From: Mark Felder <feld@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Date: Wed, 08 Jul 2015 12:49:12 -0500
Message-Id: <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com>
In-Reply-To: <559D5D9C.2020709@obluda.cz>

On Wed, Jul 8, 2015, at 12:27, Dan Lukes wrote:
> On 07/08/15 18:29, Mark Felder:
> >> IV. Workaround
> >>
> >> No workaround is available, but hosts not running named(8) are not
> >> vulnerable.
> >
> > Why is no workaround available? Can't you just disable DNSSEC
> > validation?
> >
> > dnssec-enable no;
> > dnssec-validation no;
>
> Well, it depends ...
>
> If someone is running DNSSEC validation, then turning it off is no
> solution.
>
> You may claim either "turn off named" or "power off the computer" to be
> an available workaround ...
>

DNSSEC is not a requirement to run a DNS resolver. We have pointed out
when you're not affected in other entries:

https://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc

> IV. Workaround
>
> No workaround is available, but systems that do not use OpenSSL to implement
> the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> protocols implementation and do not use the ECDSA implementation from OpenSSL
> are not vulnerable.

or look at this ipv6 entry:

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc

> IV. Workaround
>
> Only systems that are manually configured to use "accept_rtadv"
> ifconfig(8) flag on an interface are affected.

"No workaround is available, but only systems that are manually
configured to enable DNSSEC validation are affected." would be a
reasonable statement.
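As an added example, not part of the thread and not FreeBSD's or ISC's code: a POSIX shell check that reads a named.conf-style file and reports whether `dnssec-validation` is explicitly set, which is the condition the wording proposed above turns on. The file path in the usage line, the sample configurations and the treatment of `auto` as "enabled" (it loads a built-in root trust anchor) are assumptions; the script ignores per-view overrides and does not verify that trust anchors are configured, so a `yes` result still needs that second look.

```shell
#!/bin/sh
# Added example, not from the thread or the advisory: report the
# dnssec-validation setting found in a named.conf-style file so an operator
# can tell whether "only systems configured to enable DNSSEC validation are
# affected" applies to a host. Assumptions (hypothetical): the file uses
# BIND's "dnssec-validation yes|no|auto;" syntax and the setting is global
# (per-view overrides are not tracked). "auto" is treated as enabled because
# it loads a built-in root trust anchor; "yes" only validates when a trust
# anchor is configured, which this script does not check.

# dnssec_validation_setting FILE
# Prints the last uncommented value (yes, no or auto), or "unset" if none.
dnssec_validation_setting() {
    awk '
        BEGIN { in_block = 0; result = "unset" }
        {
            line = $0
            out = ""
            # remove /* ... */ block comments, which may span lines
            while (length(line) > 0) {
                if (in_block) {
                    e = index(line, "*/")
                    if (e == 0) { line = ""; break }
                    line = substr(line, e + 2)
                    in_block = 0
                } else {
                    s = index(line, "/*")
                    if (s == 0) { out = out line; line = ""; break }
                    out = out substr(line, 1, s - 1)
                    line = substr(line, s + 2)
                    in_block = 1
                }
            }
            # remove // and # line comments
            sub(/\/\/.*$/, "", out)
            sub(/#.*$/, "", out)
            if (match(out, /dnssec-validation[ \t]+(yes|no|auto)[ \t]*;/)) {
                v = substr(out, RSTART, RLENGTH)
                sub(/^dnssec-validation[ \t]+/, "", v)
                sub(/[ \t]*;$/, "", v)
                result = v
            }
        }
        END { print result }
    ' "$1"
}

# dnssec_validation_enabled FILE
# Exit status 0 when validation is explicitly enabled (yes or auto), 1 for
# "no", and 2 when the file is silent; in that last case the default of the
# installed BIND version applies and must be checked separately (named -V
# and that version's documentation).
dnssec_validation_enabled() {
    case "$(dnssec_validation_setting "$1")" in
        yes|auto) return 0 ;;
        no)       return 1 ;;
        *)        return 2 ;;
    esac
}

# Usage (path is a placeholder, substitute the host's actual named.conf):
#   dnssec_validation_enabled /path/to/named.conf && echo "validation on"
```

The comment stripping matters more than it looks: a commented-out `// dnssec-validation yes;` left over from an earlier experiment is exactly the line a naive `grep` would report as "enabled".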