Please update signing keys to not use SHA1
Thank you for providing PGP signatures on release tarballs. Unfortunately at least some keys still use SHA1 certificates, and are thus not trusted by modern Debian tooling.
% sq cert lint --cert 16E12866B7738C73976A57436FFC33439B0D04DF
Certificate 6FFC33439B0D04DF is not valid under the standard policy: No binding signature at time 2025-02-11T12:50:44Z
Certificate 6FFC33439B0D04DF contains a User ID (Winkels, Erik <[email protected]>) protected by SHA-1
Certificate 6FFC33439B0D04DF, key 98E2D02464C86649 uses a SHA-1-protected binding signature.
Examined 1 certificate.
0 certificates are invalid and were not linted. (GOOD)
1 certificate was linted.
1 of the 1 certificates (100%) has at least one issue. (BAD)
0 of the linted certificates were revoked.
0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
1 of the non-revoked linted certificate has at least one non-revoked User ID:
1 has at least one User ID protected by SHA-1. (BAD)
1 has all User IDs protected by SHA-1. (BAD)
1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
Error: 1 certificate have at least one issue
% sq cert lint --cert 990C3D0EAC7C275DC6B18436EACAB90B1963EC2B
Certificate EACAB90B1963EC2B is not valid under the standard policy: No binding signature at time 2025-02-11T12:52:31Z
Certificate EACAB90B1963EC2B contains a User ID (Moerbeek, Otto <[email protected]>) protected by SHA-1
Certificate EACAB90B1963EC2B contains a User ID (Otto Moerbeek <[email protected]>) protected by SHA-1
Certificate EACAB90B1963EC2B, key BA9E576120C2C4BD uses a SHA-1-protected binding signature.
Examined 1 certificate.
0 certificates are invalid and were not linted. (GOOD)
1 certificate was linted.
1 of the 1 certificates (100%) has at least one issue. (BAD)
0 of the linted certificates were revoked.
0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
1 of the non-revoked linted certificate has at least one non-revoked User ID:
1 has at least one User ID protected by SHA-1. (BAD)
1 has all User IDs protected by SHA-1. (BAD)
1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
Error: 1 certificate have at least one issue
% sq cert lint --cert FBAE0323821C7706A5CA151BDCF513FA7EED19F3
Certificate DCF513FA7EED19F3 is not valid under the standard policy: No binding signature at time 2025-02-11T12:53:07Z
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3, key E85DF3E1CB626418 uses a SHA-1-protected binding signature.
Examined 1 certificate.
0 certificates are invalid and were not linted. (GOOD)
1 certificate was linted.
1 of the 1 certificates (100%) has at least one issue. (BAD)
0 of the linted certificates were revoked.
0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
1 of the non-revoked linted certificate has at least one non-revoked User ID:
1 has at least one User ID protected by SHA-1. (BAD)
1 has all User IDs protected by SHA-1. (BAD)
1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
Error: 1 certificate have at least one issue
@rgacogne's key seems to be fine :)
sq cert lint --fix --cert <key ID> is supposed to fix the issue if you have the corresponding private key available.
All green now for me
I just downloaded https://dnsdist.org/_static/dnsdist-keyblock.asc and sq cert lint is still not happy:
% sq cert lint --cert-file dnsdist-keyblock.asc
Certificate DCF513FA7EED19F3 is not valid under the standard policy: No binding signature at time 2025-04-29T12:16:50Z
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3, key E85DF3E1CB626418 uses a SHA-1-protected binding signature.
Certificate A208ED4F8AF58446 contains a User ID (Gacogne, Remi <[email protected]>) protected by SHA-1
Certificate A208ED4F8AF58446, key 10FE20C8944FCD0B uses a SHA-1-protected binding signature.
Certificate 6FFC33439B0D04DF is not valid under the standard policy: No binding signature at time 2025-04-29T12:16:50Z
Certificate 6FFC33439B0D04DF contains a User ID (Winkels, Erik <[email protected]>) protected by SHA-1
Certificate 6FFC33439B0D04DF, key 98E2D02464C86649 uses a SHA-1-protected binding signature.
Certificate EACAB90B1963EC2B is not valid under the standard policy: No binding signature at time 2025-04-29T12:16:50Z
Certificate EACAB90B1963EC2B contains a User ID (Moerbeek, Otto <[email protected]>) protected by SHA-1
Certificate EACAB90B1963EC2B contains a User ID (Otto Moerbeek <[email protected]>) protected by SHA-1
Certificate EACAB90B1963EC2B, key BA9E576120C2C4BD uses a SHA-1-protected binding signature.
Examined 4 certificates.
0 certificates are invalid and were not linted. (GOOD)
4 certificates were linted.
4 of the 4 certificates (100%) have at least one issue. (BAD)
0 of the linted certificates were revoked.
0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
4 of the non-revoked linted certificates have at least one non-revoked User ID:
4 have at least one User ID protected by SHA-1. (BAD)
3 have all User IDs protected by SHA-1. (BAD)
4 of the non-revoked linted certificates have at least one non-revoked, live subkey:
4 have at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
Error: 4 certificates have at least one issue
@omoerbeek did you push the fixed version of your key to a public key server? I'm still seeing issues:
Certificate EACAB90B1963EC2B is not valid under the standard policy: No binding signature at time 2025-04-29T12:44:46Z
Certificate EACAB90B1963EC2B contains a User ID (Moerbeek, Otto <[email protected]>) protected by SHA-1
Certificate EACAB90B1963EC2B contains a User ID (Otto Moerbeek <[email protected]>) protected by SHA-1
Certificate EACAB90B1963EC2B, key BA9E576120C2C4BD uses a SHA-1-protected binding signature.
My personal key is now fixed and published. The keys used for release signing (https://repo.powerdns.com/CBC8B383-pub.asc and https://repo.powerdns.com/FD380FBB-pub.asc) should still be updated. Tagging @Habbie and @aerique
Additionally, the published key blocks (https://doc.powerdns.com/powerdns-keyblock.asc and https://dnsdist.org/_static/dnsdist-keyblock.asc) should also be updated.
Running
gpg --receive-keys -r [email protected] -r [email protected] -r [email protected] -r [email protected]
gpg --export --armor [email protected] [email protected] [email protected] [email protected] > keyblock.asc
sq cert lint --cert-file keyblock.asc
Gives me these issues:
Certificate A208ED4F8AF58446 contains a User ID (Gacogne, Remi <[email protected]>) protected by SHA-1
Certificate A208ED4F8AF58446, key 10FE20C8944FCD0B uses a SHA-1-protected binding signature.
Certificate 6FFC33439B0D04DF is not valid under the standard policy: No binding signature at time 2025-07-08T15:24:16Z
Certificate 6FFC33439B0D04DF contains a User ID (Winkels, Erik <[email protected]>) protected by SHA-1
Certificate 6FFC33439B0D04DF, key 98E2D02464C86649 uses a SHA-1-protected binding signature.
Certificate DCF513FA7EED19F3 is not valid under the standard policy: No binding signature at time 2025-07-08T15:24:16Z
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3, key E85DF3E1CB626418 uses a SHA-1-protected binding signature.
Examined 4 certificates.
0 certificates are invalid and were not linted. (GOOD)
4 certificates were linted.
3 of the 4 certificates (75%) have at least one issue. (BAD)
0 of the linted certificates were revoked.
0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
4 of the non-revoked linted certificates have at least one non-revoked User ID:
3 have at least one User ID protected by SHA-1. (BAD)
2 have all User IDs protected by SHA-1. (BAD)
4 of the non-revoked linted certificates have at least one non-revoked, live subkey:
3 have at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
Error: 3 certificates have at least one issue
After switching keyserver to keyserver.ubuntu.com and running gpg --refresh-keys the script above reports:
sh ./testkeys
Certificate 6FFC33439B0D04DF is not valid under the standard policy: No binding signature at time 2025-07-09T07:41:04Z
Certificate 6FFC33439B0D04DF contains a User ID (Winkels, Erik <[email protected]>) protected by SHA-1
Certificate 6FFC33439B0D04DF, key 98E2D02464C86649 uses a SHA-1-protected binding signature.
Certificate DCF513FA7EED19F3 is not valid under the standard policy: No binding signature at time 2025-07-09T07:41:04Z
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3, key E85DF3E1CB626418 uses a SHA-1-protected binding signature.
Examined 4 certificates.
0 certificates are invalid and were not linted. (GOOD)
4 certificates were linted.
2 of the 4 certificates (50%) have at least one issue. (BAD)
0 of the linted certificates were revoked.
0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
4 of the non-revoked linted certificates have at least one non-revoked User ID:
2 have at least one User ID protected by SHA-1. (BAD)
2 have all User IDs protected by SHA-1. (BAD)
4 of the non-revoked linted certificates have at least one non-revoked, live subkey:
2 have at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
Error: 2 certificates have at least one issue
So that's progress.
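A small POSIX sh helper, added here as an example and not part of this thread or of the PowerDNS tooling, in the spirit of the testkeys script mentioned above: it parses sq cert lint output into a per-certificate list, so a release checklist can say exactly which keys still need their owner to run sq cert lint --fix. The lint output format and the embedded sample are taken from lines quoted in this thread; lint_keyblock is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `sq cert lint` output per certificate.
# Assumes the lint output format quoted in the thread. The sample at the bottom is
# constructed from lines quoted there, so the parsing functions run offline.

# sha1_certs: read lint output on stdin, print each certificate ID that sq flagged
# for a SHA-1-protected User ID or subkey binding signature (one per line, sorted).
sha1_certs() {
    awk '/protected by SHA-1/ || /SHA-1-protected binding signature/ {
             id = $2; sub(/,$/, "", id); ids[id] = 1
         }
         END { for (id in ids) print id }' | sort
}

# unbound_certs: certificates that already fail the standard policy today
# ("No binding signature at time ..."), as opposed to merely carrying SHA-1 issues.
unbound_certs() {
    awk '/is not valid under the standard policy/ { ids[$2] = 1 }
         END { for (id in ids) print id }' | sort
}

# lint_keyblock FILE.asc: run sq on a real key block and list the flagged keys.
# Returns 1 if any certificate is flagged, so it can gate a release pipeline.
lint_keyblock() {
    out=$(sq cert lint --cert-file "$1" 2>&1) || true   # sq exits non-zero on issues
    flagged=$(printf '%s\n' "$out" | sha1_certs)
    if [ -z "$flagged" ]; then
        return 0
    fi
    printf 'Certificates still carrying SHA-1 self-signatures:\n%s\n' "$flagged"
    return 1
}

# Constructed sample: lint output for three of the dnsdist key block certificates,
# as quoted in the thread (wrapped lines joined).
sample_lint_output() {
    cat <<'EOF'
Certificate DCF513FA7EED19F3 is not valid under the standard policy: No binding signature at time 2025-04-29T12:16:50Z
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3, key E85DF3E1CB626418 uses a SHA-1-protected binding signature.
Certificate A208ED4F8AF58446 contains a User ID (Gacogne, Remi <[email protected]>) protected by SHA-1
Certificate A208ED4F8AF58446, key 10FE20C8944FCD0B uses a SHA-1-protected binding signature.
Certificate 6FFC33439B0D04DF is not valid under the standard policy: No binding signature at time 2025-04-29T12:16:50Z
Certificate 6FFC33439B0D04DF, key 98E2D02464C86649 uses a SHA-1-protected binding signature.
Examined 3 certificates.
EOF
}

# Usage: sh thisscript.sh keyblock.asc
if [ "$#" -gt 0 ]; then lint_keyblock "$1"; fi
```

Run against the sample, sha1_certs lists all three certificates while unbound_certs lists only the two that sqv already rejects today.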
Erik updated:
$ sq cert lint --cert-file keyblock.asc
Certificate DCF513FA7EED19F3 is not valid under the standard policy: No binding signature at time 2025-07-16T11:00:21Z
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3 contains a User ID (Peter van Dijk <[email protected]>) protected by SHA-1
Certificate DCF513FA7EED19F3, key E85DF3E1CB626418 uses a SHA-1-protected binding signature.
Examined 4 certificates.
0 certificates are invalid and were not linted. (GOOD)
4 certificates were linted.
1 of the 4 certificates (25%) has at least one issue. (BAD)
0 of the linted certificates were revoked.
0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
0 of the linted certificates were expired.
4 of the non-revoked linted certificates have at least one non-revoked User ID:
1 has at least one User ID protected by SHA-1. (BAD)
1 has all User IDs protected by SHA-1. (BAD)
4 of the non-revoked linted certificates have at least one non-revoked, live subkey:
1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
Error: 1 certificate have at least one issue
Debian trixie now warns about this on apt update stating "Policy will reject signature within a year".
root@VM-d0060bf8-e5c1-4583-81c4-f124c8915aea:~# apt update --audit
Hit:1 http://repo.powerdns.com/debian trixie-auth-50 InRelease
Hit:2 https://security.debian.org/debian-security trixie-security InRelease
Hit:3 https://deb.debian.org/debian trixie InRelease
Hit:4 https://deb.debian.org/debian trixie-updates InRelease
All packages are up to date.
Warning: http://repo.powerdns.com/debian/dists/trixie-auth-50/InRelease: Policy will reject signature within a year, see --audit for details
Audit: http://repo.powerdns.com/debian/dists/trixie-auth-50/InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is:
Signing key on 9FAAA5577E8FCF62093D036C1B0C6205FD380FBB is not bound:
No binding signature at time 2025-07-24T10:36:22Z
because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
because: SHA1 is not considered secure since 2026-02-01T00:00:00Z
Audit: The sources.list(5) entry for 'http://repo.powerdns.com/debian' should be upgraded to deb822 .sources
You might need to update your local copy of the pubkey:
sudo install -d /etc/apt/keyrings; curl https://repo.powerdns.com/CBC8B383-pub.asc | sudo tee /etc/apt/keyrings/auth-master-pub.asc
I've just tried this but got an error:
Warning: OpenPGP signature verification failed: https://repo.powerdns.com/debian trixie-auth-49 InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Missing key 9FAAA5577E8FCF62093D036C1B0C6205FD380FBB, which is needed to verify signature
Per https://repo.powerdns.com/ it is
sudo install -d /etc/apt/keyrings; curl https://repo.powerdns.com/FD380FBB-pub.asc | sudo tee /etc/apt/keyrings/auth-49-pub.asc
for PowerDNS Authoritative Server - version 4.9.X (stable).
As we can check with
$ curl https://repo.powerdns.com/FD380FBB-pub.asc | gpg -v
gpg: enabled compatibility flags:
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2578  100  2578    0     0   7173      0 --:--:-- --:--:-- --:--:--  7181
gpg: using classic trust model
pub   rsa4096 2015-06-09 [SC]
      9FAAA5577E8FCF62093D036C1B0C6205FD380FBB
uid           PowerDNS Release Signing Key [email protected]
sig        1B0C6205FD380FBB 2025-07-16  [selfsig]
sig        1B0C6205FD380FBB 2019-06-13  [selfsig]
it also sports a new signature.
Ahh, OK, the key for versioned repositories hasn't been changed, it's just been given a new signature. Thanks.