Invalid DNSSEC signatures on empty responses to mixed-case queries
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Power DNS | Fix Released | Unknown | | |
| pdns (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Xenial | Triaged | Undecided | Unassigned | |
| Zesty | New | Undecided | Unassigned | |
Bug Description
In PowerDNS 4.0.3 and earlier, when signing an empty response, PowerDNS, operating as an authoritative resolver, would sign based on the mixed-case input, rather than downcasing before signing. This would lead any mixed-case query by a DNSSEC-validating recursive resolver to get a validation failure. Mixed-case queries are a common security measure to avoid DNS poisoning attacks (https:/
This bug went unnoticed for a long time because, for A records, if the response is empty, it doesn't matter whether you get a validation failure or an empty response; you can't resolve either way. However, when a certificate authority validates CAA records (https:/
Starting September 8, all public certificate authorities will be required by the CA/Browser Forum to check CAA before issuance.
The bug has been fixed in PowerDNS 4.0.4, and PowerDNS 4.0.4 is shipped in Ubuntu development (Artful Aardvark). Here's the fix: https:/
[Impact]
After September 8, any domain names whose authoritative resolver is a version of PowerDNS with this bug will be unable to issue or renew Let's Encrypt certificates (and most likely certificates from other CAs), because the responses to CAA queries will fail to validate.
This thread also provides some context about the impact: https:/
[Test Case]
Set up a DNSSEC-signed zone running PowerDNS as the authoritative resolver. Then attempt to look up any empty resource record set (e.g. TXT or CAA) using a recursive resolver that validates DNSSEC and uses mixed-case queries (DNS 0x20). https:/
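The failure described in the bug description and exercised by the test case above comes down to name canonicalization: a DNSSEC validator lowercases the owner name (RFC 4034 section 6.2 canonical form) before checking an RRSIG, so a signer that signs the query name exactly as received (mixed case) produces a signature the validator cannot reproduce. The following is an added illustration, not PowerDNS code or a real RRSIG implementation: it uses an HMAC over a toy serialisation as a stand-in for the zone signature, a constructed zone key and NSEC record, and hypothetical function names (`sign_rrset`, `validate`, `nodata_response`, `resolver_validates`). The `canonicalize=False` path models the 4.0.3 behaviour; `canonicalize=True` models the fix.

```python
import hashlib
import hmac

# Constructed key: stands in for the zone's private signing key.
ZONE_KEY = b"constructed-zone-signing-key"


def canonical_owner(name: str) -> str:
    """Canonical form of an owner name as a validator computes it
    (RFC 4034 section 6.2): fully qualified, ASCII letters lowercased."""
    if not name.endswith("."):
        name += "."
    return name.lower()


def wire_rrset(owner: str, rtype: str, rdata: tuple) -> bytes:
    """Toy serialisation of an RRset used as signing input. Real DNSSEC signs
    the canonical wire format of the RRset; this stand-in only needs to show
    that the owner name is part of what gets signed."""
    return "|".join([owner, rtype, *rdata]).encode()


def sign_rrset(owner: str, rtype: str, rdata: tuple, canonicalize: bool = True) -> str:
    """Toy 'RRSIG' over the RRset. canonicalize=False reproduces the reported
    bug: the mixed-case query name is signed exactly as it arrived."""
    name = canonical_owner(owner) if canonicalize else owner
    return hmac.new(ZONE_KEY, wire_rrset(name, rtype, rdata), hashlib.sha256).hexdigest()


def validate(owner: str, rtype: str, rdata: tuple, signature: str) -> bool:
    """A validating resolver always canonicalizes before verifying, regardless
    of the case it used in the query (DNS 0x20 randomises that case)."""
    expected = hmac.new(
        ZONE_KEY, wire_rrset(canonical_owner(owner), rtype, rdata), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, signature)


def nodata_response(qname: str, fixed: bool) -> dict:
    """Simulate the authoritative server answering an empty (NODATA) response
    for e.g. CAA or TXT: it synthesises the NSEC proving the type is absent at
    qname and signs it. Constructed NSEC rdata for a constructed zone."""
    nsec_rdata = ("next.example.com.", "A NS SOA RRSIG NSEC DNSKEY")
    sig = sign_rrset(qname, "NSEC", nsec_rdata, canonicalize=fixed)
    return {"owner": qname, "type": "NSEC", "rdata": nsec_rdata, "rrsig": sig}


def resolver_validates(qname: str, fixed: bool) -> bool:
    """Return whether a DNSSEC-validating resolver accepts the empty response
    it gets back for qname from a server with (fixed=True) or without the fix."""
    r = nodata_response(qname, fixed)
    return validate(r["owner"], r["type"], r["rdata"], r["rrsig"])


if __name__ == "__main__":
    for qname in ("example.com.", "eXaMpLe.CoM."):
        for fixed in (False, True):
            print(f"{qname:14} fixed={fixed!s:5} validates={resolver_validates(qname, fixed)}")
```

Run stand-alone, the all-lowercase query validates against both signers, which is why plain `dig` without 0x20 never shows the problem; the mixed-case query validates only against the canonicalizing signer, matching the report that every 0x20 query for an empty RRset fails validation. The same split is what the [Test Case] section observes with a real validating recursor against an affected PowerDNS.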
[Regression Potential]
If a regression manifests, it would most likely manifest in responses for DNSSEC zones that fail to validate in unusual ways, or in failed responses to mixed-case queries.
Changed in pdns (Ubuntu):
status: New → Fix Released
Changed in pdns:
status: Unknown → Fix Released
When 16.04 LTS was released, PowerDNS had not yet reached a full 4.0.0 release; a pre-release version was included into xenial with the understanding that at some point an update would be made to a point release. I filed bug 1652392 to suggest that this should happen but of course have not found time myself to prepare packages for testing.
So I suggest rather than backporting this specific fix we should instead focus on updating 16.04 LTS to include an actual released version of PowerDNS.
Thanks