* [EMAIL PROTECTED] (Jack Bates) [Thu 18 Sep 2003, 16:41 CEST]:
> After all, is this the Internet or just the World Wide Web? wildcards at
> the roots are catering solely to the web and disrupting other protocols
> which require NXDOMAIN.
Wildcards anywhere are problematic. I've yet to encount
Paul Vixie wrote:
actually, i had it convincingly argued to me today that wildcards in root
or top level domains were likely to be security problems, and that domains
like .museum were the exception rather than the rule, and that bind's
configuration should permit a knob like "don't accept anythin
forwarding as requested.
--- Begin Message ---
On Thu, 18 Sep 2003, Paul Vixie wrote:
*can't post to nanog, feel free to forward it*
> actually, i had it convincingly argued to me today that wildcards in root
> or top level domains were likely to be security problems, and that domains
> like .mu
On Wednesday, Sep 17, 2003, at 19:32 Europe/Amsterdam, Paul Vixie wrote:
Just when I thought I had a DNS server I could point my IPv6-only hosts to...
that's the purpose of the f.6to4-servers.net server, and if it's not
working for you then please send "dig" results and we'll check it out. (no
-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624
> > To: Paul Vixie <[EMAIL PROTECTED]>
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Root Server Operators (Re: What *are* they smoking?)
> > Sender: [EMAIL PROTECTED]
> >
> >
> > Paul
> To: Paul Vixie <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Root Server Operators (Re: What *are* they smoking?)
> Sender: [EMAIL PROTECTED]
>
>
> Paul Vixie wrote:
> > no. not just because that's not how our internal hashing works, but
>
> > i don't think so. verisign is on public record as saying that the
> > reason they implemented the wildcard was to enhance the services
> > offered to the internet's eyeball population, who has apparently
> > been clamouring for this.
>
> My question is, if this was to serve some need of inte
On Wed, 17 Sep 2003, Paul Vixie wrote:
> i don't think so. verisign is on public record as saying that the reason
> they implemented the wildcard was to enhance the services offered to the
> internet's eyeball population, who has apparently been clamouring for this.
My question is, if this was
> But I think your patch is working a little too well:
>
> sequoia# host nanog.org.
> nanog.org has address 198.108.1.50
> nanog.org mail is handled (pri=0) by mail.merit.edu
> sequoia# host nanog.org. F.6TO4-SERVERS.NET
> Using domain server:
> Name: F.6TO4-SERVERS.NET
> Addresses: 2001:4f8:0:2:
Aaron Dewell wrote:
The point is, this makes a reasonable backup plan. Far from ideal, but
we're dealing with a state-supported monopoly who can do whatever they
want. Get this in place, then think about how to throw the monopolies
out. This works in the meantime. They will likely compromise t
On Wed, 17 Sep 2003, Jack Bates wrote:
> Aaron Dewell wrote:
>
> > What if there was a requirement to add something that would work as a
> > wildcard, but also be easily detected as a wildcard with one additional
> > query? thisisawildcard.*.com IN A 127.0.0.1 or something. One additional
Aaron Dewell wrote:
What if there was a requirement to add something that would work as a
wildcard, but also be easily detected as a wildcard with one additional
query? thisisawildcard.*.com IN A 127.0.0.1 or something. One additional
query, and applications can decide whether they want a wildca
On Wed, 17 Sep 2003, Jack Bates wrote:
> One method that might be considered for recursive servers as well as
> resolvers, is the ability to specify if a wildcard entry will be
> accepted or not, perhaps at any level or just at the 2nd level. Cached
> records which are wildcards could be mark
Paul Vixie wrote:
no. not just because that's not how our internal hashing works, but
because "hosted" tld's like .museum have had wildcards from day 1 and
the registrants there are perfectly comfortable with them. there's
no one-policy-fits-all when it comes to tld's, so we would not want
to off
> Something like this can be seen on www.airow.com:
> $ dig www.airow.com @a.gtld-servers.net
> ...
looks good to me, man.
