Upstream says this bug was fixed in 4.0.4. Zesty is on 4.0.3-1, so this bug presumably also affects Zesty (17.04)?
** Also affects: pdns (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: pdns (Ubuntu)
       Status: New => Fix Released

** Changed in: pdns (Ubuntu Xenial)
       Status: New => Triaged

** Also affects: pdns (Ubuntu Zesty)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1705766

Title:
  Invalid DNSSEC signatures on empty responses to mixed-case queries

Status in Power DNS:
  Fix Released
Status in pdns package in Ubuntu:
  Fix Released
Status in pdns source package in Xenial:
  Triaged
Status in pdns source package in Zesty:
  New

Bug description:
  In PowerDNS 4.0.3 and earlier, when signing an empty response, PowerDNS, operating as an authoritative resolver, would sign based on the mixed-case input, rather than downcasing before signing. This would lead any mixed-case query by a DNSSEC-validating recursive resolver to get a validation failure. Mixed-case queries are a common security measure to avoid DNS poisoning attacks (https://dyn.com/blog/use-of-bit-0x20-in-dns-labels/).

  This bug went unnoticed for a long time because, for A records, if the response is empty, it doesn't matter whether you get a validation failure or an empty response; you can't resolve either way. However, when a certificate authority validates CAA records (https://tools.ietf.org/html/rfc6844), an empty response is important and meaningful: it means that there is no record restricting issuance, so issuance is okay. Starting September 8, all public certificate authorities will be required by the CA/Browser Forum to check CAA before issuance.

  The bug has been fixed in PowerDNS 4.0.4, and PowerDNS 4.0.4 is shipped in Ubuntu development (Artful Aardvark).

  Here's the fix: https://github.com/PowerDNS/pdns/pull/5377, and the backport from git master into the 4.0.x release series (which includes some unrelated fixes): https://github.com/PowerDNS/pdns/pull/5378.

  [Impact]
  After September 8, any domain names whose authoritative resolver is a version of PowerDNS with this bug will be unable to issue or renew Let's Encrypt certificates (and most likely certificates from other CAs), because the responses to CAA queries will fail to validate. This thread also provides some context about the impact: https://community.letsencrypt.org/t/caa-servfail-changes/38298/2.

  [Test Case]
  Set up a DNSSEC-signed zone running PowerDNS as the authoritative resolver. Then attempt to look up any empty resource record set (e.g. TXT or CAA) using a recursive resolver that validates DNSSEC and uses mixed-case queries (DNS 0x20). https://unboundtest.com/ provides a convenient interface to query such a recursive resolver.

  [Regression Potential]
  If a regression manifests, it would most likely manifest in responses for DNSSEC zones that fail to validate in unusual ways, or in failed responses to mixed-case queries.
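The signing mistake the bug report describes, modelled as an added example (not code from PowerDNS or from the bug report): it assumes an HMAC as a stand-in for the zone's RRSIG signature and a constructed NSEC RDATA, and shows that a signature computed over the query name as received verifies only for all-lowercase queries, while one computed over the RFC 4034 canonical (lowercased) owner name verifies whatever case the 0x20-randomising resolver used.

```python
import hashlib
import hmac
import struct

NSEC = 47                      # type of the record proving a name has no CAA/TXT RRset
KEY = b"constructed-demo-key"  # stand-in for the zone's private key (HMAC, not RSA/ECDSA)


def wire_name(name: str) -> bytes:
    """Uncompressed wire format: length-prefixed labels ending with the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def canonical_wire_name(name: str) -> bytes:
    """RFC 4034 section 6.2: uppercase US-ASCII letters in the owner name become lowercase."""
    return wire_name(name.lower())


def signing_input(owner: bytes, rrtype: int, ttl: int, rdata: bytes) -> bytes:
    """Per-RR bytes an RRSIG covers: owner | type | class IN | original TTL | RDLENGTH | RDATA."""
    return owner + struct.pack("!HHIH", rrtype, 1, ttl, len(rdata)) + rdata


def sign(owner: bytes, rdata: bytes) -> bytes:
    return hmac.new(KEY, signing_input(owner, NSEC, 3600, rdata), hashlib.sha256).digest()


def authoritative_sign(qname: str, rdata: bytes, downcase: bool) -> bytes:
    """Server side. downcase=False models PowerDNS <= 4.0.3 signing over the name as queried."""
    owner = canonical_wire_name(qname) if downcase else wire_name(qname)
    return sign(owner, rdata)


def validator_accepts(qname: str, rdata: bytes, sig: bytes) -> bool:
    """Validating resolver side: always verifies over the canonical (lowercased) owner name."""
    return hmac.compare_digest(sign(canonical_wire_name(qname), rdata), sig)


# Constructed NSEC RDATA (next owner name + a type bitmap); its exact contents are not the point.
NSEC_RDATA = wire_name("next.example.org.") + b"\x00\x01\x40"


def validation_outcome(qname: str, downcase: bool) -> bool:
    """True when the validator accepts the server's signature for this query name."""
    sig = authoritative_sign(qname, NSEC_RDATA, downcase)
    return validator_accepts(qname, NSEC_RDATA, sig)


if __name__ == "__main__":
    for q in ("www.example.org.", "wWw.eXaMpLe.OrG."):
        print(f"{q:18} buggy={validation_outcome(q, False)} fixed={validation_outcome(q, True)}")
```

Only the mixed-case query with the buggy server fails to validate, which is exactly why the issue stayed hidden behind all-lowercase queries and behind lookups where an empty answer and a SERVFAIL are indistinguishable.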