PowerDNS Security Status Polling
PowerDNS software sadly sometimes has critical security bugs. Even though we send out notifications of these via all channels available, our recent security releases have taught us that not everybody actually finds out about important security updates via our mailing lists, Facebook and Twitter.
To solve this, the development versions of PowerDNS software have been updated to poll for security notifications over DNS, and log these periodically. Secondly, the security status of the software is available for monitoring using the built-in metrics. This allows operators to poll for the PowerDNS security status and alert on it.
In the implementation of this idea, we have taken the unique role of operating system distributors into account. Specifically, we can deal with backported security fixes.
This feature can easily be disabled, and operators can also point the queries at their own status service.
In this post, we want to inform you that the most recent snapshots of PowerDNS now include security polling, and we want to solicit your rapid feedback before this feature becomes part of the next PowerDNS releases.
PowerDNS software periodically tries to resolve ‘auth-x.y.z.security-status.secpoll.powerdns.com|TXT’ or ‘recursor-x.y.z.security-status.secpoll.powerdns.com|TXT’ (if the security-poll-suffix setting is left at the default of secpoll.powerdns.com). No other data is included in the request.
The data returned is in one of the following forms:
- NXDOMAIN or resolution failure
- “1 Ok” -> security-status=1
- “2 Upgrade recommended for security reasons, see http://powerdns.com/..” -> security-status=2
- “3 Upgrade mandatory for security reasons, see http://powerdns.com/..” -> security-status=3
In cases 2 or 3, periodic logging commences at syslog level ‘Error’. The metric security-status is set to 2 or 3 respectively. The security status could, however, be lowered again if we discover the issue is less urgent than we thought.
If resolution fails, and the previous security-status was 1, the new security-status becomes 0 (‘no data’). If the security-status was higher than 1, it will remain that way, and not get set to 0. In this way, security-status of 0 really means ‘no data’, and can not mask a known problem.
Distributions frequently backport security fixes to the PowerDNS versions they ship. As a result, a version number that we know to be insecure may in reality be secure.
To solve this issue, PowerDNS can be compiled with a distribution setting which will move the security polls from ‘auth-x.y.z.security-status.secpoll.powerdns.com’ to ‘auth-x.y.z-n.debian.security-status.secpoll.powerdns.com’.
Note two things: first, there is a separate namespace for Debian, and second, we use the package version of this release. This allows us to know that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not.
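The following is an added example, not code from PowerDNS itself. It models the behaviour described above: building the query name (upstream or distribution package version, configurable suffix), mapping a TXT answer to a security-status value, and applying the rule that a failed lookup can only lower status 1 to 0 and never masks a known 2 or 3. The sample answers are a constructed stand-in for the real secpoll zone, and the function names are assumptions.

```python
from typing import Callable, Optional, Tuple

DEFAULT_SUFFIX = "secpoll.powerdns.com"  # the default security-poll-suffix


def secpoll_qname(product: str, version: str, suffix: str = DEFAULT_SUFFIX) -> Optional[str]:
    """Return the TXT name to query, or None when polling is disabled (empty suffix).

    product is "auth" or "recursor"; version is either the upstream version
    (e.g. "3.6.0") or a distribution package version such as "3.6.0-1.debian",
    which lands in the distribution's own namespace.
    """
    if not suffix:
        return None
    return f"{product}-{version}.security-status.{suffix}"


def parse_secpoll_txt(txt: Optional[str]) -> Tuple[int, str]:
    """Map a TXT answer to (status, message).

    None stands for NXDOMAIN or any resolution failure and yields status 0 ('no data').
    """
    if txt is None:
        return 0, "no data"
    head, _, rest = txt.strip().partition(" ")
    if head not in ("1", "2", "3"):
        raise ValueError(f"unexpected secpoll answer: {txt!r}")
    return int(head), rest


def update_security_status(previous: int, txt: Optional[str]) -> int:
    """Apply the sticky rule: 'no data' only replaces a previous 1 (or 0), never a 2 or 3."""
    status, _ = parse_secpoll_txt(txt)
    if status == 0:
        return 0 if previous <= 1 else previous
    return status


def log_line(txt: Optional[str]) -> Optional[str]:
    """Return the periodic syslog 'Error' message for status 2 or 3, else None."""
    status, message = parse_secpoll_txt(txt)
    if status >= 2:
        return f"Error: security status {status}: {message}"
    return None


# Constructed sample zone content (hypothetical, not real secpoll data).
SAMPLE_ZONE = {
    "auth-3.6.0.security-status.secpoll.powerdns.com": "1 Ok",
    "auth-3.6.0-1.debian.security-status.secpoll.powerdns.com":
        "3 Upgrade mandatory for security reasons, see http://powerdns.com/..",
    "auth-3.6.0-2.debian.security-status.secpoll.powerdns.com": "1 Ok",
}


def poll_once(product: str, version: str, previous: int,
              lookup: Callable[[str], Optional[str]], suffix: str = DEFAULT_SUFFIX) -> int:
    """One polling round: resolve the name via `lookup` and return the new security-status."""
    qname = secpoll_qname(product, version, suffix)
    if qname is None:          # polling disabled: leave the status untouched
        return previous
    return update_security_status(previous, lookup(qname))


if __name__ == "__main__":
    resolve = SAMPLE_ZONE.get    # stand-in for a real DNS TXT lookup; None means NXDOMAIN
    status = 1
    for version in ("3.6.0-1.debian", "3.6.0-9.debian"):
        status = poll_once("auth", version, status, resolve)
        print(version, "->", status)
```

The second loop iteration in the usage block queries a name the sample zone does not know, which simulates NXDOMAIN: the status stays at 3 rather than dropping to 0, which is exactly what keeps a 'no data' reading from hiding a mandatory upgrade.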
Details and how to disable
The configuration setting ‘security-poll-suffix’ is by default set to ‘secpoll.powerdns.com’. If empty, nothing is polled. This can be moved to ‘secpoll.yourorganization.com’. Our up-to-date secpoll zonefile is available on GitHub for this purpose.
If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to “auth-3.1.6-abcde.debian.security-status.security-poll-suffix”.
If a distribution wants to host its own file with version information, we can delegate dist.security-status.secpoll.powerdns.com to their nameservers directly.