[Pdns-dev] important security information for DNSSEC users

Peter van Dijk peter.van.dijk at netherlabs.nl
Sat Apr 28 16:53:00 CEST 2012


Dear PowerDNS Authoritative Server users,

Summary: DNSSEC keys generated with 3.1-RC1, RC2 and SVN builds between
February 14th and April 28th may be weak.

Earlier this week the PolarSSL team released version 1.1.2 of their library.
This is a security release; their advisory is at
http://polarssl.org/trac/wiki/SecurityAdvisory201201

For PowerDNS, the issues in this advisory impact RSA key generation, which is
the default for pdnssec secure-zone.

PolarSSL 1.1.1 (which has the defects described in the advisory) was imported
into PowerDNS SVN on February 14th, in revision 2396. This means that PowerDNS
3.0 was not using the affected version. We have confirmation from the PolarSSL
team that the version of PolarSSL used in PowerDNS 3.0 is free of these issues.

PowerDNS 3.1-RC1 and RC2, and any build from SVN between revision 2396 and
2585, are affected. If you have generated keys with any of these versions, we
recommend replacing those keys. Make sure to replace your keys carefully (i.e.
do a correct DNSSEC key rollover) to avoid making your domain invisible to
validating resolvers.

Please let us know if you require assistance, or have further questions.

PolarSSL has been upgraded to 1.1.2 as of PowerDNS SVN revision 2586. Releases
and release candidates *after* 3.1-RC2 will include PolarSSL 1.1.2 as well.

Our apologies for the inconvenience.

Kind regards,
- -- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/