On Sun, Jun 4, 2023 at 7:41 AM Izaac <izaac@setec.org> wrote:
It's not a security update. It's a configuration change.
Hi Izaac, Perhaps you missed my subsequent message where I pointed out that the IP address is hard-coded in Bind which will use it by default unless configured not to.
It's also not a vulnerability. A vulnerability, as defined by MITRE for CVE is:
"A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.
At an absolute minimum there's an impact to confidentiality since it causes Bind to announce itself to an IP address that is not a root server. If the user configured bind with DNSSEC validation disabled, it's also a negative impact to integrity and availability since the potential false responder can steer bind away from the true DNS tree. Like well known default passwords, for which there are many CVEs, it's a vulnerability. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/