Page MenuHomePhabricator

Disable broken security update polling for dnsdist
Closed, ResolvedPublic

Description

Currently, dnsdist on startup polls security-status.secpoll.powerdns.com to check the security status of a given version of dnsdist. This is done through DNS and looks like:

dig dnsdist-1.5.0.security-status.secpoll.powerdns.com TXT +short
"1 OK"

However and because we build our own Debian package of dnsdist backported from testing to buster, we get the following error in the dnsdist systemd journal:

Error while retrieving the security update for version dnsdist-1.5.0-1wm1.Debian: Unable to get a valid Security Status update

This version string (dnsdist-1.5.0-1wm1.Debian) is computed from pdns/dnsdistdist/dnsdist-secpoll.cc:

const std::string pkgv(PACKAGEVERSION);
bool releaseVersion = std::count(pkgv.begin(), pkgv.end(), '.') == 2;
const std::string version = "dnsdist-" + pkgv;
std::string queriedName = version.substr(0, 63) + ".security-status." + suffix;

For the Debian package, the rules file sets PACKAGEVERSION to:

CXXFLAGS += -DPACKAGEVERSION='"$(DEB_VERSION).$(DEB_VENDOR)"'

... which results in a string like dnsdist-1.5.0-1wm1.Debian. Because of this "invalid" string, the security polling doesn't happen and instead an error is generated in the dnsdist journal as shown above.

To get around this, the Debian package for dnsdist disables the security polling by setting it to an empty string in the default config file. We should do the same for our dnsdist.conf so that the broken security poll is disabled and the dnsdist systemd journal is kept clean.

Event Timeline

Change 659990 had a related patch set uploaded (by Ssingh; owner: Ssingh):
[operations/puppet@production] dnsdist: update template to disable broken security polling

https://gerrit.wikimedia.org/r/659990

Change 659990 merged by Ssingh:
[operations/puppet@production] dnsdist: update template to disable broken security polling

https://gerrit.wikimedia.org/r/659990

Change merged and tested; broken security polling is now disabled.