As a follow-up to the story from yesterday on the BIND DNS server updates (as a result of the OpenSSL signature validation bug)... It is difficult to tell whether the default BIND9 configuration turns on DNSSEC support by default.  I reviewed the BIND documentation and the CHANGES file today.  It certainly appears that the default settings for DNSSEC have been recently changed in the 9.6.0b1 and 9.5.0a1 releases.  If you are running BIND DNS servers with DNSSEC, then you probably care that signatures check-out and you need to patch regardless of what the default settings are.  Otherwise, this isn't an exploitation bug and you don't need to patch immediately.