Bind 8.4.1 patch for blocking Verisign's new wildcard DNS record
Clayton Braun
vvarm at hotmail.com
Wed Sep 17 16:10:41 UTC 2003
gnews at stereo.lu (Guillaume Rischard) wrote in message news:<bk7hdt$1m8q$1 at sf1.isc.org>...
> Hello,
>
> Andrew Church has published an untested patch at
> http://achurch.org/bind-verisign-patch.html . Here is what he writes:
>
> > BIND 8 patch for Verisign stupidity
> >
> > This page provides a patch to BIND 8 to ignore the wildcard A record
> > Verisign is now returning for unregistered .com/.net domains. It was
> > cooked up over 10 minutes of pure anger and has not been properly
> > tested; it would be better to be able to specify which IPs to ignore in
> > the configuration file. Suggestions or improved patches are very
> > much welcomed.
> >
> > This patch was made against BIND 8.4.1.
>
> Here is the actual patch:
>
> ---cut here---
>
> --- src/bin/named/ns_resp.c.old 2003-05-30 20:52:14 +0900
> +++ src/bin/named/ns_resp.c 2003-09-16 12:09:30 +0900
> @@ -971,6 +971,15 @@
> */
> if (i < ancount) {
> /* Answer section. */
> + /* HACK to kill Verisign stupidity
> + * --achurch at achurch.org */
> + char IP_TO_KILL[] = {64,94,110,11};
> + if (type == ns_t_a
> + && memcmp(dp->d_data, IP_TO_KILL, 4) == 0
> + ) {
> + validanswer = 0;
> + continue;
> + }
> /*
> * Check for attempts to overflow the buffer in
> * getnameanswer.
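Review bot: the `memcmp(dp->d_data, IP_TO_KILL, 4)` in this hunk trusts that an `ns_t_a` record carries exactly four bytes of data; guard the comparison with the record's length (`dp->d_size == 4` in BIND 8's struct databuf) so a truncated or malformed A record is never compared past its data. Two further points on the same lines: the match is on the address alone, so any name that legitimately resolves to 64.94.110.11 is suppressed as well, and nothing in the hunk changes the response code, so a client receives an empty NOERROR answer rather than NXDOMAIN. The author's own remark that the addresses belong in the configuration file should be acted on instead of hard-coding `char IP_TO_KILL[] = {64,94,110,11};`.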
>
> ---cut here---
>
> Cheers,
>
> Guillaume
>
> "Christopher X. Candreva" <chris at westnet.com> wrote in message news:<bk5ek8$2vuh$1 at sf1.isc.org>...
> > Verisign is now returning a wildcard record for any unregistered .net
> > domain, with .com soon to follow. This is to redirect all such requests to
> > their own search site.
> >
> > Now, the IP they are returning currently is 64.94.110.11. It just occurred
> > to me, is it possible to configure bind such that any lookup that returns
> > that IP returns Host not found instead ?
> >
> > If Verisign is determined to break DNS, perhaps we can break it back ?
In a previous post (if it makes it here) I suggested another patch
that provides an NXDOMAIN response. DO NOT USE that patch; it does
not return a properly formatted NXDOMAIN response. I would wait for
someone to come out with a cleaner solution, and I'll be working on
one myself.
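The difference the thread turns on (dropping the wildcard A record versus answering NXDOMAIN) is easier to see on a wire-format message than inside ns_resp.c. The following is an added example, not code from this thread or from BIND: it parses a DNS response with the standard library, removes answer-section A records whose address is on a block list, and either leaves the header alone (an empty NOERROR answer, which is what simply skipping the record gives) or sets RCODE to NXDOMAIN. The sample response, the name `nosuchdomain-example.net` and the function names are constructed for the example; only names in NS, CNAME and PTR rdata are decompressed when the message is rebuilt, and no negative-caching SOA is added to the authority section.

```python
"""Filter a DNS wire-format response: drop answer-section A records that
point at blocked addresses and optionally turn the reply into NXDOMAIN
instead of leaving an empty NOERROR answer."""
import ipaddress
import struct

# Address the thread reports Verisign returning for unregistered names.
BLOCKED = {ipaddress.IPv4Address("64.94.110.11")}

RCODE_NXDOMAIN = 3
TYPE_A = 1
CLASS_IN = 1
NAME_TYPES = {2, 5, 12}  # NS, CNAME, PTR: rdata is a single domain name


def read_name(msg, off):
    """Decode a possibly compressed name; return (labels, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return labels, (end if jumped else off)


def encode_name(labels):
    """Encode labels as an uncompressed wire-format name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse(msg):
    """Return (header fields, questions, rrs); rrs are tagged with section 0/1/2."""
    hdr = struct.unpack("!6H", msg[:12])
    off, questions, rrs = 12, [], []
    for _ in range(hdr[2]):
        labels, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((labels, qtype, qclass))
    for section in range(3):  # answer, authority, additional
        for _ in range(hdr[3 + section]):
            labels, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype in NAME_TYPES:  # decompress so the record can be re-emitted
                rdata = encode_name(read_name(msg, off)[0])
            off += rdlen
            rrs.append((section, labels, rtype, rclass, ttl, rdata))
    return hdr, questions, rrs


def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0xF


def filter_response(msg, blocked=BLOCKED, as_nxdomain=True):
    """Return (message, changed). Blocked A answers are removed; if the answer
    section ends up empty and as_nxdomain is set, RCODE becomes NXDOMAIN."""
    hdr, questions, rrs = parse(msg)
    keep = [rr for rr in rrs
            if not (rr[0] == 0 and rr[2] == TYPE_A and rr[3] == CLASS_IN
                    and len(rr[5]) == 4  # length check the BIND patch lacks
                    and ipaddress.IPv4Address(rr[5]) in blocked)]
    if len(keep) == len(rrs):
        return msg, False
    flags = hdr[1]
    if as_nxdomain and not any(rr[0] == 0 for rr in keep):
        flags = (flags & ~0xF) | RCODE_NXDOMAIN
    counts = [sum(1 for rr in keep if rr[0] == s) for s in range(3)]
    out = struct.pack("!6H", hdr[0], flags, len(questions), *counts)
    for labels, qtype, qclass in questions:
        out += encode_name(labels) + struct.pack("!HH", qtype, qclass)
    for _, labels, rtype, rclass, ttl, rdata in keep:
        out += encode_name(labels) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return out, True


def build_sample():
    """Constructed reply: one A answer for an unregistered .net name."""
    q = encode_name(["nosuchdomain-example", "net"]) + struct.pack("!HH", TYPE_A, CLASS_IN)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 900, 4) + bytes([64, 94, 110, 11])
    return struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + q + ans


if __name__ == "__main__":
    sample = build_sample()
    for nx in (False, True):
        out, _ = filter_response(sample, as_nxdomain=nx)
        print("as_nxdomain=%s -> rcode %d, ancount %d" % (nx, rcode(out), parse(out)[0][3]))
```

With `as_nxdomain=False` the output is the NOERROR-with-no-answer reply that a resolver treats as "name exists, no A record"; with `as_nxdomain=True` the stub sees the name as nonexistent. A resolver doing this for real would still want an SOA in the authority section so the negative answer is cacheable.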