Maintained by: NLnet Labs

PowerDNS, empty responses, and use-caps-for-id

Jacob Hoffman-Andrews
Fri Jul 21 18:41:11 CEST 2017


(Renaming this branch of the thread to reflect the topic)

On 07/21/2017 09:12 AM, Markus Gutschke wrote:
> It's great to hear that PowerDNS found and fixed the bug.
> By default, [Xenial] ships with a version of PowerDNS that lags behind
> the official 4.0.x
> branch: https://packages.ubuntu.com/xenial/pdns-server. This is of
> course not uncommon for Linux distributions. And as far as I can tell,
> this particular version doesn't even have support for CAA, but I am
> not sure whether that would be a good or a bad thing in this
> particular situation.
Lack of support for CAA doesn't make a difference. A server that doesn't
understand CAA queries will respond with an empty NOERROR, the same as a
server that understands CAA queries but has no resource records of that
type. The problem comes in with the signing of the response.

> Personally, I could probably upgrade to a newer version of PowerDNS
> without too much hassle. But if every Ubuntu user needs to do that,
> that's going to require a lot of coordination. Has anybody tried
> getting Ubuntu to officially backport the bug fix into Xenial?
That's a very good idea. I don't think anyone has; would you like to
lead that effort? I could introduce you to the person who helps Certbot
maintain Ubuntu packages. He might have some ideas about the correct
process to follow.
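As an added example (not code from this thread, Let's Encrypt, or PowerDNS), a stdlib-only Python checker for the response shape discussed above: it parses a DNS reply to a CAA query, reports whether it is an empty NOERROR, and whether the authority section carries the NSEC/NSEC3 and RRSIG records a validating resolver needs to accept a signed negative answer. The two wire messages it classifies are constructed inside the block with dummy RDATA, not captured from any server.

```python
import struct
SOA, RRSIG, NSEC, NSEC3, CAA = 6, 46, 47, 50, 257   # IANA RR type codes

def _read_name(msg, off):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def classify_caa_response(msg):
    """Report rcode, whether the reply is an empty NOERROR (NODATA) and whether the
    authority section carries NSEC/NSEC3 plus RRSIG (signed denial of existence)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        off = _read_name(msg, off)[1] + 4         # name, then qtype + qclass
    authority = []
    for section, count in enumerate((an, ns)):    # 0 = answer, 1 = authority
        for _ in range(count):
            off = _read_name(msg, off)[1]
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if section == 1:
                authority.append(rtype)
    rcode = flags & 0xF
    return {"rcode": rcode, "empty_noerror": rcode == 0 and an == 0,
            "has_denial_proof": bool({NSEC, NSEC3} & set(authority)),
            "has_rrsig": RRSIG in authority}

def build_nodata_reply(signed):
    """Constructed sample (not a capture): an authoritative NOERROR reply to
    'example.com CAA' with no answer records; RDATA contents are dummy bytes."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in ["example", "com"]) + b"\x00"
    ptr = b"\xc0\x0c"                             # compression pointer to that name
    rr = lambda rtype, rdata: ptr + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    auth = rr(SOA, b"\x00" * 22)
    if signed:
        auth += rr(NSEC, b"\x00") + rr(RRSIG, b"\x00")
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 3 if signed else 1, 0)
    return hdr + name + struct.pack("!HH", CAA, 1) + auth
```

Both sample replies are NODATA for CAA; only the signed one carries the NSEC and RRSIG records that let a validating resolver distinguish a genuine "no CAA records" from a stripped or unsigned answer.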