RE: [Exim] Verisign pulls a fast one

Top Page
Delete this message
Reply to this message
Author: exim
Date:  
To: exim-users
Subject: RE: [Exim] Verisign pulls a fast one
For a whole bunch of patches/fixes for VeriSign I found this nice site
once google updated ;)
There are 2 1/2 ways to "fix" BIND - in not to nice to nicest... OK.. So
my favourite could actually be not very nice, but it works on my systems
;)

Preference #3
Click later: http://www.imperialviolet.org/dnsfix.html

It has a link to a slashdot article with a patch for BIND 9.2.2 that
fixed the evilness by searching for a hardcoded IP (sitefinder) in the
return message. Unfortunalty this patch has been fuddled by /. so I had
to manually patch it. I've got a "new" working version of this patch
now.
It's code for code straight from the article and credit goes to the
"Anonymous Coward" who posted it ;)

Mirror of patch: http://verisignsux.linuxwan.net/bind-9.2.2-patch1

Preference #2 - pretty much debian only (easy to get around).
This option is _much_ better in that it provides an easy way to change
the ditched IP's in the form of a normal BIND acl. This site what linked
off the above slashdot article but the owner had restricted access to
those not coming from /. (Not all that hard to get around but I imagine
his server is having a "bad time" now).
For that reason, I'd recommend visiting his site some other day. Thank
you to phirate for this really well written patch.
Click later: http://phirate.exorsus.net/b2/index.php?m=200309#38

Mirror of patch: http://verisignsux.linuxwan.net/bind9.patch

Instructions from site:

1. patch the source tree
2. run "autoreconf" in the root of the source (necessary to rebuild
configure, there are ways around it if you don't have autoreconf
installed but the easiest solution is to install it (package autoconf
for debian users))
3. ./configure with at least --enable-nx-hack (plus your normal stuff)
4. add a line in your bind options config like so:

nx-hack { 64.94.110.11; };

You can add additional IP addresses in the normal ACL form as you see
fit, or change the current one if Verisign attempts to dodge it or
whatever.

Preference #1
I'm a slackware user so a debian package patch was a little annoying. I
also don't know have m4 installed on my systems which means that
autoreconf will not work. Anyway, I hacked the hack patch (I'm sorry).
It now patches the virgin source of bind-9.2.2 with only a few
differences to the above install.

Phriate's patch hacked: http://verisignsux.linuxwan.net/bind9.patch.v2

Instructions:
1. patch

If you have autoreconf and it _works_ just use it and skip the following
and use the instructions above.

If autoreconf doesn't love you, you will have to set a -D define on
either ./configure or make. Just depends if you know if your BIND config
uses the variable STD_CDEFINES. If it doesn't stick it in ./configure,
if you don't know, stick it in make once you know.

2. (configure) OK, here's where autoconf shows up how useful it is.
Somehow, -DENABLE_NX_HACK needs to be added to all the Makefiles. This
can be done in a few ways. So long as you know that your normal compile
doesn't use STD_CDEFINES, you can use it on the cmd line -
STD_CDEFINES="-DENABLE_NX_HACK" ./configure <normal ops>

3. (make) The alternative to this is once you have ./configured, go into
the Makefile and find what STD_CDEFINES is set to (inside the top 150
lines of the makefile.. Just search for it). You can then add this value
to the make. eg. make STD_CDEFINES="-DENABLE_NX_HACK <any other fines>"

4. add nx-hack acl type line as #2


Sorry if this is totally the wrong place to put this but this has made
the world sane for me once again ;)

Yeah, no warranty or anything.

Ted.