I've been using PowerDNS Authoritative DNS Server for the last couple of years - and it's been (and still is) a blast. Fast DNS server, great API, and combined with a powerful UI (Opera DNSUI) it makes DNS management very enjoyable.
It's no surprise that I would monitor PowerDNS. The monitoring plugin check_powerdns_auth does an awesome job in not just checking PowerDNS itself, but also showing performance data (metrics) of DNS queries.
But today, after multiple years running and maintaining this setup, I got a new monitoring alert.
All of a sudden, all PowerDNS servers (Masters and Slave Authoritative Servers) started to alert with a - as of this moment - weird message:
A manual launch of the monitoring plugin confirms the same error seen on Icinga:
root@inf-dns01a-p:~# /usr/lib/nagios/plugins/check_powerdns_auth.py
CRITICAL - PowerDNS upgrade mandatory. Queries: 0/s.
Where does this come from?
A closer look inside the Python code of the monitoring plugin shows that the PowerDNS API is called to obtain metrics and other information about the current PowerDNS status.
I manually reproduced the API request using curl and the API Key header:
root@inf-dns01a-p:~# curl -s -H "X-API-Key: secret" http://localhost:8081/api/v1/servers/localhost/statistics | jq
[
  {
    "name": "backend-latency",
    "type": "StatisticItem",
    "value": "476"
  },
  {
    "name": "backend-queries",
    "type": "StatisticItem",
    "value": "22718504"
  },
[...]
Whoah! A ton of information is showing up here. Let's focus on one of the JSON keys, which is relevant to the current alert; the security-status key:
root@inf-dns01a-p:~# curl -s -H "X-API-Key: secret" http://localhost:8081/api/v1/servers/localhost/statistics | jq -r '.[] | select(.name == "security-status") | .value'
3
So the API has a security-status key with the current value of 3. To find out what this means, the documentation needs to be consulted:
The data returned is in one of the following forms:
NXDOMAIN or resolution failure -> 0
“1 Ok” -> 1
“2 Upgrade recommended for security reasons, see …” -> 2
“3 Upgrade mandatory for security reasons, see …” -> 3
Inside the plugin itself, the same information can be seen:
if ('security-status' in data_new) and (args.skipsecurity == 0):
    if data_new['security-status'] == 0:
        monitor.set_status(MStatus().CRITICAL)
        security = 'NXDOMAIN or resolution failure.'
    elif data_new['security-status'] == 1:
        monitor.set_status(MStatus().OK)
        security = 'PowerDNS running.'
    elif data_new['security-status'] == 2:
        monitor.set_status(MStatus().WARNING)
        security = 'PowerDNS upgrade recommended.'
    elif data_new['security-status'] == 3:
        monitor.set_status(MStatus().CRITICAL)
        security = 'PowerDNS upgrade mandatory.'
    else:
        monitor.set_status(MStatus().CRITICAL)
        security = "PowerDNS unexpected security-status %d." % data_new['security-status']
At this point we know that the PowerDNS API has a security-status key and has the value set to 3. According to the documentation this means upgrade mandatory for security reasons. But why today?
Checking the currently installed PowerDNS packages revealed that the 4.9 branch (still supported) is in use and that version 4.9.4 is installed:
root@inf-dns01a-p:~# dpkg -l|grep pdns
ii pdns-backend-mysql 4.9.4-1pdns.noble amd64 MySQL backend for PowerDNS
ii pdns-server 4.9.4-1pdns.noble amd64 extremely powerful and versatile nameserver
Looking through the available new versions, there is 4.9.14 available:
root@inf-dns01a-p:~# apt-cache show pdns-server | grep ^Version
Version: 4.9.14-1pdns.noble
Version: 4.9.4-1pdns.noble
Version: 4.8.3-4build3
Looking closer at the changelog on the PowerDNS website reveals that this version (4.9.14) was released today (!) and is a security release. It fixes multiple issues including CVE-2026-33257. The Security Advisory 2026-05 reveals more information about the vulnerabilities.
After updating the PowerDNS package(s) to the latest version (still in the 4.9 branch), the alert went away and PowerDNS continued to operate smoothly.
Why does that deserve a separate blog post? Because I've never seen that before. Yes, I've seen System Update Monitoring, such as check_apt, which alerts on available critical/security patches, but I've never seen an application itself showing "hey, I really should be updated for security reasons".
PowerDNS does this quite nicely through its own API. And it was excellent and future-proof thinking of the plugin developer (Remi Frenay) to add this internal check into the monitoring plugin.
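For setups that do not use check_powerdns_auth, the same evaluation can be done directly on the body returned by the statistics endpoint. The following is an added example, not code from the original post or from the plugin; the function name and the sample responses are constructed for illustration. It handles the details the curl output above hints at: values arrive as strings, not every item is a scalar, and a missing key is reported as UNKNOWN rather than silently passing.

```python
import json

# Nagios/Icinga plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# security-status values as listed in the documentation excerpt quoted in this post
SECURITY_STATES = {
    0: (CRITICAL, "NXDOMAIN or resolution failure"),
    1: (OK, "ok"),
    2: (WARNING, "upgrade recommended for security reasons"),
    3: (CRITICAL, "upgrade mandatory for security reasons"),
}

def evaluate_security_status(statistics_json):
    """Return (exit_code, message) for a /statistics API response body."""
    try:
        items = json.loads(statistics_json)
    except ValueError as exc:
        return UNKNOWN, "cannot parse statistics response: %s" % exc
    if not isinstance(items, list):
        # e.g. an error object was returned instead of the list of items
        return UNKNOWN, "unexpected response shape: %s" % type(items).__name__
    for item in items:
        if not isinstance(item, dict) or item.get("name") != "security-status":
            continue
        try:
            # StatisticItem values arrive as strings ("3"), not numbers
            status = int(item.get("value"))
        except (TypeError, ValueError):
            return UNKNOWN, "non-numeric security-status %r" % item.get("value")
        return SECURITY_STATES.get(
            status, (CRITICAL, "unexpected security-status %d" % status))
    # Key absent: do not report OK for a check that never ran
    return UNKNOWN, "security-status not present in statistics"

# Constructed sample responses (not captured from a real server)
SAMPLE_MANDATORY = json.dumps([
    {"name": "backend-queries", "type": "StatisticItem", "value": "22718504"},
    {"name": "response-by-qtype", "type": "MapStatisticItem",
     "value": [{"name": "A", "value": "10"}]},
    {"name": "security-status", "type": "StatisticItem", "value": "3"},
])
SAMPLE_MISSING = json.dumps([
    {"name": "backend-latency", "type": "StatisticItem", "value": "476"},
])

if __name__ == "__main__":
    for sample in (SAMPLE_MANDATORY, SAMPLE_MISSING):
        print(evaluate_security_status(sample))
```
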