[dns-operations] Please issue CVEs for servers that BADVERS/FORMERR for Unknown EDNS options.

Shane Kerr shane at time-travellers.org
Tue Feb 14 12:31:48 UTC 2017


Pieter,

At 2017-02-14 12:24:12 +0100
Pieter Lexis <pieter.lexis at powerdns.com> wrote:

> Hi Mark,
> 
> On Tue, 14 Feb 2017 12:58:10 +1100
> Mark Andrews <marka at isc.org> wrote:
> 
> > Servers with these behaviours are causing interop issues.  
> 
> Mitre describes CVEs as "Common Vulnerabilities and Exposures (CVE®)
> is a dictionary of common names (i.e., CVE Identifiers) for publicly
> known cybersecurity vulnerabilities"[1]. The desire to get these bad
> implementations off the internet, bad interop is not a security issue
> by itself and I don't believe CVEs will be issued for these issues.
> 
> The dns-violations initiative, combined with informing vendors, users
> and operators might be the only way to do this.

Agreed.

A CVE isn't "our software doesn't work 100% properly, here is a better
version", a CVE is "OMFG you are about to get hax0r3d!!!!!!11".
Handling a CVE takes a lot of resources, and if vendors start misusing
them then administrators and users will start ignoring them. We don't
want to be in that world.

Cheers,

--
Shane