:39:45 +0200 Subject: [Pdns-announce] PowerDNS Security Advisory 2015-01 In-Reply-To: References: Message-ID: <3CAC50C1-98F4-461A-8AA9-BFFA65497CC3@powerdns.com> Hi everybody, Last week, we released Security Advisory 2015-01 (https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), with text suggesting that only specific platforms were seriously affected. We must now report that this was incorrect: all platforms are impacted. The advisory has been updated to that effect. Furthermore, by popular demand, we have released Authoritative Server 3.3.2, an update to version 3.3.1 which includes DNSSEC improvements and of course a patch for the security issue. Please see http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/ for links. Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ On 23 Apr 2015, at 13:05, Peter van Dijk wrote: > Hi everybody, > > Please be aware of PowerDNS Security Advisory 2015-01 > (http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), which you > can also find below. The good news is that as far as we have seen, only > specific builds for RHEL5 are affected, but just to be sure we are doing > full releases of all recent versions of our products. > > Packages and distribution tar balls of Recursor 3.6.3, Recursor 3.7.2 and Auth > 3.4.4 are available in the usual places, and release announcements will be sent > out right after this email. > > If you prefer a minimal patch, please go to > https://downloads.powerdns.com/patches/2015-01/ and see README.txt there. 
> > If you have problems upgrading, please either contact us on our mailing lists, > or privately via powerdns.support at powerdns.com (should you wish to make use of > our SLA-backed support program). > > We want to thank Aki Tuomi for finding this issue, and really digging into it. > We also want to thank Kees Monshouwer for assisting in debugging and fixing > the offending code. Finally we want to thank Kai Storbeck for putting an > earlier, broken version of the patch into production and being understanding > about the names that broke because of it. > > > PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes > on specific platforms > > * CVE: CVE-2015-1868 > * Date: 23rd of April 2015 > * Credit: Aki Tuomi > * Affects: PowerDNS Recursor versions 3.5 and up; Authoritative > Server 3.2 and up > * Not affected: Recursor 3.6.3; Recursor 3.7.2; Auth 3.4.4 > * Severity: High > * Impact: Degraded service > * Exploit: This problem can be triggered by sending queries for > specifically configured domains > * Risk of system compromise: No > * Solution: Upgrade to any of the non-affected versions > * Workaround: Run your Recursor under a supervisor. Exposure can be > limited by configuring the allow-from setting so only trusted > users can query your nameserver. > > A bug was discovered in our label decompression code, making it > possible for names to refer to themselves, thus causing a loop during > decompression. This loop is capped at a 1000 iterations by a failsafe, > making the issue harmless on most platforms. > > However, on specific platforms (so far, we are only aware of this > happening on RHEL5/CentOS5), the recursion involved in these 1000 steps > causes memory corruption leading to a quick crash, presumably because > the default stack is too small. > > We recommend that all users upgrade to a corrected version if at all > possible. 
Alternatively, if you want to apply a minimal fix to your own > tree, please find patches here: https://downloads.powerdns.com/patches/2015-01/ > > These should be trivial to backport to older versions by hand. > > As for workarounds, only clients in allow-from are able to trigger the > degraded service, so this should be limited to your userbase; further, > we recommend running your critical services under supervision such as > systemd, supervisord, daemontools, etc. > > We want to thank Aki Tuomi for noticing this in production, and then > digging until he got to the absolute bottom of what at the time > appeared to be a random and spurious failure. > > _______________________________________________ > Pdns-announce mailing list > Pdns-announce at mailman.powerdns.com > http://mailman.powerdns.com/mailman/listinfo/pdns-announce -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 881 bytes Desc: OpenPGP digital signature URL: From bert.hubert at powerdns.com Mon May 25 12:34:38 2015 From: bert.hubert at powerdns.com (bert hubert) Date: Mon, 25 May 2015 14:34:38 +0200 Subject: [Pdns-announce] PowerDNS needs your help: what are we missing? Message-ID: <20150525123438.GB30588@xs.powerdns.com> Hi everybody, As we're working on PowerDNS 4.x, we are wondering: what are we missing? The somewhat longer story is that as a software developer, a sort of feature-blindness appears. We try to make the software better, faster etc, but by focusing so much on the technology, one can lose sight of the use case. In this way it is possible that a software vendor neglects to implement something, even though many users desperately want it. If so, please speak up! The short version: please mail powerdns.ideas at powerdns.com your ideas! As concrete examples, PowerDNS took its time to add an API, and once we had it, people immediately started using it, even before we had documented the API. 
Similarly, for many years, we did not deliver a proper graphing solution, and now that it is there it is highly popular.

But what more are we missing? Should we expand into IPAM and do DHCP and IP address management? Should we make an out of the box NAT64/DNS64 solution? Do we need to improve replication beyond "database native" and "AXFR-based" (so 'super-duper-slave'?)?

Should we start doing versioned databases so people can roll back changes? IXFR?

Should we add a built-in DNS based load balancer where we poll if your IP addresses are up?

Or would it be wise to move on beyond the geographically versatile backends, and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles?

Should the recursor gain cache sharing abilities? Or pre-fetching? Or even TTL-faking in case auths are down?

The list above is just to prime your imagination: if you have any ideas on what you are missing, please reach out to powerdns.ideas at powerdns.com!

Bert

From bert.hubert at powerdns.com Tue May 26 09:17:11 2015
From: bert.hubert at powerdns.com (bert hubert)
Date: Tue, 26 May 2015 11:17:11 +0200
Subject: [Pdns-announce] dnsdist too! Re: [Pdns-users] PowerDNS needs your help: what are we missing?
In-Reply-To: <20150525123438.GB30588@xs.powerdns.com>
References: <20150525123438.GB30588@xs.powerdns.com>
Message-ID: <20150526091711.GB25751@xs.powerdns.com>

Hi everybody,

We're already getting decent amounts of feedback, please keep it up.

We also got a question if we are looking for suggestions on dnsdist: yes, very much so!

http://blog.powerdns.com/2015/03/11/introducing-dnsdist-dns-abuse-and-dos-aware-query-distribution-for-optimal-performance/ and http://dnsdist.org/

A version of the email below with clickable links is on http://blog.powerdns.com/2015/05/26/powerdns-needs-your-help-what-are-we-missing/

Thanks!

Bert

On Mon, May 25, 2015 at 02:34:38PM +0200, bert hubert wrote:
> Hi everybody,
>
> As we're working on PowerDNS 4.x, we are wondering: what are we missing?
>
> The somewhat longer story is that as a software developer, a sort of feature-blindness appears. We try to make the software better, faster etc, but by focusing so much on the technology, one can lose sight of the use case.
>
> In this way it is possible that a software vendor neglects to implement something, even though many users desperately want it. If so, please speak up! The short version: please mail powerdns.ideas at powerdns.com your ideas!
>
> As concrete examples, PowerDNS took its time to add an API, and once we had it, people immediately started using it, even before we had documented the API. Similarly, for many years, we did not deliver a proper graphing solution, and now that it is there it is highly popular.
>
> But what more are we missing? Should we expand into IPAM and do DHCP and IP address management? Should we make an out of the box NAT64/DNS64 solution? Do we need to improve replication beyond "database native" and "AXFR-based" (so 'super-duper-slave'?)?
>
> Should we start doing versioned databases so people can roll back changes? IXFR?
>
> Should we add a built-in DNS based load balancer where we poll if your IP addresses are up?
>
> Or would it be wise to move on beyond the geographically versatile backends, and simply add 'US' and 'Europe', 'Oceania', 'Asia' IP address profiles?
>
> Should the recursor gain cache sharing abilities? Or pre-fetching? Or even TTL-faking in case auths are down?
>
> The list above is just to prime your imagination: if you have any ideas on what you are missing, please reach out to powerdns.ideas at powerdns.com!
>
> Bert
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>
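As an added illustration of the failure mode in Security Advisory 2015-01 quoted earlier in this thread (not PowerDNS code, and not the project's patch): the advisory describes a compression pointer that refers to itself, a loop that was only bounded by a 1000-iteration failsafe reached through recursion. The decoder below is iterative and enforces the RFC 1035 rule that a pointer must refer to an earlier offset, so a pointer loop is rejected outright instead of being capped. The sample messages are constructed for the example.

```python
# Added example (not PowerDNS code): iterative DNS name decompression that
# rejects self/forward compression pointers (the loop in Advisory 2015-01 above).
MAX_NAME_LEN = 255  # RFC 1035 cap on a wire-format name

class BadName(ValueError):
    """Raised for any malformed or looping name."""

def decompress_name(msg: bytes, offset: int):
    """Decode the name at msg[offset]; return (dotted name, offset after it).
    RFC 1035 pointers must refer to an earlier position, and enforcing
    target < pos makes every hop strictly backwards: no loop is possible,
    so no recursion and no 1000-iteration failsafe are needed."""
    labels, consumed, pos, end = [], 0, offset, None
    while True:
        if pos >= len(msg):
            raise BadName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise BadName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2  # the in-line name ends at its first pointer
            if target >= pos:
                raise BadName(f"pointer at {pos} does not point backwards")
            pos = target
            continue
        if length & 0xC0:
            raise BadName("reserved label type")
        if length == 0:  # root label terminates the name
            break
        consumed += length + 1
        if consumed > MAX_NAME_LEN or pos + 1 + length > len(msg):
            raise BadName("name too long or label truncated")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) or ".", (pos + 1 if end is None else end)

def is_rejected(msg: bytes, offset: int = 0) -> bool:  # True if decoder refuses it
    try:
        decompress_name(msg, offset)
        return False
    except BadName:
        return True

# Constructed samples, not captured traffic: "www.example.com" at offset 0,
# then a second name that is only a pointer back to offset 4 ("example.com").
GOOD_MSG = b"\x03www\x07example\x03com\x00" + b"\xC0\x04"
SELF_LOOP = b"\xC0\x00"             # pointer at offset 0 refers to itself
FORWARD_LOOP = b"\xC0\x02\xC0\x00"  # two pointers that chase each other
```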
