nanog mailing list archives
Re: New addresses for b.root-servers.net
From: William Herrin <bill () herrin us>
Date: Sat, 3 Jun 2023 23:16:01 -0700
On Sat, Jun 3, 2023 at 8:46 PM Matt Corallo <nanog () as397444 net> wrote:
> On 6/3/23 4:17 PM, William Herrin wrote:
>> It *is* a security update. After some period of time, the folks running
>> b.root-servers.net should file a CVE against implementations still using
>> the deprecated IP address.
>
> Not really sure how you go about filing a CVE for a file that isn't usually
> a part of a standard software project -

https://downloads.isc.org/isc/bind9/9.18.15/bind-9.18.15.tar.xz

grep -ri b.root-servers.net bind-9.18.15/
bind-9.18.15/lib/dns/rootns.c: ". 518400 IN NS B.ROOT-SERVERS.NET.\n"
bind-9.18.15/lib/dns/rootns.c: "B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201\n"
bind-9.18.15/lib/dns/rootns.c: "B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b\n"
bind-9.18.15/bin/named/config.c: 2001:500:200::b; # b.root-servers.net\n\
bind-9.18.15/bin/named/config.c: 199.9.14.201; # b.root-servers.net\n\

So, when 199.9.14.201 stops being a root DNS server, bind 9.18.15 legitimately has a CVE because that IP address is hard-coded. I would bet that the other major DNS server software also has some sort of mechanism for including the root hints instead of making the packager or user go fetch it.

This is not a bad thing. Filing a CVE against it does not reflect badly on the programmers. It's a reasonable notification path for security folks to discover and address external changes that impact the security of the software they operate.

-Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/
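The grep in the message above matches literal text only. The following is an added example, not code from the post or from BIND: it compares parsed addresses, so an expanded or upper-case IPv6 spelling of the same hard-coded address is flagged as well. The names `scan_text`, `scan_tree` and `SAMPLE` are assumptions made for illustration, and the sample lines are constructed.

```python
import ipaddress
import os
import re

# Addresses the grep output in the message shows hard-coded in bind-9.18.15.
DEPRECATED = frozenset(
    ipaddress.ip_address(a) for a in ("199.9.14.201", "2001:500:200::b")
)
# Candidate tokens: runs of hex digits, dots and colons. Most are not
# addresses; ipaddress.ip_address() decides which ones really are.
TOKEN = re.compile(r"[0-9A-Fa-f:.]+")

# Constructed sample: two lines modelled on the grep output, one expanded
# IPv6 spelling of the same address, and one documentation-range address.
SAMPLE = r'''"B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201\n"
2001:500:200::b; # b.root-servers.net
B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:0500:0200:0000:0000:0000:0000:000B
EXAMPLE.INVALID. 3600000 IN A 192.0.2.1
'''

def scan_text(text):
    """Return [(line_no, canonical_address)] for each deprecated address."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token in TOKEN.findall(line):
            try:
                addr = ipaddress.ip_address(token.rstrip("."))
            except ValueError:
                continue  # token was not an IP address
            if addr in DEPRECATED:
                hits.append((line_no, str(addr)))
    return hits

def scan_tree(root):
    """Yield (path, line_no, address) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for line_no, addr in scan_text(text):
                yield path, line_no, addr

if __name__ == "__main__":
    for line_no, addr in scan_text(SAMPLE):
        print(f"sample line {line_no}: deprecated address {addr}")
```

Pointing `scan_tree` at an unpacked source tree or a configuration directory lists each file and line that still carries one of the two addresses.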