nanog mailing list archives

Re: New addresses for b.root-servers.net


From: Matt Corallo <nanog () as397444 net>
Date: Sat, 3 Jun 2023 20:46:43 -0700



On 6/3/23 4:17 PM, William Herrin wrote:
> On Sat, Jun 3, 2023 at 12:46 PM Matt Corallo <nanog () as397444 net> wrote:
>> I assume RHEL would ship a root hints update during that time, but such things can slip through
>> pretty easily as it's not a security update.
>
> Hi Matt,
>
> It *is* a security update. That's a really great point that I
> completely missed. After some period of time, the folks running
> b.root-servers.net should file a CVE against implementations still
> using the deprecated IP address. The CVE makes it a security issue
> compelling vendors of any still-supported software to issue an update.

Mmm, good point, it is indeed.

Not really sure how you go about filing a CVE for a file that isn't usually a part of a standard software project - I guess that would require some nontrivial amount of work to figure out which distro(s) are still shipping an old copy of the hints file and nag them to upgrade (not sure a CVE would move the needle).

Sadly your usual method of getting CVE notifications for software you run probably wouldn't show for "DNS Root Hint file". You could maybe try just doing it blanket against older resolvers as they also distribute the hints file, but that's kinda rude given it's not really an issue in their software and the hints file distributed with bind isn't the one Debian/Fedora are gonna use.

Matt
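
An added example, not part of the original message or of any distro's tooling: one way to check whether a local root hints file still lists a deprecated b.root-servers.net address, which is the survey step the message describes. The addresses are not given in the thread and are filled in here from the B-root operator's public announcements; the function names and the sample file are constructed for illustration.

```python
import ipaddress
import sys

# Assumption (not stated in the thread): B-root addresses as publicly announced.
# Verify against the current IANA named.root before relying on them.
CURRENT_B = {"170.247.170.2", "2801:1b8:10::b"}
DEPRECATED_B = {"199.9.14.201", "2001:500:200::b",    # replaced in 2023
                "192.228.79.201", "2001:500:84::b"}   # replaced in 2017

# Constructed sample in named.root layout, with an uncompressed IPv6 form.
SAMPLE_OLD = """\
; constructed sample hints file
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200:0:0:0:0:B
"""

def parse_hints(text):
    """Map owner name -> set of addresses from A/AAAA records in a hints file."""
    records, owner = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # drop zone-file comments
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():              # leading blank = owner inherited
            owner = fields[0].lower().rstrip(".")
            fields = fields[1:]
        for i, tok in enumerate(fields[:-1]):  # skip optional TTL / class
            if tok.upper() in ("A", "AAAA"):
                try:
                    addr = ipaddress.ip_address(fields[i + 1])
                except ValueError:
                    break                      # malformed rdata, ignore line
                records.setdefault(owner, set()).add(addr)
                break
    return records

def check_b_root(text):
    """Classify b.root-servers.net entries; ip objects normalise IPv6 spelling."""
    found = parse_hints(text).get("b.root-servers.net", set())
    current = {ipaddress.ip_address(a) for a in CURRENT_B}
    deprecated = {ipaddress.ip_address(a) for a in DEPRECATED_B}
    return {"stale": sorted(str(a) for a in found & deprecated),
            "current": sorted(str(a) for a in found & current),
            "unknown": sorted(str(a) for a in found - deprecated - current)}

if __name__ == "__main__":
    # Pass the path of the hints file your resolver package installs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OLD
    print(check_b_root(text))
```

A non-empty "stale" list means the package shipping that file has not picked up the renumbering; "unknown" entries are worth comparing by hand against the published file.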

