Upstream says this bug was fixed in 4.0.4. Zesty is on 4.0.3-1, so this
bug presumably also affects Zesty (17.04)?
** Also affects: pdns (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: pdns (Ubuntu)
Status: New => Fix Released
** Changed in: pdns (Ubuntu Xenial)
Status: New => Triaged
** Also affects: pdns (Ubuntu Zesty)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1705766
Title:
Invalid DNSSEC signatures on empty responses to mixed-case queries
Status in Power DNS:
Fix Released
Status in pdns package in Ubuntu:
Fix Released
Status in pdns source package in Xenial:
Triaged
Status in pdns source package in Zesty:
New
Bug description:
In PowerDNS 4.0.3 and earlier, when signing an empty response,
PowerDNS, operating as an authoritative resolver, would sign based on
the mixed-case input, rather than downcasing before signing. This
would lead any mixed-case query by a DNSSEC-validating recursive
resolver to get a validation failure. Mixed-case queries are a common
security measure to avoid DNS poisoning attacks (https://dyn.com/blog
/use-of-bit-0x20-in-dns-labels/).
This bug went unnoticed for a long time because, for A records, if the
response is empty, it doesn't matter whether you get a validation
failure or an empty response; you can't resolve either way. However,
when a certificate authority validates CAA records
(https://tools.ietf.org/html/rfc6844), an empty response is important
and meaningful: it means that there is no record restricting issuance,
so issuance is okay.
Starting September 8, all public certificate authorities will by
required by the CA/Browser Forum to check CAA before issuance.
The bug has been fixed in PowerDNS 4.0.4, and PowerDNS 4.0.4 is
shipped in Ubuntu development (Artful Aardvark). Here's the fix:
https://github.com/PowerDNS/pdns/pull/5377, and the backport from git
master into the 4.0.x release series (which includes some unrelated
fixes): https://github.com/PowerDNS/pdns/pull/5378.
[Impact]
After September 8, any domain names whose authoritative resolver is a
version of PowerDNS with this bug will be unable to issue or renew
Let's Encrypt certificates (and most likely certificates from other
CAs), because the responses to CAA queries will fail to validate.
This thread also provides some context about the impact:
https://community.letsencrypt.org/t/caa-servfail-changes/38298/2.
[Test Case]
Set up a DNSSEC-signed zone running PowerDNS as the authoritative
resolver. Then attempt to look up any empty resource record set (e.g.
TXT or CAA) using a recursive resolver that validates DNSSEC and uses
mixed-case queries (DNS 0x20). https://unboundtest.com/ provides a
convenient interface to query such a recursive resolver.
[Regression Potential]
If a regression manifests, it would most likely manifest in responses
for DNSSEC zones that fail to validate in unusual ways, or in failed
responses to mixed-case queries.
To manage notifications about this bug go to:
https://bugs.launchpad.net/pdns/+bug/1705766/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
