group.of.nepali.translators team mailing list archive

[Bug 1705766] Re: Invalid DNSSEC signatures on empty responses to mixed-case queries

Upstream says this bug was fixed in 4.0.4. Zesty is on 4.0.3-1, so this
bug presumably also affects Zesty (17.04)?

** Also affects: pdns (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: pdns (Ubuntu)
       Status: New => Fix Released

** Changed in: pdns (Ubuntu Xenial)
       Status: New => Triaged

** Also affects: pdns (Ubuntu Zesty)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1705766

Title:
  Invalid DNSSEC signatures on empty responses to mixed-case queries

Status in Power DNS:
  Fix Released
Status in pdns package in Ubuntu:
  Fix Released
Status in pdns source package in Xenial:
  Triaged
Status in pdns source package in Zesty:
  New

Bug description:
  In PowerDNS 4.0.3 and earlier, when signing an empty response,
  PowerDNS, operating as an authoritative resolver, would sign based on
  the mixed-case input, rather than downcasing before signing. This
  would lead any mixed-case query by a DNSSEC-validating recursive
  resolver to get a validation failure. Mixed-case queries are a common
  security measure to avoid DNS poisoning attacks
  (https://dyn.com/blog/use-of-bit-0x20-in-dns-labels/).

  This bug went unnoticed for a long time because, for A records, if the
  response is empty, it doesn't matter whether you get a validation
  failure or an empty response; you can't resolve either way. However,
  when a certificate authority validates CAA records
  (https://tools.ietf.org/html/rfc6844), an empty response is important
  and meaningful: it means that there is no record restricting issuance,
  so issuance is okay.

  Starting September 8, all public certificate authorities will be
  required by the CA/Browser Forum to check CAA before issuance.

  The bug has been fixed in PowerDNS 4.0.4, and PowerDNS 4.0.4 is
  shipped in Ubuntu development (Artful Aardvark). Here's the fix:
  https://github.com/PowerDNS/pdns/pull/5377, and the backport from git
  master into the 4.0.x release series (which includes some unrelated
  fixes): https://github.com/PowerDNS/pdns/pull/5378.

  [Impact]

  After September 8, any domain names whose authoritative resolver is a
  version of PowerDNS with this bug will be unable to issue or renew
  Let's Encrypt certificates (and most likely certificates from other
  CAs), because the responses to CAA queries will fail to validate.

  This thread also provides some context about the impact:
  https://community.letsencrypt.org/t/caa-servfail-changes/38298/2.

  [Test Case]

  Set up a DNSSEC-signed zone running PowerDNS as the authoritative
  resolver. Then attempt to look up any empty resource record set (e.g.
  TXT or CAA) using a recursive resolver that validates DNSSEC and uses
  mixed-case queries (DNS 0x20). https://unboundtest.com/ provides a
  convenient interface to query such a recursive resolver.

  [Regression Potential]

  If a regression manifests, it would most likely manifest in responses
  for DNSSEC zones that fail to validate in unusual ways, or in failed
  responses to mixed-case queries.

To manage notifications about this bug go to:
https://bugs.launchpad.net/pdns/+bug/1705766/+subscriptions
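The canonicalization step at the heart of this bug, as an added Python example that is not PowerDNS code: a keyed HMAC stands in for the real RRSIG private-key signature, and the demo key and the NSEC record proving the empty CAA answer are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key: stands in for the zone's RRSIG signing key.
DEMO_KEY = b"constructed-demo-key"


def wire_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def signed_data(owner: str, rrtype: str, rdata: bytes, canonicalize: bool) -> bytes:
    """Bytes covered by the signature: owner name, RR type and RDATA.
    RFC 4034 section 6.2 requires the owner name in canonical (lowercased)
    form; canonicalize=False mimics 4.0.3 signing the query's own case."""
    name = owner.lower() if canonicalize else owner
    return wire_name(name) + rrtype.encode("ascii") + rdata


def sign(owner: str, rrtype: str, rdata: bytes, canonicalize: bool = True) -> bytes:
    data = signed_data(owner, rrtype, rdata, canonicalize)
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def validate(owner: str, rrtype: str, rdata: bytes, signature: bytes) -> bool:
    """A validating resolver always canonicalizes the owner before checking."""
    expected = sign(owner, rrtype, rdata, canonicalize=True)
    return hmac.compare_digest(expected, signature)


def empty_caa_response(qname: str, fixed: bool) -> bool:
    """Answer a CAA query with an empty RRset proven by a constructed NSEC
    owned by the query name; sign it as 4.0.3 (fixed=False) or 4.0.4
    (fixed=True) would, and return whether a DNS 0x20 validator accepts it."""
    nsec_rdata = wire_name("a." + qname.lower()) + b"SOA RRSIG NSEC"  # constructed
    sig = sign(qname, "NSEC", nsec_rdata, canonicalize=fixed)
    return validate(qname, "NSEC", nsec_rdata, sig)


if __name__ == "__main__":
    for q in ("example.com", "ExAmPlE.cOm"):
        print(q, "4.0.3:", empty_caa_response(q, False), "4.0.4:", empty_caa_response(q, True))
```

The lowercase query validates under both versions, which is why the bug stayed hidden until 0x20-randomizing validators started caring about empty CAA answers.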