From: Barry Bouwsma
Date: Wed, 24 Sep 2003 18:34:02 +0200 (CEST)
To: freebsd-hackers@freebsd.org
Subject: Re: Any workarounds for Verisign .com/.net highjacking?
Message-Id: <200309241634.h8OGY2D02788@Mail.NOSPAM.DynDNS.dK>
References: <20030916102356.A11571@lava.net> <20030919100922.GV79731@freepuppy.bellavista.cz>

[obligatory From: address is IPv6-only; to obtain IPv4-mailable address, remove hostname part.
Even then no guarantee mail won't bounce -- I follow the list archives in my copious offline time]

> > > In the meantime I'm trying to figure out if there's some
> > >simple hack to disregard these wildcard A records, short of

> > I have no idea of how well either of these work. Use your
> > own discretion at applying them.

> djbdns-1.05-ignoreip2.patch seems to work very well here, on three

A stupid question, no less, since I see this being discussed here -- is it correct that the ISC BIND patch does not work with a nameserver that's set up as a forward-only box?

I've applied the patch to a random BIND successfully, but I'm configured as forward-only for the domains I don't dish out, being on the unpleasant end of a PPP dial-in and trying to do my part to keep the root nameservers' load down. I nab the ISP-provided DNS addresses during the PPP handshake, configure them as forwarders (plus one or two backups) and restart named, but still I was able to resolve a made-up com domain to the Usual Address.

This tells me I need to use the DNS machines of an ISP with Clue as static forwarder addresses, not those provided by ISP-of-the-day (and the last ISP seemed to give horribly broken machines anyway), if this reaches a point where I actually want to do something about these wildcards. Provided the ISP allows outgoing DNS queries too.

Thanks,
Barry Bouwsma
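The check described in the message above (resolving a made-up com name through whatever forwarders are currently configured) can be scripted so it is repeatable after each forwarder change. This is an added example, not part of the original message or of the BIND or djbdns patches; the function names are hypothetical and 192.0.2.1 is a constructed placeholder, not the real wildcard address.

```python
import secrets
import socket
from collections import Counter


def random_label(nbytes=10):
    """Return a random hex label that is very unlikely to be registered."""
    return secrets.token_hex(nbytes)


def system_resolve(name):
    """A records via the system resolver; empty set on NXDOMAIN or failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def probe_wildcard(tld, resolve=system_resolve, probes=5):
    """Resolve several made-up names under `tld`.

    Returns the sorted addresses that answered *every* probe. A non-empty
    result means something on the resolution path (registry wildcard passed
    through by a forwarder, or a rewriting ISP resolver) is synthesizing
    answers for names that should not exist.
    """
    seen = Counter()
    for _ in range(probes):
        name = f"{random_label()}.{tld}"
        # resolve() returns a set, so each address counts once per probe
        for addr in resolve(name):
            seen[addr] += 1
    return sorted(addr for addr, hits in seen.items() if hits == probes)


if __name__ == "__main__":
    # Constructed stand-in for a forwarder that passes the wildcard through,
    # so the demonstration runs offline. 192.0.2.1 is a placeholder address.
    def wildcarding_forwarder(name):
        return {"192.0.2.1"} if name.endswith(".com") else set()

    print("stub forwarder, com:", probe_wildcard("com", wildcarding_forwarder))
    print("stub forwarder, org:", probe_wildcard("org", wildcarding_forwarder))
```

Calling `probe_wildcard("com")` without a `resolve` argument queries the system resolver, which on a forward-only setup reports what the configured forwarders hand back.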