This is a discussion on Re: Bind 8.4.1 patch for blocking Verisign's new wildcard DNS record within the Bind Users forums, part of the DNS and Related Forums category.
gnews@stereo.lu (Guillaume Rischard) wrote in message news:<bk7hdt$1m8q$1@sf1.isc.org>...
> Hello,
>
> Andrew Church has published an untested patch at
> http://achurch.org/bind-verisign-patch.html . Here is what he writes:
>
> > BIND 8 patch for Verisign stupidity
> >
> > This page provides a patch to BIND 8 to ignore the wildcard A record
> > Verisign is now returning for unregistered .com/.net domains. It was
> > cooked up over 10 minutes of pure anger and has not been properly
> > tested; it would be better to be able to specify which IPs to ignore in
> > the configuration file. Suggestions or improved patches are very
> > much welcomed.
> >
> > This patch was made against BIND 8.4.1.
>
> Here is the actual patch:
>
> ---cut here---
>
> --- src/bin/named/ns_resp.c.old 2003-05-30 20:52:14 +0900
> +++ src/bin/named/ns_resp.c 2003-09-16 12:09:30 +0900
> @@ -971,6 +971,15 @@
> */
> if (i < ancount) {
> /* Answer section. */
> + /* HACK to kill Verisign stupidity
> + * --achurch@achurch.org */
> + char IP_TO_KILL[] = {64,94,110,11};
> + if (type == ns_t_a
> + && memcmp(dp->d_data, IP_TO_KILL, 4) == 0
> + ) {
> + validanswer = 0;
> + continue;
> + }
> /*
> * Check for attempts to overflow the buffer in
> * getnameanswer.
>
> ---cut here---
>
> Cheers,
>
> Guillaume
>
> "Christopher X. Candreva" <chris@westnet.com> wrote in message news:<bk5ek8$2vuh$1@sf1.isc.org>...
> > Verisign is now returning a wildcard record for any unregistered .net
> > domain, with .com soon to follow. This is to redirect all such requests to
> > their own search site.
> >
> > Now, the IP they are returning currently is 64.94.110.11. It just occurred
> > to me, is it possible to configure bind such that any lookup that returns
> > that IP returns Host not found instead ?
> >
> > If Verisign is determined to break DNS, perhaps we can break it back ?

In a previous post (if it makes it here) I suggested another patch that provides an NXDOMAIN response. DO NOT USE that patch; it does not return a properly formatted NXDOMAIN response. I would wait for someone to come out with a cleaner solution, and I'll be working on one myself.
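Review bot: in the `if (i < ancount)` answer-section branch of the ns_resp.c hunk, `memcmp(dp->d_data, IP_TO_KILL, 4)` reads four bytes of rdata on the strength of `type == ns_t_a` alone, and nothing in the visible hunk assigns `dp` for the RR being examined; guard the comparison on the record's rdata length as well (exactly 4 bytes, in whatever variable the surrounding loop keeps RDLENGTH) and confirm that `dp` already points at the current answer RR at this point in the loop, otherwise a malformed A record is read past its data and the match may be made against the previous record. The address is hard-coded, which the comment on the same lines concedes; until it comes from named.conf, declare it `static const char IP_TO_KILL[] = {64,94,110,11};` so the array is not re-initialised for every answer RR, and replace the `HACK to kill Verisign stupidity` comment with one that says what the block does (drop an A answer pointing at 64.94.110.11). Note also that `validanswer = 0; continue;` only discards the record; it does not by itself produce the "Host not found" (NXDOMAIN) reply that the original question in this thread asked for, and building that reply correctly is exactly what the post's final paragraph warns is not yet solved.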
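The two things this thread is asking for, written out as a stand-alone example: spot answer-section A records whose address is on a blocklist, and build a negative reply that is at least syntactically correct. This is added example code, not code from BIND, from Andrew Church's patch or from anyone in the thread; it works on a raw RFC 1035 wire-format message rather than inside named, handles name compression, multiple questions and a list of addresses rather than the single hard-coded one in the patch, and the sample response bytes, the name example.net, the ID and the TTL are constructed for the example (the 64.94.110.11 address is the one quoted above).

```c
/* Added example, not BIND code and not from this thread: scan a raw DNS response
 * (RFC 1035 wire format) for answer-section A records that are on a blocklist,
 * and build a well-formed NXDOMAIN reply from the original message. The sample
 * bytes, the name example.net and the TTL are constructed for the example. */
#include <stdint.h>
#include <string.h>

#define DNS_HDR_LEN 12                                /* fixed header size */
static const uint8_t BLOCKLIST[][4] = { {64, 94, 110, 11} };   /* address from the thread */

/* Constructed 45-byte response: ID 0x1234, QR/RD/RA, one question "example.net
 * IN A", one answer (owner = pointer 0xC00C, IN A, TTL 3600, rdata 64.94.110.11). */
static const uint8_t SAMPLE[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'n', 'e', 't', 0, 0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04,
    64, 94, 110, 11
};

/* Step over a possibly compressed name; returns the offset past it, or 0 if it
 * runs off the end of the message or uses a reserved label type. */
static size_t skip_name(const uint8_t *msg, size_t len, size_t off)
{
    while (off < len) {
        uint8_t c = msg[off];
        if (c == 0) return off + 1;                   /* root label ends the name */
        if ((c & 0xC0) == 0xC0)                       /* 2-byte compression pointer */
            return (off + 2 <= len) ? off + 2 : 0;
        if (c & 0xC0) return 0;                       /* 0x40/0x80: reserved types */
        off += 1 + c;
    }
    return 0;
}

/* Skip header and question section; returns offset of the first answer RR, or 0. */
static size_t skip_questions(const uint8_t *msg, size_t len)
{
    if (len < DNS_HDR_LEN) return 0;
    size_t qdcount = (msg[4] << 8) | msg[5], off = DNS_HDR_LEN;
    for (size_t i = 0; i < qdcount; i++) {            /* QNAME, then QTYPE + QCLASS */
        if ((off = skip_name(msg, len, off)) == 0 || off + 4 > len) return 0;
        off += 4;
    }
    return off;
}

/* Count answer-section A records whose rdata is on the blocklist (*total_a = A
 * records seen); -1 on a truncated or malformed message. Like the patch this
 * matches the rdata bytes, but only after checking RDLENGTH and the bounds. */
int count_blocked_a(const uint8_t *msg, size_t len,
                    const uint8_t (*block)[4], size_t nblock, int *total_a)
{
    size_t off = skip_questions(msg, len);
    int blocked = 0;
    *total_a = 0;
    if (off == 0) return -1;
    size_t ancount = (msg[6] << 8) | msg[7];
    for (size_t i = 0; i < ancount; i++) {
        if ((off = skip_name(msg, len, off)) == 0 || off + 10 > len)
            return -1;                                /* need TYPE CLASS TTL RDLENGTH */
        uint16_t type  = (msg[off] << 8) | msg[off + 1];
        uint16_t rdlen = (msg[off + 8] << 8) | msg[off + 9];
        if (off + 10 + rdlen > len) return -1;
        if (type == 1 /* A */ && rdlen == 4) {
            (*total_a)++;
            for (size_t b = 0; b < nblock; b++)
                if (memcmp(msg + off + 10, block[b], 4) == 0) { blocked++; break; }
        }
        off += 10 + rdlen;
    }
    return blocked;
}

/* Negative reply: the original header with QR set and RCODE 3, RR counts zeroed,
 * then the question section verbatim. Well-formed, but with no SOA in the
 * authority section it is not negatively cacheable (RFC 2308). 0 on error. */
size_t make_nxdomain(const uint8_t *msg, size_t len, uint8_t *out, size_t outcap)
{
    size_t qend = skip_questions(msg, len);
    if (qend == 0 || qend > outcap) return 0;
    memcpy(out, msg, qend);
    out[2] |= 0x80;                                   /* QR: this is a response */
    out[3] = (out[3] & 0xF0) | 0x03;                  /* RCODE = NXDOMAIN */
    memset(out + 6, 0, 6);                            /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    return qend;
}

/* Wrappers over the sample: the full message, and one cut to 40 bytes mid-RR. */
int sample_blocked(void)   { int t = 0; return count_blocked_a(SAMPLE, sizeof SAMPLE, BLOCKLIST, 1, &t); }
int sample_truncated(void) { int t = 0; return count_blocked_a(SAMPLE, 40, BLOCKLIST, 1, &t); }

/* NXDOMAIN reply length for the sample, or -1 if RCODE/counts are not as built. */
int sample_nxdomain_len(void)
{
    uint8_t reply[512];
    size_t n = make_nxdomain(SAMPLE, sizeof SAMPLE, reply, sizeof reply);
    return (n == 0 || (reply[3] & 0x0F) != 3 || reply[7] != 0 || reply[11] != 0) ? -1 : (int)n;
}
```

The scanner deliberately counts rather than deleting the matching RR in place: removing bytes from the middle of a message would shift every compression pointer in the authority and additional sections, which is one way to end up with the malformed reply the last paragraph of the post warns about. The caller decides what to do with the verdict; when every A answer is on the list, `make_nxdomain` gives it a 29-byte header-plus-question reply with RCODE 3 for the sample. A main that prints `sample_blocked()`, `sample_truncated()` and `sample_nxdomain_len()` is all that is needed to run it; on the constructed sample they return 1, -1 and 29.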