[dns-operations] Please issue CVEs for servers that BADVERS/FORMERR for Unknown EDNS options.
shane at time-travellers.org
Tue Feb 14 12:31:48 UTC 2017
At 2017-02-14 12:24:12 +0100
Pieter Lexis <pieter.lexis at powerdns.com> wrote:
> Hi Mark,
> On Tue, 14 Feb 2017 12:58:10 +1100
> Mark Andrews <marka at isc.org> wrote:
> > Servers with these behaviours are causing interop issues.
> Mitre describes CVE's as "Common Vulnerabilities and Exposures (CVE®)
> is a dictionary of common names (i.e., CVE Identifiers) for publicly
> known cybersecurity vulnerabilities". The desire to get these bad
> implementations off the internet, bad interop is not a security issue
> by itself and I don't believe CVE's will be issued for these issues.
> The dns-violations initiative, combined with informing vendors, users
> and operators might be the only way to do this.
A CVE isn't "our software doesn't work 100% properly, here is a better
version", a CVE is "OMFG you are about to get hax0r3d!!!!!!11".
Handling a CVE takes a lot of resources, and if vendors start misusing
them then administrators and users will start ignoring them. We don't
want to be in that world.