[Pdns-dev] important security information for DNSSEC users
Peter van Dijk
peter.van.dijk at netherlabs.nl
Sat Apr 28 16:53:00 CEST 2012
Dear PowerDNS Authoritative Server users,

Summary: DNSSEC keys generated with 3.1-RC1, RC2 and SVN builds between
February 14th and April 28th may be weak.

Earlier this week the PolarSSL team released version 1.1.2 of their library.
This is a security release; their advisory is at

For PowerDNS, the issues in this advisory impact RSA key generation, which is
the default for pdnssec secure-zone.

PolarSSL 1.1.1 (which has the defects described in the advisory) was imported
into PowerDNS SVN on February 14th, in revision 2396. This means that PowerDNS
3.0 was not using the affected version. We have confirmation from the PolarSSL
team that the version of PolarSSL used in PowerDNS 3.0 is free of these issues.

PowerDNS 3.1-RC1 and RC2, and any build from SVN between revision 2396 and
2585, are affected. If you have generated keys with any of these versions, we
recommend replacing those keys. Make sure to replace your keys carefully (i.e.
do a correct DNSSEC key rollover) to avoid making your domain invisible to

Please let us know if you require assistance, or have further questions.

PolarSSL has been upgraded to 1.1.2 as of PowerDNS SVN revision 2586. Releases
and release candidates *after* 3.1-RC2 will include PolarSSL 1.1.2 as well.

Our apologies for the inconvenience.

Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/