[dns-operations] Please issue CVEs for servers that BADVERS/FORMERR for Unknown EDNS options.

Mark Andrews marka at isc.org
Tue Feb 14 01:58:10 UTC 2017

If any version of your products returned BADVERS or FORMERR to a
unknown EDNS option could you please issue a CVE for those versions
so that your customers know that they should be replacing the
nameserver with something that meets the EDNS specification.

* BADVERS was always outside of spec.  It is for EDNS version
  negotiation not that I don't understand this option.

* FORMERR is also outside of the current spec.  The nameservers
  that do this also return FORMERR if the EDNS version is 1 rather
  than BADVERS you can't even use EDNS version negotiation to get
  a good answer to well formed queries.  The two behaviours put
  these servers outside of the initial EDNS specification.

Servers with these behaviours are causing interop issues.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org

More information about the dns-operations mailing list