[Pdns-users] New: PowerDNS Security Status Polling

Ciro Iriarte cyruspy at gmail.com
Mon Oct 27 02:52:57 UTC 2014


2014-10-22 16:38 GMT-03:00 bert hubert <bert.hubert at netherlabs.nl>:
> Hi everybody,
>
> PowerDNS software sadly sometimes has critical security bugs. Even though we
> send out notifications of these via all channels available, our recent
> security releases have taught us that not everybody actually finds out about
> important security updates via our mailing lists, Facebook and Twitter.
>
> To solve this, the development versions of PowerDNS software have been
> updated to poll for security notifications over DNS, and log these
> periodically. Secondly, the security status of the software is available for
> monitoring using the built-in metrics. This allows operators to poll for the
> PowerDNS security status and alert on it.
>
> In the implementation of this idea, we have taken the unique role of
> operating system distributors into account. Specifically, we can deal with
> backported security fixes.
>
> This feature can easily be disabled, and operators can also point the
> queries point at their own status service.
>
> In this post, we want to inform you that the most recent snapshots of
> PowerDNS now include security polling, and we want to solicit your rapid
> feedback before this feature becomes part of the next PowerDNS releases.
>
> Implementation
>
> PowerDNS software periodically tries to resolve
> ‘auth-x.y.z.security-status.secpoll.powerdns.com|TXT’ or
> ‘recursor-x.y.z.security-status.secpoll.powerdns.com|TXT’ (if the
> security-poll-suffix setting is left at the default of
> secpoll.powerdns.com). No other data is included in the request.
>
> The data returned is in one of the following forms:
>
>  * NXDOMAIN or resolution failure
>  * “1 Ok” -> security-status=1
>  * “2 Upgrade recommended for security reasons, see http://powerdns.com/..” ->
>    security-status=2
>  * “3 Upgrade mandatory for security reasons, see http://powerdns.com/..” ->
>    security-status=3
>
> In cases 2 or 3, periodic logging commences at syslog level ‘Error’. The
> metric security-status is set to 2 or 3 respectively. The security status
> could be lowered however if we discover the issue is less urgent than we
> thought.
>
> If resolution fails, and the previous security-status was 1, the new
> security-status becomes 0 (‘no data’). If the security-status was higher
> than 1, it will remain that way, and not get set to 0. In this way,
> security-status of 0 really means ‘no data’, and can not mask a known
> problem.
>
> Distributions
>
> Distributions frequently backport security fixes to the PowerDNS versions
> they ship. This might lead to a version number that is known to us to be
> insecure to be secure in reality.
>
> To solve this issue, PowerDNS can be compiled with a distribution setting
> which will move the security polls from:
> ‘auth-x.y.z.security-status.secpoll.powerdns.com’ to
> ‘auth-x.y.z-n.debian.security-status.secpoll.powerdns.com
>
> Note two things, one, there is a separate namespace for debian, and
> secondly, we use the package version of this release. This allows us to know
> that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not.
>
> Details and how to disable
>
> The configuration setting ‘security-poll-suffix’ is by default set to
> ‘secpoll.powerdns.com’. If empty, nothing is polled. This can be moved to
> ‘secpoll.yourorganization.com’. Our up to date secpoll zonefile is available
> on github for this purpose.
>
> If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to
> “auth-3.1.6-abcde.debian.security-status.security-poll-suffix”.
>
> Delegation
>
> If a distribution wants to host its own file with version information, we
> can delegate dist.security-status.secpoll.powerdns.com to their nameservers
> directly.
>
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users

I like it, having the possibility to disable polling is good too.

Regards,

-- 
Ciro Iriarte
http://iriarte.it
--




More information about the Pdns-users mailing list