Yakov Shafranovich writes:
> Just to follow up on this - I just spoke to an engineer at Verisign
> and he informed me that the SMTP daemon is being replaced in a few
> hours with an RFC-compliant one. As for not giving a warning - this
> came from a higher policy level at Verisign and he is just an
Subject: Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To
Us]
At 2:14 PM +0200 9/18/03, Francis Dupont wrote:
>=> IMHO it should reject SMTP connection from the beginning with the
>521 greeting described in RFC 1846...
People are unhappy about VeriSign breaking the rules
On Thu, 18 Sep 2003, Keith Moore wrote:
> this breaks anything that assumes (quite reasonably)
> that query to a nonexistent domain will return NXDOMAIN.
That's an invalid assumption to make. It was not made "quite reasonably",
but rather was made quite irrationally. In many or most cases, it was
On Thu, 18 Sep 2003 09:22:15 -0700
Paul Hoffman / IMC <[EMAIL PROTECTED]> wrote:
> At 2:14 PM +0200 9/18/03, Francis Dupont wrote:
> >=> IMHO it should reject SMTP connection from the beginning with
> >the 521 greeting described in RFC 1846...
>
> People are unhappy about VeriSign breaking the ru
At 2:14 PM +0200 9/18/03, Francis Dupont wrote:
=> IMHO it should reject SMTP connection from the beginning with
the 521 greeting described in RFC 1846...
People are unhappy about VeriSign breaking the rules. But here you
are proposing that they follow an *experimental* RFC whose rules were
not a
In your previous mail you wrote:
People, have you been reading the posts? The stubby SMTP daemon is not
an SMTP server, it is simply a program that returns the following set of
responses TO ANYTHING THAT IS PASSED TO IT.
=> IMHO it should reject SMTP connection from the beginning w
Carl;
> http://www.isc.org/products/BIND/delegation-only.html
As I just posted to DNSOP WG ML (detailed discussion should be done
there), it is not an effective protection against synthesised (from
wildcarded NS, in this case) NS and synthesised (from scratch) child
zone contents.
A protection is t
Paul Vixie <[EMAIL PROTECTED]> writes:
>> By the way, what about .museum?
>
> .museum does not delegate all of its subdomains.
>
> not all tld's are delegation-only.
I know. I have to admit that (as someone who grew up under .de) I
would never have thought of the delegation-only approach. 8-)
lied would have this functionality
>
> Bill
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul
> Vixie
> Sent: Tuesday, September 16, 2003 7:33 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Fwd: [Asrg] Verisign: All Your Misspelling A
EMAIL PROTECTED] On Behalf Of Paul
Vixie
Sent: Tuesday, September 16, 2003 7:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To
Us]
> It is worth noting that if we are to "pass judgement against" Verisign
> there are at least half-
Title: RE: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Those are application layer specific techniques that can be customised (i.e. I have a choice, if only by choosing another product), not a lower layer enforcement where I do not have a choice (or must rely on a `hack
> % Blech.
> %
> % If it's Tuesday, this must be .belgium?
> %
> % A non-starter. *MAYBE* if it were a different RR with different semantics.
>
> This may be exactly what we get w/ a patch from ISC.
> If BIND is officially tweaked so that some zone cuts are
> allowed to exerci
% On Wed, 17 Sep 2003 00:00:14 EDT, Keith Moore said:
%
% > then again, do we really want different ways of reporting errors for
% > different zones in the DNS? would apps then want to special-case
% > certain zones to interpret their results differently than the others?
%
% Blech.
%
% If it'
On Wed, 17 Sep 2003 00:00:14 EDT, Keith Moore said:
> then again, do we really want different ways of reporting errors for
> different zones in the DNS? would apps then want to special-case
> certain zones to interpret their results differently than the others?
Blech.
If it's Tuesday, this mu
interesting point. if we created a new gTLD and announced that it would be
wildcarded from day one, it wouldn't be used in the same way as the other
gTLDs.
then again, do we really want different ways of reporting errors for
different zones in the DNS? would apps then want to special-case
cert
> It is worth noting that if we are to "pass judgement against" Verisign
> there are at least half-dozen other TLDs that blazed the trail. We just
> overlooked them because of their size as compared to .NET and .COM.
when people started beating on my phone ringer about wildcards yesterday
evening
So the question boils down to: Are they owners of .com, or merely
caretakers?
An excellent question! But that is a discussion that belongs with
ICANN, not the IETF.
Nearly my reaction as well. Note, using the concept of "ownership"
has/will get quite some la
> An excellent question! But that is a discussion that belongs with
> ICANN, not the IETF.
>
> Jim
Jim,
that would be true if the ICANN were functioning and this event is just
proof that the ICANN does not function.
the mission of ICANN (my paraphrase) is "Technical Administration of
Internet
On Tue, 16 Sep 2003, Vernon Schryver wrote:
> > From: James M Galvin <[EMAIL PROTECTED]>
>
> > ...
