On Sat, Jun 3, 2023 at 8:46 PM Matt Corallo <nanog@as397444.net> wrote:
> On 6/3/23 4:17 PM, William Herrin wrote:
>> It *is* a security update. After some period of time, the folks running b.root-servers.net should file a CVE against implementations still using the deprecated IP address.
> Not really sure how you go about filing a CVE for a file that isn't usually a part of a standard software project -
https://downloads.isc.org/isc/bind9/9.18.15/bind-9.18.15.tar.xz

    grep -ri b.root-servers.net bind-9.18.15/
    bind-9.18.15/lib/dns/rootns.c:      ". 518400 IN NS B.ROOT-SERVERS.NET.\n"
    bind-9.18.15/lib/dns/rootns.c:      "B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201\n"
    bind-9.18.15/lib/dns/rootns.c:      "B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b\n"
    bind-9.18.15/bin/named/config.c:    2001:500:200::b; # b.root-servers.net\n\
    bind-9.18.15/bin/named/config.c:    199.9.14.201; # b.root-servers.net\n\

So, when 199.9.14.201 stops being a root DNS server, bind 9.18.15 legitimately has a CVE because that IP address is hard-coded. I would bet that the other major DNS server software also has some sort of mechanism for including the root hints instead of making the packager or user go fetch it.

This is not a bad thing. Filing a CVE against it does not reflect badly on the programmers. It's a reasonable notification path for security folks to discover and address external changes that impact the security of the software they operate.

-Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
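A check of the kind the thread is arguing for, written here as an added example (it is not BIND's code and not from either poster): it parses hint lines in the format grep turned up in rootns.c and reports any hint absent from a caller-supplied set of current root records. The "current" set below is a constructed placeholder with a TEST-NET address, since the thread does not give B's replacement address; in practice it would come from a priming query to a known-good root server.

```python
"""Find stale root hints by diffing hint lines against current root records."""
import re
from typing import Dict, List, Set, Tuple

# (owner, rrtype) -> set of rdata strings
Records = Dict[Tuple[str, str], Set[str]]

# Zone-style hint lines as embedded in rootns.c, e.g.
#   B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201
LINE_RE = re.compile(r'^\s*(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)\s*$')


def parse_hints(text: str) -> Records:
    """Parse hint lines (C string quoting and \\n tolerated) into Records."""
    recs: Records = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip().strip('"')  # drop comments/quotes
        line = line.replace('\\n', '')                   # drop C escape
        m = LINE_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2), m.group(3)
        if rtype == 'NS':
            rdata = rdata.lower()  # names compare case-insensitively
        recs.setdefault((owner, rtype), set()).add(rdata)
    return recs


def stale_hints(hints: Records, current: Records) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) hints that no longer appear in `current`."""
    stale = []
    for (owner, rtype), values in hints.items():
        live = current.get((owner, rtype), set())
        stale.extend((owner, rtype, v) for v in sorted(values) if v not in live)
    return stale


# Constructed input, copied in the form rootns.c embeds it.
SAMPLE_HINTS = '''
". 518400 IN NS B.ROOT-SERVERS.NET.\\n"
"B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201\\n"
"B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b\\n"
'''
# Constructed placeholder for the current root set; 192.0.2.1 is TEST-NET,
# standing in for B's new address, which this example does not know.
CURRENT_PLACEHOLDER: Records = {
    ('.', 'NS'): {'b.root-servers.net.'},
    ('b.root-servers.net.', 'A'): {'192.0.2.1'},
    ('b.root-servers.net.', 'AAAA'): {'2001:500:200::b'},
}

if __name__ == '__main__':
    for owner, rtype, rdata in stale_hints(parse_hints(SAMPLE_HINTS), CURRENT_PLACEHOLDER):
        print(f'stale hint: {owner} {rtype} {rdata}')
```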