[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Root name server changes -> bind
From: Marcus Meissner <meissner () suse ! de>
Date: 2008-05-23 11:31:49
Message-ID: 20080523113149.GA16560 () suse ! de
[Download RAW message or body]
On Thu, May 22, 2008 at 10:58:46AM +0200, Thijs Kinkhorst wrote:
> On Wednesday 21 May 2008 15:02, Marcus Meissner wrote:
> > The security consequences of obscure DNS root server usage are
> > obvious, IMHO. You might want to consider security updates to the bind
> > package with an updated root.hint file. (Since the story is on Slashdot, it
> > is as public as it can get; thus I use the regular channel for this
> > request.)
> >
> > Not sure if this warrants a CVE id.
>
> We've gotten similar requests at Debian, with people requesting it be fixed in
> a security update. Our position until now has been that we're not treating it
> as a security issue: it has been in that IP space for years and there are no
> concrete indications that the owner of that block has turned bad. The same
> could be said for many other IP's of the root servers, where the owner of the
> space, connectivity or housing is currently trusted but could go bad at some
> point. We'll probably fix it in a next point update.
>
> However, if many other vendors are treating it as a security issue, we're
> interested in their reasons and may follow suit to prevent confusion.
We will be releasing a bind update with the current root.hint file.
I am still undecided whether to label it security or not.
Ciao, Marcus
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic