Bind 8.4.1 patch for blocking Verisign's new wildcard DNS record

Clayton Braun vvarm at hotmail.com
Wed Sep 17 10:18:04 UTC 2003


Here's another version of the patch that returns NXDOMAIN.  This
should be applied to version 8.4.1.

--- ns_resp.c.orig      Wed Sep 17 03:15:10 2003
+++ ns_resp.c   Wed Sep 17 04:54:45 2003
@@ -308,6 +308,7 @@
        DST_KEY *key;
        int expect_cname;
        int pass = 0;
+       int wasCaught = 0;

        nameserIncr(from, nssRcvdR);
        nsp[0] = NULL;
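Review bot: naming style; the declarations just above (`expect_cname`, `pass`) follow BIND's lower-case-with-underscores convention, so `wasCaught` reads as foreign here and `was_caught` would match. This flag is only set in the answer-section hunk and only read in the NXDOMAIN hunk, so the three hunks have to go in together; a note to that effect in the patch description would help anyone applying it by hand.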
@@ -971,6 +972,17 @@
 */
                if (i < ancount) {
                        /* Answer section. */
+
+                       /* Beginning of anti-Verisign catch */
+                       char catchIp[] = { 64, 94, 110, 11 };
+                       if (type == ns_t_a && memcmp(dp->d_data,
catchIp, 4) == 0)
+                       {
+                               db_detach(&dp);
+                               wasCaught = 1;
+                               break;
+                       }
+                       /* End of anti-Verisign catch - Golgi Group */
+
                        /*
                         * Check for attempts to overflow the buffer
in
                         * getnameanswer.
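Review bot: the `break` after `db_detach(&dp)` leaves the RR loop on the first matching A record, so every record after it in the answer, authority and additional sections is discarded rather than processed; `continue` (as in Church's version quoted below) keeps the rest of the message intact. The match is on rdata alone (`type == ns_t_a && memcmp(dp->d_data, catchIp, 4) == 0`) with no check of the owner name, so a legitimately registered host that genuinely resolves to 64.94.110.11 is answered NXDOMAIN too; restricting the check to names under the affected TLDs would limit that. The address belongs in named.conf rather than a `char catchIp[]` literal, as Church's note already says, and `const unsigned char` is the better type for raw rdata bytes.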
@@ -1210,6 +1222,12 @@
                return;
        }

+       if(wasCaught == 1)
+       {
+               hp->rcode = NXDOMAIN;
+               goto return_msg;
+       }
+
        /*
         * We might want to cache this negative answer.
         *
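Review bot: only `hp->rcode` is set before `goto return_msg`, so the reply goes out with its original header counts and whatever was left in the answer section after the detach; confirm that `return_msg` rewrites those counts (or zero `hp->ancount` here) so the client does not receive NXDOMAIN alongside a non-zero answer count. NXDOMAIN also tells the client that the name has no records of any type, while the code only knows that one A record matched; a NODATA reply (rcode 0, empty answer) would be the narrower claim. Style: `if(wasCaught == 1)` lacks the space after `if` used elsewhere in the file, and the brace on its own line differs from the `if (i < ancount) {` form above.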


Good luck,
Clay

gnews at stereo.lu (Guillaume Rischard) wrote in message news:<bk7hdt$1m8q$1 at sf1.isc.org>...
> Hello,
> 
> Andrew Church has published an untested patch at 
> http://achurch.org/bind-verisign-patch.html . Here is what he writes:
> 
> > BIND 8 patch for Verisign stupidity
> > 
> > This page provides a patch to BIND 8 to ignore the wildcard A record
> > Verisign is now returning for unregistered .com/.net domains.  It was
> > cooked up over 10 minutes of pure anger and has not been properly
> > tested; it would be better to be able to specify which IPs to ignore in
> > the configuration file.  Suggestions or improved patches are very
> > much welcomed.  
> > 
> > This patch was made against BIND 8.4.1.
> 
> Here is the actual patch:
> 
> ---cut here---
> 
> --- src/bin/named/ns_resp.c.old	2003-05-30 20:52:14 +0900
> +++ src/bin/named/ns_resp.c	2003-09-16 12:09:30 +0900
> @@ -971,6 +971,15 @@
>  */
>  		if (i < ancount) {
>  			/* Answer section. */
> +			/* HACK to kill Verisign stupidity
> +			 *   --achurch at achurch.org */
> +			char IP_TO_KILL[] = {64,94,110,11};
> +			if (type == ns_t_a
> +			 && memcmp(dp->d_data, IP_TO_KILL, 4) == 0
> +			) {
> +				validanswer = 0;
> +				continue;
> +			}
>  			/*
>  			 * Check for attempts to overflow the buffer in
>  			 * getnameanswer.
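Review bot: `continue` skips the rest of the per-record processing without releasing `dp`, whose rdata was just read through `dp->d_data`, whereas the version at the top of this message calls `db_detach(&dp)` before leaving the loop; check whether this path leaks the databuf. The same two limits apply as there: the match is on rdata only, with no owner-name check, so any host that genuinely resolves to 64.94.110.11 is dropped as well, and the address is hard-coded in `char IP_TO_KILL[]` rather than read from the configuration, which the author's own note above lists as the wanted improvement.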
> 
> ---cut here---
> 
> Cheers,
> 
> Guillaume
> 
> "Christopher X. Candreva" <chris at westnet.com> wrote in message news:<bk5ek8$2vuh$1 at sf1.isc.org>...
> > Verisign is now returning a wildcard record for any unregistered .net
> > domain, with .com soon to follow.  This is to redirect all such requests to
> > their own search site.
> > 
> > Now, the IP they are returning currently is 64.94.110.11. It just occurred
> > to me, is it possible to configure bind such that any lookup that returns
> that IP returns Host not found instead?
> > 
> If Verisign is determined to break DNS, perhaps we can break it back?
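The filter the thread is after, written out as an added Python example rather than anything from the patches above: a resolver-side response filter with a configurable blocklist (the improvement Church asks for), which acts only when every A record in the answer matches, and lets you choose between the NXDOMAIN the patch returns and a NODATA reply. The blocklist, the `nosuchname.example.` query and the wire-format responses are constructed for the example.

```python
import struct

NXDOMAIN = 3  # rcode value set by the patch above
# Constructed policy: IPs whose A records are treated as the registry wildcard.
# A configurable set, as Church's note asks for, instead of a hard-coded array.
BLOCKED_A_RDATA = {bytes([64, 94, 110, 11])}

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def filter_response(msg, blocked=BLOCKED_A_RDATA, as_nxdomain=True):
    """If every A record in the answer section hits `blocked`, drop all RR
    sections (so no compression pointer dangles) and set rcode to NXDOMAIN,
    or leave it 0 for a NODATA reply.  A mixed answer that also carries a
    legitimate A record passes through unchanged.  Returns (message, caught)."""
    ident, flags, qd, an, ns, ar = struct.unpack('!6H', msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype and qclass
    question_end = off
    a_total = a_blocked = 0
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1:  # A record
            a_total += 1
            a_blocked += rdlen == 4 and rdata in blocked
    if a_total == 0 or a_blocked != a_total:
        return msg, False
    flags = (flags & 0xFFF0) | (NXDOMAIN if as_nxdomain else 0)
    return struct.pack('!6H', ident, flags, qd, 0, 0, 0) + msg[12:question_end], True

def build_response(name, ips, ident=0x1234):
    """Constructed test input: a response with one A record per IP in `ips`."""
    labels = name.rstrip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'
    rrs = b''.join(b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 900, 4)
                   + bytes(int(o) for o in ip.split('.')) for ip in ips)
    return struct.pack('!6H', ident, 0x8180, 1, len(ips), 0, 0) + qname + struct.pack('!HH', 1, 1) + rrs
```

A real deployment would also key the blocklist on the zone the name falls under, since matching on the address alone drops any host that genuinely resolves to it.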

