Any workarounds for Verisign .com/.net highjacking?
John Polstra
jdp at polstra.com
Tue Sep 16 14:53:08 PDT 2003
On 16-Sep-2003 Dan Langille wrote:
> On 16 Sep 2003 at 10:23, Clifton Royston wrote:
>
>> In the meantime I'm trying to figure out if there's some simple hack
>> to disregard these wildcard A records, short of requesting zone
>> transfers of the root nameservers (e.g. via peering with
>> f.root-servers.net) and purging those records out of the zone before
>> loading it. Any ideas, either under djbdns or Bind 9?
>
> Sorry, only for bind8, as was posted to my local LUG list:
>
> http://achurch.org/bind-verisign-patch.html
I think the patch will cause named to leak memory, though, unless you
add a call "db_detach(&dp);" somewhere before the continue. I think
the corrected patch should look like this:
Index: ns_resp.c
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_resp.c,v
retrieving revision 1.1.1.2.2.10
diff -u -r1.1.1.2.2.10 ns_resp.c
--- ns_resp.c 25 Aug 2003 21:07:49 -0000 1.1.1.2.2.10
+++ ns_resp.c 16 Sep 2003 21:37:56 -0000
@@ -955,6 +955,16 @@
type = dp->d_type;
if (i < ancount) {
/* Answer section. */
+ /* HACK to kill Verisign stupidity
+ * --achurch at achurch.org
+ * see http://www.imperialviolet.org/dnsfix.html */
+ static char IP_TO_KILL[] = {64,94,110,11};
+ if (type == ns_t_a &&
+ memcmp(dp->d_data, IP_TO_KILL, 4) == 0) {
+ db_detach(&dp);
+ validanswer = 0;
+ continue;
+ }
/*
* Check for attempts to overflow the buffer in
* getnameanswer.
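Review bot: the filter keys on one hard-coded address (`static char IP_TO_KILL[] = {64,94,110,11};`), so if the wildcard target ever changes the check silently stops matching, and any name that legitimately resolves to that address has its A record discarded as well; reading the address list from named's configuration instead of a compiled-in constant would make both cases visible and tunable. The added `db_detach(&dp);` before `continue` is what keeps the early exit from leaking the databuf that the surrounding loop otherwise releases on its normal path. It would also help operators to log (at debug level, with the queried name) each time this branch fires, since the suppressed answer otherwise leaves no trace.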
That's just from looking at the nearby code. I haven't tested it
extensively.
I have notified the original author of the patch about this.
John