From owner-freebsd-security@freebsd.org Wed Jul 8 17:28:01 2015
From: Dan Lukes
Reply-To: freebsd-security
To: Mark Felder
CC: freebsd-security
Date: Wed, 08 Jul 2015 19:27:56 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Message-ID: <559D5D9C.2020709@obluda.cz>
References: <20150707232549.4D7A31B0D@freefall.freebsd.org> <1436372961.2331021.318495625.381B9FCC@webmail.messagingengine.com>
In-Reply-To: <1436372961.2331021.318495625.381B9FCC@webmail.messagingengine.com>
On 07/08/15 18:29, Mark Felder:
>> IV. Workaround
>>
>> No workaround is available, but hosts not running named(8) are not
>> vulnerable.
> Why is no workaround available? Can't you just disable DNSSEC
> validation?
>
> dnssec-enable no;
> dnssec-validation no;

Well, it depends ... If someone is running DNSSEC validation, then turning it off is no solution.

You may claim either "turn off named" or "power off the computer" to be an available workaround ...

Just my $0.02

Dan
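Whether the suggested "dnssec-validation no" is a harmless workaround or a downgrade depends on whether the resolver is validating today, which is Dan's point. The following is an added Python check, not part of this thread or of BIND, that reads a named.conf fragment and reports that state; the sample configurations are constructed, and the BIND 9 defaults it assumes (both options default to yes; validation is only effective with `auto` or configured trust anchors) are marked in comments.

```python
import re

# Constructed sample configurations (not from the advisory or the thread).
VALIDATING_CONF = """
options {
    directory "/usr/local/etc/namedb/working";
    dnssec-enable yes;
    dnssec-validation auto;   // built-in root trust anchor
};
"""

WORKAROUND_CONF = """
options {
    directory "/usr/local/etc/namedb/working";
    dnssec-enable no;
    dnssec-validation no;
};
"""


def _strip_comments(text):
    """Drop C-style, C++-style and shell-style named.conf comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _option(text, name, default):
    """Return the first value of 'name value;' or the assumed default."""
    m = re.search(r"\b%s\s+(\w+)\s*;" % re.escape(name), text)
    return m.group(1).lower() if m else default


def validation_state(conf):
    """Classify a named.conf: 'validating', 'disabled' or 'no-trust-anchors'."""
    text = _strip_comments(conf)
    # Assumption: BIND 9 defaults both options to "yes" when unset.
    enable = _option(text, "dnssec-enable", "yes")
    validation = _option(text, "dnssec-validation", "yes")
    if enable == "no" or validation == "no":
        return "disabled"
    # With "yes", validation only happens if trust anchors are configured.
    has_anchors = re.search(r"\b(managed-keys|trusted-keys)\s*\{", text) is not None
    return "validating" if validation == "auto" or has_anchors else "no-trust-anchors"


def workaround_is_a_downgrade(conf):
    """True when applying 'dnssec-validation no' would remove real validation."""
    return validation_state(conf) == "validating"


if __name__ == "__main__":
    for label, conf in (("validating", VALIDATING_CONF), ("workaround", WORKAROUND_CONF)):
        print(label, validation_state(conf), workaround_is_a_downgrade(conf))
```

Only the first occurrence of each option is inspected, so per-view overrides are not handled.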