FreeBSD Security Advisory FreeBSD-SA-15:11.bind
Mel Pilgrim
list_freebsd at bluerosetech.com
Wed Jul 8 18:34:31 UTC 2015
On 2015-07-08 10:49, Mark Felder wrote:
> DNSSEC is not a requirement to run a DNS resolver.
It is requirement if you're using DANE or other technologies where the
trust model relies on authenticated DNS. I've always understood the
term "workaround" to mean "mitigate the problem without a loss of
feature/functionality". Because "turn off DNSSEC" doesn't universally
meet that definition, it's not really a workaround.
For example, a workaround for vulnerabilities in the base BIND that's
already fixed in ports is to disable the in-base version and install the
port.
More information about the freebsd-security
mailing list