oss-sec mailing list archives

Re: [BIND] CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure


From: Solar Designer <solar () openwall com>
Date: Wed, 29 Jul 2015 07:26:31 +0300

On Tue, Jul 28, 2015 at 11:52:53PM -0400, Michael McNally wrote:
> A deliberately constructed packet can exploit an error in the
> handling of queries for TKEY records, permitting denial of service.

As an attack surface reduction measure for a subset of builds/users,
would it make sense to exclude the corresponding code and functionality
from --without-openssl builds (which effectively lack DNSSEC support
anyway, and often deliberately so)?  If so, I wish this had been done by
now, thereby mitigating this bug for those builds and users, but perhaps
it still makes sense to do so now (upstream?) in case there are more
bugs "like this" in code that is DNSSEC-related yet doesn't directly
depend on OpenSSL (hence, isn't excluded in --without-openssl builds
yet).  Security aside, this would also reduce the (binary) code size.

Alexander

