[dns-operations] Hall of DNS Shame (?)

Joe Greco jgreco at ns.sol.net
Mon Jan 30 22:14:47 UTC 2017


> On 30 January 2017 at 19:44, Mark Andrews <marka at isc.org> wrote:
> >
> > The first vendors that need to be contacted are firewall vendors.
> > They need to remove the idiotic packet dropping by default for:
> >
> > * dropping requests with EDNS version != 0
> > * dropping requests with EDNS option being present
> > * dropping requests with EDNS NSID option being present
> > * dropping requests with A EDNS flag being set other than DO.
> > * dropping requests with AD=1
> > * dropping requests with DO=1 (nearly gone)
> > * dropping requests with the last MBZ bit set.
> >
> > They need to issue CVE's for all code that has these properties.
> 
> Why would any of the above "broken" implementations warrant a CVE?
> AFAIU CVE are for information security exposure and security
> vulnerabilities, how do any of the above consititute one of those? In
> order to raise a CVE you're going to have to prove it's causing damage
> (or has the potential to cause damage).

Because DNS is a core service, and things that actively break DNS and
force resolver implementations to do stupid things in order to work
around hare-brained software written by people who didn't understand
(or even read) the spec, or refused to update it as the spec has 
evolved, are creating interoperability issues.

Trying to "fix" this within the DNS framework creates a false sense 
that the firewall isn't really at fault, and that future issues will
similarly be addressed within the "faulty" protocol.

There's probably a fairly strong argument to be made that creating
fallback workarounds for some of these problems is just as much part
of the problem, but I find it hard to blame developers for trying to
make things work in suboptimal environments.

But in the end, this is similar to blocking TCP 53.  It's broken, and,
more importantly, relies on workarounds and retries and othe cruft 
that allows the status quo to remain, which creates new hazards as we
move forward.  It may not be quite the same as a conventional CVE, but
I don't think the community has a viable alternative mechanism to seek
a correction.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



More information about the dns-operations mailing list