From owner-freebsd-security@freebsd.org  Thu Jul  9 06:06:10 2015
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AA6FB99567D
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Thu,  9 Jul 2015 06:06:10 +0000 (UTC)
 (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 0A4D01E1D;
 Thu,  9 Jul 2015 06:06:09 +0000 (UTC)
 (envelope-from smithi@nimnet.asn.au)
Received: from localhost (localhost [127.0.0.1])
 by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t695eRZx028337;
 Thu, 9 Jul 2015 15:40:28 +1000 (EST)
 (envelope-from smithi@nimnet.asn.au)
Date: Thu, 9 Jul 2015 15:40:27 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Mark Felder <feld@freebsd.org>
cc: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
In-Reply-To: <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com>
Message-ID: <20150709152004.G70511@sola.nimnet.asn.au>
References: <20150707232549.4D7A31B0D@freefall.freebsd.org>
 <1436372961.2331021.318495625.381B9FCC@webmail.messagingengine.com>
 <559D5D9C.2020709@obluda.cz>
 <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 06:06:10 -0000

On Wed, 8 Jul 2015 12:49:12 -0500, Mark Felder wrote:

 > "No workaround is available, but only systems that are manually
 > configured to enable DNSSEC validation are affected." would be a
 > reasonable statement.

Agreed.  DNSSEC may become mandatory, and while surely 'best practice', 
it's not yet required and many resolvers are not yet DNSSEC configured.

cheers, Ian