> > i'm not sure how many people inside verisign, us-DoC, and icann agree
> > that COM and NET are a public trust, or that verisign is just a caretaker.
>
> If there's a disagreement on this concept, we have *BIGGER* problems than
> just DNS b0rkage.
yes. i'm sorry, i thought you knew that. we
> How about rewriting all DNS responses to your liking? :-)
>
> Like if you ask for www.register.com, you would get the A record for
> www.verisign.com ?
done.
#fh:i386# ping -c 1 www.register.com
PING www.register.com (216.21.229.101): 56 data bytes
64 bytes from 216.21
On Wed, 17 Sep 2003 17:55:32 -, Paul Vixie <[EMAIL PROTECTED]> said:
> i'm not sure how many people inside verisign, us-DoC, and icann agree
> that COM and NET are a public trust, or that verisign is just a caretaker.
If there's a disagreement on this concept, we have *BIGGER* problems than
d Schwartz" <[EMAIL PROTECTED]>
To: "Paul Vixie" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, September 17, 2003 14:30
Subject: RE: Change to .com/.net behavior
>
>
> > > > ... shouldn't they get to decide this for themsel
Paul Vixie wrote:
... shouldn't they get to decide this for themselves?
Verisign has created a business out of fooling software through
failure to return a 'no such domain' indication when there is no such
domain, in breach of their public trust. As much as Verisign was
obligated not
On 9/17/2003 1:55 PM Paul Vixie noted that:
but this is not sufficient justification to warrant a demand by you of your
customers that they install a patch (what if they don't run bind?) or that
they configure delegation-only for particular tld's (which ones and why not
others?)
I was with you up
> > > ... shouldn't they get to decide this for themselves?
> > Returning NXDOMAIN when a domain does not exist is a basic
> > requirement. Failure to do so creates security problems. It is
> > reasonable to require your customers to fix known breakage that
> > creates security problems.
> th
I" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 17, 2003 13:53
Subject: RE: Change to .com/.net behavior
>
>
>
> On Wed, 17 Sep 2003, David Schwartz wrote:
>
> > Microsoft, for example, specifically designed IE to behave in a
On Wed, 17 Sep 2003, David Schwartz wrote:
> Microsoft, for example, specifically designed IE to behave in a
> particular way when an unregistered domain was entered. Verisign's
> wildcard record is explicitly intended to break this detection.
Has Microsoft responded to this yet? Seems li
Kandra didn't say that they CANNOT modify DNS responses, just that they were
not going to.
william
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, September 17, 2003 1:13 PM
Subject: Re: Chang
From: <[EMAIL PROTECTED]>
> > While I too am outraged by the actions of Verisign, I've decided to NOT
> > modify my servers in any way.
> > I might decide to block the sitefinder IP, but I will not change my
> > nameservers into modifying DNS responses. Doing so would be to break things,
>
> *You
Paul Vixie wrote:
I've implemented the official ISC Bind hack on every single one of my
name servers and am pushing it and the configuration changes out to my
customers as a *required* upgrade.
that seems a bit extreme. shouldn't they get to decide this for themselves?
How about rewriting
> While I too am outraged by the actions of Verisign, I've decided to NOT
> modify my servers in any way.
> I might decide to block the sitefinder IP, but I will not change my
> nameservers into modifying DNS responses. Doing so would be to break things,
*You* cannot modify DNS responses, but it'
From: "David Schwartz" <[EMAIL PROTECTED]>
> Returning NXDOMAIN when a domain does not exist is a basic requirement.
> Failure to do so creates security problems. It is reasonable to require your
> customers to fix known breakage that creates security problems.
I agree completely. However, this
> > ... shouldn't they get to decide this for themselves?
>
> Returning NXDOMAIN when a domain does not exist is a basic
> requirement. Failure to do so creates security problems. It is
> reasonable to require your customers to fix known breakage that
> creates security problems.
that so
> > I've implemented the official ISC Bind hack on every single one of my
> > name servers and am pushing it and the configuration changes out to my
> > customers as a *required* upgrade.
> that seems a bit extreme. shouldn't they get to decide this for
> themselves?
Returning NXDOMAIN
;[EMAIL PROTECTED]>
Sent: Wednesday, September 17, 2003 12:12 PM
Subject: Re: Change to .com/.net behavior
>
> On Mon, 15 Sep 2003, Christopher X. Candreva wrote:
>
> >
> > On Mon, 15 Sep 2003, Vadim Antonov wrote:
> >
> > > I'm going to hack my BIN
> I've implemented the official ISC Bind hack on every single one of my
> name servers and am pushing it and the configuration changes out to my
> customers as a *required* upgrade.
that seems a bit extreme. shouldn't they get to decide this for themselves?
