$Id: patch-bind-9.2.2-dickhead.diff 143 2003-09-27 09:43:25Z sam $
diff -puriN bind9-9.2.2+9.2.3rc1-old/bin/named/config.c bind9-9.2.2+9.2.3rc1/bin/named/config.c
--- bind9-9.2.2+9.2.3rc1-old/bin/named/config.c	2002-03-20 21:32:41.000000000 +0100
+++ bind9-9.2.2+9.2.3rc1/bin/named/config.c	2003-09-19 03:07:49.000000000 +0200
@@ -47,6 +47,7 @@ options {\n\
 	coresize default;\n\
 	datasize default;\n\
 	deallocate-on-exit true;\n\
+	dickheads {none;};\n\
 #	directory <none>\n\
 	dump-file \"named_dump.db\";\n\
 	fake-iquery no;\n\
diff -puriN bind9-9.2.2+9.2.3rc1-old/bin/named/include/named/server.h bind9-9.2.2+9.2.3rc1/bin/named/include/named/server.h
--- bind9-9.2.2+9.2.3rc1-old/bin/named/include/named/server.h	2001-09-04 21:38:46.000000000 +0200
+++ bind9-9.2.2+9.2.3rc1/bin/named/include/named/server.h	2003-09-19 03:05:38.000000000 +0200
@@ -49,6 +49,7 @@ struct ns_server {
 	isc_quota_t		tcpquota;
 	isc_quota_t		recursionquota;
 	dns_acl_t		*blackholeacl;
+	dns_acl_t		*dickheads;
 
         /*
 	 * Current ACL environment.  This defines the
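Review bot: The new `dickheads` member of `struct ns_server` has no comment, and its name does not say what the ACL is matched against. Going by the query.c hunk in this patch, it is compared with the addresses carried in A records of answers, not with client addresses, which is easy to misread given where the field sits. I would add `/* ACL of answer (A record) addresses that turn a reply into NXDOMAIN */` above the field. The struct definition starts and ends outside this hunk.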
diff -puriN bind9-9.2.2+9.2.3rc1-old/bin/named/query.c bind9-9.2.2+9.2.3rc1/bin/named/query.c
--- bind9-9.2.2+9.2.3rc1-old/bin/named/query.c	2003-05-15 08:30:15.000000000 +0200
+++ bind9-9.2.2+9.2.3rc1/bin/named/query.c	2003-09-19 09:10:47.000000000 +0200
@@ -2586,6 +2586,45 @@ query_find(ns_client_t *client, dns_fetc
 	switch (result) {
 	case ISC_R_SUCCESS:
 		/*
+		 * Check for dickheads.
+		 */
+		if (ns_g_server->dickheads
+		    && dns_rdataset_isassociated(rdataset)
+		    && dns_rdataset_first(rdataset) == ISC_R_SUCCESS) do {
+			char addrtext[ISC_NETADDR_FORMATSIZE];
+			isc_netaddr_t addr;
+			dns_rdata_t rdata;
+			int match = 0;
+
+			/* Only look for A records */
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(rdataset, &rdata);
+			if (rdata.type != dns_rdatatype_a)
+				continue;
+
+			/* Did this A record return a dickhead's IP? */
+			rdata_tonetaddr(&rdata, &addr);
+			if (dns_acl_match(&addr, NULL, ns_g_server->dickheads,
+			     &ns_g_server->aclenv, &match, NULL)
+			    != ISC_R_SUCCESS || match == 0)
+				continue;
+
+			/* Dickhead found! Return NXDOMAIN */
+			isc_netaddr_format(&addr, addrtext, sizeof(addrtext));
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
+				      "refused dickhead answer '%s'",
+				      addrtext);
+			authoritative = ISC_FALSE;
+			client->message->rcode = dns_rcode_nxdomain;
+			query_keepname(client, fname, dbuf);
+			dns_message_addname(client->message, fname,
+					    DNS_SECTION_AUTHORITY);
+			fname = NULL;
+			goto cleanup;
+		} while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
+
+		/*
 		 * This case is handled in the main line below.
 		 */
 		break;
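Review bot: An error from `dns_acl_match()` is folded into the no-match branch (`!= ISC_R_SUCCESS || match == 0`, then `continue`), so the filter fails open without leaving any trace. A successful rewrite is only logged at `ISC_LOG_DEBUG(3)`, and the message carries the address but not the queried name. For a control that turns answers into NXDOMAIN, operators need both cases at normal log levels: log the rewrite at `ISC_LOG_INFO` with the query name, and log the ACL error separately before continuing. The check runs for every `ISC_R_SUCCESS` result in `query_find()`, whose body starts and ends outside this hunk, so please confirm that authoritative and DNSSEC-signed answers are meant to be rewritten as well. Only `dns_rdatatype_a` is inspected, so AAAA answers pass unfiltered.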
diff -puriN bind9-9.2.2+9.2.3rc1-old/bin/named/server.c bind9-9.2.2+9.2.3rc1/bin/named/server.c
--- bind9-9.2.2+9.2.3rc1-old/bin/named/server.c	2003-07-25 05:31:41.000000000 +0200
+++ bind9-9.2.2+9.2.3rc1/bin/named/server.c	2003-09-19 03:05:11.000000000 +0200
@@ -1738,6 +1738,9 @@ load_configuration(const char *filename,
 		dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
 					     server->blackholeacl);
 
+	CHECK(configure_view_acl(NULL, config, "dickheads", &aclconfctx,
+				 ns_g_mctx, &server->dickheads));
+
 	obj = NULL;
 	result = ns_config_get(maps, "match-mapped-addresses", &obj);
 	INSIST(result == ISC_R_SUCCESS);
@@ -2293,6 +2296,9 @@ shutdown_server(isc_task_t *task, isc_ev
 	if (server->blackholeacl != NULL)
 		dns_acl_detach(&server->blackholeacl);
 
+	if (server->dickheads != NULL)
+		dns_acl_detach(&server->dickheads);
+
 	isc_task_endexclusive(server->task);
 
 	isc_task_detach(&server->task);
@@ -2329,6 +2335,7 @@ ns_server_create(isc_mem_t *mctx, ns_ser
 	ISC_LIST_INIT(server->viewlist);
 	server->in_roothints = NULL;
 	server->blackholeacl = NULL;
+	server->dickheads = NULL;
 
 	CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
 				     &server->in_roothints),
diff -puriN bind9-9.2.2+9.2.3rc1-old/lib/isccfg/parser.c bind9-9.2.2+9.2.3rc1/lib/isccfg/parser.c
--- bind9-9.2.2+9.2.3rc1-old/lib/isccfg/parser.c	2003-07-23 08:57:55.000000000 +0200
+++ bind9-9.2.2+9.2.3rc1/lib/isccfg/parser.c	2003-09-19 03:03:45.000000000 +0200
@@ -920,6 +920,7 @@ zone_clauses[] = {
 	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
 	{ "also-notify", &cfg_type_portiplist, 0 },
 	{ "dialup", &cfg_type_dialuptype, 0 },
+	{ "dickheads", &cfg_type_bracketed_aml, 0 },
 	{ "forward", &cfg_type_forwardtype, 0 },
 	{ "forwarders", &cfg_type_portiplist, 0 },
 	{ "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
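Review bot: `dickheads` is registered in `zone_clauses[]`, but the only consumer visible in this patch is the single global `server->dickheads`. `load_configuration()` fills it with `configure_view_acl(NULL, config, "dickheads", ...)` and `query_find()` reads it through `ns_g_server`. If this table feeds zone or view statements, as its name suggests, a `dickheads` list written there parses cleanly and is then never applied, leaving the operator to believe the filter is active. I would register the clause in the options-only clause table instead (presumably where `blackhole` is declared), or add a per-view/per-zone lookup to match. The array definition starts and ends outside this hunk.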