; <<>> DiG 8.3 <<>> @f.6to4-servers.net www.airow.com a
; (2 servers found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status:
> > : zone "com" { type delegation-only; };
> > : zone "net" { type delegation-only; };
>
> My first reaction to this was: 'yuck'.
mine also.
> I'm not sure of the side-effects this will introduce. Anyone?
if verisign served a subdomain of com or net on the same server they use
for com or net,
On Wed, Sep 17, 2003 at 03:35:31PM +0200, Stefan Baltus wrote:
> On Wed, Sep 17, 2003 at 09:27:13AM -0400, Todd Vierling wrote:
> > On Wed, 17 Sep 2003, Paul Vixie wrote:
> > : > Anyone have a magic named.conf incantation to counter the verisign
> > : > braindamage?
> > : zone "com" { type delegat
On Wed, Sep 17, 2003 at 09:27:13AM -0400, Todd Vierling wrote:
>
> On Wed, 17 Sep 2003, Paul Vixie wrote:
>
> : > Anyone have a magic named.conf incantation to counter the verisign
> : > braindamage?
> :
> : zone "com" { type delegation-only; };
> : zone "net" { type delegation-only; };
My firs
On Wed, 17 Sep 2003, Paul Vixie wrote:
: > Anyone have a magic named.conf incantation to counter the verisign
: > braindamage?
:
: zone "com" { type delegation-only; };
: zone "net" { type delegation-only; };
What's to stop VRS from countering with:
*.com. IN A
*.com. IN NS .gtld-servers.net
On Wed, 17 Sep 2003, Sean Donelan wrote:
> What would it do to website's Keynote performance to eliminate another
> name lookup by having their www.something.com records served directly
> from Verisign's gtld-servers?
Now, that would be a real problem, considering the person who owns
something.
On Wednesday, Sep 17, 2003, at 06:15 Europe/Amsterdam, Paul Vixie wrote:
I took a look at the Bind 8.3.4 code this afternoon, but couldn't readily
find where to do it. I'll take another look later.
isc's patch is running internally. if anyone wants to try out our public
recursive server, it's n
PROTECTED]
<[EMAIL PROTECTED]cc:
m> Subject: Re: Root Server Operators
(Re: What *are* they smoking?)
On Wed, Sep 17, 2003 at 05:13:45AM +, Paul Vixie wrote:
> therefore i believe that while they may have to change the A RR from time to
> time according to their transit contracts, verisign won't insert an NS RR
> into the sitefinder redirection. if they do, and if bind's user community
> st
On Wed, 17 Sep 2003, John Brown wrote:
> speaking as a shareholder of Verisign, I'm NOT HAPPY
> with the way they handled this wildcard deal, nor
> am I happy about them doing it all. As a *shareholder*
> I'd cast my vote that they *remove* it.
You have no control over operations of the compan
> Following Internet Standards and to improve performance for all Internet
> users, what if Verisign decided to start including other A records
> directly in the .COM/.NET zones?
>
> For example, the A records for the servers for the .COM/.NET zones?
funnily enough, that would work fine, since i
On Wed, Sep 17, 2003 at 01:39:56AM -0400, Sean Donelan wrote:
>
> I wouldn't be surprised if tomorrow, Verisign is playing the victim
> and calling ISC the out-of-control hooligans.
Paul an out of control hooligan, say it isn't so ! :)
Actually I'd trust ISC/Vixie/ to always do the real
ri
On Wed, 17 Sep 2003, Paul Vixie wrote:
> > So, Verisign just returns a NS pointer to another name server Verisign
> > controls which then answers the queries with Verisign's "helpful" web
> > site.
> >
> > Half-life of the patch: 1 day?
>
> i don't think so. verisign is on public record as saying
Yep, it went up around 6 pm ET on Tuesday. The list was a tremendous
help, BTW. I don't think any folks who have followed these threads will
find anything especially new in the article, but it may serve as a decent
summary.
ICANN's Mary Hewitt did tell me that they'd have a statement out in a few
SD> Date: Wed, 17 Sep 2003 00:48:09 -0400 (EDT)
SD> From: Sean Donelan
SD> So, Verisign just returns a NS pointer to another name server
SD> Verisign controls which then answers the queries with
SD> Verisign's "helpful" web site.
