[dns-operations] Please issue CVEs for servers that BADVERS/FORMERR for Unknown EDNS options.

Mark Andrews marka at isc.org
Tue Feb 14 12:15:34 UTC 2017


In message <20170214122412.4faa54b9 at ananas.home.plexis.eu>, Pieter Lexis writes:
> Hi Mark,
>
> On Tue, 14 Feb 2017 12:58:10 +1100
> Mark Andrews <marka at isc.org> wrote:
>
> > Servers with these behaviours are causing interop issues.
>
> Mitre describes CVEs as "Common Vulnerabilities and Exposures (CVE) is a
> dictionary of common names (i.e., CVE Identifiers) for publicly known
> cybersecurity vulnerabilities"1.
> The desire to get these bad implementations off the internet, bad interop
> is not a security issue by itself and I don't believe CVEs will be
> issued for these issues.
>
> The dns-violations initiative, combined with informing vendors, users and
> operators might be the only way to do this.

Whether it should be called a CVE or not, advisories should be
issued for these versions as RFC compliant DNS clients will not
interoperate with these servers without applying yet more workarounds.

This is no different in practice than
https://www.kb.cert.org/vuls/id/714121 (NXDOMAIN for AAAA).  Broken
servers inflicting denial of service on part of their client base.

The orange highlighted zones here will not resolve with any server
that supports DNS Cookies and DNSSEC without applying yet another
set of workarounds beyond those already being applied to get EDNS
to work.  https://ednscomp.isc.org/compliance/gov-full-report.html#eo

And before anyone asks, yes I have attempted to get these fixed by
trying to contact the operators.

Mark

> Best regards,
>
> Pieter
>
> 1 - https://cve.mitre.org/about/
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
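
The behaviour this message complains about, as an added example that is not part of the original e-mail and is not ISC's compliance tester: RFC 6891 requires a responder to ignore EDNS options it does not understand, so a query carrying one should still get a normal answer with an OPT record. The option code 65001, the function names, the verdict labels (including the extra "echoed" case) and the sample responses are assumptions constructed for illustration.

```python
import struct

UNKNOWN_OPT = 65001  # assumption: a code from RFC 6891's local/experimental range
QUESTION = b"\x07example\x00" + struct.pack("!HH", 6, 1)  # constructed: example. SOA IN

def opt_rr(ext_rcode=0, options=b""):
    # OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode|version|flags
    return b"\x00" + struct.pack("!HHIH", 41, 4096, ext_rcode << 24, len(options)) + options

def message(flags, additional=b""):
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if additional else 0)
    return header + QUESTION + additional

def build_query():
    return message(0, opt_rr(options=struct.pack("!HH", UNKNOWN_OPT, 0)))

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)          # compression pointer or root label

def classify(msg):
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, rcode, has_opt, echoed = 12, flags & 0xF, False, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:
            has_opt, p = True, off
            rcode |= (ttl >> 24) << 4            # upper 8 bits of the 12-bit RCODE
            while p + 4 <= off + rdlen:
                code, length = struct.unpack("!HH", msg[p:p + 4])
                echoed |= code == UNKNOWN_OPT
                p += 4 + length
        off += rdlen
    if rcode:
        return {1: "formerr", 16: "badvers"}.get(rcode, f"rcode-{rcode}")
    if not has_opt:
        return "no-opt"
    return "echoed" if echoed else "ok"

SAMPLES = {  # constructed responses, keyed by the (hypothetical) verdict label expected
    "ok": message(0x8000, opt_rr()),
    "badvers": message(0x8000, opt_rr(ext_rcode=1)),
    "formerr": message(0x8001),
    "echoed": message(0x8000, opt_rr(options=struct.pack("!HH", UNKNOWN_OPT, 0))),
}
```
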


