PowerDNS Security Status Polling

PowerDNS software sadly sometimes has critical security bugs. Even though we send out notifications of these via all channels available, our recent security releases have taught us that not everybody actually finds out about important security updates via our mailing lists, Facebook and Twitter.

To solve this, the development versions of PowerDNS software have been updated to poll for security notifications over DNS, and to log these periodically. Secondly, the security status of the software is exposed for monitoring through the built-in metrics. This allows operators to poll for the PowerDNS security status and alert on it.

In the implementation of this idea, we have taken the unique role of operating system distributors into account. Specifically, we can deal with backported security fixes.

This feature can easily be disabled, and operators can also point the queries at their own status service.

In this post, we want to inform you that the most recent snapshots of PowerDNS now include security polling, and we want to solicit your rapid feedback before this feature becomes part of the next PowerDNS releases.

Implementation

PowerDNS software periodically tries to resolve ‘auth-x.y.z.security-status.secpoll.powerdns.com|TXT’ or ‘recursor-x.y.z.security-status.secpoll.powerdns.com|TXT’ (if the security-poll-suffix setting is left at the default of secpoll.powerdns.com). No other data is included in the request.

The data returned is in one of the following forms:

  • NXDOMAIN or resolution failure
  • “1 Ok” -> security-status=1
  • “2 Upgrade recommended for security reasons, see http://powerdns.com/..” -> security-status=2
  • “3 Upgrade mandatory for security reasons, see http://powerdns.com/..” -> security-status=3

In cases 2 or 3, periodic logging commences at syslog level ‘Error’. The metric security-status is set to 2 or 3 respectively. The security status can also be lowered again if we discover the issue is less urgent than we thought.

If resolution fails, and the previous security-status was 1, the new security-status becomes 0 (‘no data’). If the security-status was higher than 1, it will remain that way, and not get set to 0. In this way, security-status of 0 really means ‘no data’, and can not mask a known problem.

Distributions

Distributions frequently backport security fixes to the PowerDNS versions they ship. This can mean that a version number we know to be insecure is in fact secure as packaged by the distribution.

To solve this issue, PowerDNS can be compiled with a distribution setting which will move the security polls from ‘auth-x.y.z.security-status.secpoll.powerdns.com’ to ‘auth-x.y.z-n.debian.security-status.secpoll.powerdns.com’.

Note two things: first, there is a separate namespace for debian, and secondly, we use the package version of the release rather than the upstream version. This allows us to know that 3.6.0-1 (say) is insecure, but that 3.6.0-2 is not.

Details and how to disable

The configuration setting ‘security-poll-suffix’ is by default set to ‘secpoll.powerdns.com’. If empty, nothing is polled. This can be changed to ‘secpoll.yourorganization.com’ to poll a status service of your own. Our up-to-date secpoll zonefile is available on github for this purpose.

If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to “auth-3.1.6-abcde.debian.security-status.security-poll-suffix”.
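The query-name construction from the Implementation and Distributions sections, together with the status rules (failed lookup lowers 1 to 0 but never masks a 2 or 3), as an added example in Python; this is not PowerDNS' own code, and the zone contents, version numbers and the poll() helper are constructed for illustration:

```python
from typing import Optional, Tuple

def secpoll_qname(product: str, version: str, suffix: str = "secpoll.powerdns.com") -> str:
    """Build the TXT query name, e.g. auth-3.6.0.security-status.secpoll.powerdns.com.
    A distribution build passes its package version (e.g. '3.1.6-abcde.debian'),
    which lands in the distribution's own namespace under security-status."""
    return f"{product}-{version}.security-status.{suffix}"

def parse_status(txt: str) -> Tuple[int, str]:
    """Parse a '<status> <message>' TXT answer; the leading integer is the status."""
    code, _, message = txt.strip().partition(" ")
    status = int(code)
    if status not in (1, 2, 3):
        raise ValueError(f"unexpected security status: {txt!r}")
    return status, message

def next_status(previous: int, answer: Optional[str]) -> int:
    """Apply the rule from the post: a failed lookup (None = NXDOMAIN or error)
    lowers the status to 0 ('no data') only when the previous status was 1;
    a known problem (2 or 3) stays until a successful poll says otherwise."""
    if answer is None:
        return 0 if previous == 1 else previous
    status, _ = parse_status(answer)
    return status

# Constructed sample answers standing in for the real zone (not real data).
SAMPLE_ZONE = {
    "auth-3.6.0.security-status.secpoll.powerdns.com": "1 Ok",
    "auth-3.5.0.security-status.secpoll.powerdns.com":
        "3 Upgrade mandatory for security reasons, see http://powerdns.com/..",
    "auth-3.5.0-2.debian.security-status.secpoll.powerdns.com": "1 Ok",
}

def poll(product, version, previous, suffix="secpoll.powerdns.com", zone=SAMPLE_ZONE):
    """One poll cycle against the constructed zone; returns the new security-status."""
    answer = zone.get(secpoll_qname(product, version, suffix))  # None == NXDOMAIN
    new = next_status(previous, answer)
    if new >= 2:
        print(f"ERROR: PowerDNS security-status {new}: {answer}")  # mirrors syslog 'Error'
    return new

if __name__ == "__main__":
    print(poll("auth", "3.5.0", 1))           # 3: upstream version known insecure
    print(poll("auth", "3.5.0-2.debian", 1))  # 1: backported fix, separate namespace
    print(poll("auth", "3.9.9", 1))           # 0: no data, previous was 1
    print(poll("auth", "3.9.9", 3))           # 3: failure must not mask a known problem
```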

Delegation

If a distribution wants to host its own file with version information, we can delegate dist.security-status.secpoll.powerdns.com to their nameservers directly.
