Package: bind9 "order random_1" is applied to DO queries and consequently returns data which fails DNSSEC validation. It's also not restricted to types A and AAAA, so there's a risk of service degradation/DoS (for example, assume that a downstream cache receives a NS RRset for BIZ which only includes J.GTLD.BIZ, but the downstream cache has no IPv6 connectivity).
The easiest fix would be to remove the option. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
