FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Mark Felder
feld at FreeBSD.org
Wed Jul 8 17:49:14 UTC 2015
On Wed, Jul 8, 2015, at 12:27, Dan Lukes wrote:
> On 07/08/15 18:29, Mark Felder:
> >> IV. Workaround
> >>
> >> No workaround is available, but hosts not running named(8) are not
> >> vulnerable.
>
> > Why is no workaround available? Can't you just disable DNSSEC
> > validation?
> >
> > dnssec-enable no;
> > dnssec-validation no;
>
>
> Well, it depends ...
>
> If someone is running DNSSEC validation, then turning it off is no
> solution.
>
> You may claim either "turn off named" or "power off the computer" to be
> an available workaround ...
>
DNSSEC is not a requirement to run a DNS resolver. We have pointed out
when you're not affected in other entries:
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
> IV. Workaround
>
> No workaround is available, but systems that do not use OpenSSL to implement
> the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> protocols implementation and do not use the ECDSA implementation from OpenSSL
> are not vulnerable.
or look at this IPv6 entry:
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc
> IV. Workaround
>
> Only systems that are manually configured to use "accept_rtadv"
> ifconfig(8) flag on an interface are affected.
"No workaround is available, but only systems that are manually
configured to enable DNSSEC validation are affected." would be a
reasonable statement.