--- /dev/null
+Frequently Asked Questions
+==========================
+
+This document lists categorized answers and questions with links to the relevant documentation.
+
+Replication
+-----------
+Please note that not all PowerDNS Server backends support master or slave support, see the :doc:`table of backends <../backends/index>`.
+
+My PowerDNS Authoritative Server does not send NOTIFY messages
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Don't forget to enable master-support by setting :ref:`setting-master` to ``yes`` in your configuration.
+In :ref:`master mode<master-operation>` PowerDNS Authoritative Server will send NOTIFYs to all nameservers that are listed as NS records in the zone by default.
+
+My PowerDNS Authoritative Server does not start AXFRs
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Don't forget to enable slave-support by setting :ref:`setting-slave` to ``yes`` in your configuration.
+In :ref:`slave mode<slave-operation>` PowerDNS Authoritative Server listens for NOTIFYs from the master IP for zones that are configured as slave zones.
+And will also periodically check for SOA serial number changes at the master.
+
+Can PowerDNS Server act as Slave and Master at the same time?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Yes totally, enable both by saying ``yes`` to :ref:`setting-master` and :ref:`setting-slave` in your configuration.
+
+How can I limit Zone Transfers (AXFR) per Domain?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+With the ALLOW-AXFR-FROM metadata, See :ref:`the documentation <metadata-allow-axfr-from>`.
+
+I have a working Supermaster/Superslave setup but when I remove Domains from the Master they still remain on the Slave. Am I doing something wrong?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+You're not doing anything wrong.
+This is the perfectly normal and expected behavior because the AXFR (DNS Zonetransfer) Protocol does not provide for zone deletion.
+You need to remove the zones from the slave manually or via a custom script.
+
+Operational
+-----------
+
+The ADDITIONAL is section different than BIND's answer, why?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+My server is not answering with a verbose "ADDITIONAL SECTION" that includes A records for the namservers of the domain queried
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The PowerDNS Authoritative Server by default does not 'trust' other zones in its own database.
+You may want to add :ref:`setting-out-of-zone-additional-processing` to ``yes`` in your configuration to tell it to do so.
+If the domain your nameservers are in are known to the backend they will now be included in the additional section.
+
+PowerDNS does not give authoritative answers, how come?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+This is almost always not the case.
+An authoritative answer is recognized by the 'AA' bit being set.
+Many tools prominently print the number of Authority records included in an answer, leading users to conclude that the absence or presence of these records indicates the authority of an answer. This is not the case.
+
+Verily, many misguided country code domain operators have fallen into this trap and demand authority records, even though these are fluff and quite often misleading.
+Invite such operators to look at :rfc:`section 6.2.1 of RFC 1034 <1034#section-6.2.1>`, which shows a correct authoritative answer without authority records.
+In fact, none of the non-deprecated authoritative answers shown have authority records!
+
+Master or Slave support is not working, PowerDNS is not picking up changes
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+The Master/Slave apparatus is off by default.
+Turn it on by adding a :ref:`setting-slave` and/or :ref:`setting-master` statement to the configuration file.
+Also, check that the configured backend is master or slave capable and you entered exactly the same string to the Domains tables without the ending dot.
+
+My masters won't allow PowerDNS to access zones as it is using the wrong local IP address
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+By default, PowerDNS lets the kernel pick the source address.
+To set an explicit source address, use the :ref:`setting-query-local-address` and :ref:`setting-query-local-address6` settings.
+
+PowerDNS does not answer queries on all my IP addresses (and I've ignored the warning I got about that at startup)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Please don't ignore what PowerDNS says to you.
+Furthermore, see the documentation for the :ref:`setting-local-address` and :ref:`setting-local-ipv6` settings, and use it to specify which IP addresses PowerDNS should listen on.
+If this is a fail-over address, then the :ref:`setting-local-address-nonexist-fail` and :ref:`setting-local-ipv6-nonexist-fail` settings might interest you.
+
+Linux Netfilter says your conntrack table is full?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Thats a common problem with Netfilter Conntracking and DNS Servers, just tune your kernel variable (``/etc/sysctl.conf``) ``net.ipv4.netfilter.ip_conntrack_max`` up accordingly.
+Try setting it for a million if you don't mind spending some MB of RAM on it for example.
+
+Backends
+--------
+
+Does PowerDNS support splitting of TXT records (multipart or multiline) with the MySQL backend?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+PowerDNS with the :doc:`../backends/generic-sql` do NOT support this.
+Simply make the "content" field in your database the appropriate size for the records you require.
+
+I see this a lot of "Failed to execute mysql_query" or similar log-entries
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Check your MySQL timeout, it may be set too low.
+This can be changed in the ``my.cnf`` file.
+
+Which backend should I use? There are so many!
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+If you have no external constraints, the :doc:`../backends/generic-mysql`, :doc:`../backends/generic-postgresql` and :doc:`../backends/generic-sqlite3` ones are probably the most used and complete.
+
+The Oracle backend also has happy users, the BIND backend is pretty capable too in fact, but many prefer a relational database.
+
+Can I launch multiple backends simultaneously?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+You can.
+This might for example be useful to keep an existing BIND configuration around but to store new zones in, say MySQL.
+The syntax to use is ``launch=bind,gmysql``.
+Do note that multi-backend behaviour is not specified and might change between versions.
+This is especially true when DNSSEC is involved.
+
+I've added extra fields to the domains and/or records table. Will this eventually affect the resolution process in any way?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+No, the :doc:`../backends/generic-sql` use several default queries to provide the PowerDNS Server with data and all of those refer to specific field names, so as long as you don't change any of the predefined field names you are fine.
+
+Can I specify custom sql queries for the gmysql / gpgsql backend or are those hardcoded?
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Yes you can override the :ref:`default queries <generic-sql-queries>`.
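Review bot: In the Operational section, the title "The ADDITIONAL is section different than BIND's answer, why?" is followed directly by a second underlined title ("My server is not answering with a verbose ...") with no body between them, so the first one renders as an empty entry. Merge the two into one question or give the first its own answer, and fix "is section" and "namservers" while there. Smaller wording items in the same file: "categorized answers and questions" in the intro, the fragment "And will also periodically check ..." under the AXFR question, "Thats" in the conntrack answer, and "I see this a lot of" in the MySQL title.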
Setting this to 'yes' will make the backend behave like MyDNS on the TTL
values. Setting it to 'no' will make it ignore the minimal-ttl of the
zone. The default is "yes".
+
+Migrating from MyDNS to another SQL backend
+-------------------------------------------
+To use one of the :doc:`generic SQL backend <generic-sql>`, like the :doc:`Postgresql <generic-postgresql>` or :doc:`MySQL <generic-mysql>` backends, the data can be migratedusing the :ref:`Backend to Backend <b2b-migrate>` migration guide.
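Review bot: The added sentence has a missing space in "migratedusing", and "one of the generic SQL backend" should read "backends". The new section title also follows straight after the text of the preceding setting (the context ending in 'The default is "yes".'), so check that it lands at the section level intended rather than nested under that setting.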
PowerDNS Authoritative Server 4.0.5
-----------------------------------
-Unreleased
+Released 27th of November 2017
+
+This release fixes PowerDNS Security Advisory
+:doc:`2017-04 <../security-advisories/powerdns-advisory-2017-04>`: Missing check on API operations (CVE-2017-15091).
Bug fixes
~~~~~~~~~
- `#5777 <https://github.com/PowerDNS/pdns/pull/5777>`__: Handle a signing pipe worker dying with work still pending
- `#5815 <https://github.com/PowerDNS/pdns/pull/5815>`__: Ignore SOA-EDIT for PRESIGNED zones. Fixes #5814
- `#5933 <https://github.com/PowerDNS/pdns/pull/5933>`__: Check return value for all getTSIGKey calls. Fixes #5931
+- `#5996 <https://github.com/PowerDNS/pdns/pull/5996>`__: Deny cache flush, zone retrieve and notify if the API is RO (Security Advisory
+ :doc:`2017-04 <../security-advisories/powerdns-advisory-2017-04>`)
Improvements
~~~~~~~~~~~~
:tags: Improvements
:pullreq: 5842
- Add :ref:`log-timestamp` option. This option can be used to disable
+ Add :ref:`setting-log-timestamp` option. This option can be used to disable
printing timestamps to stdout, this is useful when using
systemd-journald or another supervisor that timestamps stdout by
itself. As the logs will not have 2 timestamps.
# The short X.Y version.
version = '4.1'
# The full version, including alpha/beta/rc tags.
-release = '4.1.0-alpha0'
+#release = '4.1.0-alpha0'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
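Review bot: Commenting out the release assignment leaves the comment "The full version, including alpha/beta/rc tags." describing a dead line, and nothing in the hunk says why the value is dropped. Either delete the assignment together with its comment or set it to a real value, and give the reason in the commit message; a commented-out '4.1.0-alpha0' will be stale as soon as the next release is cut.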
INCEPTION (not recommended)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. deprecated:: 4.1.0
+ Removed in this release
+
Sets the SOA serial to the last inception time in YYYYMMDD01 format.
Uses localtime to find the day for inception time.
changes to the zone will get visible on slaves only on the following
inception day.
-.. deprecated:: 4.1.0
-
INCEPTION-WEEK (not recommended)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. deprecated:: 4.1.0
+ Removed in this release
+
Sets the SOA serial to the number of weeks since the epoch, which is the
last inception time in weeks.
.. warning::
Same problem as INCEPTION.
-.. deprecated:: 4.1.0
-
EPOCH
^^^^^
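Review bot: The relocated directive under INCEPTION and INCEPTION-WEEK now reads ".. deprecated:: 4.1.0" with the body "Removed in this release", while both titles still say "(not recommended)", which gives three different statuses for the same values. If they no longer work in 4.1.0, write "Removed in 4.1.0" ("this release" becomes ambiguous once the page is read for a later version) and update the titles; if they still work, keep it a plain deprecation and drop "Removed".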
For permissions, a number of per zone settings are available via the
:doc:`domain metadata `<domainmetadata>`.
+.. _metadata-allow-dnsupdate-from:
+
ALLOW-DNSUPDATE-FROM
~~~~~~~~~~~~~~~~~~~~
This will allow 198.51.100.0/8 and 203.0.113.2/32 to send DNS update
messages for the example.org domain.
+.. _metadata-tsig-allow-dnsupdate:
+
TSIG-ALLOW-DNSUPDATE
~~~~~~~~~~~~~~~~~~~~
``ALLOW-DNSUPDATE-FROM`` setting. If a TSIG key is set, and if ``ALLOW-DNSUPDATE-FROM`` is set,
the IP(-range) of the updater still needs to be allowed via ``ALLOW-DNSUPDATE-FROM``.
+.. _metadata-forward-dnsupdate:
+
FORWARD-DNSUPDATE
~~~~~~~~~~~~~~~~~
globally. Using the domainmetadata setting than allows you to enable it
per domain.
+.. _metadata-notify-dnsupdate:
+
NOTIFY-DNSUPDATE
~~~~~~~~~~~~~~~~
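Review bot: The context around the new metadata-allow-dnsupdate-from label has two problems worth fixing in the same pass. The sentence "This will allow 198.51.100.0/8 and 203.0.113.2/32 ..." puts a /8 on an address with host bits set; read literally that prefix covers all of 198.0.0.0/8, which is a poor example to copy into an update ACL, so please confirm the intended mask. The line ":doc:`domain metadata `<domainmetadata>`." has a stray backtick before "<domainmetadata>" that breaks the role.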
API-RECTIFY
-----------
-.. since:: 4.1.0
+.. versionadded:: 4.1.0
This metadata item controls whether or not a zone is fully rectified on changes
to the contents of a zone made through the :doc:`API <http-api/index>`.
ZONE MANIPULATION COMMANDS
--------------------------
+add-record *ZONE* *NAME* *TYPE* [*TTL*] *CONTENT*
+ Add one or more records of *NAME* and *TYPE* to *ZONE* with *CONTENT*
+ and optional *TTL*. If *TTL* is not set, default will be used.
create-zone *ZONE*
Create an empty zone named *ZONE*.
create-slave-zone *ZONE* *MASTER* [*MASTER*]..
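Review bot: The add-record synopsis shows a single *CONTENT*, but the description says "Add one or more records". If several contents are accepted, show that in the synopsis the way create-slave-zone does with "*MASTER* [*MASTER*]..", otherwise reword the description to a single record. "If *TTL* is not set, default will be used" should also say which default applies.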
zone is imported atomically (i.e. it is fully imported, or not) and any
existing records for that zone are overwritten.
+.. _b2b-migrate:
+
Migrating Data from one Backend to Another Backend
--------------------------------------------------
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2017112202 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2017112702 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
; Auth
auth-3.4.8.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-01/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
auth-3.4.9.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-01/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
auth-3.4.10.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
-auth-3.4.11.security-status 60 IN TXT "1 OK"
-
-auth-4.0.0-alpha1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-alpha2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-alpha3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-rc2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.2.security-status 60 IN TXT "1 OK"
-auth-4.0.3.security-status 60 IN TXT "1 OK"
-auth-4.0.4-rc1.security-status 60 IN TXT "1 OK"
-auth-4.0.4.security-status 60 IN TXT "1 OK"
+auth-3.4.11.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
+
+auth-4.0.0-alpha1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-alpha2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-alpha3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-rc2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
+auth-4.0.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
+auth-4.0.4-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
+auth-4.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
auth-4.0.5.security-status 60 IN TXT "1 OK"
auth-4.1.0-rc1.security-status 60 IN TXT "1 OK"
auth-4.1.0-rc2.security-status 60 IN TXT "1 OK"
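Review bot: The rewritten auth-4.0.0-alpha1 through auth-4.0.1 entries only change the URL scheme and still list advisories 2016-02 to 2016-05, while auth-3.4.11 and auth-4.0.2 through auth-4.0.4 now point at 2017-04. If those older 4.0.x versions are affected by 2017-04 as well, add its URL to their TXT text so the list an operator sees is complete; the same question applies to the unchanged auth-3.4.8 to auth-3.4.10 lines.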
auth-3.4.1-4_deb8u4.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
auth-3.4.1-4_deb8u5.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
auth-3.4.1-4_deb8u6.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
-auth-3.4.1-4_deb8u7.debian.security-status 60 IN TXT "1 OK"
+auth-3.4.1-4_deb8u7.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
auth-3.4.4-2_bpo8_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
auth-3.4.5-1_bpo8_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
auth-3.4.6-1_bpo8_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
auth-3.4.7-1_bpo8_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha2-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha2-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha2-4.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha3-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha3-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_beta1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_beta1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-4.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0-5.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.1-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.1-4.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.1-5.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.1-6.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.1-7.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.2-1.debian.security-status 60 IN TXT "1 OK"
-auth-4.0.3-1.debian.security-status 60 IN TXT "1 OK"
+auth-4.0.0_alpha1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha2-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha2-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha2-4.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha3-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha3-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_beta1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_beta1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-4.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0-5.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.1-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.1-4.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.1-5.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.1-6.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.1-7.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.2-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
+auth-4.0.3-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
; Auth Ubuntu
auth-3.4.1-3.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
auth-3.4.6-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
auth-3.4.7-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
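Review bot: the `+auth-4.0.0_alpha3-1.debian.security-status` record is added twice in a row with identical content in the Debian auth block. Identical RRs collapse into one on the wire, so it is harmless, but one of the two lines is either redundant or was meant to carry a different package revision; drop it or correct the owner name.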
-auth-4.0.0_alpha1-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha2-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha2-3build1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
+auth-4.0.0_alpha1-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha2-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha2-3build1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
; Auth Raspbian
auth-3.4.1-3.raspbian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
recursor-3.7.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
recursor-3.7.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
recursor-3.7.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
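Review bot: each rewritten TXT value in the Ubuntu auth block (for example at `auth-4.0.0_alpha2-3build1.ubuntu`) is a single quoted string of about 380 bytes: the 19-byte `3 Upgrade now, see ` prefix plus four 89-byte URLs. A TXT character-string holds at most 255 octets, so these records depend on the zone loader splitting the string and on the polling client joining the pieces back together. Confirm both ends handle that, or write the value as several shorter quoted strings so the split points are explicit.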
-recursor-3.7.4.security-status 60 IN TXT "1 OK"
-
-recursor-4.0.0-alpha1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0-alpha2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0-alpha3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.4.security-status 60 IN TXT "1 OK"
-recursor-4.0.5-rc1.security-status 60 IN TXT "1 OK"
-recursor-4.0.5-rc2.security-status 60 IN TXT "1 OK"
-recursor-4.0.5.security-status 60 IN TXT "1 OK"
-recursor-4.0.6.security-status 60 IN TXT "1 OK"
+recursor-3.7.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html"
+
+recursor-4.0.0-alpha1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0-alpha2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0-alpha3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0-beta1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html"
+recursor-4.0.5-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html"
+recursor-4.0.5-rc2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html"
+recursor-4.0.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html"
+recursor-4.0.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html"
recursor-4.0.7.security-status 60 IN TXT "1 OK"
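Review bot: `recursor-3.7.4` now points at advisory 2017-06, but the unchanged `recursor-3.7.1` to `recursor-3.7.3` records just above it still list only the 2015 and 2016 advisories, and the rewritten `recursor-4.0.0-alpha1` to `recursor-4.0.3` records list only 2016-02 and 2016-04 while `recursor-4.0.4` onward list 2017-03, 2017-05, 2017-06 and 2017-07. The status code is 3 either way, so the upgrade prompt is unaffected, but if the 2017 advisories also cover the older releases their URLs should be appended so that an operator following the links sees the full set.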
-recursor-4.1.0-alpha1.security-status 60 IN TXT "1 OK"
+recursor-4.1.0-alpha1.security-status 60 IN TXT "1 OK"
recursor-4.1.0-rc1.security-status 60 IN TXT "1 OK"
recursor-4.1.0-rc2.security-status 60 IN TXT "1 OK"
recursor-4.1.0-rc3.security-status 60 IN TXT "1 OK"
recursor-3.6.2-2_deb8u1_bpo70_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
recursor-3.6.2-2_deb8u2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
recursor-3.6.2-2_deb8u2_bpo70_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
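Review bot: the `recursor-4.1.0-alpha1` pair removes and re-adds a line with no visible difference, which suggests a whitespace-only change; say so in the commit message or leave it out of the patch. Since `recursor-4.0.6` moves from `1 OK` to status 3 in the same patch, it is also worth confirming that `4.1.0-alpha1` is meant to stay at `1 OK`.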
-recursor-3.6.2-2_deb8u3.debian.security-status 60 IN TXT "1 OK"
+recursor-3.6.2-2_deb8u3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html"
recursor-3.7.2-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
recursor-3.7.2-1_bpo8_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
recursor-3.7.3-1_bpo8_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
recursor-3.7.3-1_bpo7_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
-recursor-4.0.0_alpha1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0_alpha1-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0_alpha2-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0_alpha2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0_alpha3-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0_beta1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0_beta1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0_rc1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0_rc1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.0-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.2-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3-4.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3-5.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3-5_exp1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3-5_exp2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3-5_exp3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.3-6.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-recursor-4.0.4-1_bpo8_1.debian.security-status 60 IN TXT "1 OK"
-recursor-4.0.4-1_deb9u1.debian.security-status 60 IN TXT "1 OK"
-recursor-4.0.4-1.debian.security-status 60 IN TXT "1 OK"
-recursor-4.0.5-2.debian.security-status 60 IN TXT "1 OK"
+recursor-4.0.0_alpha1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0_alpha1-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0_alpha2-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0_alpha2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0_alpha3-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0_beta1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0_beta1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0_rc1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0_rc1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.0-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.1-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.2-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3-3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3-4.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3-5.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3-5_exp1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3-5_exp2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3-5_exp3.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.3-6.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+recursor-4.0.4-1_bpo8_1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html"
+recursor-4.0.4-1_deb9u1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html"
+recursor-4.0.4-1.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html"
+recursor-4.0.5-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html"
; Recursor Raspbian
recursor-3.6.2-2.raspbian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/"
recursor-3.7.2-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
recursor-3.7.3-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
-auth-4.0.0_alpha1-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
-auth-4.0.0_alpha2-2.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/"
+auth-4.0.0_alpha1-1.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
+auth-4.0.0_alpha2-2.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-02.html and https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2016-04.html"
; Recursor Fedora, EL
recursor-3.6.2-1.fc19.fedora.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/"
;; Builder Generated packages (auth)
; Debian
-auth-4.0.0_alpha1-1pdns.jessie.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha2-1pdns.jessie.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha3-1pdns.jessie.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_beta1-1pdns.jessie.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
+auth-4.0.0_alpha1-1pdns.jessie.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha2-1pdns.jessie.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha3-1pdns.jessie.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_beta1-1pdns.jessie.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
; Ubuntu
-auth-4.0.0_alpha2-1pdns.wily.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha2-1pdns.trusty.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha3-1pdns.trusty.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_beta1-1pdns.trusty.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
+auth-4.0.0_alpha2-1pdns.wily.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha2-1pdns.trusty.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha3-1pdns.trusty.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_beta1-1pdns.trusty.ubuntu.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
; Raspbian
-auth-4.0.0_alpha2-1pdns.jessie.raspbian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_alpha3-1pdns.jessie.raspbian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
-auth-4.0.0_beta1-1pdns.jessie.raspbian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/"
+auth-4.0.0_alpha2-1pdns.jessie.raspbian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_alpha3-1pdns.jessie.raspbian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
+auth-4.0.0_beta1-1pdns.jessie.raspbian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-02.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-04.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2016-05.html"
;; Builder Generated packages (recursor)
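Review bot: The two rewritten auth-4.0.0_alpha1-1.ubuntu and auth-4.0.0_alpha2-2.ubuntu records now link to https://doc.powerdns.com/recursor/security-advisories/, while every other auth-* record changed in this file links to /authoritative/security-advisories/. These two records sit under the "; Recursor Raspbian" comment, which may be how they picked up the recursor path. Unless that is intended, point them at the authoritative advisory pages and move them next to the other auth entries.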
--- /dev/null
+PowerDNS Security Advisory 2017-04: Missing check on API operations
+===================================================================
+
+- CVE: CVE-2017-15091
+- Date: November 27th 2017
+- Credit: everyman
+- Affects: PowerDNS Authoritative up to and including 4.0.4, 3.4.11
+- Not affected: PowerDNS Authoritative 4.0.5
+- Severity: Low
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an attacker with valid
+ API credentials
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+
+An issue has been found in the API component of PowerDNS Authoritative,
+where some operations that have an impact on the state of the server
+are still allowed even though the API has been configured as read-only
+via the
+`api-readonly <https://docs.powerdns.com/authoritative/settings.html#api-readonly>`__
+keyword.
+This missing check allows an attacker with valid API credentials to flush
+the cache, trigger a zone transfer or send a NOTIFY. This issue has been
+assigned CVE-2017-15091.
+
+PowerDNS Authoritative up to and including 4.0.4 and 3.4.11 are affected.
+
+For those unable to upgrade to a new version, a minimal patch is
+`available <https://downloads.powerdns.com/patches/2017-04>`__
+
+We would like to thank everyman for finding and subsequently reporting
+this issue.
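Review bot: The Affects entry lists 3.4.11 as affected, but the Not affected and Solution entries only name 4.0.5, so a reader on the 3.4 branch cannot tell whether a fixed 3.4.x release exists or whether the minimal patch is the only option. State that explicitly. Advisories 2017-06 and 2017-07 carry a Workaround entry and this one does not; if there is none, a line saying so would help operators who cannot upgrade immediately.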
if (iqmp == NULL) {
RSA_free(key);
BN_clear_free(dmq1);
- BN_clear_free(iqmp);
+ BN_clear_free(dmp1);
throw runtime_error(getName()+" allocation of BIGNUM iqmp failed");
}
RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
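Review bot: In the iqmp failure branch the cleanup is still written by hand, and the line being replaced (BN_clear_free(iqmp) on a pointer just tested as NULL, leaving dmp1 unreleased) shows how easily one of these lists drifts. Consider holding the BIGNUMs in std::unique_ptr with BN_clear_free as the deleter and calling release() only once RSA_set0_crt_params has taken ownership, so each throw path frees whatever is live without having to enumerate it.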
BIGNUM *n = BN_bin2bn((unsigned char*)modulus.c_str(), modulus.length(), NULL);
if (!n) {
RSA_free(key);
+ BN_clear_free(e);
throw runtime_error(getName()+" error loading n value of public key");
}
int ret = EC_POINT_oct2point(d_ecgroup, pub_key, (unsigned char*) ecdsaPoint.c_str(), ecdsaPoint.length(), d_ctx);
if (ret != 1) {
+ EC_POINT_free(pub_key);
throw runtime_error(getName()+" reading ECP point from binary failed");
}
{
L<<Logger::Error<<"Exception while performing security poll: "<<e.reason<<endl;
}
+ catch(ImmediateServFailException &e)
+ {
+ L<<Logger::Error<<"Exception while performing security poll: "<<e.reason<<endl;
+ }
catch(...)
{
L<<Logger::Error<<"Exception while performing security poll"<<endl;
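Review bot: The added catch(ImmediateServFailException &e) block logs exactly the same text as the handler above it, so the log cannot tell an operator which exception type ended the security poll. Either name the type in the message or give the two handlers a shared helper so the duplicated line does not diverge later.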
PowerDNS Recursor 4.0.7
-----------------------
-Unreleased
+Released 27th of November 2017
+
+This release fixes PowerDNS Security Advisories :doc:`2017-03 <../security-advisories/powerdns-advisory-2017-03>`,
+:doc:`2017-05 <../security-advisories/powerdns-advisory-2017-05>`, :doc:`2017-06 <../security-advisories/powerdns-advisory-2017-06>`
+and :doc:`2017-07 <../security-advisories/powerdns-advisory-2017-07>`.
Bug fixes
^^^^^^^^^
- `#5740 <https://github.com/PowerDNS/pdns/pull/5740>`__: Lowercase all outgoing qnames when lowercase-outgoing is set
- `#5599 <https://github.com/PowerDNS/pdns/pull/5599>`__: Fix libatomic detection on ppc64
- `#5961 <https://github.com/PowerDNS/pdns/pull/5961>`__: Edit configname definition to include the 'config-name' argument (Jake Reynolds)
+- `#5995 <https://github.com/PowerDNS/pdns/pull/5995>`__: Security Advisories :doc:`2017-03 <../security-advisories/powerdns-advisory-2017-03>`,
+ :doc:`2017-05 <../security-advisories/powerdns-advisory-2017-05>`, :doc:`2017-06 <../security-advisories/powerdns-advisory-2017-06>` and
+ :doc:`2017-07 <../security-advisories/powerdns-advisory-2017-07>`.
Improvements
^^^^^^^^^^^^
--- /dev/null
+PowerDNS Security Advisory 2017-03: Insufficient validation of DNSSEC signatures
+================================================================================
+
+- CVE: CVE-2017-15090
+- Date: November 27th 2017
+- Credit: Kees Monshouwer
+- Affects: PowerDNS Recursor from 4.0.0 and up to and including 4.0.6
+- Not affected: PowerDNS Recursor < 4.0.0, 4.0.7
+- Severity: Medium
+- Impact: Records manipulation
+- Exploit: This problem can be triggered by an attacker in position of
+ man-in-the-middle
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+
+An issue has been found in the DNSSEC validation component of PowerDNS Recursor,
+where the signatures might have been accepted as valid even if the signed data
+was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in
+position of man-in-the-middle to alter the content of records by issuing a valid
+signature for the crafted records. This issue has been assigned CVE-2017-15090.
+
+PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected.
+
+For those unable to upgrade to a new version, a minimal patch is
+`available <https://downloads.powerdns.com/patches/2017-03>`__
+
+We would like to thank Kees Monshouwer for finding and subsequently reporting
+this issue.
--- /dev/null
+PowerDNS Security Advisory 2017-05: Cross-Site Scripting in the web interface
+=============================================================================
+
+- CVE: CVE-2017-15092
+- Date: November 27th 2017
+- Credit: Nixu, Chris Navarrete of Fortinet's Fortiguard Labs
+- Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6
+- Not affected: PowerDNS Recursor 4.0.7, 3.7.x
+- Severity: Medium
+- Impact: Alteration and denial of service of the web interface
+- Exploit: This problem can be triggered by an attacker sending DNS queries
+ to the server
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+
+An issue has been found in the web interface of PowerDNS Recursor, where the
+qname of DNS queries was displayed without any escaping, allowing a remote
+attacker to inject HTML and Javascript code into the web interface, altering
+the content. This issue has been assigned CVE-2017-15092.
+
+PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected.
+
+For those unable to upgrade to a new version, a minimal patch is
+`available <https://downloads.powerdns.com/patches/2017-05>`__
+
+We would like to thank Nixu and Chris Navarrete of Fortinet's Fortiguard Labs
+for independently finding and reporting this issue.
--- /dev/null
+PowerDNS Security Advisory 2017-06: Configuration file injection in the API
+===========================================================================
+
+- CVE: CVE-2017-15093
+- Date: November 27th 2017
+- Credit: Nixu
+- Affects: PowerDNS Recursor up to and including 4.0.6, 3.7.4
+- Not affected: PowerDNS Recursor 4.0.7
+- Severity: Medium
+- Impact: Alteration of configuration by an API user
+- Exploit: This problem can be triggered by an attacker with valid API
+ credentials
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+- Workaround: Disable the ability to alter the configuration via the API
+ by setting `api-config-dir` to an empty value (default), or set the API
+ read-only via the `api-readonly` setting.
+
+An issue has been found in the API of PowerDNS Recursor during a source code
+audit by Nixu. When `api-config-dir` is set to a non-empty value, which is not
+the case by default, the API allows an authorized user to update the Recursor's
+ACL by adding and removing netmasks, and to configure forward zones. It was
+discovered that the new netmask and IP addresses of forwarded zones were not
+sufficiently validated, allowing an authenticated user to inject new
+configuration directives into the Recursor's configuration. This issue has been
+assigned CVE-2017-15093.
+
+PowerDNS Recursor up to and including 4.0.6 and 3.7.4 are affected.
+
+For those unable to upgrade to a new version, a minimal patch is
+`available <https://downloads.powerdns.com/patches/2017-06>`__
+
+We would like to thank Nixu for finding and subsequently reporting this issue.
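Review bot: In the Workaround entry and in the description, `api-config-dir` and `api-readonly` are wrapped in single backticks, which reStructuredText treats as the default interpreted-text role rather than as a literal. Use double backticks, as the FAQ does for ``yes``, or link the settings as advisory 2017-04 does for api-readonly. The same applies to `dnssec`, `off` and `process-no-validate` in advisory 2017-07.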
--- /dev/null
+PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing
+=================================================================
+
+- CVE: CVE-2017-15094
+- Date: November 27th 2017
+- Credit: Nixu
+- Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6
+- Not affected: PowerDNS Recursor 4.0.7
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by an authoritative server
+ sending crafted ECDSA DNSSEC keys to the Recursor.
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+- Workaround: Disable DNSSEC validation by setting the `dnssec` parameter
+ to `off` or `process-no-validate` (default).
+
+An issue has been found in the DNSSEC parsing code of PowerDNS Recursor during
+a code audit by Nixu, leading to a memory leak when parsing specially crafted
+DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by
+setting `dnssec` to a value other than `off` or `process-no-validate` (default).
+This issue has been assigned CVE-2017-15094.
+
+PowerDNS Recursor from 4.0.0 up to and including 4.0.6 are affected.
+
+For those unable to upgrade to a new version, a minimal patch is
+`available <https://downloads.powerdns.com/patches/2017-07>`__
+
+We would like to thank Nixu for finding and subsequently reporting
+this issue.
BOOST_CHECK_EQUAL(queriesCount, 9);
}
+BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child) {
+ /* check that we don't accept a signer below us */
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr, true);
+
+ setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+ primeHints();
+ const DNSName target("www.powerdns.com.");
+ testkeysset_t keys;
+
+ auto luaconfsCopy = g_luaconfs.getCopy();
+ luaconfsCopy.dsAnchors.clear();
+ generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+ generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+ generateKeyMaterial(DNSName("www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+ generateKeyMaterial(DNSName("sub.www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+ g_luaconfs.setState(luaconfsCopy);
+
+ size_t queriesCount = 0;
+
+ sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, std::shared_ptr<RemoteLogger> outgoingLogger, LWResult* res) {
+ queriesCount++;
+
+ if (type == QType::DS) {
+ DNSName auth(domain);
+ auth.chopOff();
+
+ setLWResult(res, 0, true, false, true);
+ if (domain == target) {
+ addRecordToLW(res, domain, QType::SOA, "ns1.powerdns.com. blah. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, target, 300);
+ }
+ else {
+ addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER);
+ addRRSIG(keys, res->d_records, auth, 300);
+ }
+ return 1;
+ }
+ else if (type == QType::DNSKEY) {
+ setLWResult(res, 0, true, false, true);
+ addDNSKEY(keys, domain, 300, res->d_records);
+ if (domain == DNSName("www.powerdns.com.")) {
+ addRRSIG(keys, res->d_records, DNSName("sub.www.powerdns.com."), 300);
+ }
+ else {
+ addRRSIG(keys, res->d_records, domain, 300);
+ }
+ return 1;
+ }
+ else {
+ if (isRootServer(ip)) {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+ addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+ addDS(DNSName("com."), 300, res->d_records, keys);
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ return 1;
+ }
+ else if (ip == ComboAddress("192.0.2.1:53")) {
+ if (domain == DNSName("com.")) {
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+ addRRSIG(keys, res->d_records, domain, 300);
+ addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+ addRRSIG(keys, res->d_records, domain, 300);
+ }
+ else {
+ setLWResult(res, 0, false, false, true);
+ addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+ addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+ addRRSIG(keys, res->d_records, DNSName("com."), 300);
+ addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+ }
+ return 1;
+ }
+ else if (ip == ComboAddress("192.0.2.2:53")) {
+ if (type == QType::NS) {
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+ addRRSIG(keys, res->d_records, domain, 300);
+ addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+ addRRSIG(keys, res->d_records, domain, 300);
+ }
+ else {
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, domain, QType::A, "192.0.2.42");
+ addRRSIG(keys, res->d_records, domain, 300);
+ }
+
+ return 1;
+ }
+ }
+
+ return 0;
+ });
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+ BOOST_REQUIRE_EQUAL(ret.size(), 2);
+ BOOST_CHECK_EQUAL(queriesCount, 9);
+
+ /* again, to test the cache */
+ ret.clear();
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+ BOOST_REQUIRE_EQUAL(ret.size(), 2);
+ BOOST_CHECK_EQUAL(queriesCount, 9);
+}
+
BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_insecure) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);
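Review bot: The branch that makes test_dnssec_dnskey_signed_child meaningful, if (domain == DNSName("www.powerdns.com.")) in the DNSKEY handler, signs the DNSKEY RRset with the sub.www.powerdns.com. key and has no comment; the only explanation is the one-line "check that we don't accept a signer below us" at the top. Add a comment at that branch, and say where the expected queriesCount of 9 comes from so a later change in query behaviour is not "fixed" by editing the number. It is also worth a comment on why the DS answer for the target is an SOA signed with the target's own key rather than with auth, which is computed just above and unused in that branch.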
BOOST_CHECK_EQUAL(queriesCount, 5);
}
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_additional_without_rrsig) {
+ /*
+ We get a record from a secure zone in the additional section, without
+ the corresponding RRSIG. The record should not be marked as authoritative
+ and should be correctly validated.
+ */
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr, true);
+
+ setDNSSECValidation(sr, DNSSECMode::Process);
+
+ primeHints();
+ const DNSName target("com.");
+ const DNSName addTarget("nsX.com.");
+ testkeysset_t keys;
+
+ auto luaconfsCopy = g_luaconfs.getCopy();
+ luaconfsCopy.dsAnchors.clear();
+ generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ g_luaconfs.setState(luaconfsCopy);
+
+ size_t queriesCount = 0;
+
+ sr->setAsyncCallback([target,addTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, std::shared_ptr<RemoteLogger> outgoingLogger, LWResult* res) {
+ queriesCount++;
+
+ if (type == QType::DS || type == QType::DNSKEY) {
+ if (domain == addTarget) {
+ DNSName auth(domain);
+ /* no DS for com, auth will be . */
+ auth.chopOff();
+ return genericDSAndDNSKEYHandler(res, domain, auth, type, keys, false);
+ }
+ return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
+ }
+ else {
+ if (domain == target && type == QType::A) {
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, target, QType::A, "192.0.2.1");
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ addRecordToLW(res, addTarget, QType::A, "192.0.2.42", DNSResourceRecord::ADDITIONAL);
+ /* no RRSIG for the additional record */
+ return 1;
+ } else if (domain == addTarget && type == QType::A) {
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, addTarget, QType::A, "192.0.2.42");
+ addRRSIG(keys, res->d_records, DNSName("."), 300);
+ return 1;
+ }
+ }
+
+ return 0;
+ });
+
+ vector<DNSRecord> ret;
+ /* first query for target/A, will pick up the additional record as non-auth / unvalidated */
+ sr->setDNSSECValidationRequested(false);
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+ BOOST_CHECK_EQUAL(ret.size(), 2);
+ for (const auto& record : ret) {
+ BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A);
+ }
+ BOOST_CHECK_EQUAL(queriesCount, 1);
+
+ ret.clear();
+ /* ask for the additional record directly, we should not use
+ the non-auth one and issue a new query, properly validated */
+ sr->setDNSSECValidationRequested(true);
+ res = sr->beginResolve(addTarget, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+ BOOST_CHECK_EQUAL(ret.size(), 2);
+ for (const auto& record : ret) {
+ BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A);
+ }
+ BOOST_CHECK_EQUAL(queriesCount, 5);
+}
+
BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_secure) {
/*
Validation is optional, and the first query does not ask for it,
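Review bot: Both result loops in test_dnssec_validation_additional_without_rrsig only check record.d_type == QType::RRSIG || record.d_type == QType::A, so they would pass for records of any owner name. Since the point of the test is that the unsigned additional nsX.com. record is not reused, assert on the owner names as well (target in the first pass, addTarget in the second). The claim that a fresh query was issued currently rests only on queriesCount going from 1 to 5; a short comment listing those four queries would make the number reviewable.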
uint32_t calculateEditSOA(const DNSZoneRecord& rr, const string& kind)
{
auto src = getRR<SOARecordContent>(rr.dr);
- if(pdns_iequals(kind,"INCEPTION")) {
- L<<Logger::Warning<<"Deprecation warning: The 'INCEPTION' soa-edit value will be removed in PowerDNS 4.1"<<endl;
- time_t inception = getStartOfWeek();
- return localtime_format_YYYYMMDDSS(inception, 1);
- }
- else if(pdns_iequals(kind,"INCEPTION-INCREMENT")) {
+ if(pdns_iequals(kind,"INCEPTION-INCREMENT")) {
time_t inception = getStartOfWeek();
uint32_t inception_serial = localtime_format_YYYYMMDDSS(inception, 1);
uint32_t dont_increment_after = localtime_format_YYYYMMDDSS(inception + 2*86400, 99);
return (src->d_st.serial + 2); /* "<inceptionday>00" and "<inceptionday>01" are reserved for inception increasing, so increment sd.serial by two */
}
}
- else if(pdns_iequals(kind,"INCEPTION-WEEK")) {
- L<<Logger::Warning<<"Deprecation warning: The 'INCEPTION-WEEK' soa-edit value will be removed in PowerDNS 4.1"<<endl;
- time_t inception = getStartOfWeek();
- return ( inception / (7*86400) );
- }
else if(pdns_iequals(kind,"INCREMENT-WEEKS")) {
time_t inception = getStartOfWeek();
return (src->d_st.serial + (inception / (7*86400)));
}
else if(pdns_iequals(kind,"EPOCH")) {
- L<<Logger::Warning<<"Deprecation warning: The 'EPOCH' soa-edit value will be removed in PowerDNS 4.1"<<endl;
return time(0);
}
else if(pdns_iequals(kind,"INCEPTION-EPOCH")) {
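Review bot: With the INCEPTION and INCEPTION-WEEK branches removed from calculateEditSOA, a zone that still carries one of those soa-edit values falls through to whatever the end of the else-if chain does, which is not visible here. Make that case explicit (log the unsupported value with the zone name, or reject it) and mention the removal in the upgrade notes. The EPOCH branch loses only its deprecation warning and keeps working; if EPOCH is no longer scheduled for removal, the documentation should say so.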
if (!signatures.empty()) {
DNSName signer = getSigner(signatures);
- if (!signer.empty() && signer.isPartOf(zone)) {
+ if (!signer.empty() && zone.isPartOf(signer)) {
vState state = getDSRecords(signer, ds, false, depth);
if (state != Secure) {
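Review bot: The corrected condition zone.isPartOf(signer) carries the whole fix and reads almost identically to the inverted signer.isPartOf(zone) it replaces. Add a one-line comment stating the intent, that the signer must be the zone itself or a name above it and never a name below it, so an accidental swap stands out in a later review.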
if(i->second.records.empty()) // this happens when we did store signatures, but passed on the records themselves
continue;
- bool isAA = lwr.d_aabit;
+ /* Even if the AA bit is set, additional data cannot be considered
+ as authoritative. This is especially important during validation
+ because keeping records in the additional section is allowed even
+ if the corresponding RRSIGs are not included, without setting the TC
+ bit, as stated in rfc4035's section 3.1.1. Including RRSIG RRs in a Response:
+ "When placing a signed RRset in the Additional section, the name
+ server MUST also place its RRSIG RRs in the Additional section.
+ If space does not permit inclusion of both the RRset and its
+ associated RRSIG RRs, the name server MAY retain the RRset while
+ dropping the RRSIG RRs. If this happens, the name server MUST NOT
+ set the TC bit solely because these RRSIG RRs didn't fit."
+ */
+ bool isAA = lwr.d_aabit && i->first.place != DNSResourceRecord::ADDITIONAL;
if (isAA && isCNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i->first.type != QType::CNAME)) {
/*
rfc2181 states:
static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
DNSName zonename = apiZoneIdToName(req->parameters["id"]);
- if(req->method != "PUT")
+ if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
throw HttpMethodNotAllowedException();
UeberBackend B;
static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) {
DNSName zonename = apiZoneIdToName(req->parameters["id"]);
- if(req->method != "PUT")
+ if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
throw HttpMethodNotAllowedException();
UeberBackend B;
}
void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) {
- if(req->method != "PUT")
+ if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
throw HttpMethodNotAllowedException();
DNSName canon = apiNameToDNSName(req->getvars["domain"]);
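Review bot: this is the third handler in the patch with the identical condition `req->method != "PUT" || ::arg().mustDo("api-readonly")`. A small shared helper for mutating endpoints would keep the read-only rule in one place, so a handler added later cannot miss it.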
msgFlags = dns.flags.to_text(msg.flags).split()
missingFlags = [flag for flag in flags if flag not in msgFlags]
- msgEdnsFlags = dns.flags.edns_to_text(msg.flags).split()
+ msgEdnsFlags = dns.flags.edns_to_text(msg.ednsflags).split()
missingEdnsFlags = [ednsflag for ednsflag in ednsflags if ednsflag not in msgEdnsFlags]
if len(missingFlags) or len(missingEdnsFlags) or len(msgFlags) > len(flags):
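Review bot: the condition on the last line rejects unexpected header flags through `len(msgFlags) > len(flags)` but has no counterpart for EDNS flags, so now that msgEdnsFlags is decoded from msg.ednsflags a response with an unexpected DO bit still passes when the caller expects `[]`. Suggest adding `or len(msgEdnsFlags) > len(ednsflags)` so the helper is strict in both directions.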
res = self.sendUDPQuery(query)
self.assertRcodeEqual(res, dns.rcode.NOERROR)
- self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], [])
self.assertRRsetInAnswer(res, expected)
def testUndelegatedForwardedZoneExisting(self):
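Review bot: the expected EDNS flags at this assertion change from ['DO'] to [] with no comment, and the same edit recurs through the remaining test hunks. Since the helper previously decoded msg.flags rather than msg.ednsflags, the old expectation was never really checked; a short note in the test or the commit message saying why these responses are expected to carry no DO bit would make the new expectation reviewable.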
res = self.sendUDPQuery(query)
self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
- self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], [])
def testUndelegatedForwardedZoneNXDOMAIN(self):
"""
res = self.sendUDPQuery(query)
self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
- self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], [])
def testUndelegatedForwardedInsecureZoneExisting(self):
"""
res = self.sendUDPQuery(query)
self.assertRcodeEqual(res, dns.rcode.NOERROR)
- self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], [])
self.assertRRsetInAnswer(res, expected)
def testUndelegatedForwardedInsecureZoneNXDOMAIN(self):
res = self.sendUDPQuery(query)
self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
- self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], [])
def testBothSecureCNAMEAtApex(self):
"""
self.assertRRsetInAnswer(res, expectedA)
self.assertRRsetInAnswer(res, expectedCNAME)
self.assertRcodeEqual(res, dns.rcode.NOERROR)
- self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], [])
@classmethod
def startResponders(cls):
res = self.sendUDPQuery(msg, fwparams=dict(one_rr_per_rrset=True))
- self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], [])
self.assertRcodeEqual(res, dns.rcode.NOERROR)
indexCNAME = -1