[dns-operations] Please issue CVEs for servers that BADVERS/FORMERR for Unknown EDNS options.
Robert Edmonds
edmonds at mycre.ws
Thu Feb 16 20:54:13 UTC 2017
Pieter Lexis wrote:
> Hi Mark,
>
> On Tue, 14 Feb 2017 12:58:10 +1100
> Mark Andrews <marka at isc.org> wrote:
>
> > Servers with these behaviours are causing interop issues.
>
> Mitre describes CVEs as "Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities"[1].
> The desire to get these bad implementations off the internet aside, bad interop is not a security issue by itself and I don't believe CVEs will be issued for these issues.
>
> The dns-violations initiative, combined with informing vendors, users and operators, might be the only way to do this.
I wonder if firewall/IPS signatures for CVEs from years past could be
causing some of the interop issues seen today.
E.g.,
http://signatures.juniper.net/documentation/signatures/DNS%3AISC-BIND-EDNS-OPT-DOS.html
https://exchange.xforce.ibmcloud.com/signature/DNS_Bind_EDNS_Option_DoS
Though typically for those kinds of signatures you'd expect matched
packets to simply be dropped.
--
Robert Edmonds