Package: bind9 "order random_1" is applied to DO queries and consequently returns data which fails DNSSEC validation. It's also not restricted to types A and AAAA, so there's a risk of service degradation/DoS (for example, assume that a downstream cache receives a NS RRset for BIZ which only includes J.GTLD.BIZ, but the downstream cache has no IPv6 connectivity).
The easiest fix would be to remove the option. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
