New addresses for b.root-servers.net

William Herrin bill at herrin.us
Sun Jun 4 06:16:01 UTC 2023


On Sat, Jun 3, 2023 at 8:46 PM Matt Corallo <nanog at as397444.net> wrote:
> On 6/3/23 4:17 PM, William Herrin wrote:
> > It *is* a security update. After some period of time, the folks running
> > b.root-servers.net should file a CVE against implementations still
> > using the deprecated IP address.
>
> Not really sure how you go about filing a CVE for a file that isn't usually a part of a standard
> software project -

https://downloads.isc.org/isc/bind9/9.18.15/bind-9.18.15.tar.xz

grep -ri b.root-servers.net bind-9.18.15/
bind-9.18.15/lib/dns/rootns.c:  ".                       518400  IN      NS      B.ROOT-SERVERS.NET.\n"
bind-9.18.15/lib/dns/rootns.c:  "B.ROOT-SERVERS.NET.     3600000 IN      A       199.9.14.201\n"
bind-9.18.15/lib/dns/rootns.c:  "B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:200::b\n"
bind-9.18.15/bin/named/config.c:        2001:500:200::b;        # b.root-servers.net\n\
bind-9.18.15/bin/named/config.c:        199.9.14.201;           # b.root-servers.net\n\

So, when 199.9.14.201 stops being a root DNS server, bind 9.18.15
legitimately has a CVE because that IP address is hard-coded.

I would bet that the other major DNS server software also has some
sort of mechanism for including the root hints instead of making the
packager or user go fetch it. This is not a bad thing. Filing a CVE
against it does not reflect badly on the programmers. It's a
reasonable notification path for security folks to discover and
address external changes that impact the security of the software they
operate.

-Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
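An added example, not part of Bill's post and not BIND's code: the check an operator would want after reading the above, namely diffing the root hints a resolver actually ships against a reference copy of the root server records and reporting addresses that are stale or missing. Both inputs are constructed samples. HINTS_OLD carries the B-root lines quoted from bind-9.18.15 plus A-root's well-known records for contrast; HINTS_REF stands in for the live data, and the replacement B-root addresses in it (198.51.100.201 and 2001:db8::b) are documentation addresses chosen for the example, not B-root's real new addresses. In practice the reference side would come from the root servers themselves, e.g. `dig +norec . NS @a.root-servers.net` and `dig +norec b.root-servers.net A @a.root-servers.net`, or from the published root.hints file.

```python
"""Diff a resolver's root hints against a reference copy of the root
server records and report stale or missing A/AAAA/NS entries.

Added example for the NANOG thread; not code from the original post or
from BIND. All sample data below is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# (owner, rrtype, rdata), normalised to lowercase without trailing dots
Record = Tuple[str, str, str]

# Matches 'owner [TTL] [IN] TYPE rdata'; TTL and class are optional so
# hand-edited hints files with either layout parse the same way.
ZONE_LINE = re.compile(
    r"^\s*(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>A|AAAA|NS)\s+(?P<rdata>\S+)",
    re.IGNORECASE,
)


def parse_hints(text: str) -> Set[Record]:
    """Parse root-hints style zone text into a set of records.
    Comments after ';' and blank or directive lines are ignored."""
    records: Set[Record] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        m = ZONE_LINE.match(line)
        if not m:
            continue
        owner = m.group("owner").lower().rstrip(".") or "."   # keep the root as "."
        rdata = m.group("rdata").lower().rstrip(".")
        records.add((owner, m.group("type").upper(), rdata))
    return records


def diff_hints(hints: Set[Record], reference: Set[Record]) -> Dict[str, Set[Record]]:
    """Records in the hints that the reference no longer lists are stale;
    records in the reference the hints lack are missing. NS records are
    compared too, so a renamed or added root server also shows up."""
    return {"stale": hints - reference, "missing": reference - hints}


def report(hints_text: str, reference_text: str) -> List[str]:
    """Human-readable, sorted lines; empty list means the hints are current."""
    d = diff_hints(parse_hints(hints_text), parse_hints(reference_text))
    lines = [f"STALE   {o} {t} {r}" for (o, t, r) in sorted(d["stale"])]
    lines += [f"MISSING {o} {t} {r}" for (o, t, r) in sorted(d["missing"])]
    return lines


# Constructed: B-root lines as quoted from bind-9.18.15's rootns.c, plus
# A-root's records so the diff has something that does not change.
HINTS_OLD = """\
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     3600000 IN      A       199.9.14.201
B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:200::b
"""

# Constructed stand-in for the live root data. The B-root addresses here are
# documentation-range placeholders (RFC 5737 / RFC 3849), NOT the real new ones.
HINTS_REF = """\
; reference copy (constructed for the example)
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     3600000 IN      A       198.51.100.201
B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:db8::b
"""

if __name__ == "__main__":
    for line in report(HINTS_OLD, HINTS_REF):
        print(line)
```

Run it against `/etc/bind/db.root` (or whatever your package installs) and a freshly fetched reference; a non-empty STALE list for any root server is the condition the post argues should be treated as a security-relevant defect in the deployed build, since the resolver will keep priming against an address the root operators no longer control.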
