[dns-operations] Hall of DNS Shame (?)

Steven Carr sjcarr at gmail.com
Mon Jan 30 20:42:29 UTC 2017


On 30 January 2017 at 19:44, Mark Andrews <marka at isc.org> wrote:
>
> The first vendors that need to be contacted are firewall vendors.
> They need to remove the idiotic packet dropping by default for:
>
> * dropping requests with EDNS version != 0
> * dropping requests with EDNS option being present
> * dropping requests with EDNS NSID option being present
> * dropping requests with an EDNS flag being set other than DO.
> * dropping requests with AD=1
> * dropping requests with DO=1 (nearly gone)
> * dropping requests with the last MBZ bit set.
>
> They need to issue CVEs for all code that has these properties.

Why would any of the above "broken" implementations warrant a CVE?
AFAIU CVEs are for information security exposures and security
vulnerabilities; how do any of the above constitute one of those? In
order to raise a CVE you're going to have to prove it's causing damage
(or has the potential to cause damage).
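As an added example, not part of this thread and not code from ISC or any firewall vendor, the script below builds the EDNS queries from Mark's list (EDNS version 1, an unassigned option, NSID, DO, AD=1, the last MBZ bit) and grades the reply of a nameserver you run against RFC 6891: a version-1 query should get BADVERS, every other case should simply be answered with an OPT record, and a timeout is the silent drop the thread is about. All names, the probe catalogue and the stand-in replies used to test the grader offline are constructed here.

```python
"""EDNS(0) compliance probes for the firewall-drop cases discussed above.
Added example; constants follow RFC 6891 / RFC 5001, everything else is
constructed for illustration."""
import os
import socket
import struct

QTYPE_A = 1
EDNS_OPT_TYPE = 41
EDNS_DO = 0x8000          # DNSSEC OK bit in the OPT TTL flags field
EDNS_LAST_MBZ = 0x0001    # lowest "must be zero" bit; receivers must ignore it
OPT_NSID = 3              # RFC 5001 NSID option code
OPT_UNASSIGNED = 65001    # local/experimental code: must be ignored, not echoed
HDR_AD = 0x0020           # AD bit in the DNS header flags
RCODE_BADVERS = 16        # extended RCODE 1 (OPT) combined with header RCODE 0


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def opt_option(code, data=b""):
    return struct.pack("!HH", code, len(data)) + data


def opt_rr(version=0, flags=0, ext_rcode=0, udp_size=1232, options=b""):
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE | EDNS version | flags (DO and the MBZ bits).
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_size, ttl, len(options)) + options


def build_query(qname, qid, version=0, flags=0, options=b"", ad=False, edns=True):
    hdr_flags = 0x0100 | (HDR_AD if ad else 0)      # RD=1, optionally AD=1
    header = struct.pack("!HHHHHH", qid, hdr_flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    return header + question + (opt_rr(version, flags, options=options) if edns else b"")


def skip_name(msg, off):
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + ln


def parse_options(data):
    codes, off = [], 0
    while off + 4 <= len(data):
        code, ln = struct.unpack("!HH", data[off:off + 4])
        codes.append(code)
        off += 4 + ln
    return codes


def parse_reply(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    opt = None
    for _ in range(an + ns + ar):       # walk every RR looking for the OPT
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == EDNS_OPT_TYPE:
            opt = {"ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
                   "flags": ttl & 0xFFFF, "options": parse_options(msg[off:off + rdlen])}
        off += rdlen
    rcode = (flags & 0x000F) | ((opt["ext_rcode"] << 4) if opt else 0)
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": rcode, "opt": opt}


# Constructed probe catalogue, one entry per case in the list above.
PROBES = {
    "edns_version_1": dict(version=1),
    "unknown_option": dict(options=opt_option(OPT_UNASSIGNED)),
    "nsid_option":    dict(options=opt_option(OPT_NSID)),
    "do_bit":         dict(flags=EDNS_DO),
    "ad_bit":         dict(ad=True),
    "last_mbz_bit":   dict(flags=EDNS_LAST_MBZ),
}


def grade(probe, query, reply):
    """Return 'ok' or a short reason the reply (or its absence) is non-compliant."""
    if reply is None:
        return "dropped: no reply (middlebox or server silently discards this query)"
    r = parse_reply(reply)
    if r["id"] != struct.unpack("!H", query[:2])[0] or not r["qr"]:
        return "bogus: id mismatch or QR not set"
    if probe == "edns_version_1":
        if r["rcode"] == RCODE_BADVERS and r["opt"] and r["opt"]["version"] == 0:
            return "ok"
        return "wrong rcode: expected BADVERS with an EDNS version 0 OPT"
    if r["rcode"] not in (0, 3):
        return f"wrong rcode {r['rcode']}: expected NOERROR or NXDOMAIN"
    if r["opt"] is None:
        return "no OPT in reply: EDNS dropped"
    if probe == "unknown_option" and OPT_UNASSIGNED in r["opt"]["options"]:
        return "unknown option echoed back"
    return "ok"


def make_reply(query, rcode=0, ext_rcode=0, version=0, options=b"", edns=True):
    """Constructed stand-in for a server reply so the grader can be exercised offline."""
    qid, qflags = struct.unpack("!HH", query[:4])
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", qid, 0x8000 | (qflags & 0x0100) | rcode, 1, 0, 0, 1 if edns else 0)
    return header + query[12:qend] + (opt_rr(version, 0, ext_rcode, options=options) if edns else b"")


def probe_server(server, qname="example.com.", timeout=2.0):
    """Send each probe over UDP to a nameserver you operate and grade the replies."""
    results = {}
    for name, kw in PROBES.items():
        q = build_query(qname, qid=int.from_bytes(os.urandom(2), "big"), **kw)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            try:
                reply = s.recv(4096)
            except socket.timeout:
                reply = None
        results[name] = grade(name, q, reply)
    return results


if __name__ == "__main__":
    import sys
    for name, verdict in probe_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1").items():
        print(f"{name:16} {verdict}")
```

Run it against the address of a server or resolver behind the firewall in question; a "dropped" verdict on any probe except a plain query is the behaviour Mark is complaining about, while a "wrong rcode" on the version-1 probe points at the server rather than the packet filter.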



More information about the dns-operations mailing list