Five of us from ISC attended the RIPE 86 meeting in Rotterdam, May 22 - 26, 2023. RIPE meetings bring together people working on IPv6, DNS, open source, peering, abuse, Internet measurement, and Internet policy. Highlights, from one biased perspective:
The weekend prior to the RIPE meeting ISC co-sponsored a DNS Hackathon. The hackathon had its own logo, t-shirt, and cookie (the stroopwaffle), and was well-attended by an energetic group. Tony Finch from ISC worked on a project that made significant progress towards a more efficient, easier-to-use way of scripting DNS analysis via RIPE nodes. In addition, Tony’s nsnotifyd was a critical component of the DNS-Out-of-Band Signaling (DNS-OOPS) project, which was able to trigger BGP route inserts and withdrawals based on Knot, BIND, and NSD authoritative server readiness signals.
The RIPE meeting kicked off with a plenary talk in which Vesna Manojlovic of RIPE gave an impassioned call to action for us all to contribute whatever we can to addressing the climate change emergency. She made a compelling case for not dismissing it as a problem for just the oil and gas industry, or any other industry, explaining that this doesn’t relieve the rest of us of responsibility.
Benno Overeinder and Robert Carolina stepped in at the last minute to replace Maarten Aertsen from NLNET Labs in a 3-part presentation with Bastiaan Goslings from RIPE on The EU Regulating (Open Source) Software: The Proposed Cyber Resilience Act and Product Liability Directive. Rob, who teaches cybersecurity to law students when he isn’t lawyering for ISC, just happened to have a slide deck handy that explained how product liability works and that he was able to deliver in a five-minute class. Rob described how the updated Product Liability Directive might mean that, for example, a defective car containing a component which incorporated a popular, general-purpose open source library might expose the original author of that open source library to liability. This change in EU liability law could have a massive impact on open source if it isn’t moderated before it goes into effect.
Peter Thomassen gave an update on deSEC: Secure DNSSEC Hosting in which he said “deSEC is a non-profit doing the same thing as Let’s Encrypt, but for DNSSEC.” It’s worth checking out.
Theodoros Fyllaridis reported on the number of Law Enforcement Agency (LEA) requests received by RIPE in his presentation, “How the RIPE NCC Handles LEA Requests”; see page 14 here. The transparency was welcome, but it was amusing to see that the vast majority of LEA requests were for information RIPE does not have, and these were mostly from French law enforcement.
There were several discussions about the hot topic of payments for carrying traffic, including a RIPE task team responding to the European Telecom Network Operators Association study supporting the European Declaration on Digital Rights and Principles (which had an open comment period that just ended in May). The ETNO study naturally recommended payments from hyperscalers to network operators.
The team behind the Internet.nl Standards Compliance Test Suite gave an overview of the toolset. This is not a new thing, but it is very popular and some readers who aren’t aware of it might be interested in setting up a local instance of the tool for their users.
There was a talk in the Connect working group about a tool (Amethyst) for analyzing the connection between geopolitics and the connectivity architecture (in central Asia), with very impressive and elaborate visualizations. This seems like it might somehow be useful for those people trying to analyze access to the DNS root, and places where better peering is needed.
Matthijs Mekking, from the BIND team at ISC, gave a talk on testing BIND 9 and DNSSEC Multi-signer Models, in which he uncovered a number of ways that the multi-signer model breaks BIND’s assumptions. Matthijs was interrupted - just as he got to the slide entitled “Let’s Go Crazy” - by a loud fire alarm that sent everyone to the exits. There is interest in the multi-signer model to enable moving a signed zone from one provider to another without going insecure.
On the topic of open resolvers and the DNS4EU project, Geoff Huston, in Measuring Open Resolver Use in the EU, noted that the use of open resolvers has “declined sharply from a peak of 30% of users in early 2022 to 10% of users today,” a sharp change for which he could not offer an explanation. It almost seems as if the public awareness generated by the DNS4EU project has sent users back to their access providers for DNS services. RIPE is organizing a DNS Resolver Task Force to document best practices. (What they need now are fewer participants, who are more committed to the work.)
Anand Buddhdev, in his update on K-root, reported an incident in which one of their authoritative systems was serving zones with expired signatures. This was due to short signature validity relative to a long transfer chain and TTLs. I was kind of surprised this hasn’t happened to anyone else before (Anand is quite an expert operator) but at any rate, I learned what EDNS Expire is for.
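The failure mode Anand described is a timing budget: the slack left on a signature when the primary re-signs must cover the worst-case time for the new data to reach every secondary plus the time caches may keep the old RRset. The following check is an added example (not ISC's or RIPE NCC's code, and the chain, SOA timers and TTL are constructed values, not K-root's configuration); it models each hop as missing NOTIFY and waiting a full REFRESH plus one RETRY.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Hop:
    """One zone-transfer hop; refresh/retry are the SOA timers the secondary uses."""
    name: str
    refresh: int  # SOA REFRESH in seconds
    retry: int    # SOA RETRY in seconds


def worst_case_propagation(chain: list[Hop]) -> int:
    # Pessimistic: NOTIFY is lost at every hop, the refresh poll fails once,
    # and the retry succeeds. Delays add up because hops are serial.
    return sum(h.refresh + h.retry for h in chain)


def rrsig_seconds_left(expiration: str, now: str) -> int:
    """Validity left on an RRSIG, from its expiration field and the current time,
    both in the YYYYMMDDHHMMSS presentation form of RFC 4034 (UTC)."""
    fmt = "%Y%m%d%H%M%S"
    exp = datetime.strptime(expiration, fmt).replace(tzinfo=timezone.utc)
    cur = datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
    return int((exp - cur).total_seconds())


def signature_margin(seconds_left_at_resign: int, chain: list[Hop], max_ttl: int) -> int:
    """Slack between the old signature's expiry and the latest moment a validator
    could still be handed the old RRset. Negative means expired signatures can
    reach validators, which is the incident described in the talk."""
    return seconds_left_at_resign - (worst_case_propagation(chain) + max_ttl)


# Constructed three-hop distribution chain: hidden primary -> distribution
# secondary -> two public secondaries fed in series.
CHAIN = [
    Hop("distribution", refresh=3600, retry=900),
    Hop("hidden-secondary", refresh=86400, retry=3600),
    Hop("public", refresh=86400, retry=3600),
]
MAX_TTL = 172800  # 2 days, the longest TTL of any RRset in the zone (constructed)

if __name__ == "__main__":
    # Re-signing with 7.5 days left is comfortable; re-signing with 1 day left is not.
    left = rrsig_seconds_left("20230608120000", "20230601000000")
    print("margin (7.5 days left):", signature_margin(left, CHAIN, MAX_TTL))
    print("margin (1 day left):", signature_margin(86400, CHAIN, MAX_TTL))
```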
Tony Finch gave a very entertaining lightning talk on Where Does My Computer Get the Time From? on the final day of RIPE. (Watch the video, it is funnier than the slides. Tony has great comedic timing.)
As always, the presentations were only half of the experience, and, sadly for those of you who missed the event, the in-person interactions were great. However, this is the first RIPE this blogger has attended that did not also have fantastic food, so there is that comforting thought for those of you who stayed home.