Date:      Wed, 08 Jul 2015 12:49:12 -0500
From:      Mark Felder <feld@FreeBSD.org>
To:        "freebsd-security" <freebsd-security@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Message-ID:  <1436377752.2351289.318560673.25707A63@webmail.messagingengine.com>
In-Reply-To: <559D5D9C.2020709@obluda.cz>
References:  <20150707232549.4D7A31B0D@freefall.freebsd.org> <1436372961.2331021.318495625.381B9FCC@webmail.messagingengine.com> <559D5D9C.2020709@obluda.cz>



On Wed, Jul 8, 2015, at 12:27, Dan Lukes wrote:
> On 07/08/15 18:29, Mark Felder:
> >> IV.  Workaround
> >>
> >> No workaround is available, but hosts not running named(8) are not
> >> vulnerable.
> 
> > Why is no workaround available? Can't you just disable DNSSEC
> > validation?
> >
> > dnssec-enable no;
> > dnssec-validation no;
> 
> 
> Well, it depends ...
> 
> If someone is running DNSSEC validation, then turning it off is no
> solution.
> 
> You may claim either "turn off named" or "power off the computer" to be 
> an available workaround ...
> 

DNSSEC is not a requirement to run a DNS resolver. We have pointed out
when you're not affected in other entries:

https://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc

> IV.  Workaround
> 
> No workaround is available, but systems that do not use OpenSSL to implement
> the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> protocols implementation and do not use the ECDSA implementation from OpenSSL
> are not vulnerable.

or look at this IPv6 entry:

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc

> IV.  Workaround
> 
> Only systems that are manually configured to use "accept_rtadv"
> ifconfig(8) flag on an interface are affected.

"No workaround is available, but only systems that are manually
configured to enable DNSSEC validation are affected." would be a
reasonable statement.


