From owner-freebsd-hackers@FreeBSD.ORG  Tue Sep 16 13:58:10 2003
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F01E816A4B3
	for <freebsd-hackers@freebsd.org>;
	Tue, 16 Sep 2003 13:58:10 -0700 (PDT)
Received: from smtp4.server.rpi.edu (smtp4.server.rpi.edu [128.113.2.4])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E335143F3F
	for <freebsd-hackers@freebsd.org>;
	Tue, 16 Sep 2003 13:58:09 -0700 (PDT)	(envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47])
	by smtp4.server.rpi.edu (8.12.9/8.12.9) with ESMTP id h8GKw7Zc011529;
	Tue, 16 Sep 2003 16:58:08 -0400
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id: <p0521060ebb8d285d36eb@[128.113.24.47]>
In-Reply-To: <20030916102356.A11571@lava.net>
References: <20030916102356.A11571@lava.net>
Date: Tue, 16 Sep 2003 16:58:06 -0400
To: Clifton Royston <cliftonr@lava.net>, freebsd-hackers@freebsd.org
From: Garance A Drosihn <drosih@rpi.edu>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Scanned-By: CanIt (www . canit . ca)
Subject: Re: Any workarounds for Verisign .com/.net highjacking?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Sep 2003 20:58:11 -0000

At 10:23 AM -1000 9/16/03, Clifton Royston wrote:
>   In the meantime I'm trying to figure out if there's some
>simple hack to disregard these wildcard A records, short of
>requesting zone transfers of the root nameservers (e.g. via
>peering with f.root-servers.net) and purging those records
>out of the zone before loading it.
>
>Any ideas, either under djbdns or Bind 9?

The story at
http://daily.daemonnews.org/view_story.php3?story_id=4068

notes that there is a patch for dnscache at:
http://tinydns.org/djbdns-1.05-ignoreip.patch

someone also posted a likely update for bind 9 to slashdot:
http://slashdot.org/comments.pl?sid=78637&cid=6973033

(also available in a uuencoded version at:
http://slashdot.org/comments.pl?sid=78637&cid=6972991
)

I have no idea of how well either of these work.  Use your
own discretion at applying them.

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu