On Tue, Jul 7, 2015, at 18:25, FreeBSD Security Advisories wrote:
>
> IV. Workaround
>
> No workaround is available, but hosts not running named(8) are not
> vulnerable.
>

Why is no workaround available? Can't you just disable DNSSEC validation?

dnssec-enable no;
dnssec-validation no;

In fact, don't they have to be explicitly enabled anyway?

On 07/08/15 18:29, Mark Felder:
>> IV. Workaround
>>
>> No workaround is available, but hosts not running named(8) are not
>> vulnerable.
> Why is no workaround available? Can't you just disable DNSSEC
> validation?
>
> dnssec-enable no;
> dnssec-validation no;

Well, it depends ... If someone is running DNSSEC validation, then turning it off is no solution. You may claim either "turn off named" or "power off the computer" to be an available workaround ...

Just my $0.02

Dan