nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: New addresses for b.root-servers.net

From: Izaac <izaac () setec org>
Date: Sun, 4 Jun 2023 10:40:58 -0400
On Sat, Jun 03, 2023 at 04:17:41PM -0700, William Herrin wrote:

It *is* a security update. That's a really great point that I
completely missed. After some period of time, the folks running
b.root-servers.net should file a CVE against implementations still
using the deprecated IP address. The CVE makes it a security issue
compelling vendors of any still-supported software to issue an update.


It's not a security update.  It's a configuration change.

It's also not a vulnerability.  A vulnerability, as defined by MITRE for
CVE is:

"A weakness in the computational logic (e.g., code) found in software
and hardware components that, when exploited, results in a negative
impact to confidentiality, integrity, or availability. Mitigation of the
vulnerabilities in this context typically involves coding changes, but
could also include specification changes or even specification
deprecations (e.g., removal of affected protocols or functionality in
their entirety)."

Do not leverage the already fragile de facto security notification and
tracking mechanisms to propagate your desired configuration change.  Use
the fragile de facto configuration change notification mechanism, e.g.
this list, to handle it.

If NS operators are not have updated their configurations, they will be
the ones to bear the suffering.  If the IP is snatched up and employed
for malicious purposes, it will again be those who failed to update
their configuration who will suffer.  Especially if they aren't doing
the DNSSEC verifications which would make such an attack moot.

-- 
. ___ ___  .   .  ___
.  \    /  |\  |\ \
.  _\_ /__ |-\ |-\ \__
Previous By Date Next
Previous By Thread Next

Current thread: