On 6/7/23 15:13, Izaac wrote:
On Wed, Jun 07, 2023 at 09:30:36AM -0700, William Herrin wrote:
Data embedded in the binary is hard-coded. That's what hard-coded
means. If it makes you happier I'll qualify it as a "hard-coded
default," to differentiate it from settings the operator can't
override with configuration.

No.  I will not indulge your invention of terms.  "Hard-coded" means you
need to recompile to change it.  This is a default value.  A
configuration option takes precedence.

BIND-9.18.14 requires recompilation to update the embedded defaults ..

bin/named/config.c:     2001:500:200::b;        # b.root-servers.net\n\
bin/named/config.c:     199.9.14.201;           # b.root-servers.net\n\
lib/dns/rootns.c: "B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201\n"
lib/dns/rootns.c: "B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b\n"


It's an instance of https://cwe.mitre.org/data/definitions/344.html

No, it is not in any respect.  The code you grepped out generates a
default configuration hints file when one does not exist.

The CWE you cite specifically refers to default values for things like
cryptographic RNG seeds and salts and TCP sequence number generators and
the like.  Viz something like
https://www.debian.org/security/2008/dsa-1571 from 2008.

A quick search of https://cve.mitre.org/cve/search_cve_list.html shows
between 600 and 3700 CVEs related to default configurations that are
either directly insecure or unexpectedly become insecure when some but
not all of the defaults are changed by the operator. The vast majority
of these CVEs exhibit, as you say, no flaw in the computational logic.

You literally just gave me a link to the CVE search page, waved your
hand, and said, "See?"  Well, I'll admit to not being as good at
conducting CVE research as you.  So, as an expert on the topic: How many
of these "between 600 and 3700 CVEs" are related to violating the
baseless expectation of confidentiality in a protocol which does not
guarantee confidentiality?  Somewhere between 0 and 2000?

But you know what, go ahead.  Submit the CVE.  Be the hero that you
believe yourself to be.
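As an added example (not BIND's code, not part of the thread), a small check that follows the point made above that an operator's hints file, not the compiled-in default, is what the server actually uses: it parses a named.root-style hints file and reports any A/AAAA entry that drifts from the reference addresses quoted from lib/dns/rootns.c. The configured sample below is constructed, with one deliberately wrong address so the report has something to show.

```python
"""Diff a BIND-style root hints file against reference root-server addresses."""
import re

# Matches hints records such as:  B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201
# The class ("IN") is optional because named.root-style files usually omit it.
HINT_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(?:IN\s+)?(A|AAAA)\s+(\S+)\s*$", re.I)


def parse_hints(text):
    """Return {(owner, rtype): address} for A/AAAA records; NS and comment lines are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]  # drop zone-file comments
        m = HINT_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, addr = m.groups()
        records[(owner.rstrip(".").upper(), rtype.upper())] = addr.lower()
    return records


def diff_hints(configured, reference):
    """List (key, configured_addr, reference_addr) for entries that differ or are unknown."""
    issues = []
    for key, addr in sorted(configured.items()):
        want = reference.get(key)
        if want is None or want != addr:
            issues.append((key, addr, want))
    return issues


# Reference values exactly as quoted from BIND 9.18.14 lib/dns/rootns.c above.
REFERENCE_HINTS = """\
B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201
B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b
"""

# Constructed operator hints file: the A record is wrong on purpose (192.0.2.1 is TEST-NET-1).
CONFIGURED_HINTS = """\
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.1        ; constructed stale value
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
"""

if __name__ == "__main__":
    for key, have, want in diff_hints(parse_hints(CONFIGURED_HINTS), parse_hints(REFERENCE_HINTS)):
        print(f"{key[0]} {key[1]}: configured {have}, reference {want}")
```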

