Debian Bug report logs - #449148
bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42


Package: bind9; Maintainer for bind9 is LaMont Jones <lamont@debian.org>; Source for bind9 is src:bind9.

Reported by: Bjørn Mork <bjorn@mork.no>

Date: Sat, 3 Nov 2007 14:30:03 UTC

Severity: wishlist

Found in version bind9/1:9.3.4-2etch1

Fixed in versions bind9/1:9.4.1-p1-4, 1:9.3.4-2etch2

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to Bjørn Mork <bjorn@mork.no>:
New Bug report received and forwarded. Copy sent to LaMont Jones <lamont@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bjørn Mork <bjorn@mork.no>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Sat, 03 Nov 2007 15:27:30 +0100
Package: bind9
Version: 1:9.3.4-2etch1
Severity: normal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


/etc/bind/db.root needs an update.  Please see forwarded message


====
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
To: bind-announce@isc.org
Date: Sat, 03 Nov 2007 08:37:24 +1100
Reply-to: bind-users@isc.org

	If you already have a root hints zone defined in named.conf
	you need to update the address in the file it loads from.

	The easiest way to create a new file is to run dig, check
	the contents of the file it generates then move the file
	into place.

		dig ns . @a.root-servers.net > newfile

	If you don't have any root zone defined then you will be
	using the built-in hints.  In this case you should create
	a root hints zone if you don't have a root zone already
	defined and you are using class IN (the default class).

		dig ns . @a.root-servers.net > root-hints

		zone "." {
			type hint;
			file "root-hints";
		};

	If you are not using views you do this at the options level.
	If you are using views you need to define this zone in
	each view of class IN.

	BIND 9.3.5, BIND 9.4.2 (9.4.2rc2) and BIND 9.5.0 (9.5.0a7) will
	have their built-in root hints updated to reflect this change.

	If you wish to change the built-in hints apply the attached
	patch.  In the top-level directory run:

		patch -p1 < l-root-servers.patch
		make clean
		make

	Mark
- -- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: Mark_Andrews@isc.org
====


- -- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'testing')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22-2-amd64
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages bind9 depends on:
ii  adduser                3.102             Add and remove users and groups
ii  libbind9-0             1:9.3.4-2etch1    BIND9 Shared Library used by BIND
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libdns22               1:9.3.4-2etch1    DNS Shared Library used by BIND
ii  libisc11               1:9.3.4-2etch1    ISC Shared Library used by BIND
ii  libisccc0              1:9.3.4-2etch1    Command Channel Library used by BI
ii  libisccfg1             1:9.3.4-2etch1    Config File Handling Library used 
ii  liblwres9              1:9.3.4-2etch1    Lightweight Resolver Library used 
ii  libssl0.9.8            0.9.8c-4etch1     SSL shared libraries
ii  lsb-base               3.1-23.2etch1     Linux Standard Base 3.1 init scrip
ii  netbase                4.29              Basic TCP/IP networking system

bind9 recommends no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHLIVS10rqkowbIskRAlEeAJ9AAsAuFslD6rZe1k8rcl0FJePN9ACaAvDD
ViZMjQVDDTC6wL0XD387n4o=
=FfMo
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#449148; Package bind9.

Acknowledgement sent to LaMont Jones <lamont@debian.org>:
Extra info received and forwarded to list.

Message #10 received at 449148@bugs.debian.org (full text, mbox):

From: LaMont Jones <lamont@debian.org>
To: Bjørn Mork <bjorn@mork.no>, 449148@bugs.debian.org
Subject: Re: Bug#449148: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Mon, 5 Nov 2007 09:28:43 -0700
On Sat, Nov 03, 2007 at 03:27:30PM +0100, Bjørn Mork wrote:
> /etc/bind/db.root needs an update.  Please see forwarded message

Yes, it does.  The forwarded message arrived in my mailbox a few hours
earlier.  And this obviously critical update needs to be done before too
many of the root nameservers change IP addresses...

At any rate, it'll get uploaded once I'm back in the land of reasonable
connectivity.

lamont




Tags added: pending. Request was from LaMont Jones <lamont@debian.org> to control@bugs.debian.org. (Tue, 06 Nov 2007 05:48:04 GMT)

Reply sent to LaMont Jones <lamont@debian.org>:
You have taken responsibility.

Notification sent to Bjørn Mork <bjorn@mork.no>:
Bug acknowledged by developer.

Message #17 received at 449148-close@bugs.debian.org (full text, mbox):

From: LaMont Jones <lamont@debian.org>
To: 449148-close@bugs.debian.org
Subject: Bug#449148: fixed in bind9 1:9.4.1-P1-4
Date: Mon, 12 Nov 2007 05:17:23 +0000
Source: bind9
Source-Version: 1:9.4.1-P1-4

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive:

bind9-doc_9.4.1-P1-4_all.deb
  to pool/main/b/bind9/bind9-doc_9.4.1-P1-4_all.deb
bind9-host_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/bind9-host_9.4.1-P1-4_i386.deb
bind9_9.4.1-P1-4.diff.gz
  to pool/main/b/bind9/bind9_9.4.1-P1-4.diff.gz
bind9_9.4.1-P1-4.dsc
  to pool/main/b/bind9/bind9_9.4.1-P1-4.dsc
bind9_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/bind9_9.4.1-P1-4_i386.deb
dnsutils_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/dnsutils_9.4.1-P1-4_i386.deb
libbind-dev_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/libbind-dev_9.4.1-P1-4_i386.deb
libbind9-30_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/libbind9-30_9.4.1-P1-4_i386.deb
libdns32_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/libdns32_9.4.1-P1-4_i386.deb
libisc32_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/libisc32_9.4.1-P1-4_i386.deb
libisccc30_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/libisccc30_9.4.1-P1-4_i386.deb
libisccfg30_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/libisccfg30_9.4.1-P1-4_i386.deb
liblwres30_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/liblwres30_9.4.1-P1-4_i386.deb
lwresd_9.4.1-P1-4_i386.deb
  to pool/main/b/bind9/lwresd_9.4.1-P1-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 449148@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
LaMont Jones <lamont@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 08 Nov 2007 21:31:55 -0700
Source: bind9
Binary: lwresd bind9-doc dnsutils libisccc30 bind9 libisccfg30 libbind-dev bind9-host libbind9-30 libdns32 liblwres30 libisc32
Architecture: all i386 source 
Version: 1:9.4.1-P1-4
Distribution: unstable
Urgency: low
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: LaMont Jones <lamont@debian.org>
Description: 
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 dnsutils   - Clients provided with BIND
 libbind-dev - Static Libraries and Headers used by BIND
 libbind9-30 - BIND9 Shared Library used by BIND
 libdns32   - DNS Shared Library used by BIND
 libisc32   - ISC Shared Library used by BIND
 libisccc30 - Command Channel Library used by BIND
 libisccfg30 - Config File Handling Library used by BIND
 liblwres30 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Closes: 430065 449148
Launchpad-Bugs-Fixed: 160176
Changes: 
 bind9 (1:9.4.1-P1-4) unstable; urgency=low
 .
   [Thomas Antepoth]
 .
   * unix/socket.c: don't send to a socket with pending_send.  Closes: #430065
 .
   [LaMont Jones]
 .
   * document git repositories
   * db.root: l.root-servers.net changed IP address.  Closes: #449148  LP: #160176
   * init.d: if there are no networks configured, error out quickly
Files: 
 061730a05f3d99bee96f7ee84c9057cd 41216 net standard bind9-host_9.4.1-P1-4_i386.deb
 74254aea5214aa3cfa8b3360be33f762 865 net optional bind9_9.4.1-P1-4.dsc
 11c920ed337d38a873c1dbf8d7dc3ba8 21044 libs optional libisccc30_9.4.1-P1-4_i386.deb
 1244d78eba20cce302b7472111b83c96 284564 net optional bind9_9.4.1-P1-4.diff.gz
 25289976baafe7724eafa14411e7f9c0 35854 libs optional libisccfg30_9.4.1-P1-4_i386.deb
 2e8462f4a7aa6bfce426d0f229ea78ed 109542 libs standard libisc32_9.4.1-P1-4_i386.deb
 317374c380b017b619603166bc2b4f31 103842 net standard dnsutils_9.4.1-P1-4_i386.deb
 3b3c45a9fc27fa8c622e23bb82344a22 237334 doc optional bind9-doc_9.4.1-P1-4_all.deb
 5c1abab0d284472e253db709d989c8e4 247004 net optional bind9_9.4.1-P1-4_i386.deb
 6fad432b4c80179f37e5b85c3a3b4036 143520 net optional lwresd_9.4.1-P1-4_i386.deb
 92659e249b4e5fa8215654c02a034697 36652 libs standard liblwres30_9.4.1-P1-4_i386.deb
 c8ee5b489a9378934a41c8092cf23ec2 1013112 libdevel optional libbind-dev_9.4.1-P1-4_i386.deb
 d8ece8e02e4c99ffdc92375683460d0d 450238 libs standard libdns32_9.4.1-P1-4_i386.deb
 ec04658894cd8ee41e8691e77086b7d6 23720 libs standard libbind9-30_9.4.1-P1-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHM+Q5zN/kmwoKyScRAu8MAJ4zQfUG0i6DsfDRhaWfQCY58goMsACfbfkC
5HpdF3iJrHox6wOw0tJQPsQ=
=glgl
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #22 received at 449148@bugs.debian.org (full text, mbox):

From: Faidon Liambotis <paravoid@debian.org>
To: 449148@bugs.debian.org
Cc: control@bugs.debian.org, security@debian.org
Subject: Re: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Tue, 20 May 2008 01:46:03 +0300
severity 449148 grave
tags 449148 + security
thanks

Hi,
You pointed out earlier in the bug log that it is a "critical" (sic) bug 
but there wasn't a fix prepared for etch.

I wasn't aware of this change until I discovered[1] (via slashdot) a 
blog post explaining that the old IP address was still in use by a 
non-authoritative body, possibly recording queries and therefore 
gathering sensitive information.

The old IP address has actually stopped responding to queries and 
therefore this isn't a very great deal, security-wise, right now.
It is, however, a serious (imho) bug since 1 of the 13 root NS on etch 
systems isn't responding to queries.

Also, nothing (AFAIK) is stopping the new owner from starting to respond to 
queries again, perhaps for malicious purposes such as recording data -- 
or worse, responding with fake answers!

Please fix this bug for etch; I'd vote to do it via a security upload 
(and a DSA) but I guess an update through a stable point release would 
also be an option.

Thanks,
Faidon

1: http://www.renesys.com/blog/2008/05/identity_theft_hits_the_root_n_1.shtml




Severity set to `grave' from `normal'. Request was from Faidon Liambotis <paravoid@debian.org> to control@bugs.debian.org. (Mon, 19 May 2008 22:54:06 GMT)

Tags added: security. Request was from Faidon Liambotis <paravoid@debian.org> to control@bugs.debian.org. (Mon, 19 May 2008 22:54:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #31 received at 449148@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Faidon Liambotis <paravoid@debian.org>
Cc: 449148@bugs.debian.org, control@bugs.debian.org, security@debian.org
Subject: Re: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Tue, 20 May 2008 08:38:47 +0200
severity 449148 wishlist
tag 449148 -security
thanks

* Faidon Liambotis:

> You pointed out earlier in the bug log that is is a "critical" (sic)
> bug but there wasn't a fix prepared for etch.

No, it's not.  The prefix containing the old root server address is
still assigned to Bill Manning, so there is no immediate cause for
alarm.  Even the fake servers returned the correct address for the L
root, so the priming at the start would have removed the old L root
address.

We can't fix broken Internet routing.  The same thing could happen to
essentially all root servers.  Changing addresses compiled/configured
into BIND does not prevent this.




Severity set to `wishlist' from `grave'. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Tue, 20 May 2008 06:42:04 GMT)

Tags removed: security. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Tue, 20 May 2008 06:42:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #40 received at 449148@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Faidon Liambotis <paravoid@debian.org>, 449148@bugs.debian.org, security@debian.org
Subject: Re: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Tue, 20 May 2008 10:57:35 +0200
On Tuesday 20 May 2008 08:38, Florian Weimer wrote:
> > You pointed out earlier in the bug log that is is a "critical" (sic)
> > bug but there wasn't a fix prepared for etch.
>
> No, it's not.  The prefix containing the old route server address is
> still assigned to Bill Manning, so there is no immediate cause for
> alarm.  Even the fake servers returned the correct address for the L
> root, so the priming at the start would have removed the old L root
> address.
>
> We can't fix broken Internet routing.  The same thing could happen to
> essentially all root servers.  Changing addresses compiled/configured
> into BIND does not prevent this.

I would suggest contacting the stable release managers to see if they will 
accept an update for this in the next stable point release. I agree with 
Florian that it doesn't have direct security implications so an advisory is 
out of place.


Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #45 received at 449148@bugs.debian.org (full text, mbox):

From: Faidon Liambotis <paravoid@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 449148@bugs.debian.org
Subject: Re: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Tue, 20 May 2008 15:04:05 +0300
[removing security@debian.org from Cc]

Florian Weimer wrote:
> severity 449148 wishlist
> tag 449148 -security
> thanks
> 
> * Faidon Liambotis:
> 
>> You pointed out earlier in the bug log that is is a "critical" (sic)
>> bug but there wasn't a fix prepared for etch.
> 
> No, it's not.  The prefix containing the old route server address is
> still assigned to Bill Manning, so there is no immediate cause for
> alarm.  Even the fake servers returned the correct address for the L
> root, so the priming at the start would have removed the old L root
> address.
Even without the security tag, this is certainly not "wishlist" since 
the old address for L is currently not responding to queries.
I'm leaving it to the maintainer, however, to avoid a bts war :)

> We can't fix broken Internet routing.  The same thing could happen to
> essentially all root servers.  Changing addresses compiled/configured
> into BIND does not prevent this.
We can't, no, but we can make sure our users are using the current 
root-servers; a routing attack on those would be taken more seriously, I 
guess.

Thanks,
Faidon




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Christoph Martin <martin@uni-mainz.de>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #50 received at 449148@bugs.debian.org (full text, mbox):

From: Christoph Martin <martin@uni-mainz.de>
To: 449148@bugs.debian.org
Cc: security@debian.org, paravoid@debian.org, fw@deneb.enyo.de
Subject: Re: Bug#449148: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Tue, 20 May 2008 14:41:33 +0200

Faidon Liambotis schrieb:
> [removing security@debian.org from Cc]
> 
> Florian Weimer wrote:
>> severity 449148 wishlist
>> tag 449148 -security
>> thanks
>>
>> * Faidon Liambotis:
>>
>>> You pointed out earlier in the bug log that is is a "critical" (sic)
>>> bug but there wasn't a fix prepared for etch.
>>
>> No, it's not.  The prefix containing the old route server address is
>> still assigned to Bill Manning, so there is no immediate cause for
>> alarm.  Even the fake servers returned the correct address for the L
>> root, so the priming at the start would have removed the old L root
>> address.
> Even without the security tag, this is certainly not "wishlist" since
> the old address for L is currently not responding to queries.
> I'm leaving it to the maintainer, however, to avoid a bts war :)

I think it is up to the Security Team, because they have to do the fix,
the code review and the security upload.

>> We can't fix broken Internet routing.  The same thing could happen to
>> essentially all root servers.  Changing addresses compiled/configured
>> into BIND does not prevent this.
> We can't, no, but we can make sure our users are using the current
> root-servers; a routing attack on those would be taken more seriously, I
> guess.

I don't see the big problem doing a Security Update for this issue. It
is a minimal change, so the review by the Security Team would be easy.

I don't think we can afford to ignore this issue and let our users ask
one wrong root-server if it happens to pop up again with spoofed
answers. I can imagine the bad press with "Debian taking Security Issues
lightly".

Christoph

-- 
============================================================================
Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  Christoph.Martin@Verwaltung.Uni-Mainz.DE
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856


Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Micah Anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #55 received at 449148@bugs.debian.org (full text, mbox):

From: Micah Anderson <micah@riseup.net>
To: 449148@bugs.debian.org
Subject: More regular root hints updates
Date: Tue, 20 May 2008 10:20:05 -0400
One of the few recommended regular maintenance tasks of running a
nameserver is to periodically update the root hints file. In fact the
DNS-HOWTO on tldp.org has a section describing this[0].

This bug was recently pointed out to me, and I performed the dig
commands recommended by the original bug submitter and found that there
have actually been more root nameserver changes made since
the original report (and since the bind9 package's db.root hints file
was last updated, which was in February). Notably, the A records for the
L, M, N root servers have been removed (although their NS records
remain).

Seeing as how root hints updates are recommended regular maintenance,
it would be prudent for the bind packages to install a cronjob that does
this sort of update, maybe once a month. That way a security update
doesn't need to be done, nor do people need to find the package in
volatile.

Such a cronjob would have to make sure it didn't stomp on any local admin
changes to the file, and should handle failures gracefully. There are a
few example cronjobs out there on the webbernet that could be used as a
good starting point.

micah

0. http://tldp.org/HOWTO/DNS-HOWTO-8.html


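The two technical threads above (Mark Andrews' `dig ns . @a.root-servers.net` recipe for regenerating a hints file, and Micah Anderson's request for a periodic cron job that refreshes the file without stomping on local edits and fails gracefully) can be combined into one small maintenance script. The following POSIX sh is an added example; it is not code from the bug report, from ISC, or from the bind9 package. It assumes the hints file is in the master-file format that dig prints (comment lines start with `;`), that a pristine copy of the last installed file is kept beside the target with a `.dist` suffix so local admin changes can be detected (a convention chosen here, not the package's), that the daemon is told about a new file with `rndc reload`, and that the script is saved under an assumed name such as `root-hints-update.sh`. The 192.0.2.x addresses in the sample data are RFC 5737 documentation addresses standing in for the real ones; only L's new address, 199.7.83.42, comes from the report. Refusing to install a file in which a root-server name has an NS record but no glue is a design choice motivated by the missing L/M/N A records Micah describes.

```shell
#!/bin/sh
# Added example (not from the bug report or the bind9 package): root-hints
# maintenance helpers. Assumptions: dig master-file output format, a pristine
# copy kept at TARGET.dist, and `rndc reload` as the post-install step.

# Print one "name address" line per glue record, i.e. every A/AAAA record
# whose owner is named in an NS record at the apex ".".
hints_pairs() {
    awk '
        /^;/ || NF < 5 { next }                 # skip dig comments and blanks
        $1 == "." && $4 == "NS" { ns[$5] = 1 }
        $4 == "A" || $4 == "AAAA" { addr[$1, ++cnt[$1]] = $5 }
        END {
            for (name in ns)
                for (i = 1; i <= cnt[name] + 0; i++) print name, addr[name, i]
        }' "$1" | sort
}

# Succeed only if the file names at least one root server and every named
# server has glue; NS records without A/AAAA records (the state reported for
# L, M and N above) are rejected rather than installed.
hints_valid() {
    awk '
        /^;/ || NF < 5 { next }
        $1 == "." && $4 == "NS" { ns[$5] = 1; nns++ }
        $4 == "A" || $4 == "AAAA" { has[$1] = 1 }
        END {
            if (nns == 0) exit 1
            for (name in ns) if (!(name in has)) exit 1
            exit 0
        }' "$1"
}

# List "name address" for glue in OLD that no longer appears in NEW: the
# addresses a resolver still running OLD would keep contacting.
stale_addresses() {
    awk '
        /^;/ || NF < 5 || ($4 != "A" && $4 != "AAAA") { next }
        FILENAME == ARGV[1] { new[$5] = 1; next }
        !($5 in new) { print $1, $5 }' "$2" "$1"
}

# Install NEW as TARGET: exit 1 for an invalid file, exit 2 if TARGET was
# edited locally since the last install (differs from TARGET.dist), 0 when
# nothing changed, otherwise replace TARGET atomically and refresh .dist.
install_hints() {
    new=$1; target=$2
    hints_valid "$new" || { echo "$new: no apex NS records or missing glue" >&2; return 1; }
    if [ -f "$target" ] && [ -f "$target.dist" ] && ! cmp -s "$target" "$target.dist"; then
        echo "$target has local changes (differs from $target.dist); not touching it" >&2
        return 2
    fi
    if [ -f "$target" ] && cmp -s "$new" "$target"; then
        return 0
    fi
    cp "$new" "$target.tmp.$$" && mv "$target.tmp.$$" "$target" && cp "$target" "$target.dist"
}

# Constructed sample files for offline use: old hints with a stand-in old L
# address, new hints with L at 199.7.83.42, and a copy with L's glue missing.
write_samples() {
    cat > "$1/old" <<'EOF'
;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     3600000 IN      A       192.0.2.4
l.root-servers.net.     3600000 IN      A       192.0.2.12
EOF
    sed 's/192\.0\.2\.12/199.7.83.42/' "$1/old" > "$1/new"
    grep -v '^l\.root-servers\.net\.' "$1/new" > "$1/noglue"
}

# Cron entry point (assumed script name): sh root-hints-update.sh update /etc/bind/db.root
# Without the "update" argument the file only defines the functions above.
if [ "${1:-}" = "update" ]; then
    target=${2:-/etc/bind/db.root}
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    dig ns . @a.root-servers.net > "$tmp" || exit 1
    [ -f "$target" ] && stale_addresses "$target" "$tmp"
    install_hints "$tmp" "$target" && rndc reload
fi
```

Run monthly from cron, the script reports which old glue addresses are being retired, refuses to overwrite an admin-edited file instead of silently clobbering it, and never installs a fetched file that failed validation, so a transient dig failure or a truncated answer leaves the working hints in place.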

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #60 received at 449148@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@sury.org>
To: Micah Anderson <micah@riseup.net>, 449148@bugs.debian.org
Subject: Re: Bug#449148: More regular root hints updates
Date: Tue, 20 May 2008 16:43:12 +0200
Micah Anderson writes on Tue 20. 05. 2008 at 10:20 -0400:
> One of the few recommended regular maintainence tasks of running a
> nameserver is to periodically update the root hints file. In fact the
> DNS-HOWTO on tldp.org has a section describing this[0].
> 
> This bug was recently pointed out to me, and I performed the dig
> commands recommended by the original bug submitter and found that there
> actually has been more root nameserver changes that have been made since
> the original report (and since the bind9 package's db.root hints file
> was last updated, which was in Feburary). Notably, the A records for the
> L, M, N root servers have been removed (although their NS records
> remain). 
> 
> Seeing as how root hints updates are recommended regular maintainence,
> it would be prudent for the bind packages to install a cronjob that does
> this sort of update, maybe once a month. That way a security update
> doesn't need to be done, nor do people need to find the package in
> volatile. 
> 
> Such a cronjob would have to make sure it didn't stop on any local admin
> changes to the file, and should handle failures gracefully. There are a
> few example cronjobs out there on the webbernet that could be used as a
> good starting point.

You forgot the fact that bind is not the only DNS server which requires
db.root.  We have powerdns (pdns-recursor), and unbound[1] will hit the
archives very soon.

I am thinking whether it's the right time to split db.root into a separate
package, so it can be kept in sync with changes.

Ondrej.
1. http://www.unbound.net/
-- 
Ondřej Surý <ondrej@sury.org>  ***  http://blog.rfc1925.org/
Kulturní občasník              ***  http://www.obcasnik.cz/
Nehoupat, prosím               ***  http://nehoupat.blogspot.com/





Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Joey Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #65 received at 449148@bugs.debian.org (full text, mbox):

From: Joey Schulze <joey@infodrom.org>
To: Christoph Martin <martin@uni-mainz.de>
Cc: 449148@bugs.debian.org, security@debian.org, paravoid@debian.org, fw@deneb.enyo.de
Subject: Re: Bug#449148: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Tue, 20 May 2008 17:56:05 +0200
Christoph Martin wrote:
> >> No, it's not.  The prefix containing the old route server address is
> >> still assigned to Bill Manning, so there is no immediate cause for
> >> alarm.  Even the fake servers returned the correct address for the L
> >> root, so the priming at the start would have removed the old L root
> >> address.
> > Even without the security tag, this is certainly not "wishlist" since
> > the old address for L is currently not responding to queries.
> > I'm leaving it to the maintainer, however, to avoid a bts war :)
> 
> I think it is up to the Security-Team, because they have to do the Fix,
> the code review and the security upload
> 
> >> We can't fix broken Internet routing.  The same thing could happen to
> >> essentially all root servers.  Changing addresses compiled/configured
> >> into BIND does not prevent this.
> > We can't, no, but we can make sure our users are using the current
> > root-servers; a routing attack on those would be taken more seriously, I
> > guess.
> 
> I don't see the big problem doing a Security Update for this issue. It
> is a minimal change, so the review by the Security Team would be easy.
> 
> I don't think we can afford to ignore this issue and let our users ask
> one wrong root-server if it happens to pop up again with spoofed
> answers. I can imagine the bad press with "Debian taking Security Issues
> lightly"

Are you sure there is an issue to discuss at all?

Hasn't the old address been operated by an operator of another
root server?

Hasn't the L root server's address been officially turned down
already?

Please explain the security problem in this.

I believe it would make sense to ask the SRMs whether an update of
the nameserver packages in Debian stable is justified, and if they
believe it is, talk to the respective maintainers to update their
packages.

Regards,

	Joey

-- 
Those who don't understand Unix are condemned to reinvent it, poorly.

Please always Cc to me when replying to me on the lists.




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Micah Anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #70 received at 449148@bugs.debian.org (full text, mbox):

From: Micah Anderson <micah@riseup.net>
To: Ondřej Surý <ondrej@sury.org>
Cc: 449148@bugs.debian.org
Subject: Re: Bug#449148: More regular root hints updates
Date: Tue, 20 May 2008 13:00:13 -0400
* Ondřej Surý <ondrej@sury.org> [2008-05-20 07:43-0400]:
> Micah Anderson writes on Tue 20. 05. 2008 at 10:20 -0400:
>
> You forgot the fact that bind is not only DNS server which requires
> db.root.  We have powerdns (pdns-recursor) and unbound[1] will hit
> archives very soon.

I didn't actually forget, I am replying to a bind bug report after all.
 
> I am thinking whether it's the right time to split db.root to separate
> package, so it can be kept in sync with changes.

Your point is interesting and valid, however. I expect every
DNS server has its own murky format that would cause some difficulties
(and some even store their configs in databases). Even though there is
an RFC that defines the configuration file format, that doesn't mean
name resolvers follow it. Creating such a root hints package could be a
challenge and would likely require cooperation from the various package
developers, at which point it's questionable if a different package is
a worthwhile effort as each package maintainer could just build this
update into their own package, suited for their own package's individual
peculiarities.

micah

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #75 received at 449148@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@sury.org>
To: Micah Anderson <micah@riseup.net>
Cc: 449148@bugs.debian.org
Subject: Re: Bug#449148: More regular root hints updates
Date: Tue, 20 May 2008 19:08:31 +0200
> > I am thinking whether it's the right time to split db.root to separate
> > package, so it can be kept in sync with changes.
> 
> However, your point is interesting and valid. However, I expect every
> DNS server has its own murky format that would cause some difficulties
> (and some even store their configs in databases). Even though there is
> an RFC that defines the configuration file format, that doesn't mean
> name resolvers follow it. Creating such a root hits package could be a
> challenge and would likely require cooperation from the various package
> developers at which point its questionable if a different package is
> a worthwhile effort as each package maintainer could just build this
> update into their own package, suited for their own package's individual
> peculiarities.

bind uses db.root, unbound uses db.root and I just checked pdns-recursor
can use a hints file as well.  I am not aware of more not-broken
implementations of recursive DNS servers.

Ondrej.
-- 
Ondřej Surý <ondrej@sury.org>  ***  http://blog.rfc1925.org/
Kulturní občasník              ***  http://www.obcasnik.cz/
Nehoupat, prosím               ***  http://nehoupat.blogspot.com/





Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9.

Acknowledgement sent to "Jan Ingvoldstad" <frettled@gmail.com>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.

Message #80 received at 449148@bugs.debian.org (full text, mbox):

From: "Jan Ingvoldstad" <frettled@gmail.com>
To: 449148@bugs.debian.org
Cc: "Joey Schulze" <joey@infodrom.org>, security@debian.org, paravoid@debian.org, fw@deneb.enyo.de
Subject: Re: Bug#449148: More regular root hints updates
Date: Thu, 22 May 2008 12:17:04 +0200
Since there appears to be some confusion regarding the impact of old IP
address entries for root servers, this blog entry by David Conrad may be of
interest, perhaps especially the comment by Bill Manning and David's
response:

http://blog.icann.org/?p=309

Regarding the security considerations, I think it's strange that e.g. IP
address redelegation hasn't been mentioned. If this issue isn't resolved as
an update to the current stable distribution, people will be referring to the
old IP address for years to come, and who knows what happens to old
nameserver IP addresses in that time frame?

Should this _really_ rely on the goodwill of the people who at any moment in
time manage the IP address?

-- 
Jan

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. Full text and rfc822 format available.

Message #85 received at 449148@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Jan Ingvoldstad" <frettled@gmail.com>
Cc: 449148@bugs.debian.org, "Joey Schulze" <joey@infodrom.org>, security@debian.org, paravoid@debian.org, fw@deneb.enyo.de
Subject: Re: Bug#449148: More regular root hints updates
Date: Thu, 22 May 2008 12:23:38 +0200 (CEST)
On Thu, May 22, 2008 12:17, Jan Ingvoldstad wrote:
> Since there appears to be some confusion regarding the impact of old IP
> address entries for root servers, this blog entry by David Conrad may be
> of interest, perhaps especially the comment by Bill Manning and David's
> response:

Yes, I'm aware of that post. I think it shows no concrete security
implications, even though it is "bad form".

> Regarding the security considerations, I think it's strange that e.g. IP
> address redelegation hasn't been mentioned. If this issue isn't resolved
> as an update to the current stable distribution, people will be referring
> to the old IP address for years to come, and who knows what happens to old
>  nameserver IP addresses in that time frame?

It will be considered to be updated in the next stable point update
(provided that the maintainer or someone else provides a fixed package and
it's accepted by the stable release managers). We are not currently,
however, considering releasing it as a DSA. I've sought input on how
other vendors regard this issue; if many other vendors will release
advisories we may follow to prevent user confusion. I hope to get some
input on that soon.

> Should this _really_ rely on the goodwill of the people who at any moment
> in time manage the IP address?

It's very important to note here that the goodwill of people that manage
the current IP addresses, connectivity or housing of any active root
nameserver is equally relied upon.


Thijs





Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. Full text and rfc822 format available.

Message #90 received at 449148@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: "Thijs Kinkhorst" <thijs@debian.org>
Cc: "Jan Ingvoldstad" <frettled@gmail.com>, 449148@bugs.debian.org, "Joey Schulze" <joey@infodrom.org>, security@debian.org, paravoid@debian.org
Subject: Re: Bug#449148: More regular root hints updates
Date: Thu, 22 May 2008 12:36:24 +0200
* Thijs Kinkhorst:

>> Should this _really_ rely on the goodwill of the people who at any moment
>> in time manage the IP address?
>
> It's very important to note here that the goodwill of people that manage
> the current IP addresses, connectivity or housing of any active root
> nameserver is equally relied upon.

Indeed.  As far as I know, there is no contractual framework whatsoever
covering performance, security, or privacy.

If this turns out to be a problem, we need to ship a signed copy of the
root zone, together with an appropriate update mechanism, effectively
eliminating our reliance on the root servers.  We should only do this if
there is indeed no other way to cope with the situation.




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. Full text and rfc822 format available.

Message #95 received at 449148@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Ondřej Surý <ondrej@sury.org>
Cc: 449148@bugs.debian.org
Subject: Re: Bug#449148: More regular root hints updates
Date: Thu, 22 May 2008 13:15:30 +0200
* Ondřej Surý:

>> Indeed.  As far as I know, there is no contractual framework whatsoever
>> covering performance, security, or privacy.

> I guess that especially with older root servers it may not be the case,
> but I am pretty sure that there are contracts between ICANN and some
> root server operators (at least with RIPE, WIDE, Autonomica, ISC,
> Verisign).

This was my expectation as well--but I couldn't find any such documents.




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. Full text and rfc822 format available.

Message #100 received at 449148@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@sury.org>
To: Florian Weimer <fw@deneb.enyo.de>, 449148@bugs.debian.org
Subject: Re: Bug#449148: More regular root hints updates
Date: Thu, 22 May 2008 13:10:08 +0200
Florian Weimer wrote on Thu 22 May 2008 at 12:36 +0200:
> * Thijs Kinkhorst:
> 
> >> Should this _really_ rely on the goodwill of the people who at any moment
> >> in time manage the IP address?
> >
> > It's very important to note here that the goodwill of people that manage
> > the current IP addresses, connectivity or housing of any active root
> > nameserver is equally relied upon.
> 
> Indeed.  As far as I know, there is no contractual framework whatsoever
> covering performance, security, or privacy.


I guess that especially with older root servers it may not be the case,
but I am pretty sure that there are contracts between ICANN and some
root server operators (at least with RIPE, WIDE, Autonomica, ISC,
Verisign).

> If this turns out to be a problem, we need to ship a signed copy of the
> root zone, together with an appropriate update mechanism, effectively
> eliminating our reliance on the root servers.  We should only do this if
> there is indeed no other way to cope with the situation.

And after the root is signed (DNSSEC - testbed at IANA[1]) we will need a
mechanism to update the root zone keys.

Ondrej
1. https://ns.iana.org/dnssec/status.html
-- 
Ondřej Surý <ondrej@sury.org>  ***  http://blog.rfc1925.org/
Kulturní občasník              ***  http://www.obcasnik.cz/
Nehoupat, prosím               ***  http://nehoupat.blogspot.com/





Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#449148; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. Full text and rfc822 format available.

Message #105 received at 449148@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Faidon Liambotis <paravoid@debian.org>
Cc: 449148@bugs.debian.org
Subject: Re: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Fri, 23 May 2008 12:15:53 +0200
* Faidon Liambotis:

> Even without the security tag, this is certainly not "wishlist" since
> the old address for L is currently not responding to queries.

It does not really matter because of the priming step at server start.
Just type "dig l.root-servers.net +norecurse", and you should get the
new address, or no address at all.

> We can't, no, but we can make sure our users are using the current
> root-servers;

BIND already takes care of that automatically.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#449148; Package bind9. Full text and rfc822 format available.

Acknowledgement sent to LaMont Jones <lamont@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #110 received at 449148@bugs.debian.org (full text, mbox):

From: LaMont Jones <lamont@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 449148@bugs.debian.org
Subject: Re: Bug#449148: bind9: db.root needs update: L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
Date: Fri, 23 May 2008 06:23:56 -0600
On Fri, May 23, 2008 at 12:15:53PM +0200, Florian Weimer wrote:
> It does not really matter because of the priming step at server start.
> Just type "dig l.root-servers.net +norecurse", and you should get the
> new address, or no address at all.

Roughly one out of 13 times, l.root-servers.net will answer that question
at startup.  That's the situation that folks are caring about.

> > We can't, no, but we can make sure our users are using the current
> > root-servers;
> BIND already takes care of that automatically.

Not completely.  Just mostly. :(

lamont
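Florian's priming check and LaMont's "one out of 13" figure both come down to the same question: which of the addresses in the installed hints file are still the ones the root actually serves. The script below is an added example for this thread, not code from bind9 or Debian. It parses a db.root-style hints file, compares each root server's glue against a reference list, and computes the fraction of hint addresses that are stale. The reference list and the hints file here are constructed samples: apart from 199.7.83.42 (the address named in this bug), every address is a placeholder from the RFC 5737 documentation ranges, and the 13 server names only mirror the real root's letter scheme. In practice the reference set would be obtained by querying a root server with dig, as discussed earlier in the bug.

```python
"""Audit a BIND-style root hints file (db.root format) against a reference
root server list and report stale glue.

Added example for Debian bug #449148; not part of bind9 or Debian.  All
addresses except 199.7.83.42 are constructed placeholders (RFC 5737).
"""
from fractions import Fraction
from typing import Dict, Set, Tuple

ROOT_LETTERS = "ABCDEFGHIJKLM"
RR_TYPES = {"NS", "A", "AAAA"}

# Constructed reference set: 13 root names with TEST-NET-2 placeholder
# addresses (198.51.100.0/24), except L, which gets the address from this bug.
REFERENCE: Dict[str, Set[str]] = {
    f"{c}.ROOT-SERVERS.NET.": {f"198.51.100.{i}"}
    for i, c in enumerate(ROOT_LETTERS, start=1)
}
REFERENCE["L.ROOT-SERVERS.NET."] = {"199.7.83.42"}


def build_hints(glue: Dict[str, str]) -> str:
    """Render a name->address map in the db.root layout (owner TTL type rdata)."""
    lines = [";; constructed root hints sample, db.root layout"]
    for name, ip in glue.items():
        lines.append(f".\t3600000\tNS\t{name}")
        lines.append(f"{name}\t3600000\tA\t{ip}")
    return "\n".join(lines) + "\n"


# Constructed stale hints: identical to the reference except that L still
# carries a TEST-NET-1 placeholder standing in for its pre-change address.
STALE_GLUE = {name: next(iter(ips)) for name, ips in REFERENCE.items()}
STALE_GLUE["L.ROOT-SERVERS.NET."] = "192.0.2.12"
SAMPLE_HINTS = build_hints(STALE_GLUE)


def parse_hints(text: str) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Return (root NS names, glue map name -> set of A/AAAA addresses)."""
    ns: Set[str] = set()
    glue: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        tokens = line.split()
        # Layout is: owner [ttl] [class] type rdata; find the type token.
        try:
            idx = next(i for i, t in enumerate(tokens) if t.upper() in RR_TYPES)
        except StopIteration:
            continue  # record types we do not audit
        owner, rtype = tokens[0].upper(), tokens[idx].upper()
        rdata = tokens[idx + 1]
        if rtype == "NS" and owner == ".":
            ns.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return ns, glue


def audit_hints(text: str, reference: Dict[str, Set[str]]) -> dict:
    """Report servers missing from or unknown to the hints and any stale glue."""
    ns, glue = parse_hints(text)
    report = {
        "missing_ns": sorted(set(reference) - ns),
        "unknown_ns": sorted(ns - set(reference)),
        "stale_glue": {},
    }
    for name in sorted(ns & set(reference)):
        stale = glue.get(name, set()) - reference[name]
        if stale:
            report["stale_glue"][name] = sorted(stale)
    return report


def stale_priming_fraction(text: str, reference: Dict[str, Set[str]]) -> Fraction:
    """Share of hint addresses that are stale.  If the priming query picks one
    hint address uniformly at random, this is the chance a single start-up
    hits a dead address (LaMont's "one out of 13" for a single stale entry)."""
    _, glue = parse_hints(text)
    addrs = [(n, a) for n, ips in glue.items() for a in ips]
    if not addrs:
        return Fraction(0)
    stale = sum(1 for n, a in addrs if a not in reference.get(n, set()))
    return Fraction(stale, len(addrs))


if __name__ == "__main__":
    print(audit_hints(SAMPLE_HINTS, REFERENCE))
    print("stale priming fraction:", stale_priming_fraction(SAMPLE_HINTS, REFERENCE))
```

Running the script on the constructed sample reports L as the only server with stale glue and a stale fraction of 1/13; pointing `audit_hints` at a real `/etc/bind/db.root` and a reference set captured with dig gives the same report for an installed system.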




Bug marked as fixed in version 1:9.3.4-2etch2, send any further explanations to Bjørn Mork <bjorn@mork.no> Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Wed, 09 Jul 2008 09:12:07 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Aug 2008 07:30:18 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 17:02:23 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.