nanog mailing list archives
Re: New addresses for b.root-servers.net
From: Mark Andrews <marka () isc org>
Date: Mon, 5 Jun 2023 09:57:26 +1000
On 5 Jun 2023, at 06:19, William Herrin <bill () herrin us> wrote: On Sun, Jun 4, 2023 at 7:41 AM Izaac <izaac () setec org> wrote:It's not a security update. It's a configuration change.Hi Izaac, Perhaps you missed my subsequent message where I pointed out that the IP address is hard-coded in Bind which will use it by default unless configured not to.It's also not a vulnerability. A vulnerability, as defined by MITRE for CVE is: "A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.At an absolute minimum there's an impact to confidentiality since it causes Bind to announce itself to an IP address that is not a root server. If the user configured bind with DNSSEC validation disabled, it's also a negative impact to integrity and availability since the potential false responder can steer bind away from the true DNS tree.
It announces itself to an address which remains under the control of USC/ISI the current and on going root server operator for b.root-servers.net. So apart from leaking that the root hints have not been updated I don’t see a big risk here. The address block, as has been stated, is in a reserved range for critical infrastructure and, I suspect, has special controls placed on it by ARIN regarding its re-use should USC/ISI ever release it / cease to be a root-server operator. I would hope that ARIN and all the RIRs have the list of current and old root-server addresses and that any block that are being transferred that have one of these addresses are flagged for special consideration. There is already a issue raised for updating the compiled in address. https://gitlab.isc.org/isc-projects/bind9/-/issues/4101 I suspect that most of the distributions that include named will have had or will have similar issues raised. Many distributions include their own set of hints and do not rely on the compiled in set. Named will log any differences between its configured root servers (names and addresses) and those returned when priming.
Like well known default passwords, for which there are many CVEs, it's a vulnerability. Regards, Bill Herrin -- William Herrin bill () herrin us https://bill.herrin.us/
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka () isc org
Current thread:
- Re: New addresses for b.root-servers.net, (continued)
- Re: New addresses for b.root-servers.net Masataka Ohta (Jun 01)
- Re: New addresses for b.root-servers.net Jim (Jun 02)
- Re: New addresses for b.root-servers.net William Herrin (Jun 02)
- Re: New addresses for b.root-servers.net Matthew Petach (Jun 02)
- Re: New addresses for b.root-servers.net Matt Corallo (Jun 03)
- Re: New addresses for b.root-servers.net William Herrin (Jun 03)
- Re: New addresses for b.root-servers.net Matt Corallo (Jun 03)
- Re: New addresses for b.root-servers.net William Herrin (Jun 03)
- Re: New addresses for b.root-servers.net Izaac (Jun 04)
- Re: New addresses for b.root-servers.net William Herrin (Jun 04)
- Re: New addresses for b.root-servers.net Mark Andrews (Jun 04)
- Re: New addresses for b.root-servers.net William Herrin (Jun 04)
- Re: New addresses for b.root-servers.net Masataka Ohta (Jun 07)
- Re: New addresses for b.root-servers.net Izaac (Jun 07)
- Re: New addresses for b.root-servers.net William Herrin (Jun 07)
- Re: New addresses for b.root-servers.net Izaac (Jun 07)
- Re: New addresses for b.root-servers.net Michael Butler via NANOG (Jun 07)
- Re: New addresses for b.root-servers.net Izaac (Jun 07)
- Re: New addresses for b.root-servers.net William Herrin (Jun 07)
- Re: New addresses for b.root-servers.net Izaac (Jun 07)
- Re: New addresses for b.root-servers.net William Herrin (Jun 07)