From owner-freebsd-hackers@FreeBSD.ORG  Tue Sep 16 14:53:08 2003
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7AC3016A4B3
	for <freebsd-hackers@freebsd.org>;
	Tue, 16 Sep 2003 14:53:08 -0700 (PDT)
Received: from blake.polstra.com (mail.polstra.com [206.213.73.132])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 085D343FBD
	for <freebsd-hackers@freebsd.org>;
	Tue, 16 Sep 2003 14:53:07 -0700 (PDT)	(envelope-from jdp@polstra.com)
Received: from strings.polstra.com (strings.polstra.com [206.213.73.20])
	by blake.polstra.com (8.12.9/8.12.9) with ESMTP id h8GLr4Zj068132;
	Tue, 16 Sep 2003 14:53:04 -0700 (PDT)
	(envelope-from jdp@polstra.com)
Message-ID: <XFMail.20030916145304.jdp@polstra.com>
X-Mailer: XFMail 1.5.4 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <3F673E27.29338.6E87ACC@localhost>
Date: Tue, 16 Sep 2003 14:53:04 -0700 (PDT)
From: John Polstra <jdp@polstra.com>
To: Dan Langille <dan@langille.org>
X-Bogosity: No, tests=bogofilter, spamicity=0.495708, version=0.14.5
cc: freebsd-hackers@freebsd.org
cc: Clifton Royston <cliftonr@lava.net>
Subject: Re: Any workarounds for Verisign .com/.net highjacking?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Sep 2003 21:53:08 -0000

On 16-Sep-2003 Dan Langille wrote:
> On 16 Sep 2003 at 10:23, Clifton Royston wrote:
> 
>>   In the meantime I'm trying to figure out if there's some simple hack
>> to disregard these wildcard A records, short of requesting zone
>> transfers of the root nameservers (e.g. via peering with
>> f.root-servers.net) and purging those records out of the zone before
>> loading it.  Any ideas, either under djbdns or Bind 9?
> 
> Sorry, only for bind8, as was posted to my local LUG list:
> 
> http://achurch.org/bind-verisign-patch.html

I think the patch will cause named to leak memory, though, unless you
add a call "db_detach(&dp);" somewhere before the continue.  I think
the corrected patch should look like this:

Index: ns_resp.c
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_resp.c,v
retrieving revision 1.1.1.2.2.10
diff -u -r1.1.1.2.2.10 ns_resp.c
--- ns_resp.c   25 Aug 2003 21:07:49 -0000      1.1.1.2.2.10
+++ ns_resp.c   16 Sep 2003 21:37:56 -0000
@@ -955,6 +955,16 @@
                type = dp->d_type;
                if (i < ancount) {
                        /* Answer section. */
+                       /* HACK to kill Verisign stupidity
+                        *   --achurch@achurch.org
+                        *   see http://www.imperialviolet.org/dnsfix.html */
+                       static char IP_TO_KILL[] = {64,94,110,11};
+                       if (type == ns_t_a &&
+                           memcmp(dp->d_data, IP_TO_KILL, 4) == 0) {
+                               db_detach(&dp);
+                               validanswer = 0;
+                               continue;
+                       }
                        /*
                         * Check for attempts to overflow the buffer in
                         * getnameanswer.


That's just from looking at the nearby code.  I haven't tested it
extensively.

I have notified the original author of the patch about this.

John