New addresses for b.root-servers.net
Michael Butler
imb at protected-networks.net
Wed Jun 7 19:46:39 UTC 2023
On 6/7/23 15:13, Izaac wrote:
> On Wed, Jun 07, 2023 at 09:30:36AM -0700, William Herrin wrote:
>> Data embedded in the binary is hard-coded. That's what hard-coded
>> means. If it makes you happier I'll qualify it as a "hard-coded
>> default," to differentiate it from settings the operator can't
>> override with configuration.
>
> No. I will not indulge your invention of terms. "Hard-coded" means you
> need to recompile to change it. This is a default value. A
> configuration option takes precedence.
BIND-9.18.14 requires recompilation to update the embedded defaults ..
bin/named/config.c: 2001:500:200::b; # b.root-servers.net\n\
bin/named/config.c: 199.9.14.201; # b.root-servers.net\n\
lib/dns/rootns.c: "B.ROOT-SERVERS.NET. 3600000 IN A
199.9.14.201\n"
lib/dns/rootns.c: "B.ROOT-SERVERS.NET. 3600000 IN AAAA
2001:500:200::b\n"
>> It's an instance of https://cwe.mitre.org/data/definitions/344.html
>
> No, it is not in any respect. The code you grepped out generates a
> default configuration hints file when one does not exist.
>
> The CWE you cite specifically refers to default values for things like
> cryptographic RNG seeds and salts and TCP sequence number generators and
> the like. Viz something like
> https://www.debian.org/security/2008/dsa-1571 from 2008.
>
>> A quick search of https://cve.mitre.org/cve/search_cve_list.html shows
>> between 600 and 3700 CVEs related to default configurations that are
>> either directly insecure or unexpectedly become insecure when some but
>> not all of the defaults are changed by the operator. The vast majority
>> of these CVEs exhibit, as you say, no flaw in the computational logic.
>
> You literally just gave me a link to the CVE search page, waved your
> hand, and said, "See?" Well, I'll admit to not being as good at
> conducting CVE research as you. So, as an expert on the topic: How many
> of these "between 600 and 3700 CVEs" are related to a violating the
> baseless expectation of confidentially in a protocol which does not
> guarantee confidentiality? Somewhere between 0 and 2000?
>
> But you know what, go ahead. Submit the CVE. Be the hero that you
> believe yourself to be.
>
More information about the NANOG
mailing list