On Wed, Jul 8, 2015, at 12:27, Dan Lukes wrote:
> On 07/08/15 18:29, Mark Felder:
> >> IV. Workaround
> >>
> >> No workaround is available, but hosts not running named(8) are not
> >> vulnerable.
> >
> > Why is no workaround available? Can't you just disable DNSSEC
> > validation?
> >
> > dnssec-enable no;
> > dnssec-validation no;
> >
> Well, it depends ...
>
> If someone is running DNSSEC validation, then turning it off is no
> solution.
>
> You may claim either "turn off named" or "power off the computer" to be
> an available workaround ...
>

DNSSEC is not a requirement to run a DNS resolver. We have pointed out
when you're not affected in other entries:

https://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc

> IV. Workaround
>
> No workaround is available, but systems that do not use OpenSSL to implement
> the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
> protocols implementation and do not use the ECDSA implementation from OpenSSL
> are not vulnerable.

or look at this ipv6 entry:

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc

> IV. Workaround
>
> Only systems that are manually configured to use "accept_rtadv"
> ifconfig(8) flag on an interface are affected.

"No workaround is available, but only systems that are manually
configured to enable DNSSEC validation are affected." would be a
reasonable statement.