[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Root name server changes -> bind
From:       Marcus Meissner <meissner () suse ! de>
Date:       2008-05-23 11:31:49
Message-ID: 20080523113149.GA16560 () suse ! de
[Download RAW message or body]

On Thu, May 22, 2008 at 10:58:46AM +0200, Thijs Kinkhorst wrote:
> On Wednesday 21 May 2008 15:02, Marcus Meissner wrote:
> >         The security consequences of obscure DNS root server usage are
> > obvious, IMHO. You might want to consider security updates to the bind
> > package with an updated root.hint file. (Since the story is on Slashdot, it
> > is as public as it can get; thus I use the regular channel for this
> > request.)
> >
> > Not sure if this warrants a CVE id.
> 
> We've gotten similar requests at Debian, with people requesting it be fixed in 
> a security update. Our position until now has been that we're not treating it 
> as a security issue: it has been in that IP space for years and there are no 
> concrete indications that the owner of that block has turned bad. The same 
> could be said for many other IP's of the root servers, where the owner of the 
> space, connectivity or housing is currently trusted but could go bad at some 
> point. We'll probably fix it in a next point update.
> 
> However, if many other vendors are treating it as a security issue, we're 
> interested in their reasons and may follow suit to prevent confusion.

We will be releasing a bind update with the current root.hint file.

I am still undecided whether to label it security or not.

Ciao, Marcus
[prev in list] [next in list] [prev in thread] [next in thread]