Re: Root name server changes -> bind

[Marcus Meissner <meissner () suse de>]

On Thu, May 22, 2008 at 10:58:46AM +0200, Thijs Kinkhorst wrote:
> On Wednesday 21 May 2008 15:02, Marcus Meissner wrote:
> >         The security consequences of obscure DNS root server usage are
> > obvious, IMHO. You might want to consider security updates to the bind
> > package with an updated root.hint file. (Since the story is on Slashdot, it
> > is as public as it can get; thus I use the regular channel for this
> > request.)
> >
> > Not sure if this warrants a CVE id.
>
> We've gotten similar requests at Debian, with people requesting it be fixed in 
> a security update. Our position until now has been that we're not treating it 
> as a security issue: it has been in that IP space for years and there are no 
> concrete indications that the owner of that block has turned bad. The same 
> could be said for many other IP's of the root servers, where the owner of the 
> space, connectivity or housing is currently trusted but could go bad at some 
> point. We'll probably fix it in a next point update.
>
> However, if many other vendors are treating it as a security issue, we're 
> interested in their reasons and may follow suit to prevent confusion.

We will be releasing a bind update with the current root.hint file.

I am still undecided whether to label it security or not.

Ciao, Marcus