Bind 8.4.1 patch for blocking Verisign's new wildcard DNS record

Guillaume Rischard gnews at stereo.lu
Tue Sep 16 08:56:16 UTC 2003


Hello,

Andrew Church has published an untested patch at 
http://achurch.org/bind-verisign-patch.html . Here is what he writes:

> BIND 8 patch for Verisign stupidity
> 
> This page provides a patch to BIND 8 to ignore the wildcard A record
> Verisign is now returning for unregistered .com/.net domains.  It was
> cooked up over 10 minutes of pure anger and has not been properly
> tested; it would be better to be able to specify which IPs to ignore in
> the configuration file.  Suggestions or improved patches are very
> much welcomed.  
> 
> This patch was made against BIND 8.4.1.

Here is the actual patch:

---cut here---

--- src/bin/named/ns_resp.c.old	2003-05-30 20:52:14 +0900
+++ src/bin/named/ns_resp.c	2003-09-16 12:09:30 +0900
@@ -971,6 +971,15 @@
 */
 		if (i < ancount) {
 			/* Answer section. */
+			/* HACK to kill Verisign stupidity
+			 *   --achurch at achurch.org */
+			char IP_TO_KILL[] = {64,94,110,11};
+			if (type == ns_t_a
+			 && memcmp(dp->d_data, IP_TO_KILL, 4) == 0
+			) {
+				validanswer = 0;
+				continue;
+			}
 			/*
 			 * Check for attempts to overflow the buffer in
 			 * getnameanswer.

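Review bot: `validanswer = 0; continue;` only drops this one record from consideration; it does not make the lookup return "Host not found" as the original question asked, so the response the client ends up with is whatever the rest of ns_resp.c produces for an answer section with no usable record, and whether a later record in the same section can set `validanswer` again is not visible in the hunk. A comment stating the intended client-visible result would help. The `type == ns_t_a` test must be the type of the record being examined rather than the query type, otherwise `memcmp(dp->d_data, IP_TO_KILL, 4)` runs over the first four bytes of CNAME rdata; a length check beside it (A rdata is exactly 4 bytes) would make that explicit. `char IP_TO_KILL[] = {64,94,110,11};` is a mutable array for a constant; `static const unsigned char` fits better, and as the author notes the address list belongs in named.conf so it can change without a rebuild. Also note that any registered name that legitimately resolves to 64.94.110.11 is suppressed the same way.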
---cut here---

Cheers,

Guillaume

"Christopher X. Candreva" <chris at westnet.com> wrote in message news:<bk5ek8$2vuh$1 at sf1.isc.org>...
> Verisign is now returning a wildcard record for any unregistered .net
> domain, with .com soon to follow.  This is to redirect all such requests to
> their own search site.
> 
> Now, the IP they are returning currently is 64.94.110.11. It just occurred
> to me, is it possible to configure bind such that any lookup that returns
> that IP returns Host not found  instead ?
> 
> If Verisign is determined to break DNS, perhaps we can break it back ?

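The filter the thread is after, written out as an added example that is not part of Andrew Church's patch or of BIND itself: a standalone Python function that inspects a raw wire-format DNS response and, when its answer section carries an A record for an address on a configurable block list (64.94.110.11 from the thread, by default), rebuilds it as the NXDOMAIN ("Host not found") response the original question asked for. Responses without such a record pass through untouched. The helper `build_response` and the sample names and addresses are constructed for the example; nothing here is BIND's own code.

```python
"""Turn DNS responses that carry a known wildcard A record into NXDOMAIN.

Added example, not from the thread or from BIND: the thread's patch hacks
BIND 8's answer parser to ignore one hard-coded address. This standalone
filter does the equivalent on a raw wire-format message, with the address
list configurable, and answers NXDOMAIN when the wildcard address appears.
"""
import struct
from ipaddress import IPv4Address

# Addresses whose A records are treated as "this name does not exist".
# 64.94.110.11 is the address named in the thread; the set is the
# configurable form the patch author said would be better than a constant.
WILDCARD_ADDRS = {"64.94.110.11"}

TYPE_A = 1
CLASS_IN = 1
RCODE_NXDOMAIN = 3
FLAG_QR = 0x8000


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                  # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends it
            return off + 2
        off += 1 + length


def answer_rrs(msg):
    """Yield (rtype, rclass, ttl, rdata) for each answer-section record."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # qname, then qtype + qclass
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, ttl, msg[off:off + rdlen]
        off += rdlen


def has_wildcard_answer(msg, kill=WILDCARD_ADDRS):
    """True if any IN A record in the answer section is a blocked address."""
    blocked = {IPv4Address(a) for a in kill}
    return any(
        rtype == TYPE_A and rclass == CLASS_IN and len(rdata) == 4
        and IPv4Address(rdata) in blocked
        for rtype, rclass, _, rdata in answer_rrs(msg)
    )


def filter_response(msg, kill=WILDCARD_ADDRS):
    """Return msg unchanged, or a rebuilt NXDOMAIN response (question section
    only) if it is a response carrying a blocked A record. Rebuilding instead
    of splicing records out avoids dangling compression pointers that records
    in the authority/additional sections might have into the dropped record."""
    ident, flags, qdcount, _, _, _ = struct.unpack("!6H", msg[:12])
    if not flags & FLAG_QR or not has_wildcard_answer(msg, kill):
        return msg
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4
    flags = (flags & ~0x000F) | RCODE_NXDOMAIN
    return struct.pack("!6H", ident, flags, qdcount, 0, 0, 0) + msg[12:off]


def rcode(msg):
    """Response code from the header flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def build_response(name, addrs, ident=0x1234):
    """Constructed sample input: a response to an A query for `name` with one
    A record per address, owner names compressed to the question name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    hdr = struct.pack("!6H", ident, FLAG_QR | 0x0100, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 900, 4)
        + IPv4Address(a).packed
        for a in addrs
    )
    return hdr + question + answers


if __name__ == "__main__":
    wild = build_response("nosuchname-test.net", ["64.94.110.11"])
    print("wildcard answer ->", "NXDOMAIN" if rcode(filter_response(wild)) == 3 else "unchanged")
    real = build_response("registered-test.com", ["192.0.2.1"])
    print("ordinary answer ->", "NXDOMAIN" if rcode(filter_response(real)) == 3 else "unchanged")
```

Like the patch, this hides any registered name that genuinely resolves to a listed address, so the block list should stay short and deliberate. It also only looks at the answer section: a CNAME chain ending at the wildcard address is answered NXDOMAIN for the queried name, which is what the thread wanted but is stricter than what the DNS would say about the CNAME owner itself.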

More information about the bind-users mailing list