--
Paul Vixie
On Mon, 15 Sep 2003, Christopher X. Candreva wrote:
>
> On Mon, 15 Sep 2003, Vadim Antonov wrote:
>
> > I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a
> > matter of reducing the flood of advertising junk reaching my desktop.
>
> Please share your hack !
I've implemented
JS> Date: Mon, 15 Sep 2003 21:50:42 -0400
JS> From: Joshua Sahala
JS> i'm not sure if it could be cached, but i still see verisign
JS> pretending to 0wn the net...
No, it's not cached. Try
dig +norec @a.gtld-servers.net '*.net.' any
to confirm.
Eddy
--
Brotsman & Dreger, Inc. - Eve
On Mon, 15 Sep 2003, Joshua Sahala wrote:
as is usually suggested on this list, do your talking with your money,
pull your zones from verisign, and never do business with them again,
Ah, if you own any domains in .com or .net; you are doing business
with Verisign. Sorry...
matto
[EMAIL PR
I would like to make a few evolving observations
about the wildcard DNS entries which Verisign
initiated in .net and .com earlier today.
1) By all reasonable interpretations, Verisign is now
operating in violation of the .com and .net Registry
Agreements. Specifically, Sect 24 of the main agre
On Tue, 16 Sep 2003 09:50:07 +0300 (IDT)
Hank Nussbacher <[EMAIL PROTECTED]> wrote:
> Don't you think this kind of change should have been discussed first? Or
> at the *very* least - a 3 day pre-change notice? Or did mgmt think a
> pre-notice would have caused a firestorm of sufficient size to ma
> Today VeriSign is adding a wildcard A record to the .com and .net
> zones. The wildcard record in the .net zone was activated from
> 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
> being added now. We have prepared a white paper describing VeriSign's
> wildcard implement
On Mon, 15 Sep 2003, Matt Larson wrote:
Don't you think this kind of change should have been discussed first? Or
at the *very* least - a 3 day pre-change notice? Or did mgmt think a
pre-notice would have caused a firestorm of sufficient size to make you
back off such a plan? Once done - things
On Mon, 15 Sep 2003, Matt Larson wrote:
>
> Today VeriSign is adding a wildcard A record to the .com and .net
> zones.
The Web Proxy Auto-discovery Protocol (WPAD) is another reason to
fear and loathe this change. If your host has a bogus name and
makes a WPAD request, they can send your brow
A couple things come to mind --
1) Does this increase the RAM needed on a caching resolver? I.e. does it take
more RAM to cache the 15-minute positive reply, than an NXDOMAIN negative
reply?
2) In the "bestpractices.pdf" file, it states the following:
"A response server should be configured to
In <[EMAIL PROTECTED]> Matt Larson <[EMAIL PROTECTED]> writes:
> Today VeriSign is adding a wildcard A record to the .com and .net
> zones. The wildcard record in the .net zone was activated from
> 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
> being added now.
Well, I h
On Mon, 15 Sep 2003 19:24:29 -0400, Matt Larson wrote:
>10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
>being added now. We have prepared a white paper describing VeriSign's
>wildcard implementation, which is available here:
>
>http://www.verisign.com/resources/gd/sitefinder
Sorry for the double-post folks, I got a bounce and didn't look closely
at it.
If somebody could check the subscriber list for an address that might
result in [EMAIL PROTECTED] filtering really innocent emails (I know
this has happened to others too), and contacting the owner, that would
be great.
On Mon, 15 Sep 2003 17:29:43 -0700
Roy <[EMAIL PROTECTED]> wrote:
>
> It looks like it broke. Your web server (64.94.110.11) is inoperative.
> How about backing out the change
Chances are your ISP has null-routed that IP address. Two of the larger
ISPs in my area (Ontario, Canada) have,
On Mon, 15 Sep 2003, George William Herbert wrote:
> Did it occur to Verisign that perhaps this needed some external policy
> and technical review before you just went ahead and did this?
I wouldn't be surprised if the real motivation is to get the attention of
(at least the US) government and
>
> In other news, Verisign has a press release on their website announcing
> something called "Next Registration Rights Service," where you can place
> an order to have somebody else's domain transferred to you if they ever
> don't pay their bill. The press release goes on to say that this is a
i'm not sure if it could be cached, but i still see verisign pretending
to 0wn the net...
as is usually suggested on this list, do your talking with your money,
pull your zones from verisign, and never do business with them again,
file complaints with all relevant state and federal authorities, a
On Mon, 15 Sep 2003, Jared Mauch wrote:
>
> I also typed a bit too quickly.