> > Correct me if I'm wrong, the principal disruption -- and I want to
> > emphasize disruption here -- I've seen is that a particular spam
> > indicator no longer works as expected. Is there more
On Tue, 16 Sep 2003 [EMAIL PROTECTED] wrote:
> But what exactly is the "screw" here?
Verisign was (as far as I knew) given *stewardship* of the .com and
.net zones as a public trust. I don't see anywhere they were given
the right to use their stewardship to try to make money sel
> By the way, what about .museum?
.museum does not delegate all of its subdomains.
not all tld's are delegation-only.
--
Paul Vixie
> only the app (not the entire network) needs to know which port to
> use, and this doesn't require that every port be assigned to a
> specific app.
>
> You can't have it both ways. Either the app is so widespread that the
> port in use is at least a de facto standard or it is a "de j
Jim writes:
> Correct me if I'm wrong, the principal disruption -- and I want to
> emphasize disruption here -- I've seen is that a particular spam
> indicator no longer works as expected. Is there more to this than that?
You could make many random DNS requests of a DNS server and flush the cach
On Tue, 16 Sep 2003 15:19:47 EDT, James M Galvin said:
> But what exactly is the "screw" here?
Verisign was (as far as I knew) given *stewardship* of the .com and .net zones
as a public trust. I don't see anywhere they were given the right to use their
stewardship to try to make money selling ty
> From: James M Galvin <[EMAIL PROTECTED]>
> ...
> Correct me if I'm wrong, the principal disruption -- and I want to
> emphasize disruption here -- I've seen is that a particular spam
> indicator no longer works as expected. Is there more to this than that?
> ...
The list I've seen is:
- fail
On Tue, 16 Sep 2003, Keith Moore wrote:
> their mistake is in assuming that they can respond appropriately
> for all ports - particularly when the association of applications
> with known ports is only advisory, and many ports are open for
> arbitrary use.
>
Just to follow up on this - I just spoke to an engineer at Verisign and
he informed me that the SMTP daemon is being replaced in a few hours
with an RFC-compliant one. As for not giving a warning - this came from
a higher policy level at Verisign and he is just an engineer.
Yakov
Yakov Shafran
> their mistake is in assuming that they can respond appropriately
> for all ports - particularly when the association of applications
> with known ports is only advisory, and many ports are open for
> arbitrary use.
>
> Agreed but this is overstating the issue since interoperabili
> IMHO it was irresponsible of them to do this without several months
> advance notice to allow authors of automated systems which depended on
> NXDOMAIN queries to notice this and without a stable documented way to
> reconstitute the NXDOMAIN they're suppressing.
IMHO it would be irresponsible to
-BEGIN PGP SIGNED MESSAGE-
> "Dean" == Dean Anderson <[EMAIL PROTECTED]> writes:
Dean> Is it any worse than IE taking you to msn search when a domain
Dean> doesn't
Dean> resolve? Or worse than Mozilla taking you to Netscape, duplicating a
Dean> Google search, and ope
James M Galvin wrote:
On Tue, 16 Sep 2003, Keith Moore wrote:
verisign is masking the difference between a valid domain and
NXDOMAIN for all protocols, all users, and all software.
If you read the Verisign documentation (which is quite excellent by the
way) on what they did and what they r
On Tue, 16 Sep 2003, Vernon Schryver wrote:
> If AOL and Microsoft don't immediately make releases of IE and Netscape
> that treat 64.94.110.11 the same as they treated an NXDOMAIN (and
Semantically, you'd want to treat 'arbitarynonexistentdomain.com' as
NXDOMAIN if the 'A' record matches the 'A'
On Tue, 16 Sep 2003, Bill Sommerfeld wrote:
IMHO it was irresponsible of them to do this without several months
advance notice to allow authors of automated systems which depended
on NXDOMAIN queries to notice this and without a stable documented
way to reconstitute the NXDOMAIN t
On Tue, 16 Sep 2003, Keith Moore wrote:
their mistake is in assuming that they can respond appropriately for
all ports - particularly when the association of applications with
known ports is only advisory, and many ports are open for arbitrary
use.
Agreed but this is overstating
> From: [EMAIL PROTECTED]
> Out of curiosity, where did Verisign get the right to have the advertising monopoly
> for all the eyeballs they'll attract with this?
What eyeballs? I doubt I'm among the first 1,000,000 people to adjust
junk pop-up or other defenses to treat sitefinder.verisign.com
Valdis writes:
> Out of curiosity, where did Verisign get the right
> to have the advertising monopoly for all the eyeballs
> they'll attract with this?
They didn't.
