Bug 28984 - djbdns patch to block Verisign's sitefinder fiasco - return NXDOMAIN when an address resolves to certain IPs.
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: High enhancement
Assignee: Jared H. Hudson (RETIRED)
Reported: 2003-09-17 07:41 UTC by Dave Love
Modified: 2003-10-24 10:59 UTC


Attachments
Ebuild including ipignore patch (djbdns-1.05-r9.ebuild, 2.05 KB, text/plain) - 2003-09-17 07:44 UTC, Dave Love
ignore ip patch (djbdns-1.05-ignoreip2.patch, 3.66 KB, patch) - 2003-09-17 07:46 UTC, Dave Love
Documentation file for setting up dnscache/root/ignoreip (IGNOREIP2, 1.42 KB, text/plain) - 2003-09-17 07:47 UTC, Dave Love
revised ebuild to download & install patch (djbdns-1.05-r9.ebuild, 2.03 KB, text/plain) - 2003-09-17 10:37 UTC, Scott Alfter

Description Dave Love 2003-09-17 07:41:32 UTC
Verisign recently added wildcard A records for the .com and .net domains, so
lookups of invalid domains no longer fail.  This is playing havoc with my spam
blocking software, among other things.  

This patch adds a new control file listing (dnscache/root/ignoreip).  Any query
that returns an A record to an ip listed in this file will be treated as failure.

This patch isn't perfect as it relies on blocking particular IPs. I prefer
Bind's implementation of delegation-only domains, but I'm not familiar enough
with djbdns's code to implement it right now.


Reproducible: Always
Steps to Reproduce:
1. Try and connect to a non-existent site in the .net domain (www.asdfasfdafdas.net)

Actual Results:  
You'll end up at Verisign's sitefinder website, which offers you the chance to
buy the domain.

Expected Results:  
The query will fail, as it always has in the past.
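The rule the description proposes (any answer carrying an A record for an address listed in dnscache/root/ignoreip is treated as a failure and returned as NXDOMAIN), shown as an added example that is not the attached patch or djbdns code. It is a small Python filter that parses a DNS response on the wire, collects the A records from the answer section, and, on a hit, rewrites the header RCODE to 3 and strips everything after the question section. The ignoreip file format (one IPv4 address per line, `#` comments) and the listed addresses are assumptions; the response packets are constructed inline so the example runs offline.

```python
import ipaddress
import struct

# Constructed ignore list in the format assumed here for dnscache/root/ignoreip:
# one IPv4 address per line, '#' starts a comment. The addresses are
# documentation-range placeholders, not the real sitefinder addresses.
IGNOREIP_TEXT = """
# constructed entries
192.0.2.1
198.51.100.7
"""

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NXDOMAIN = 3


def load_ignoreip(text):
    """Parse the ignore list into a set of normalised dotted-quad strings."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ips.add(str(ipaddress.IPv4Address(line)))
    return ips


def _skip_name(pkt, off):
    """Return the offset just past a DNS name, honouring RFC 1035 compression."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _question_end(pkt, qdcount):
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # QNAME, then QTYPE + QCLASS
    return off


def answer_a_records(pkt):
    """Dotted-quad strings for every IN A record in the answer section."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _ident, _flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = _question_end(pkt, qd)
    records = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            records.append(str(ipaddress.IPv4Address(rdata)))
    return records


def rcode(pkt):
    """Response code from the header flags (3 == NXDOMAIN)."""
    return struct.unpack("!H", pkt[2:4])[0] & 0x000F


def filter_response(pkt, ignore):
    """Apply the ignoreip rule. If any answer A record points at an ignored
    address, return a copy rewritten as NXDOMAIN with only the question kept.
    Returns (packet, matching_ips); an untouched packet has an empty list."""
    hits = [ip for ip in answer_a_records(pkt) if ip in ignore]
    if not hits:
        return pkt, []
    ident, flags, qd = struct.unpack("!3H", pkt[:6])
    flags = (flags & ~0x000F) | RCODE_NXDOMAIN
    header = struct.pack("!6H", ident, flags, qd, 0, 0, 0)
    return header + pkt[12:_question_end(pkt, qd)], hits


def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, ips, ident=0x1234):
    """Constructed successful A response (QR, RD, RA set), one answer per IP."""
    header = struct.pack("!6H", ident, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


if __name__ == "__main__":
    ignore = load_ignoreip(IGNOREIP_TEXT)
    for name, ips in (("www.asdfasfdafdas.net", ["192.0.2.1"]),
                      ("www.example.com", ["203.0.113.9"])):
        out, hits = filter_response(build_response(name, ips), ignore)
        print(name, "blocked:", hits, "rcode:", rcode(out), "answers:", answer_a_records(out))
```

The filter keys only on the answer addresses, which is exactly the weakness the reporter notes: a legitimate name that happens to resolve to a listed address is suppressed too, and the list has to be kept current by hand (or by a script such as the one mentioned later in this bug), whereas BIND's delegation-only approach judges the response by where the answer came from rather than by what it contains.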
Comment 1 Dave Love 2003-09-17 07:44:47 UTC
Created attachment 17890 [details]
Ebuild including ipignore patch

The ipignore patch must come before the fwdzone patch or it won't apply.
Comment 2 Dave Love 2003-09-17 07:46:20 UTC
Created attachment 17891 [details, diff]
ignore ip patch

Patch which adds the ability to ignore A records resolving to a given list of
IPs
Comment 3 Dave Love 2003-09-17 07:47:03 UTC
Created attachment 17892 [details]
Documentation file for setting up dnscache/root/ignoreip
Comment 4 Scott Alfter 2003-09-17 10:37:48 UTC
Created attachment 17896 [details]
revised ebuild to download & install patch
Comment 5 Frank Zschockelt 2003-09-19 09:30:00 UTC
fefe has updated his ipv6 patch for djbdns, too.
It comes now with an IPv6 version of Russ Nelson's Verisign civil disobedience patch.

-> http://fefe.de/
Comment 6 Frank Zschockelt 2003-09-19 09:32:14 UTC
fefe has updated his ipv6 patch for djbdns, too.
It comes now with an IPv6 version of Russ Nelson's Verisign civil disobedience patch.

-> http://fefe.de/
Comment 7 Arcady Genkin (RETIRED) gentoo-dev 2003-09-19 12:47:40 UTC
When we update the ebuild, it may also be useful to include J.P. Larocque's script that (allegedly, I haven't tried it yet) dynamically builds a list of IP addresses that need to be ignored.  There is a link to the script from the instructions in the patch itself, but, in case it saves someone some time, here is a copy-and-paste job:

    J.P. Larocque contributes a script which updates root/ignoreip:
    http://ely.ath.cx/~piranha/software/ignoreip-update/ignoreip-update-0.1
Comment 8 Jared H. Hudson (RETIRED) gentoo-dev 2003-10-24 10:59:55 UTC
Seems like this isn't needed now that verisign changed.