[Pdns-announce] UPDATED important security information for DNSSEC users

Peter van Dijk peter.van.dijk at netherlabs.nl
Sat Apr 28 16:53:37 UTC 2012


Dear PowerDNS Authoritative Server users,

Summary: DNSSEC keys generated with 3.1-RC1, RC2 and SVN builds between 
February 14th and April 28th may be weak.

Earlier this week the PolarSSL team released version 1.1.2 of their library.
This is a security release; their advisory is at
http://polarssl.org/trac/wiki/SecurityAdvisory201201

PolarSSL 1.1.1 (which has the defects described in the advisory) was imported
into PowerDNS SVN on February 14th, in revision 2396. This means that PowerDNS
3.0 was not using the affected version. We have confirmation from the PolarSSL
team that the version of PolarSSL used in PowerDNS 3.0 is free of these issues.

For PowerDNS, the issues in this advisory impact RSA key generation, which is
the default for pdnssec secure-zone.

PowerDNS 3.1-RC1 and RC2, and any build from SVN between revision 2396 and
2585, may be affected. If you have generated keys with any of these versions,
assuming they were built with PolarSSL, we recommend replacing those keys.
Make sure to replace your keys carefully (i.e. do a correct DNSSEC key
rollover) to avoid making your domain invisible to validating resolvers.

Our official static packages are built with both Botan and PolarSSL; when
both are present, PowerDNS prefers Botan. This means our static packages
for 3.1-RC1 and RC2 are not affected.

If you have done your own build of PowerDNS in the affected revision range,
run 'pdnssec test-algorithm'. If you see 'Botan RSA' alongside 'PolarSSL RSA',
your build is not affected as Botan will have been used to generate your keys.

Please let us know if you require assistance, or have further questions.

PolarSSL has been upgraded to 1.1.2 as of PowerDNS SVN revision 2586. Releases
and release candidates *after* 3.1-RC2 will include PolarSSL 1.1.2 as well.

Our apologies for the inconvenience.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/