And there's even a way for individuals to stop it: Type an incorrect
spelling for a famous trademark. When Verisign puts up its
Andrew writes:
> What Verisign has done pre-empts that choice for everyone.
There's a simple way to stop Verisign: Type a domain name corresponding to
a registered trademark (or a near spelling of a registered trademark), for a
domain that isn't registered. When Verisign comes up with its own p
On Tue, 16 Sep 2003 09:24:27 EDT, Keith Moore said:
> verisign is masking the difference between a valid domain and NXDOMAIN for
> all protocols, all users, and all software.
Out of curiosity, where did Verisign get the right to have the advertising monopoly
for all the eyeballs they'll attract w
> If you read the Verisign documentation (which is quite excellent by the
> way) on what they did and what they recommend you will see that they
> thought about this.
I stopped reading the PDF when I saw the "Verisign Proprietary"
labels.
> It is left as an exercise to the reader as to which is m
> verisign is masking the difference between a valid domain and
> NXDOMAIN for all protocols, all users, and all software.
>
> If you read the Verisign documentation (which is quite excellent by the
> way) on what they did and what they recommend you will see that they
> thought about this
On Tue, 16 Sep 2003, Keith Moore wrote:
verisign is masking the difference between a valid domain and
NXDOMAIN for all protocols, all users, and all software.
If you read the Verisign documentation (which is quite excellent by the
way) on what they did and what they recommend you will se
Dean Anderson wrote:
>
> Is it any worse than IE taking you to msn search when a domain doesn't
> resolve?
Look on the bright side - everything now resolves.
cheers,
gja
"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 8:18 AM
Subject: Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To
Us]
> Dean Anderson wrote:
> >Is it any worse than IE taking you to msn search when a domain doesn't
> >r
> Is it any worse than IE taking you to msn search when a domain doesn't
> resolve?
yes. if an app that interfaces to humans masks the difference between an
invalid domain and a valid one, it only affects people who use that particular
app. however for other apps the difference between an inval
Dean Anderson wrote:
>Is it any worse than IE taking you to msn search when a domain doesn't
>resolve? Or worse than Mozilla taking you to Netscape, duplicating a
>Google search, and opening a sidebar (and a netscape search) you didn't
>want?
Yes, it is worse. Much worse. There is a fundamental
Is it any worse than IE taking you to msn search when a domain doesn't
resolve? Or worse than Mozilla taking you to Netscape, duplicating a
Google search, and opening a sidebar (and a netscape search) you didn't
want?
I think it isn't.
And people shouldn't be using Reverse DNS for spam checks, e
By-the-way, Neulevel (.us and .biz) did an "experiment" along these lines
back in May of this year. It was short lived. At the time I thought it
was a bad thing, and I still do. And at the time I wrote and sent to the
ICANN board an evaluation of the risks of that "experiment."
.nu have been
On Tuesday, Sep 16, 2003, at 12:25 Europe/Amsterdam, Karl Auerbach wrote:
1. Via ICANN, instruct Verisign to remove the wildcard.
It isn't clear that this power is vested in ICANN. There is a complicated
arrangement of Cooperative Agreements, MOUs, CRADAs, and Purchase Orders
that exist betwe
On Tue, 16 Sep 2003, Zefram wrote:
> ... I suggest the following courses of action, to be taken
> in parallel and immediately:
> 1. Via ICANN, instruct Verisign to remove the wildcard.
It isn't clear that this power is vested in ICANN. There is a complicated
arrangement of Cooperative Agreeme
Zefram <[EMAIL PROTECTED]> writes:
> 1. Via ICANN, instruct Verisign to remove the wildcard.
By the way, what about .museum?
>>Today VeriSign is adding a wildcard A record to the .com and .net
>>zones.
This is, as already noted, very dangerous. We in the IETF must work to
put a stop to this attempt to turn the DNS into a directory service,
and quickly. I suggest the following courses of action, to be taken
in parallel
Because no one can stop them doing it, apparently...
On Tue, Sep 16, 2003 at 12:43:35AM -0400, Keith Moore wrote:
> so now verisign is deliberately misrepresenting DNS results.
>
> why are these people allowed to live?
so now verisign is deliberately misrepresenting DNS results.
why are these people allowed to live?
This is outrageous, both in breaking DNS, and in abusing monopoly
power.
Other references:
http://gnso.icann.org/mailing-lists/archives/ga/msg00311.html
http://www.icann.org/correspondence/lynn-message-to-iab-06jan03.htm
http://www.merit.edu/mail.archives/nanog/2003-01/msg00050.html
What can
I am forwarding this message from the ASRG list. If you haven't heard it
yet, Verisign has activated their "typos" DNS service for .COM and .NET.
Original Message
Subject: [Asrg] Verisign: All Your Misspelling Are Belong To Us
Date: Tue, 16 Sep 2003 03:10:52 +0200
From: Brad Kno