Public bug reported:

In PowerDNS 4.0.3 and earlier, when signing an empty response, PowerDNS,
operating as an authoritative resolver, would sign based on the mixed-
case input, rather than downcasing before signing. This would lead any
mixed-case query by a DNSSEC-validating recursive resolver to get a
validation failure. Mixed-case queries are a common security measure to
avoid DNS poisoning attacks (https://dyn.com/blog/use-of-bit-0x20-in-
dns-labels/).

This bug went unnoticed for a long time because, for A records, if the
response is empty, it doesn't matter whether you get a validation
failure or an empty response; you can't resolve either way. However,
when a certificate authority validates CAA records
(https://tools.ietf.org/html/rfc6844), an empty response is important
and meaningful: it means that there is no record restricting issuance,
so issuance is okay.
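The signing defect described above comes down to one missing canonicalisation step: RFC 4034 section 6.2 requires owner names to be downcased (in wire format) before the signature is computed, and a validating resolver always rebuilds that canonical form from the name it queried. The following is an added illustration, not PowerDNS code: it models the "sign what was received" behaviour next to the corrected "downcase then sign" behaviour, using a keyed SHA-256 as a stand-in for an RRSIG (a real signer uses an asymmetric key, but the canonicalisation logic is the same). The secret, the NSEC-style rdata and the query names are constructed for the demo.

```python
import hashlib

# Constructed stand-in for the zone's private key (demo only).
DEMO_SECRET = b"constructed-demo-zone-key"
NSEC = 47  # RR type carried in an empty (NODATA/NXDOMAIN) signed response
# Constructed NSEC-like rdata: next owner name plus a type bitmap.
DEMO_RDATA = b"\x07example\x03com\x00" + b"\x00\x06\x00\x00\x00\x00\x00\x03"


def wire_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels with a root terminator."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_name(name: str) -> bytes:
    """RFC 4034 s6.2 canonical form: owner name downcased, then wire-encoded."""
    return wire_name(name.lower())


def signed_data(owner_wire: bytes, rrtype: int, rdata: bytes) -> bytes:
    """The portion of an RR that is covered by the signature (simplified)."""
    return owner_wire + rrtype.to_bytes(2, "big") + len(rdata).to_bytes(2, "big") + rdata


def sign(data: bytes) -> str:
    """Stand-in for producing an RRSIG over canonical data (keyed SHA-256)."""
    return hashlib.sha256(DEMO_SECRET + data).hexdigest()


def sign_empty_response_buggy(query_name: str, rrtype: int, rdata: bytes) -> str:
    """Models the pre-4.0.4 behaviour from the report: the owner name is taken
    from the query exactly as received, mixed case included."""
    return sign(signed_data(wire_name(query_name), rrtype, rdata))


def sign_empty_response_fixed(query_name: str, rrtype: int, rdata: bytes) -> str:
    """Corrected behaviour: downcase the owner name before signing."""
    return sign(signed_data(canonical_name(query_name), rrtype, rdata))


def validate(signature: str, query_name: str, rrtype: int, rdata: bytes) -> bool:
    """A DNSSEC-validating resolver always rebuilds the canonical form, so the
    case it used in its 0x20-randomised query must not matter."""
    return signature == sign(signed_data(canonical_name(query_name), rrtype, rdata))


def demo(query_name: str = "eXaMpLe.CoM") -> dict:
    """Validate the buggy and the fixed signature for a mixed-case query."""
    buggy = sign_empty_response_buggy(query_name, NSEC, DEMO_RDATA)
    fixed = sign_empty_response_fixed(query_name, NSEC, DEMO_RDATA)
    return {
        "buggy_validates": validate(buggy, query_name, NSEC, DEMO_RDATA),
        "fixed_validates": validate(fixed, query_name, NSEC, DEMO_RDATA),
    }


if __name__ == "__main__":
    for q in ("example.com", "eXaMpLe.CoM"):
        print(q, demo(q))
```

For an all-lowercase query both signers agree, which is why the defect stays hidden until a 0x20-randomising validator asks for an empty RRset such as CAA; for the mixed-case query only the downcased signature validates.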

Starting September 8, all public certificate authorities will be
required by the CA/Browser Forum to check CAA before issuance.

The bug has been fixed in PowerDNS 4.0.4, and PowerDNS 4.0.4 is shipped
in Ubuntu development (Artful Aardvark). Here's the fix:
https://github.com/PowerDNS/pdns/pull/5377, and the backport from git
master into the 4.0.x release series (which includes some unrelated
fixes): https://github.com/PowerDNS/pdns/pull/5378.

[Impact]

After September 8, any domain names whose authoritative resolver is a
version of PowerDNS with this bug will be unable to issue or renew Let's
Encrypt certificates (and most likely certificates from other CAs),
because the responses to CAA queries will fail to validate.

This thread also provides some context about the impact:
https://community.letsencrypt.org/t/caa-servfail-changes/38298/2.

[Test Case]

Set up a DNSSEC-signed zone running PowerDNS as the authoritative
resolver. Then attempt to look up any empty resource record set (e.g.
TXT or CAA) using a recursive resolver that validates DNSSEC and uses
mixed-case queries (DNS 0x20). https://unboundtest.com/ provides a
convenient interface to query such a recursive resolver.

[Regression Potential]

If a regression manifests, it would most likely manifest in responses
for DNSSEC zones that fail to validate in unusual ways, or in failed
responses to mixed-case queries.

** Affects: pdns (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Changed in: pdns (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1705766

Title:
  Invalid DNSSEC signatures on empty responses to mixed-case queries

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pdns/+bug/1705766/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