Queries for random zones make a nice starting point.
Eddy
--
Br
At 05:26 PM 16-09-03 -0400, Damian Gerow wrote:
Declan (of news.com) has indicated that he's working on something, and I'm
waiting to hear back from the editors at lightreading.com. I have full
faith that Declan will not only put out a technically accurate piece, but
one that is easily digestible
> So, Verisign just returns a NS pointer to another name server Verisign
> controls which then answers the queries with Verisign's "helpful" web
> site.
>
> Half-life of the patch: 1 day?
i don't think so. verisign is on public record as saying that the reason
they implemented the wildcard was
> Can you also program something to do this for all root zones,
> i.e. something like 'zone ".*" { type deligation-only; };'
no. not just because that's not how our internal hashing works, but
because "hosted" tld's like .museum have had wildcards from day 1 and
the registrants there are perfect
Can you also program something to do this for all root zones, i.e. something
like 'zone ".*" { type deligation-only; };'
And make it default configuration for new bind releases...
On 17 Sep 2003, Paul Vixie wrote:
>
> > Anyone have a magic named.conf incantation to counter the verisign
> > b
On 17 Sep 2003, Paul Vixie wrote:
> > Anyone have a magic named.conf incantation to counter the verisign
> > braindamage?
>
> zone "com" { type delegation-only; };
> zone "net" { type delegation-only; };
>
> > Or does this require a patch to bind?
>
> yes, it does. to be released shortly.
With e
> Anyone have a magic named.conf incantation to counter the verisign
> braindamage?
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
> Or does this require a patch to bind?
yes, it does. to be released shortly.
--
Paul Vixie
> [dot-net, dot-com] is arguably not a valid zone file. Therefore, any
> root server operators should refuse the improper zone file.
that's nonsequitur. root server operators do not carry the dot-com or
dot-net zone files. therefore there will never be an opportunity to
refuse (or accept) it.
> I took a look at the Bind 8.3.4 code this afternoon, but couldn't readily
> find where to do it. I'll take another look later.
isc's patch is running internally. if anyone wants to try out our public
recursive server, its name is F.6TO4-SERVERS.NET, and it's running the patch.
(we'll release
DL> Date: Tue, 16 Sep 2003 21:20:08 -0400 (EDT)
DL> From: David Lesher
DL> Verisign Move to Mean More Spam
DL>
DL> Will that do for a hook?
s,to,could, and I'll bite. Gotta keep it factual.
Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, h
Speaking on Deep Background, the Press Secretary whispered:
>
> Right now, I really can't think of a headline that
> the NY Times or CNN could run that would make ordinary people understand
> what's going on and encourage them to bring pressure on Verisign.
Verisign Move to Mean More
> Here is one solution - replace all of your root.cache files with:
1) it doesn't solve the problem of the .com and .net registry handing out
addresses
2) It creates whole new sets of problems
Please continue to go off and skulk in a corner
On Tue, 16 Sep 2003, Damian Gerow wrote:
> Declan (of news.com) has indicated that he's working on something, and I'm
> waiting to hear back from the editors at lightreading.com. I have full
> faith that Declan will not only put out a technically accurate piece, but
> one that is easily digestib
Thus spake Christopher X. Candreva ([EMAIL PROTECTED]) [16/09/03 17:24]:
> > On the other hand, a headline of "Internet Providers Worldwide block access
> > to Verisign in Effort to Protect the Public" is very easily understood.
>
> I was contacted a little while ago by a reporter from the Wall S
On Tue, 16 Sep 2003, Eric Gauthier wrote:
> On the other hand, a headline of "Internet Providers Worldwide block access
> to Verisign in Effort to Protect the Public" is very easily understood.
I was contacted a little while ago by a reporter from the Wall Street
Journal, based on my Nanog posts
At 12:07 PM 9/16/2003, Rich Braun wrote:
VeriSign stands to gain financially, take a look at this excerpt from an AP
news blurb published yesterday:
...
