From: Mel Pilgrim
To: Mark Felder, freebsd-security
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Date: Wed, 8 Jul 2015 11:34:12 -0700
Message-ID: <559D6D24.6000709@bluerosetech.com>
In-Reply-To: <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com>
References: <20150707232549.4D7A31B0D@freefall.freebsd.org> <1436372961.2331021.318495625.381B9FCC@webmail.messagingengine.com> <559D5D9C.2020709@obluda.cz> <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com>

On 2015-07-08 10:49, Mark Felder wrote:
> DNSSEC is not a requirement to run a DNS resolver.

It is a requirement if you're using DANE or other technologies where the trust model relies on authenticated DNS.

I've always understood the term "workaround" to mean "mitigate the problem without a loss of feature/functionality". Because "turn off DNSSEC" doesn't universally meet that definition, it's not really a workaround.

For example, a workaround for vulnerabilities in the base BIND that's already fixed in ports is to disable the in-base version and install the port.
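An added example, not part of the message above or of FreeBSD's own scripts: a small audit that checks the two things this reply turns on, whether a host is running the base BIND or the ports BIND, and whether DNSSEC validation is actually in effect (so an admin can see up front whether "turn off DNSSEC" would cost them DANE or similar functionality). It assumes the FreeBSD 9.x-era layout in which the base /etc/rc.d/named honours a named_program setting in rc.conf, the ports BIND installs to /usr/local/sbin/named, and named.conf uses the standard "dnssec-validation yes|no|auto;" option. The rc.conf and named.conf contents are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original message. Assumed layout (FreeBSD 9.x era):
# the base /etc/rc.d/named honours named_program in rc.conf, the ports BIND lives in
# /usr/local/sbin/named, and named.conf carries "dnssec-validation <yes|no|auto>;".

# Print the named binary an rc.conf selects; the base BIND if named_program is unset.
named_program_from_rcconf() {
    prog=$(sed -n 's/^[[:space:]]*named_program="\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1)
    if [ -n "$prog" ]; then printf '%s\n' "$prog"; else printf '%s\n' /usr/sbin/named; fi
}

# Print "port" when rc.conf points at the ports BIND, otherwise "base".
bind_flavor() {
    case "$(named_program_from_rcconf "$1")" in
        /usr/local/*) echo port ;;
        *) echo base ;;
    esac
}

# Print the effective dnssec-validation value from named.conf, or "unset".
# Commented-out lines (// or #) do not match because the pattern is anchored
# at the start of the line.
dnssec_validation() {
    v=$(sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]\{1,\}\([a-z]*\)[[:space:]]*;.*$/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else echo unset; fi
}

# One-line verdict combining both checks: which BIND runs, and whether
# disabling DNSSEC would actually remove something the host relies on.
audit_named() {
    printf 'bind=%s dnssec-validation=%s\n' "$(bind_flavor "$1")" "$(dnssec_validation "$2")"
}

# Constructed sample files (not real system configuration) so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rc.conf.base" <<'EOF'
named_enable="YES"
EOF
cat > "$demo_dir/rc.conf.port" <<'EOF'
named_enable="YES"
named_program="/usr/local/sbin/named"
EOF
cat > "$demo_dir/named.conf.dane" <<'EOF'
options {
    directory "/etc/namedb";
    dnssec-validation auto;
};
EOF
cat > "$demo_dir/named.conf.plain" <<'EOF'
options {
    directory "/etc/namedb";
    // dnssec-validation yes;   commented out, so not in effect
};
EOF

# Base BIND with validation on: disabling DNSSEC here is a loss of function,
# so the port-based workaround is the one that preserves behaviour.
audit_named "$demo_dir/rc.conf.base" "$demo_dir/named.conf.dane"
# Ports BIND with validation never enabled: nothing to lose on the DNSSEC side.
audit_named "$demo_dir/rc.conf.port" "$demo_dir/named.conf.plain"
```

Point the two functions at the real /etc/rc.conf and /etc/namedb/named.conf to audit a live host; a result of bind=base with dnssec-validation=yes or auto is the case the reply is about, where switching off DNSSEC is a feature loss rather than a workaround.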