On Sat, Jun 03, 2023 at 04:17:41PM -0700, William Herrin wrote:
> It *is* a security update. That's a really great point that I
> completely missed. After some period of time, the folks running
> b.root-servers.net should file a CVE against implementations still
> using the deprecated IP address. The CVE makes it a security issue
> compelling vendors of any still-supported software to issue an update.

It's not a security update.  It's a configuration change.

It's also not a vulnerability.  A vulnerability, as defined by MITRE for
CVE is:

"A weakness in the computational logic (e.g., code) found in software
and hardware components that, when exploited, results in a negative
impact to confidentiality, integrity, or availability. Mitigation of the
vulnerabilities in this context typically involves coding changes, but
could also include specification changes or even specification
deprecations (e.g., removal of affected protocols or functionality in
their entirety)."

Do not leverage the already fragile de facto security notification and
tracking mechanisms to propagate your desired configuration change.  Use
the fragile de facto configuration change notification mechanism, e.g.
this list, to handle it.

If NS operators have not updated their configurations, they will be
the ones to bear the suffering.  If the IP is snatched up and employed
for malicious purposes, it will again be those who failed to update
their configuration who will suffer.  Especially if they aren't doing
the DNSSEC verifications which would make such an attack moot.

-- 
. ___ ___  .   .  ___
.  \    /  |\  |\ \
.  _\_ /__ |-\ |-\ \__
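The message above turns on operators who never updated the root server address in their configuration. As an added example (not code from this thread or from the b.root-servers.net operators), here is a small check that parses a BIND-style root hints file and diffs it against the address set the operator currently trusts, so a stale entry surfaces before it is abused. All addresses and the `CURRENT_ADDRS` mapping are constructed placeholders from documentation ranges, not real root server addresses; in practice the current set would come from a DNSSEC-validated priming query or the published root hints.

```python
"""Detect stale root server addresses in a BIND-style hints file.

Added example for the thread above. Every address below is a constructed
placeholder (RFC 5737 / RFC 3849 documentation ranges), not real data.
"""
import ipaddress

# Constructed sample in the named.root layout: NS records for "." followed
# by A/AAAA glue for each server name. Not real root server data.
SAMPLE_HINTS = """\
; constructed sample hints file, placeholder addresses only
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::2
"""

# Constructed "currently published" addresses, as an operator would obtain
# them from a validated priming query. Here B's IPv4 address has moved.
CURRENT_ADDRS = {
    "A.ROOT-SERVERS.NET.": {"192.0.2.1", "2001:db8::1"},
    "B.ROOT-SERVERS.NET.": {"192.0.2.22", "2001:db8::2"},
}


def parse_hints(text):
    """Return {server_name: set(addresses)} for the A/AAAA glue records.

    Lines are '<name> <ttl> <type> <rdata>'; comments start with ';'.
    NS records are skipped because only the glue addresses can go stale.
    """
    hints = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        name, rtype, rdata = fields[0].upper(), fields[2].upper(), fields[3]
        if rtype in ("A", "AAAA"):
            ipaddress.ip_address(rdata)  # raises ValueError on a malformed address
            hints.setdefault(name, set()).add(rdata)
    return hints


def find_stale(hints, current):
    """Compare configured glue against the current address set.

    Returns {'stale': [(name, addr)], 'missing': [(name, addr)]} where
    'stale' lists configured addresses no longer published for that name
    (the case the thread is about) and 'missing' lists published addresses
    the hints file does not yet carry.
    """
    stale, missing = [], []
    for name, published in current.items():
        configured = hints.get(name, set())
        stale += [(name, a) for a in sorted(configured - published)]
        missing += [(name, a) for a in sorted(published - configured)]
    return {"stale": sorted(stale), "missing": sorted(missing)}


if __name__ == "__main__":
    report = find_stale(parse_hints(SAMPLE_HINTS), CURRENT_ADDRS)
    for name, addr in report["stale"]:
        print(f"STALE   {name} {addr} (remove from hints)")
    for name, addr in report["missing"]:
        print(f"MISSING {name} {addr} (add to hints)")
```

A stale address is only a risk if the resolver actually uses it; running this against the hints file a resolver loads at startup, and against the cached priming response it holds at runtime, is the practical way to confirm an operator is off the deprecated address.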