nanog mailing list archives

Re: New addresses for b.root-servers.net


From: William Herrin <bill () herrin us>
Date: Sat, 3 Jun 2023 23:16:01 -0700

On Sat, Jun 3, 2023 at 8:46 PM Matt Corallo <nanog () as397444 net> wrote:
> On 6/3/23 4:17 PM, William Herrin wrote:
> > It *is* a security update. After some period of time, the folks running
> > b.root-servers.net should file a CVE against implementations still
> > using the deprecated IP address.
>
> Not really sure how you go about filing a CVE for a file that isn't usually a part of a standard
> software project -

https://downloads.isc.org/isc/bind9/9.18.15/bind-9.18.15.tar.xz

grep -ri b.root-servers.net bind-9.18.15/
bind-9.18.15/lib/dns/rootns.c:  ".                       518400  IN      NS      B.ROOT-SERVERS.NET.\n"
bind-9.18.15/lib/dns/rootns.c:  "B.ROOT-SERVERS.NET.     3600000 IN      A       199.9.14.201\n"
bind-9.18.15/lib/dns/rootns.c:  "B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:200::b\n"
bind-9.18.15/bin/named/config.c:        2001:500:200::b;        # b.root-servers.net\n\
bind-9.18.15/bin/named/config.c:        199.9.14.201;           # b.root-servers.net\n\

So, when 199.9.14.201 stops being a root DNS server, bind 9.18.15
legitimately has a CVE because that IP address is hard-coded.

I would bet that the other major DNS server software also has some
sort of mechanism for including the root hints instead of making the
packager or user go fetch it. This is not a bad thing. Filing a CVE
against it does not reflect badly on the programmers. It's a
reasonable notification path for security folks to discover and
address external changes that impact the security of the software they
operate.

-Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
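An audit of the kind this thread implies, as an added example that is not from the thread, from Bill, or from BIND: it parses root-hints records in the zone-file format the grep output shows and lists any built-in address that no longer appears in a current reference hints file, so an operator can spot a stale hard-coded root address before it becomes a problem. The sample data is constructed; the replacement IPv4 address is a documentation-range placeholder, not B-root's actual new address.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: root-hints lines in the same zone-file format that the
# grep above finds hard-coded in BIND 9.18.15's lib/dns/rootns.c (B-root only).
BUILTIN_HINTS = """\
.                       518400  IN  NS      B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.     3600000 IN  A       199.9.14.201
B.ROOT-SERVERS.NET.     3600000 IN  AAAA    2001:500:200::b
"""

# Constructed reference hints for a scenario in which only the IPv4 address
# changed. 192.0.2.1 is a documentation-range PLACEHOLDER, not a real address.
CURRENT_HINTS = """\
.                       518400  IN  NS      b.root-servers.net.
b.root-servers.net.     3600000 IN  A       192.0.2.1
b.root-servers.net.     3600000 IN  AAAA    2001:500:200::b
"""


def parse_hints(text):
    """Return {owner_name: {normalized address, ...}} for A/AAAA records."""
    glue = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[3] not in ("A", "AAAA"):
            continue
        # DNS names are case-insensitive; compare them lower-cased, no trailing dot
        owner = fields[0].lower().rstrip(".")
        # ipaddress canonicalizes e.g. 2001:0500:0200::B -> 2001:500:200::b
        glue[owner].add(str(ipaddress.ip_address(fields[4])))
    return glue


def stale_hints(builtin, current):
    """Addresses present in the built-in hints but absent from the reference."""
    have, want = parse_hints(builtin), parse_hints(current)
    stale = {}
    for name, addrs in have.items():
        gone = sorted(addrs - want.get(name, set()))
        if gone:
            stale[name] = gone
    return stale


if __name__ == "__main__":
    for name, addrs in stale_hints(BUILTIN_HINTS, CURRENT_HINTS).items():
        print(f"{name}: stale hard-coded address(es) {addrs}")
```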
