From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Date: Wed, 08 Jul 2015 11:29:21 -0500

On Tue, Jul 7, 2015, at 18:25, FreeBSD Security Advisories wrote:
>
> IV. Workaround
>
> No workaround is available, but hosts not running named(8) are not
> vulnerable.
>

Why is no workaround available? Can't you just disable DNSSEC validation?

dnssec-enable no;
dnssec-validation no;

In fact, don't they have to be explicitly enabled anyway?