Anyone find out any details of the contracts which VeriSign has apparently
signed to profit from this little venture?
No, but check this out:
ht
> > $ host does.really-not-exist.net
> > does.really-not-exist.net has address 64.94.110.11
> >
> > $ host 64.94.110.11
> > 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
>
> Simply inject a route for 64.94.110.11/32 in your favorite IGP, route it
> to a box and alias
Damian,
You wrote:
Damian> But any journalists snooping around sure could help out
Damian> a bit, at least by indicating that there /is/ a
Damian> problem with this decision,
Damian> and that Operators are still trying to figure out a) *why* it happened, and
Damian> b) the best way to 'fix' it.
<[EMAIL PROTECTED]> 9/16/03 2:18:58 PM >>>
>
>
>Just came across this:
>
>http://www.washingtonpost.com/wp-dyn/articles/A996-2003Sep12.html
>
Interesting and well-written. And ICANN had no comment.
John
--
http://www.iab.org/Documents/icann-vgrs-response.html
"Robert A. Hayden" <[EMAIL PROTECTED]> 9/16/03 2:07:08 PM >>>
>
>On Tue, 16 Sep 2003, Damian Gerow wrote:
>> How about, 'Internet Operators Across North America Struggle to Deal with
>> Impact of Business Decision: Internet Functionality Worldwide
>> Tampered With by Verisign'? There doesn't
On Tue, 16 Sep 2003, Rich Braun wrote:
> VeriSign stands to gain financially, take a look at this excerpt from an AP
> news blurb published yesterday:
> [...]
> Anyone find out any details of the contracts which VeriSign has apparently
> signed to profit from this little venture?
It looks like O
Just came across this:
http://www.washingtonpost.com/wp-dyn/articles/A996-2003Sep12.html
Anyone have a magic named.conf incantation to counter the verisign
braindamage? Or does this require a patch to bind?
-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
On Tue, 16 Sep 2003 22:48:43 +0300 (IDT)
Hank Nussbacher <[EMAIL PROTECTED]> wrote:
> > Verisign is a business and its goal is to make money. More importantly,
> > it's a publicly traded company whose goal is to make its stock value go up.
> > So, if we're interested in having them listen, we shoul
On Tue, 16 Sep 2003, Damian Gerow wrote:
> How about, 'Internet Operators Across North America Struggle to Deal with
> Impact of Business Decision: Internet Functionality Worldwide
> Tampered With by Verisign'? There doesn't really appear to be a unified
> decision to do one thing, there's a lot
On Tue, 16 Sep 2003, Eric Gauthier wrote:
> Verisign is a business and its goal is to make money. More importantly,
> it's a publicly traded company whose goal is to make its stock value go up.
> So, if we're interested in having them listen, we should be targeting
> their stock value. Right now,
Thus spake Eric Gauthier ([EMAIL PROTECTED]) [16/09/03 13:49]:
> I'm sure that 5, 10, or 50 phone calls from Nanog-ers to the FTC, Congress,
> Dept of Commerce, ICANN, the US Post Office, or any other large organization
> will be completely ignored in the likely wash of everyday phone calls. We
On Tue, 16 Sep 2003, Mark Jeftovic wrote:
> > It's very amusing to see people on *this* list asking *who* gave control
> > to them. Who else configures your customers DNS settings?
>
> My customers.
End users don't figure out DNS settings on their own, either a network
operator picks what roots
VeriSign stands to gain financially, take a look at this excerpt from an AP
news blurb published yesterday:
> Ben Turner, VeriSign's vice president for naming services, described the service
> as a way to "improve overall usability of the Internet."
>
> People mistype ".com" and ".net" names some
On Tue, 16 Sep 2003 13:31:19 EDT, Eric Gauthier said:
> it. I'm a stupid network engineer that typically leaves the money stuff up
> to my finance geek friends, but even I know that (well most of the time):
>
> Bad Press == Stock Go Down
I wish this explained SCO's stock price... ;)
pg
On Tue, 2003-09-16 at 18:50, William Allen Simpson wrote:
> > Please note that the people running the root nameservers are a different
> > set from the people who run the .com and .net nameservers.
