Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 16 Sep 2003 14:53:04 -0700 (PDT)
From:      John Polstra <jdp@polstra.com>
To:        Dan Langille <dan@langille.org>
Cc:        Clifton Royston <cliftonr@lava.net>
Subject:   Re: Any workarounds for Verisign .com/.net highjacking?
Message-ID:  <XFMail.20030916145304.jdp@polstra.com>
In-Reply-To: <3F673E27.29338.6E87ACC@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 16-Sep-2003 Dan Langille wrote:
> On 16 Sep 2003 at 10:23, Clifton Royston wrote:
> 
>>   In the meantime I'm trying to figure out if there's some simple hack
>> to disregard these wildcard A records, short of requesting zone
>> transfers of the root nameservers (e.g. via peering with
>> f.root-servers.net) and purging those records out of the zone before
>> loading it.  Any ideas, either under djbdns or Bind 9?
> 
> Sorry, only for bind8, as was posted to my local LUG list:
> 
> http://achurch.org/bind-verisign-patch.html

I think the patch will cause named to leak memory, though, unless you
add a call "db_detach(&dp);" somewhere before the continue.  I think
the corrected patch should look like this:

Index: ns_resp.c
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_resp.c,v
retrieving revision 1.1.1.2.2.10
diff -u -r1.1.1.2.2.10 ns_resp.c
--- ns_resp.c   25 Aug 2003 21:07:49 -0000      1.1.1.2.2.10
+++ ns_resp.c   16 Sep 2003 21:37:56 -0000
@@ -955,6 +955,16 @@
                type = dp->d_type;
                if (i < ancount) {
                        /* Answer section. */
+                       /* HACK to kill Verisign stupidity
+                        *   --achurch@achurch.org
+                        *   see http://www.imperialviolet.org/dnsfix.html */
+                       static char IP_TO_KILL[] = {64,94,110,11};
+                       if (type == ns_t_a &&
+                           memcmp(dp->d_data, IP_TO_KILL, 4) == 0) {
+                               db_detach(&dp);
+                               validanswer = 0;
+                               continue;
+                       }
                        /*
                         * Check for attempts to overflow the buffer in
                         * getnameanswer.


That's just from looking at the nearby code.  I haven't tested it
extensively.

I have notified the original author of the patch about this.

John

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.20030916145304.jdp>