[dns-operations] Please issue CVEs for servers that BADVERS/FORMERR for Unknown EDNS options.

Fred Morris m3047 at m3047.net
Tue Feb 14 17:34:51 UTC 2017

Maybe I should slice this another way...

On Tue, 14 Feb 2017, Pieter Lexis wrote:
> On Tue, 14 Feb 2017 12:58:10 +1100
> Mark Andrews <marka at isc.org> wrote:
> > Servers with these behaviours are causing interop issues.
> [...]
> The desire to get these bad
> implementations off the internet, bad interop is not a security issue by
> itself and I don't believe CVE's will be issued for these issues.

Are there any examples of CVEs which have been issued for
"vulnerabilities" which arise when resolver implementations do not work
around broken upstream implementations?

An hypothetical example would be a security downgrade due to interop
issues, where the server is nonconformant and client resolvers fail to
take some (nonstandard) course of action to mitigate, and thereby the
downgrade occurs; a CVE is then issued against the client resolver
software as opposed to the nonconformant server implementation.


Fred Morris

More information about the dns-operations mailing list