[Pdns-users] New: PowerDNS Security Status Polling
bert.hubert at netherlabs.nl
Wed Oct 22 19:38:38 UTC 2014
PowerDNS software sadly sometimes has critical security bugs. Even though we
send out notifications of these via all channels available, our recent
security releases have taught us that not everybody actually finds out about
important security updates via our mailing lists, Facebook and Twitter.
To solve this, the development versions of PowerDNS software have been
updated to poll for security notifications over DNS, and log these
periodically. Secondly, the security status of the software is available for
monitoring using the built-in metrics. This allows operators to poll for the
PowerDNS security status and alert on it.
In the implementation of this idea, we have taken the unique role of
operating system distributors into account. Specifically, we can deal with
backported security fixes.
This feature can easily be disabled, and operators can also point the
queries point at their own status service.
In this post, we want to inform you that the most recent snapshots of
PowerDNS now include security polling, and we want to solicit your rapid
feedback before this feature becomes part of the next PowerDNS releases.
PowerDNS software periodically tries to resolve
Ã¢ÂÂrecursor-x.y.z.security-status.secpoll.powerdns.com|TXTÃ¢ÂÂ (if the
security-poll-suffix setting is left at the default of
secpoll.powerdns.com). No other data is included in the request.
The data returned is in one of the following forms:
* NXDOMAIN or resolution failure
* Ã¢ÂÂ1 OkÃ¢ÂÂ -> security-status=1
* Ã¢ÂÂ2 Upgrade recommended for security reasons, see http://powerdns.com/..Ã¢ÂÂ ->
* Ã¢ÂÂ3 Upgrade mandatory for security reasons, see http://powerdns.com/..Ã¢ÂÂ ->
In cases 2 or 3, periodic logging commences at syslog level Ã¢ÂÂErrorÃ¢ÂÂ. The
metric security-status is set to 2 or 3 respectively. The security status
could be lowered however if we discover the issue is less urgent than we
If resolution fails, and the previous security-status was 1, the new
security-status becomes 0 (Ã¢ÂÂno dataÃ¢ÂÂ). If the security-status was higher
than 1, it will remain that way, and not get set to 0. In this way,
security-status of 0 really means Ã¢ÂÂno dataÃ¢ÂÂ, and can not mask a known
Distributions frequently backport security fixes to the PowerDNS versions
they ship. This might lead to a version number that is known to us to be
insecure to be secure in reality.
To solve this issue, PowerDNS can be compiled with a distribution setting
which will move the security polls from:
Note two things, one, there is a separate namespace for debian, and
secondly, we use the package version of this release. This allows us to know
that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not.
Details and how to disable
The configuration setting Ã¢ÂÂsecurity-poll-suffixÃ¢ÂÂ is by default set to
Ã¢ÂÂsecpoll.powerdns.comÃ¢ÂÂ. If empty, nothing is polled. This can be moved to
Ã¢ÂÂsecpoll.yourorganization.comÃ¢ÂÂ. Our up to date secpoll zonefile is available
on github for this purpose.
If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to
If a distribution wants to host its own file with version information, we
can delegate dist.security-status.secpoll.powerdns.com to their nameservers
More information about the Pdns-users