> >
> True, these days, at least in part.
>
> Since the latest zone for .net (and maybe .com acc
> Since the latest zone for .net (and maybe .com according to the
> announcement) contains data that
> * indicates existence for domains that actually do not exist, and
> * incorrect addresses for domains that exist, but are not using the
>   name service of netSOL cum verisign,
> it is ar
Once upon a time, John Palmer <[EMAIL PROTECTED]> said:
> Here is one solution - replace all of your root.cache files with:
>
> (root) nameserver = C.ROOT-SERVERS.ORSC
Since the ORSC servers still refer com and net to the GTLD servers, this
will have no impact on the issue at hand.
--
Chris A
Bruce Campbell wrote:
>
> On Tue, 16 Sep 2003, Matthew Kaufman wrote:
>
> > record. Great. Just what we need... To be in an escalating war with the
> > people running the root nameservers.
>
> Please note that the people running the root nameservers are a different
> set from the people who ru
On Tue, 16 Sep 2003, Greg Maxwell wrote:
>
> On Tue, 16 Sep 2003, Haesu wrote:
>
> > I must ask the subject again. What in the name of < censored > *are* they smoking?
> > Who exclusively gave them the right to own the 'net and decide which domain points
> > to where?
> > Completely unacceptabl
s Strom" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 11:23
Subject: Re: What *are* they smoking?
>
> On Tue, 16 Sep 2003, Haesu wrote:
>
> > I must ask the subject again. What in the name of < censored > *are* they smoking?
>
On Tue, 16 Sep 2003, Haesu wrote:
> I must ask the subject again. What in the name of < censored > *are* they smoking?
> Who exclusively gave them the right to own the 'net and decide which domain points
> to where?
> Completely unacceptable.
It's very amusing to see people on *this* list aski
On Tue, 16 Sep 2003, Matthew Kaufman wrote:
> record. Great. Just what we need... To be in an escalating war with the
> people running the root nameservers.
Please note that the people running the root nameservers are a different
set from the people who run the .com and .net nameservers.
Pleas
Just noticed this: verisign is redirecting queries for dorkslayers.com's
old RBL, even though dorkslayers.com is a registered and active domain.
It just has no name servers.
So it seems they're doing this to billing-active domains as well.
On Tue, 16 Sep 2003, Sabri Berisha wrote:
>
> On Tue,
> Just noticed this: verisign is redirecting queries for dorkslayers.com's
> old RBL, even though dorkslayers.com is a registered and active domain.
> It just has no name servers.
I must ask the subject again. What in the name of < censored > *are* they smoking? Who
exclusively gave them the ri
omas Lund
> Sent: Monday, September 15, 2003 6:14 PM
> To: Chris Adams
> Cc: [EMAIL PROTECTED]
> Subject: Re: What *are* they smoking?
>
>
>
> On Mon, 15 Sep 2003, Chris Adams wrote:
>
> > It appears that the most reliable way to detect a wildcard response
On Tue, Sep 16, 2003 at 12:56:57AM +0200, Niels Bakker wrote:
>
> A wildcard A record in the net TLD.
>
> $ host does.really-not-exist.net
> does.really-not-exist.net has address 64.94.110.11
>
> $ host 64.94.110.11
> 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
Si
At 12:46 AM 16/09/2003, [EMAIL PROTECTED] wrote:
On Tue, 16 Sep 2003 14:31:53 +1000, Matthew Sullivan said:
> Worse than that - it's a fixed sequence of responses...
>
> $ telnet akdjflasdf.com 25
> Trying 64.94.110.11...
> Connected to akdjflasdf.com.
> Escape character is '^]'.
> 220 snubby4-wce
Miquel van Smoorenburg([EMAIL PROTECTED])@2003.09.16 08:43:26 +:
>
> Oh yes, top of the line:
>
[...]
Mike, even better: it's answering in an unconditional mode!
