diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr --- a/libexec/rc/rc.subr +++ b/libexec/rc/rc.subr @@ -65,6 +65,42 @@ # functions # --------- +# _rc_verify file +# if VERIEXEC is active check that $file is verified +# +VERIEXEC="/sbin/veriexec" +if test -s $VERIEXEC && $VERIEXEC -i active > /dev/null 2>&1; then +_rc_verify() { $VERIEXEC -x $1; } +else +_rc_verify() { : ; } +fi + +# indicate that we have vdot +_VDOT_SH=: + +# convenience function - skip if not verified +vdot() +{ + if test -s $1; then + if _rc_verify $1 > /dev/null 2>&1; then + . $1 + else + return 80 # EAUTH + fi + fi +} + +# for unverified files +dot() +{ + if test -s $1; then + . $1 + fi +} + +# allow for local additions for rc.subr +vdot /etc/rc.subr.local + # list_vars pattern # List variables matching glob pattern. # @@ -1426,6 +1462,13 @@ required_vars eval unset ${_arg}_cmd ${_arg}_precmd ${_arg}_postcmd + case "$_file" in + *local*.d/*) ;; # allow it + *) # don't use it if we don't trust it + _rc_verify $_file || return + ;; + esac + rc_service="$_file" case "$_file" in /etc/rc.d/*.sh) # no longer allowed in the base @@ -1479,19 +1522,24 @@ # load_rc_config() { - local _name _rcvar_val _var _defval _v _msg _new _d + local _name _rcvar_val _var _defval _v _msg _new _d _dot _name=$1 + _dot=dot + + case "$1" in + -v) _dot=vdot _name=$2; shift;; + esac if ${_rc_conf_loaded:-false}; then : else if [ -r /etc/defaults/rc.conf ]; then debug "Sourcing /etc/defaults/rc.conf" - . /etc/defaults/rc.conf + $_dot /etc/defaults/rc.conf source_rc_confs elif [ -r /etc/rc.conf ]; then debug "Sourcing /etc/rc.conf (/etc/defaults/rc.conf doesn't exist)." - . /etc/rc.conf + $_dot /etc/rc.conf fi _rc_conf_loaded=true fi 
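Review bot: A failed verification in `vdot()` is invisible: the output of `_rc_verify` goes to `/dev/null` and the only signal is `return 80`, which the call sites in this patch never check (`vdot /etc/rc.subr.local` here, and the `$_dot ...` calls in `load_rc_config` in the later hunks). A file that fails veriexec is a security-relevant event an operator should be able to see, so I would emit a message before returning, e.g. `echo "vdot: $1 failed verification, not sourced" >&2` ahead of `return 80 # EAUTH`. `_rc_verify` also becomes a no-op whenever `$VERIEXEC` is missing or empty or `-i active` fails, so the helper fails open by design. A comment on the `else` branch such as `# no veriexec, or not active: every file is treated as verified` would make that explicit.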
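Review bot: The exemption pattern `*local*.d/*` is an unanchored substring match, so any path that contains `local` followed somewhere by `.d/` skips `_rc_verify`, not only scripts under the local startup directories. If the intent is to exempt those directories, anchor the pattern to them, for example `/usr/local/etc/rc.d/*) ;; # allow it`, or derive the list from the configured local startup directories, which are not visible in this hunk. The bare `|| return` leaves no trace of why a script was skipped, and `$_file` should be quoted: `_rc_verify "$_file" || return`. The enclosing function starts and ends outside the hunk.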
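Review bot: `_rc_conf_loaded` does not record how the global files were loaded, so a `load_rc_config -v name` call that follows an earlier call without `-v` skips this block and runs with values that were sourced through plain `dot`. A separate flag for the verified path would close that gap, e.g. testing a new variable such as `${_rc_conf_loaded_verified:-false}` when `_dot=vdot` and setting it only after the `vdot` calls succeed. `_rc_conf_loaded=true` is also set when `$_dot` returned 80. `source_rc_confs` is not touched by this patch, so whether the files it reads go through `$_dot` cannot be seen from here. The function body continues past the end of the hunk.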
@@ -1503,13 +1551,13 @@ _d=${_d%/rc.d} if [ -f ${_d}/rc.conf.d/"$_name" ]; then debug "Sourcing ${_d}/rc.conf.d/$_name" - . ${_d}/rc.conf.d/"$_name" + $_dot ${_d}/rc.conf.d/"$_name" elif [ -d ${_d}/rc.conf.d/"$_name" ] ; then local _rc for _rc in ${_d}/rc.conf.d/"$_name"/* ; do if [ -f "$_rc" ] ; then debug "Sourcing $_rc" - . "$_rc" + $_dot "$_rc" fi done fi
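Review bot: `${_d}` is left unquoted in `$_dot ${_d}/rc.conf.d/"$_name"`, and the `vdot`/`dot` helpers from the first hunk expand `$1` unquoted in `test -s $1`, `_rc_verify $1` and `. $1`, so the path that gets verified and sourced is subject to word splitting and globbing. Quote the whole argument, `$_dot "${_d}/rc.conf.d/$_name"`, and use `"$1"` inside the helpers, so that exactly the named file is checked and then sourced. The enclosing function starts outside the hunk.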