[Pdns-users] New: PowerDNS Security Status Polling
bert hubert
bert.hubert at netherlabs.nl
Wed Oct 22 19:38:38 UTC 2014
Hi everybody,
PowerDNS software sadly sometimes has critical security bugs. Even though we
send out notifications of these via all channels available, our recent
security releases have taught us that not everybody actually finds out about
important security updates via our mailing lists, Facebook and Twitter.
To solve this, the development versions of PowerDNS software have been
updated to poll for security notifications over DNS, and log these
periodically. Secondly, the security status of the software is available for
monitoring using the built-in metrics. This allows operators to poll for the
PowerDNS security status and alert on it.
In the implementation of this idea, we have taken the unique role of
operating system distributors into account. Specifically, we can deal with
backported security fixes.
This feature can easily be disabled, and operators can also point the
queries at their own status service.
In this post, we want to inform you that the most recent snapshots of
PowerDNS now include security polling, and we want to solicit your rapid
feedback before this feature becomes part of the next PowerDNS releases.
Implementation
PowerDNS software periodically tries to resolve
"auth-x.y.z.security-status.secpoll.powerdns.com|TXT" or
"recursor-x.y.z.security-status.secpoll.powerdns.com|TXT" (if the
security-poll-suffix setting is left at the default of
secpoll.powerdns.com). No other data is included in the request.
The data returned is in one of the following forms:
* NXDOMAIN or resolution failure
* "1 Ok" -> security-status=1
* "2 Upgrade recommended for security reasons, see http://powerdns.com/.." ->
security-status=2
* "3 Upgrade mandatory for security reasons, see http://powerdns.com/.." ->
security-status=3
In cases 2 or 3, periodic logging commences at syslog level "Error". The
metric security-status is set to 2 or 3 respectively. The security status
could, however, be lowered again if we discover the issue is less urgent than we
thought.
If resolution fails, and the previous security-status was 1, the new
security-status becomes 0 ("no data"). If the security-status was higher
than 1, it will remain that way, and not get set to 0. In this way, a
security-status of 0 really means "no data", and cannot mask a known
problem.
Distributions
Distributions frequently backport security fixes to the PowerDNS versions
they ship. This might lead to a version number that is known to us to be
insecure being secure in reality.
To solve this issue, PowerDNS can be compiled with a distribution setting
which will move the security polls from
"auth-x.y.z.security-status.secpoll.powerdns.com" to
"auth-x.y.z-n.debian.security-status.secpoll.powerdns.com".
Note two things: first, there is a separate namespace for Debian, and
second, we use the package version of this release. This allows us to know
that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not.
Details and how to disable
The configuration setting "security-poll-suffix" is by default set to
"secpoll.powerdns.com". If empty, nothing is polled. This can be moved to
"secpoll.yourorganization.com". Our up-to-date secpoll zonefile is available
on GitHub for this purpose.
If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to
"auth-3.1.6-abcde.debian.security-status.security-poll-suffix".
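As an added worked example (not PowerDNS's own code, which is C++), the Python
below models the behaviour described in the Implementation, Distributions and
Details sections above: building the polled name from product, version and an
optional package version, parsing the "1 Ok" / "2 ..." / "3 ..." TXT answers,
and applying the status transitions on NXDOMAIN or resolution failure. The
zone contents and the CONSTRUCTED_ZONE / constructed_resolve names are
constructed sample data, and treating a malformed TXT answer like a failed
resolution is an assumption of this example, not something the announcement
specifies.

```python
"""Model of PowerDNS security-status polling (added illustration, not
PowerDNS's own code). Zone data below is constructed, not real."""
import logging
import re
from typing import Callable, Optional, Tuple

DEFAULT_SUFFIX = "secpoll.powerdns.com"  # default security-poll-suffix
log = logging.getLogger("secpoll")


def secpoll_qname(product: str, version: str,
                  suffix: str = DEFAULT_SUFFIX,
                  package_version: Optional[str] = None) -> str:
    """Build the TXT name a given build polls.

    product is "auth" or "recursor". A distribution build compiled with a
    PACKAGEVERSION (e.g. "3.6.0-1.debian") polls that instead of upstream
    x.y.z, so backported fixes are tracked per package release.
    """
    return f"{product}-{package_version or version}.security-status.{suffix}"


def parse_secpoll_txt(txt: str) -> Tuple[int, str]:
    """Parse '<status> <message>' TXT content into (status, message).

    Only statuses 1, 2 and 3 are valid answers; anything else is malformed.
    """
    m = re.fullmatch(r"\s*([123])(?:\s+(.*))?\s*", txt, re.DOTALL)
    if not m:
        raise ValueError(f"malformed security-status TXT: {txt!r}")
    return int(m.group(1)), (m.group(2) or "").strip()


def next_security_status(previous: int, answer: Optional[str]) -> int:
    """Apply the transition rules from the announcement.

    answer is the TXT string, or None for NXDOMAIN / resolution failure.
    On failure a status of 1 degrades to 0 ("no data"); a status of 2 or 3
    is kept so that 0 can never mask a known problem. A valid answer always
    wins, which is also what lets the status be lowered later.
    """
    if answer is None:
        return 0 if previous <= 1 else previous
    try:
        status, _ = parse_secpoll_txt(answer)
    except ValueError:
        # Assumption of this example: garbage is treated like a failure.
        return 0 if previous <= 1 else previous
    return status


def poll_once(previous: int, qname: str,
              resolve: Callable[[str], Optional[str]]) -> int:
    """One polling round: resolve, update the metric, log at Error for 2/3."""
    try:
        answer = resolve(qname)
    except Exception:  # timeouts, SERVFAIL and friends count as "no data"
        answer = None
    status = next_security_status(previous, answer)
    if status >= 2:
        log.error("PowerDNS security status %d for %s: %s",
                  status, qname, answer)
    return status


# Constructed sample zone standing in for secpoll.powerdns.com (not real data).
CONSTRUCTED_ZONE = {
    "auth-3.6.0.security-status.secpoll.powerdns.com":
        "3 Upgrade mandatory for security reasons, see http://powerdns.com/..",
    "auth-3.6.1.security-status.secpoll.powerdns.com": "1 Ok",
    # Debian namespace: -1 is still affected, -2 carries the backported fix.
    "auth-3.6.0-1.debian.security-status.secpoll.powerdns.com":
        "3 Upgrade mandatory for security reasons, see http://powerdns.com/..",
    "auth-3.6.0-2.debian.security-status.secpoll.powerdns.com": "1 Ok",
}


def constructed_resolve(qname: str) -> Optional[str]:
    """Stand-in resolver over the constructed zone; None models NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(qname)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    status = 1
    for q in [secpoll_qname("auth", "3.6.0"),
              secpoll_qname("auth", "3.6.0", package_version="3.6.0-2.debian"),
              secpoll_qname("auth", "9.9.9")]:  # unknown version -> NXDOMAIN
        status = poll_once(status, q, constructed_resolve)
        print(f"{q} -> security-status={status}")
```

Run stand-alone, the three polls walk the metric 1 -> 3 -> 1 -> 0: the
mandatory-upgrade answer raises it, the fixed Debian package release lowers it
again, and an unknown version (NXDOMAIN) only drops it to "no data" because the
previous value was 1. Swap constructed_resolve for a real TXT lookup against
your own security-poll-suffix to drive a monitoring check from the same logic.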
Delegation
If a distribution wants to host its own file with version information, we
can delegate dist.security-status.secpoll.powerdns.com to their nameservers
directly.