---
[EMAIL PROTECTED]:datasink[2]% telnet jhsdfajjkasfjkjkasf.net 25
Trying 64.94.110.11...
Connected to jhsdfajjkasfjkjkasf.net
On Tuesday 16 Sep 2003 6:41 am, John Brown wrote:
> we've burned an AS for this, ICK
Yup - and 2 /24's
#show ip bgp regexp _30060$
Network Next HopMetric LocPrf Weight Path
*>i12.158.80.0/24 xxx.xxx.xxx.xxx 305
In article <[EMAIL PROTECTED]>,
Christopher X. Candreva <[EMAIL PROTECTED]> wrote:
>This also blows away the whole idea of rejecting mail from non-existent
>domains -- never mind all the bounces to these non-existent domains when the
>spammers get ahold of them. Boy, I hope they have a good mail se
Subject: Re: What *are* they smoking? Date: Tue, Sep 16, 2003 at 03:13:49AM +0200
Quoting Tomas Lund ([EMAIL PROTECTED]):
>
> On Mon, 15 Sep 2003, Chris Adams wrote:
>
> > It appears that the most reliable way to detect a wildcard response for
> > 'somedomain.tld
In the immortal words of Wayne E. Bouchard ([EMAIL PROTECTED]):
> So then now instead of mail to misspelled domains, instead of
> bouncing, now goes to /dev/null and you have no idea that your
> critically important piece of information didn't get through?
You _hope_ it goes to /dev/null.
It mig
EBD> Date: Tue, 16 Sep 2003 05:32:50 + (GMT)
EBD> From: E.B. Dreger
EBD> I'd actually go for keeping the A RR for '*.net.' and
EBD> '*.com.' in an authoritative NS's cache. If any other A RR
s,authoritative,resolver,
Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth
On Tue, Sep 16, 2003 at 05:32:50AM +, E.B. Dreger wrote:
>
> Until then, I guess it's time to null route and check for
> circumvention. Is AS30060 used for anything legitimate?
we've burned an AS for this, ICK
based on the ASNAME, it seems a nice little route-map
/dev/null will be real eas
PWG> Date: Mon, 15 Sep 2003 19:40:33 -0400
PWG> From: Patrick W. Gilmore
PWG> Anyone wanna patch BIND such that replies of that IP addy
PWG> are replaced with NXDOMAIN? That solves the web site and
PWG> the spam problem, and all others, all at once.
I'd actually go for keeping the A RR for '*.
On Tue, 16 Sep 2003 14:31:53 +1000, Matthew Sullivan said:
> Worse than that - it's a fixed sequence of responses...
>
> $ telnet akdjflasdf.com 25
> Trying 64.94.110.11...
> Connected to akdjflasdf.com.
> Escape character is '^]'.
> 220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready
> sdf
Patrick W. Gilmore wrote:
-- On Tuesday, September 16, 2003 00:56 +0200
-- Niels Bakker <[EMAIL PROTECTED]> supposedly wrote:
A wildcard A record in the net TLD.
$ host does.really-not-exist.net
does.really-not-exist.net has address 64.94.110.11
$ host 64.94.110.11
11.110.94.64.IN-ADDR.ARPA domai
Speaking on Deep Background, the Press Secretary whispered:
>
>
>
> I abandoned them a long time ago, but the big question is, how
> can we get rid of them as root servers operators? Sounds like
> time to push for more independent servers, and a truly separate
> company to handle the root serv
On Mon, 15 Sep 2003, George William Herbert wrote:
> This is sufficiently technically and business slimy that
> I would null-route that IP, personally.
Or direct it to a local server and collect the profit yourself.
> Yep, and it'll be coming soon to .com. All your typo domain are belong
> to Verisign.
Ever get tempted to have a 'wet ops' NANOG team?
There was an article, easily overlooked, in the NY Times this
morning. Link below. (free, registration required.)
http://www.nytimes.com/2003/09/15/technology/15MISS.html
This action does call into question Verisign's ability
to operate with public, nee international, infrastructure
interests.
