On 2015-07-08 10:49, Mark Felder wrote:
DNSSEC is not a requirement to run a DNS resolver.
It is requirement if you're using DANE or other technologies where the trust model relies on authenticated DNS. I've always understood the term "workaround" to mean "mitigate the problem without a loss of feature/functionality". Because "turn off DNSSEC" doesn't universally meet that definition, it's not really a workaround.
For example, a workaround for vulnerabilities in the base BIND that's already fixed in ports is to disable the in-base version and install the port.
_______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