>
> I'm guessing due to the uprising they've pulled this.
>
> I was just going to call the dept of commerce tomorrow and
> file a complaint myself. perhaps I still will.
It appears GTLD servers A-D are
On Mon, 15 Sep 2003 17:29:43 -0700
Roy <[EMAIL PROTECTED]> wrote:
>
> It looks like it broke. Your web server (64.94.110.11) is inoperative.
> How about backing out the change
Chances are your ISP has null-routed that IP address. Two of the larger
ISPs in my area (Ontario, Canada) have, a
I want my root servers back
Matt Larson wrote:
Today VeriSign is adding a wildcard A record to the .com and .net
zones. The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
being added now. We have prepared a white paper de
On Mon, Sep 15, 2003 at 07:39:20PM -0500, Adam 'Starblazer' Romberg wrote:
> Yeah, speaking too quickly.
>
> *hides*
I also typed a bit too quickly.
I'm guessing due to the uprising they've pulled this.
I was just going to call the dept of commerce tomorrow and
file a c
Adam 'Starblazer' Romberg wrote:
Looks like they pulled it now.
[EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
rarrarrarrarblah.com does not exist (Authoritative answer)
Nah, just zone propagation issues. Some gtld servers still
have old zone data.
/mjt
On Mon, 15 Sep 2003, Adam 'Starblazer' Romberg wrote:
>
> Looks like they pulled it now.
>
> [EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
> rarrarrarrarblah.com does not exist (Authoritative answer)
They haven't implemented it on .com, only .net .
--
Jay Hennigan - CCIE #7880 - Networ
Yeah, speaking too quickly.
*hides*
Thanks
-a-
Adam 'Starblazer' Romberg Appleton: 920-738-9032
System Administrator
ExtremePC LLC-=- http://www.extremepcgaming.net
On Mon, 15 Sep 2003, Jared Mauch wrote:
> On Mon, Sep 15, 2003 a
On Mon, Sep 15, 2003 at 07:28:51PM -0500, Adam 'Starblazer' Romberg wrote:
>
> Looks like they pulled it now.
>
> [EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
> rarrarrarrarblah.com does not exist (Authoritative answer)
; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com.
;; res options: ini
On Tue, 16 Sep 2003, Michael Tokarev wrote:
> Haesu wrote:
> > Before I figure out this BIND thing, for now..
> >
> > box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 di$
>
> Please do not do that. You, or your users, will end up having
> TONS of undeliverable bounces for f
Looks like they pulled it now.
[EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
rarrarrarrarblah.com does not exist (Authoritative answer)
thanks,
-a-
Adam 'Starblazer' Romberg Appleton: 920-738-9032
System Administrator
ExtremePC
It looks like it broke. Your web server (64.94.110.11) is inoperative.
How about backing out the change
Matt Larson wrote:
Today VeriSign is adding a wildcard A record to the .com and .net
zones. The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT. The wildc
Haesu wrote:
[]
Before I figure out this BIND thing, for now..
box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 discard;
Please do not do that. You, or your users, will end up having
TONS of undeliverable bounces for forged/bogus domains sitting
in mail spools...
/mjt
You mean you have been studying a way for more people to buy domain through you.
I also am modifying BIND to convert your wildcard #$%^^% to NXDOMAIN.
Between the domains that I have with you and all the problems we've had with it
each time you 'change' your web interface, I've already made my d
On Mon, 15 Sep 2003, Vadim Antonov wrote:
> I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a
> matter of reducing the flood of advertising junk reaching my desktop.
Please share your hack !
==
Chris Candreva -- [EMAIL
Did it occur to Verisign that perhaps this needed
some external policy and technical review before
you just went ahead and did this?
Have you formally or informally asked ICANN, the US DOC,
etc. for policy approval? If so, where and when?
Did you consider that nonexistent domains returning
an
I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a
matter of reducing the flood of advertising junk reaching my desktop.
I think BIND & resolver developers would do everyone a service by adding
an option having the same effect.
Thank you, VeriSign, I will never do business wi
Today VeriSign is adding a wildcard A record to the .com and .net
zones. The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
being added now. We have prepared a white paper describing VeriSign's
wildcard implementation, whi
51 matches