diff -c -r -x configure bind9-9.2.2-old/acconfig.h bind9-9.2.2/acconfig.h *** bind9-9.2.2-old/acconfig.h Tue Oct 23 12:28:07 2001 --- bind9-9.2.2/acconfig.h Tue Sep 16 21:51:58 2003 *************** *** 129,131 **** --- 129,134 ---- /* define if you have strerror in the C library. */ #undef HAVE_STRERROR + + /* NX-HACK support */ + #undef ENABLE_NX_HACK Only in bind9-9.2.2/bin/named: .query.c.swo diff -c -r -x configure bind9-9.2.2-old/bin/named/config.c bind9-9.2.2/bin/named/config.c *** bind9-9.2.2-old/bin/named/config.c Thu Mar 21 08:32:41 2002 --- bind9-9.2.2/bin/named/config.c Tue Sep 16 13:30:32 2003 *************** *** 64,69 **** --- 64,74 ---- # pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\ port 53;\n\ " + #ifdef ENABLE_NX_HACK + "\ + # nx-hack {none;};\n\ + " + #endif #ifdef PATH_RANDOMDEV "\ random-device \"" PATH_RANDOMDEV "\";\n\ diff -c -r -x configure bind9-9.2.2-old/bin/named/include/named/server.h bind9-9.2.2/bin/named/include/named/server.h *** bind9-9.2.2-old/bin/named/include/named/server.h Wed Sep 5 07:38:46 2001 --- bind9-9.2.2/bin/named/include/named/server.h Tue Sep 16 13:34:29 2003 *************** *** 49,54 **** --- 49,57 ---- isc_quota_t tcpquota; isc_quota_t recursionquota; dns_acl_t *blackholeacl; + #ifdef ENABLE_NX_HACK + dns_acl_t *nxhackacl; + #endif /* * Current ACL environment. This defines the diff -c -r -x configure bind9-9.2.2-old/bin/named/query.c bind9-9.2.2/bin/named/query.c *** bind9-9.2.2-old/bin/named/query.c Mon Feb 17 20:05:04 2003 --- bind9-9.2.2/bin/named/query.c Wed Sep 17 10:47:38 2003 *************** *** 139,144 **** --- 139,148 ---- static void synth_rev_respond(ns_client_t *client, dns_byaddrevent_t *bevent); + #ifdef ENABLE_NX_HACK + int rdataset_a_matches_acl(dns_rdataset_t *rdataset); + #endif + /* * Increment query statistics counters. 
*/ *************** *** 2344,2349 **** --- 2348,2391 ---- dns_message_setsortorder(client->message, order, order_arg); } + #ifdef ENABLE_NX_HACK + /* Scans the rdata list for an A record that + * matches the nx-hack ACL + */ + int rdataset_a_matches_acl(dns_rdataset_t *rdataset) { + + isc_netaddr_t addr; + dns_rdata_t rdata; + + /* Iterate over rdataset and find "a" type rdata */ + + int result = dns_rdataset_first(rdataset); + for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) { + + dns_rdata_init(&rdata); + dns_rdataset_current(rdataset, &rdata); + + /* Not interested in other types (yet :/) */ + if (rdata.type != dns_rdatatype_a) { continue; } + + /* If we get here we've found an A record */ + int match = 0; + + /* Yay for utility functions! rdata_to_net_addr */ + rdata_tonetaddr(&rdata, &addr); + + if (dns_acl_match(&addr, NULL, ns_g_server->nxhackacl, &ns_g_server->aclenv,&match, NULL) == ISC_R_SUCCESS && match > 0) { + return -1; + } + } + + return 0; + + }; + #endif + + + /* * Do the bulk of query processing for the current query of 'client'. * If 'event' is non-NULL, we are returning from recursion and 'qtype' *************** *** 2570,2579 **** --- 2612,2644 ---- } } + + + resume: CTRACE("query_find: resume"); switch (result) { case ISC_R_SUCCESS: + #ifdef ENABLE_NX_HACK + + /* If it matches the ACL, we set nxdomain, keep the + * name but ignore the rdataset (thus leaving the retrieved + * A record out of the resultset), rdataset gets + * cleaned up in cleanup. + */ + + if (ns_g_server->nxhackacl && rdataset_a_matches_acl(rdataset)) { + authoritative = ISC_FALSE; + /* Set to no such domain */ + client->message->rcode = dns_rcode_nxdomain; + query_keepname(client, fname, dbuf); + dns_message_addname(client->message, fname, + DNS_SECTION_AUTHORITY); + fname = NULL; + goto cleanup; + } + #endif + /* * This case is handled in the main line below. */ *************** *** 3164,3169 **** --- 3229,3236 ---- * because it's already in the answer. 
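Review bot: The new prototype gives `rdataset_a_matches_acl` external linkage although it is only defined and called inside query.c, while the neighbouring helper `synth_rev_respond` is `static`; declare it `static int rdataset_a_matches_acl(dns_rdataset_t *rdataset);` here and mark the definition in the 2344 hunk `static` as well. Keeping the declaration under `#ifdef ENABLE_NX_HACK` matches the other hunks, so that part is fine. The `Only in bind9-9.2.2/bin/named: .query.c.swo` entry above this file's header is an editor swap file left in the patched tree and should not ship with the patch.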
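Review bot: The definition of `rdataset_a_matches_acl` ends with `};`, a stray semicolon at file scope that ISO C does not permit, and it places `int result` and `int match` after statements, which the rest of this C89-style file avoids. Every rdata in a dns_rdataset_t shares `rdataset->type`, so one test of that field before the loop replaces the per-rdata `rdata.type` check and lets non-A sets return without being iterated. When nothing matches, the loop leaves the rdataset cursor past its last element; I expect later consumers restart with dns_rdataset_first, but confirm that before relying on it. Only A records are examined, so AAAA or other rdatasets are never filtered — a limitation the code comment admits and that belongs in the documentation of the `nx-hack` option.
```c
static int
rdataset_a_matches_acl(dns_rdataset_t *rdataset) {
	isc_netaddr_t addr;
	dns_rdata_t rdata;
	isc_result_t result;
	int match;

	/* All rdata in a set share one type; skip non-A sets up front. */
	if (rdataset->type != dns_rdatatype_a)
		return (0);

	for (result = dns_rdataset_first(rdataset);
	     result == ISC_R_SUCCESS;
	     result = dns_rdataset_next(rdataset)) {
		dns_rdata_init(&rdata);
		dns_rdataset_current(rdataset, &rdata);
		rdata_tonetaddr(&rdata, &addr);
		match = 0;
		if (dns_acl_match(&addr, NULL, ns_g_server->nxhackacl,
				  &ns_g_server->aclenv, &match, NULL)
		    == ISC_R_SUCCESS && match > 0)
			return (-1);
	}
	return (0);
}
```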
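Review bot: The helper is called in `case ISC_R_SUCCESS:` for every successful lookup, and dns_rdataset_first asserts on an rdataset that is not associated; as far as I can tell from query_find, type ANY lookups reach this case with `rdataset` unassociated, which would make named abort on such a query whenever `nx-hack` is configured, so guard the call with `if (ns_g_server->nxhackacl != NULL && dns_rdataset_isassociated(rdataset) && rdataset->type == dns_rdatatype_a && rdataset_a_matches_acl(rdataset))`. The synthesized NXDOMAIN adds `fname` to the AUTHORITY section with no rdataset attached, so the response carries no SOA; downstream resolvers cannot negatively cache it (RFC 2308) and repeat the query on every lookup, unlike the normal NXDOMAIN path in query_find. If the flag that records whether the answer came from one of this server's own zones is in scope here, gating on it keeps the hack from rewriting authoritative data, and a comment should state that an RRset with several A records is dropped wholesale as soon as one address matches. The comment relies on the `cleanup` label, outside this hunk, to disassociate `rdataset` and `sigrdataset` — confirm it handles both; query_find starts and ends outside the hunk.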
*/ INSIST(rdataset == NULL); + + } addauth: diff -c -r -x configure bind9-9.2.2-old/bin/named/server.c bind9-9.2.2/bin/named/server.c *** bind9-9.2.2-old/bin/named/server.c Tue Feb 18 16:27:58 2003 --- bind9-9.2.2/bin/named/server.c Tue Sep 16 22:42:37 2003 *************** *** 1722,1727 **** --- 1722,1733 ---- dns_dispatchmgr_setblackhole(ns_g_dispatchmgr, server->blackholeacl); + #ifdef ENABLE_NX_HACK + CHECK(configure_view_acl(NULL, config, "nx-hack", &aclconfctx, + ns_g_mctx, &server->nxhackacl)); + #endif + + obj = NULL; result = ns_config_get(maps, "match-mapped-addresses", &obj); INSIST(result == ISC_R_SUCCESS); *************** *** 2269,2274 **** --- 2275,2285 ---- if (server->blackholeacl != NULL) dns_acl_detach(&server->blackholeacl); + #ifdef ENABLE_NX_HACK + if (server->nxhackacl != NULL) + dns_acl_detach(&server->nxhackacl); + #endif + isc_task_endexclusive(server->task); isc_task_detach(&server->task); *************** *** 2305,2310 **** --- 2316,2324 ---- ISC_LIST_INIT(server->viewlist); server->in_roothints = NULL; server->blackholeacl = NULL; + #ifdef ENABLE_NX_HACK + server->nxhackacl = NULL; + #endif CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL, &server->in_roothints), diff -c -r -x configure bind9-9.2.2-old/configure.in bind9-9.2.2/configure.in *** bind9-9.2.2-old/configure.in Mon Feb 17 20:05:01 2003 --- bind9-9.2.2/configure.in Tue Sep 16 22:14:20 2003 *************** *** 929,934 **** --- 929,950 ---- esac # + # Anti-verisign NX domain list hack + # + + AC_ARG_ENABLE(nx_hack, + [ --enable-nx-hack enable nx-hack list [default=no]]) + + case "$enable_nx_hack" in + yes) + AC_DEFINE(ENABLE_NX_HACK) + ;; + no|'') + ;; + esac + + + # # Here begins a very long section to determine the system's networking # capabilities. The order of the tests is signficant. # *************** *** 1583,1588 **** --- 1599,1605 ---- ;; esac + # # The following sections deal with tools used for formatting # the documentation. 
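Review bot: `configure_view_acl(NULL, config, "nx-hack", ...)` reads the option from the global options block only, yet the ACL is consulted in query.c for queries in every view, so the option cannot be set per view; the `nx-hack` documentation should say so. On a reload the call attaches a fresh ACL into `&server->nxhackacl` while the detach added in the 2269 hunk runs only at shutdown, so unless `configure_view_acl` detaches an existing `*aclp` first (its body is outside this diff) each reload leaks the previous ACL — the blackhole ACL above follows the same pattern, so confirm rather than assume. The initialisation to NULL in the 2305 hunk is what makes the `ns_g_server->nxhackacl` test in query.c safe before configuration, which is worth a one-line comment there.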
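Review bot: The `case "$enable_nx_hack"` in the configure.in hunk handles only `yes`, `no` and the empty string, so any other value (a typo such as `--enable-nx-hack=ye`) is accepted silently and the feature stays off; add `*) AC_MSG_ERROR([--enable-nx-hack takes yes or no]) ;;` before `esac`. The help text says `[default=no]`, which matches the `no|'')` branch, so the documented default is correct.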
They are all optional, unless you are diff -c -r -x configure bind9-9.2.2-old/debian/rules bind9-9.2.2/debian/rules *** bind9-9.2.2-old/debian/rules Wed Sep 17 10:01:52 2003 --- bind9-9.2.2/debian/rules Tue Sep 16 22:08:04 2003 *************** *** 22,28 **** --enable-static \ --with-openssl=/usr \ --with-gnu-ld \ ! --enable-ipv6 touch configure-stamp build: configure-stamp build-stamp --- 22,29 ---- --enable-static \ --with-openssl=/usr \ --with-gnu-ld \ ! --enable-ipv6 \ ! --enable-nx-hack=yes touch configure-stamp build: configure-stamp build-stamp diff -c -r -x configure bind9-9.2.2-old/lib/isccfg/parser.c bind9-9.2.2/lib/isccfg/parser.c *** bind9-9.2.2-old/lib/isccfg/parser.c Mon Feb 17 20:05:10 2003 --- bind9-9.2.2/lib/isccfg/parser.c Tue Sep 16 22:43:33 2003 *************** *** 852,857 **** --- 852,860 ---- { "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, { "use-ixfr", &cfg_type_boolean, 0 }, { "version", &cfg_type_qstring, 0 }, + #ifdef ENABLE_NX_HACK + { "nx-hack", &cfg_type_bracketed_aml, 0 }, /* nx-hack option for nx-nosuchdomain'ing domains */ + #endif { NULL, NULL, 0 } };
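Review bot: Passing `--enable-nx-hack=yes` in debian/rules compiles the hack into the package unconditionally, although it stays inert until an `nx-hack` ACL is set in named.conf; that should be stated in the package's changelog or README so operators know the option exists and what it does. The hunk header shows the old debian/rules dated later than the new one, which suggests the diff was taken against a stale copy — worth checking before the patch is applied.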
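Review bot: The `{ "nx-hack", &cfg_type_bracketed_aml, 0 }` entry is appended after `version` although the surrounding context lines (`use-id-pool`, `use-ixfr`, `version`) show the table kept in alphabetical order; insert it at its sorted position instead. Because the entry is under `#ifdef ENABLE_NX_HACK` inside libisccfg, a named.conf that sets `nx-hack` is a parse error on a build without the flag, so the option's documentation should say it is only recognised when BIND was configured with `--enable-nx-hack`. The trailing comment could be shortened to `/* ACL of A-record addresses answered as NXDOMAIN */` so it states what the option holds rather than its effect in slang.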