[Pdns-dev] UPDATED important security information for DNSSEC users
Peter van Dijk
peter.van.dijk at netherlabs.nl
Sat Apr 28 18:53:37 CEST 2012
Dear PowerDNS Authoritative Server users,
Summary: DNSSEC keys generated with 3.1-RC1, RC2 and SVN builds between
February 14th and April 28th may be weak.
Earlier this week the PolarSSL team released version 1.1.2 of their library.
This is a security release; their advisory is at
PolarSSL 1.1.1 (which has the defects described in the advisory) was imported
into PowerDNS SVN on February 14th, in revision 2396. This means that PowerDNS
3.0 was not using the affected version. We have confirmation from the PolarSSL
team that the version of PolarSSL used in PowerDNS 3.0 is free of these issues.
For PowerDNS, the issues in this advisory impact RSA key generation, which is
the default for pdnssec secure-zone.
PowerDNS 3.1-RC1 and RC2, and any build from SVN between revision 2396 and
2585, may be affected. If you have generated keys with any of these versions,
assuming they were built with PolarSSL, we recommend replacing those keys.
Make sure to replace your keys carefully (i.e. do a correct DNSSEC key
rollover) to avoid making your domain invisible to validating resolvers.
Our official static packages are built with both Botan and PolarSSL; when
both are present, PowerDNS prefers Botan. This means our static packages
for 3.1-RC1 and RC2 are not affected.
If you have done your own build of PowerDNS in the affected revision range,
run 'pdnssec test-algorithm'. If you see 'Botan RSA' alongside 'PolarSSL RSA',
your build is not affected, as Botan will have been used to generate your keys.
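To make the triage above mechanical, here is a small POSIX sh helper (an added example, not part of this advisory or of PowerDNS itself). It combines the three conditions stated above: the SVN revision window r2396..r2585, the presence of 'Botan RSA' in 'pdnssec test-algorithm' output, and the presence of 'PolarSSL RSA'. The exact line layout of that command's output is an assumption; the helper only looks for those two substrings.

```shell
#!/bin/sh
# classify_build REV ALGO_OUTPUT
#   REV         : SVN revision the PowerDNS binary was built from
#   ALGO_OUTPUT : captured text of 'pdnssec test-algorithm'
# Prints one line starting with affected:, not-affected: or unknown:
# (exit status is always 0; the caller inspects the printed verdict).
classify_build() {
    rev="$1"
    algo_out="$2"

    # Revision must be a plain integer for the range checks below.
    case "$rev" in
        ''|*[!0-9]*) echo "unknown: revision '$rev' is not numeric"; return 0 ;;
    esac

    # Before r2396 the vulnerable PolarSSL 1.1.1 had not been imported.
    if [ "$rev" -lt 2396 ]; then
        echo "not-affected: r$rev predates the PolarSSL 1.1.1 import (r2396)"
        return 0
    fi
    # From r2586 on, PolarSSL 1.1.2 (the fixed release) is used.
    if [ "$rev" -ge 2586 ]; then
        echo "not-affected: r$rev already carries PolarSSL 1.1.2 (r2586+)"
        return 0
    fi

    # Inside the window: which RSA backend generated the keys decides.
    # PowerDNS prefers Botan when both backends are compiled in.
    if printf '%s\n' "$algo_out" | grep -q 'Botan RSA'; then
        echo "not-affected: Botan RSA present, keys were generated with Botan"
        return 0
    fi
    if printf '%s\n' "$algo_out" | grep -q 'PolarSSL RSA'; then
        echo "affected: r$rev with PolarSSL RSA only; roll over RSA keys made with it"
        return 0
    fi
    echo "unknown: r$rev is in the window but no RSA backend line was recognised"
}

# Typical use on a live system (constructed invocation):
#   classify_build 2500 "$(pdnssec test-algorithm 2>&1)"
```

A verdict of 'affected' means the keys should be replaced with a proper pre-publish rollover, not simply deleted and regenerated.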
Please let us know if you require assistance, or have further questions.
PolarSSL has been upgraded to 1.1.2 as of PowerDNS SVN revision 2586. Releases
and release candidates *after* 3.1-RC2 will include PolarSSL 1.1.2 as well.
Our apologies for the inconvenience.
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/