On Mon, 15 Sep 2003, Alex Lambert wrote:
> "The information provided through the VeriSign Services is not
> necessarily complete and may be supplied by VeriSign's commercial
> licensors, advertisers or others."
>
> There's something immoral about *shoving it down our throats*, then,
> VeriSign.
-
> > From: "Patrick W. Gilmore" <[EMAIL PROTECTED]>
> > Date: Monday, September 15, 2003 7:34 pm
> > Subject: Re: What *are* they smoking?
> >
> > >
> > > No, it accepts if the from domain exists - but only if it *REALLY*
> > >
It's bad enough now; it could be even worse. They could respond on
port 443, too, with a legitimate-seeming certificate -- they're
*Verisign*, the leading certificate authority.
In the security world, we call this a man- (or monkey-)in-the-middle
attack, for which the standard defense is crypto
I abandoned them a long time ago, but the big question is, how
can we get rid of them as root servers operators? Sounds like
time to push for more independent servers, and a truly separate
company to handle the root server portion of .com/.net. They
could still exist as a registrar, but with th
On Mon, 15 Sep 2003 17:45:26 -0700
Fred Baker <[EMAIL PROTECTED]> wrote:
> At 04:18 PM 9/15/2003, Jeroen Massar wrote:
> >Even worse of this is that you can't verify domain names under .net
> >any more for 'existence' as every .net domain suddenly has a A record
> >and then can be used for spamming
On Tue, 16 Sep 2003, Johnny Eriksson wrote:
> idea for next virus: after reproducing itself, construct a random domain
> name ending in .net and ddos it at a low rate for a day or so. if the
> faked up domain is someones real one, you get a small number of packets
> to that domain. if a large n
"The information provided through the VeriSign Services is not
necessarily complete and may be supplied by VeriSign's commercial
licensors, advertisers or others."
There's something immoral about *shoving it down our throats*, then,
VeriSign.
apl
Adam 'Starblazer' Romberg wrote:
Can they r
On Mon, 15 Sep 2003, Chris Adams wrote:
> It appears that the most reliable way to detect a wildcard response for
> 'somedomain.tld' is to query for '*.tld'; if the results match, then
> 'somedomain.tld' doesn't really exist.
Just make up a number of fake domains and resolve them. If they return
- Original Message -
From: "Patrick W. Gilmore" <[EMAIL PROTECTED]>
Date: Monday, September 15, 2003 7:34 pm
Subject: Re: What *are* they smoking?
>
> No, it accepts if the from domain exists - but only if it *REALLY*
> exists.
Anyone want to guess what
At 04:18 PM 9/15/2003, Jeroen Massar wrote:
Even worse of this is that you can't verify domain names under .net
any more for 'existence' as every .net domain suddenly has a A record
and then can be used for spamming...
so, every spammer in the world spams verisign. The down side of this is ...
what
FYI: A quick look shows 14 TLDs that appear to have wildcard records:
ac
cc
com
cx
mp
museum
net
nu
ph
pw
sh
tk
tm
ws
The following TLDs answer for '*.tld' but do not appear to have wildcard
records:
bz
cn
tw
It appears that the most reliable way to detect a wildcard response for
'somedomain.t
http://www.verisign.com/corporate/about/contact/index.html
Give 'em hell.
apl
Niels Bakker wrote:
A wildcard A record in the net TLD.
$ host does.really-not-exist.net
does.really-not-exist.net has address 64.94.110.11
$ host 64.94.110.11
11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinde
"Jeroen Massar" <[EMAIL PROTECTED]> wrote:
> Any kiddie group already planning to "take down" the advert server ?
> It's just 1 IP to take out a *lot* of domains, anything you can mistype ;)
> "Look mommy we took down .net, now you see it now you..."
idea for next virus: after reproducing itself
Can they realistically enforce a TOS on a site like that, and how can they
provide a remedy for it?
I, for one, do not agree to their terms of service.
Thanks
-a-
Adam 'Starblazer' Romberg Appleton: 920-738-9032
System Administrator
Extr
1 - 100 of 122 matches