New addresses for b.root-servers.net

Mark Andrews marka at isc.org
Sun Jun 4 23:57:26 UTC 2023



> On 5 Jun 2023, at 06:19, William Herrin <bill at herrin.us> wrote:
> 
> On Sun, Jun 4, 2023 at 7:41 AM Izaac <izaac at setec.org> wrote:
>> It's not a security update.  It's a configuration change.
> 
> Hi Izaac,
> 
> Perhaps you missed my subsequent message where I pointed out that the
> IP address is hard-coded in Bind which will use it by default unless
> configured not to.
> 
> 
>> It's also not a vulnerability.  A vulnerability, as defined by MITRE for
>> CVE is:
>> 
>> "A weakness in the computational logic (e.g., code) found in software
>> and hardware components that, when exploited, results in a negative
>> impact to confidentiality, integrity, or availability.
> 
> At an absolute minimum there's an impact to confidentiality since it
> causes Bind to announce itself to an IP address that is not a root
> server. If the user configured bind with DNSSEC validation disabled,
> it's also a negative impact to integrity and availability since the
> potential false responder can steer bind away from the true DNS tree.

It announces itself to an address which remains under the control of
USC/ISI, the current and ongoing root server operator for b.root-servers.net.
So apart from leaking that the root hints have not been updated I don’t
see a big risk here.  The address block, as has been stated, is in a reserved
range for critical infrastructure and, I suspect, has special controls placed
on it by ARIN regarding its re-use should USC/ISI ever release it / cease to
be a root-server operator.  I would hope that ARIN and all the RIRs have
the list of current and old root-server addresses and that any blocks that
are being transferred that have one of these addresses are flagged for
special consideration.

There is already an issue raised for updating the compiled-in address.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4101

I suspect that most of the distributions that include named will have had
or will have similar issues raised.  Many distributions include their own
set of hints and do not rely on the compiled in set.

Named will log any differences between its configured root servers (names
and addresses) and those returned when priming.

> Like well known default passwords, for which there are many CVEs, it's
> a vulnerability.
> 
> Regards,
> Bill Herrin
> 
> 
> -- 
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
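As an added illustration of the priming comparison mentioned in the reply above (example code written for this page; it is not BIND's own code and not from any participant in the thread): a small Python script that parses a root hints file in the named.root zone-file shape and reports every name or address that differs from what a priming query returned, which is the kind of check an operator can run to spot stale hints after a root-server renumbering. The hints text, the "priming response" and every address in it are constructed placeholders drawn from the RFC 5737 / RFC 3849 documentation ranges; none of them is a real root-server address, and the `fetch`-free design means it runs entirely offline.

```python
import re

# Constructed sample root hints in the named.root / db.root zone-file shape.
# The addresses are documentation addresses standing in for real root-server
# IPs; they are NOT the real ones (assumption: B has been renumbered).
SAMPLE_HINTS = """\
; constructed sample, not the real root hints
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::a
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000  IN  A     192.0.2.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::b
"""

# Constructed stand-in for the answer to a priming query (NS set for "."
# plus glue), in which B's IPv4 address has changed.
SAMPLE_PRIMING = {
    "A.ROOT-SERVERS.NET.": {"192.0.2.4", "2001:db8::a"},
    "B.ROOT-SERVERS.NET.": {"198.51.100.2", "2001:db8::b"},
}

_NUMERIC = re.compile(r"^\d+$")


def parse_hints(text):
    """Parse a root hints zone file into {server name: set(addresses)}.

    Handles the usual 'OWNER TTL [IN] TYPE RDATA' layout, ';' comments,
    and upper/lower-case variation in names and types. A name listed in
    an NS record for '.' but lacking glue still gets an (empty) entry so
    the comparison can flag it.
    """
    servers = {}
    ns_names = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = fields[0].upper()
        rest = fields[1:]
        # Skip an optional TTL and an optional class token.
        while rest and (_NUMERIC.match(rest[0]) or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) < 2:
            continue  # malformed or unsupported line; ignore it
        rtype, rdata = rest[0].upper(), rest[1]
        if owner == "." and rtype == "NS":
            ns_names.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            servers.setdefault(owner, set()).add(rdata.lower())
    for name in ns_names:
        servers.setdefault(name, set())
    return servers


def compare(hints, primed):
    """Return human-readable differences between hints and a priming answer.

    An empty list means the configured hints match what the roots report.
    """
    diffs = []
    for name in sorted(set(hints) | set(primed)):
        if name not in primed:
            diffs.append(f"{name}: present in hints, absent from priming response")
        elif name not in hints:
            diffs.append(f"{name}: returned by priming, missing from hints")
        else:
            for addr in sorted(hints[name] - primed[name]):
                diffs.append(f"{name}: hints list {addr}, priming response does not (stale?)")
            for addr in sorted(primed[name] - hints[name]):
                diffs.append(f"{name}: priming response lists {addr}, hints do not (new?)")
    return diffs


if __name__ == "__main__":
    for line in compare(parse_hints(SAMPLE_HINTS), SAMPLE_PRIMING) or ["hints up to date"]:
        print(line)
```

On the constructed data the script reports exactly the two B.ROOT-SERVERS.NET lines (one stale address, one new one) and nothing for A, which is the signal an operator wants: a difference on a single root name after a renumbering means the hints file (compiled-in or distribution-supplied) has not been refreshed.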