CyberPanel Community

Security Update Mandatory (PDNS 2026), but how?

CyberPanel.net #1

Hello,
Today, May 2026, when you run:

systemctl status pdns.service

the result is:

https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html

But how can we update pdns without breaking CyberPanel?
Some “magic” command?

Kale #2

From DeepSeek. Not sure about its accuracy:

"This is a critical security issue. The advisory (CVE-2026-42001) addresses a vulnerability where insufficient validation of autoprimary SOA queries can lead to a denial of service (high severity).

You are right to be cautious. Do not run a standard apt upgrade pdns or compile from source, as CyberPanel heavily modifies the PowerDNS configuration and database schema. A manual update will almost certainly break the integration, causing the service to fail or your DNS zones to disappear.

Here is the “magic” command and the safe procedure to update only the PDNS binary without breaking CyberPanel.

The Solution: Force Reinstall via Package Manager

CyberPanel usually pins the PowerDNS version. To force an update to the latest minor version available in your OS repository (which should include the May 2026 security patch), run these commands as root:

Step 1: Stop CyberPanel’s LSCPD (Crucial)
This prevents the panel from overwriting your changes immediately.

systemctl stop lscpd

Step 2: Force Reinstall PowerDNS
This updates the binary but preserves your existing configuration files (since you already have them).

apt update
apt install --only-upgrade pdns-server --allow-downgrades -y

(If the above doesn’t work, try apt install --reinstall pdns-server pdns-backend-mysql -y)

Step 3: Verify the Binary Version (Not Config)
Check that the daemon has updated, even if the config file didn’t.

pdns_server --version

Step 4: Restart Services

systemctl daemon-reload
systemctl restart pdns
systemctl restart lscpd

Step 5: Verify Status
Run systemctl status pdns. Ensure it says active (running) and not failed.

Why this works (and what to watch for)

  • The “Magic”: By using --only-upgrade or --reinstall, you update the binary (/usr/sbin/pdns_server) while leaving the CyberPanel-specific config files (/etc/powerdns/pdns.conf) untouched.
  • The Risk: If the security patch requires a new configuration directive, PDNS might fail to start. If that happens, check the error log (journalctl -u pdns -n 20)—you may need to manually add one line to the config file, though this is rare for DoS patches.

Final Check

Navigate to CyberPanel > DNS > Sync Zones and click “Sync”. If your zones are still listed and resolving, the update was successful and secure.

If the service fails to start, immediately run apt install --reinstall pdns-server=<old_version> (check your apt cache for the previous version) to roll back while you investigate the config conflict."

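Added example, not part of either post and not CyberPanel's or PowerDNS's own tooling: a bash helper that reports whether apt has a newer pdns-server candidate, flags a package hold, and hashes /etc/powerdns/pdns.conf so the claim that the config survives the upgrade can be checked afterwards. The function names, the /root backup location and the sample version strings are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): checks around an apt upgrade of pdns-server.

# Constructed sample of `apt-cache policy pdns-server` output; the version
# strings are made up and are not real PowerDNS releases.
SAMPLE_POLICY='pdns-server:
  Installed: 1.0.0-1
  Candidate: 1.0.1-1
  Version table:'

# Print one field ("Installed" or "Candidate") from policy text on stdin.
policy_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Classify policy text on stdin: not-installed | up-to-date | upgrade-available
upgrade_state() {
    local policy installed candidate
    policy=$(cat)
    installed=$(printf '%s\n' "$policy" | policy_field Installed)
    candidate=$(printf '%s\n' "$policy" | policy_field Candidate)
    if [ -z "$installed" ] || [ "$installed" = "(none)" ]; then
        echo not-installed
    elif [ "$installed" = "$candidate" ]; then
        echo up-to-date
    else
        echo upgrade-available
    fi
}

# Copy the config into a backup directory and print its SHA-256.
snapshot_config() {
    cp -p "$1" "$2/$(basename "$1").bak" && sha256sum "$1" | cut -d' ' -f1
}

# Succeeds (exit 0) if the config no longer matches the saved hash.
config_changed() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" != "$2" ]
}

# Live run on the server, before the upgrade: ./check.sh --run
if [ "${1:-}" = "--run" ]; then
    pkg=pdns-server conf=/etc/powerdns/pdns.conf
    apt-mark showhold | grep -qx "$pkg" && echo "$pkg is on hold; apt will skip it"
    echo "state: $(apt-cache policy "$pkg" | upgrade_state)"
    echo "config sha256: $(snapshot_config "$conf" /root)"
fi
```

An `upgrade-available` result only means the repository offers a different version; compare the candidate against the fixed version listed in the advisory before relying on it. After the upgrade, `config_changed /etc/powerdns/pdns.conf <saved hash>` shows whether the package touched the config.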