BIND Strikes Back Against VeriSign's Site Finder
BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."
#!/bin/bash
# Uses bash arrays and ${RANDOM}-free /dev/urandom reads, so it needs bash, not sh.
# Builds a random 32-character label and fetches <label>.com: before Site Finder this
# failed at the DNS lookup; with the wildcard, wget gets handed a web page instead.
get_char() {
    local good=0
    while [ "$good" -eq 0 ]; do
        RAND_C=$(dd if=/dev/urandom bs=1 count=1 2>/dev/null)
        if echo "$RAND_C" | grep -q '[0-9A-Za-z]'; then good=1; fi
    done
}
get_string() {
    local index=0
    while [ "$index" -ne 32 ]; do
        get_char
        RAND_STR[$index]=$RAND_C
        index=$((index + 1))
    done
}
get_string
URI=$(echo "${RAND_STR[@]}" | tr -d ' ')
wget -O - "$URI.com" >/dev/null 2>&1
exit 1
The ISPs involved (according to the article) claim that they are upset that this stops their spam detection.
While that is all well and good, as a CUSTOMER, I could care less about SPAM detection. What I care about is when I suffer from the Slashdot effect (transposing of letters when I type) and I get some sponsored advertising; I would be pretty pissed off.
So if BIND blocks this, won't Verisign just make another "patch" and fix the glitch?
Thereby helping to prove the old adage that the Internet will just route around regulation! (OK, it's not strictly regulation, but with any luck Verisign will find that "controlling" the underlying technology of the Internet is not as easy as they first thought).
A little planning goes a long way...
Good... Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner, with no significant work at all on their part. Taking the whole DNS stack and turning it into a profit center by redirecting it at your whim across the entire internet, is outrageous.
~ Whence do you come, slayer of men, or where are you going, conqueror of space?
but couldn't this be the thin end of the wedge towards technologically mediated censorship?
I'm a programmer with a soldering iron, and I'm not afraid to use it.
after all, almost anything is possible with a patch... it just takes the will to do it.
I assume the patch will filter requests which resolve to the Site Finder IP, so what's to stop VeriSign simply changing IPs every so often?
Of course, hopefully this and public opinion will actually cause VeriSign to rethink the whole operation. (We can at least dream)
As soon as a patch comes out, bug your ISP to sort out their DNS servers. Try and nip this thing in the bud
Interesting that BIND only runs 80% of DNS servers; what is the other 20% made up of?
The .nu domain registry has been doing this for years.
Money for nothing, pix for free
Isn't it this one ? ;)
I'm asking because the wording is quite hard to understand as my main language isn't English
blah
http://www.isc.org/products/BIND/delegation-onl
To E-mail me, replace the first period in my domain with an @
"VeriSign did not respond requests for comment."
Isn't that what caused the problem in the first place?
Thanks, I'll be here all week!
This is very cool. Does anyone know how to do this with DJBDNS? I started thinking about it the night verisign turned on the wildcards, but promptly forgot to look any further.
The DoJ has no compunction against pursuing cyber squatters.
That's fucking awesome! The ISC rocks. Verisign has no right to abuse their position like that. Way to go for people fighting the power!
--#!
OK, I'm in favour of working-around the problem in classic
But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care? This sort of activity in a social context (umm... let's see if we can construct a tortured metaphor: ...uhhh..: Your friend asks for your cousin's phone number and you instead give them the phone number of your shop. Reasonable?) would result in the perpetrator being ostracised fairly quickly, if not actually slapped about by a clue-by-four. It's flat out antisocial behaviour, never mind any legalities.
Here, since these buggers appear to hold us all over a barrel with the root domains, we can't just ignore them, and invoking legal recourses is at best slow and expensive. But what about appeal to the authorities that granted them those rights?
Um, the more I rant about this the closer I get to thinking a better solution is switching to an alternate root... Best head off to google again then, I know there's a way around this...
--
I'd rather have a bottle in front of me than a frontal lobotomy
The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one characters is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.
The remaining 40% is due to the fact that people sometimes doesn't actually mistype a known address... they type a dead wrong address, such as "amazonbookstore.com" instead of "amazon.com". In this case, BIND should split up the phrase into separate word (in this case "amazon book store" and redirect to a search engine with those words as parameters.
The big question in this case is: which search engine? I think that one should be able to choose, in one way or another. If not, Google would be my choice ;-)
I was dumb enough to sign up with what was called Network Solutions at the time. Then during a moment of sheer stupidity, I renewed... till 2007!
I really want to get away from these jerks. There seem to be lots of registrars out there, but I've heard horror stories about totally unresponsive registrars that are glad to take your money, but ignore you if there's any problem at all. Also, if I switch, doesn't that just improve Verisign's profit margin? I've paid till 2007, now they don't have to do anything at all for that money. If I transfer to another registrar does Verisign get to keep my money?
Advice?
Signatures are a waste of bandwi (buffering...)
I seem to remember certain 'default' browser settings that would automatically re-direct unknown queries to a related MSN search page.
LostboyTNT MercyHosting.Com
Server-Status.Com
50Bux.Com
TLDR.Com
Patches for DJBDNS and lots of other daemons here.
upgrade can be found here: http://www.isc.org/products/BIND/delegation-only.html
There is no need to create a com or net data file. Just adding the
following entries to the named.conf file is enough:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
Of course, if you use views, this needs to be provided within the relevant
view (the one performing recursive lookups).
quote from:
http://marc.theaimsgroup.com/?l=bind9-users&m=106379587928771&w=2
... can be found at http://www.imperialviolet.org/dnsfix.html
AGL
Russell Nelson has a patch for tinydns which does the same thing.
He also notes that several other TLD operators do the same thing and has another patch that allows you to do the same thing to several naughty TLD operators at once.
What irritates me more is when people refer to junk email as "SPAM" instead of "spam" (it's not an acronym... and speaking of acronyms, when did we stop putting dots between the letters? It used to be R.S.P.C.A, now RSPCA is ok. And when did we start saying "dot" instead of "full stop" or "period"? Maybe we can blame the web for this!)
Similarly, "Mac" refers to a computer sold by Apple, whereas "MAC" is a unique number found in network cards.
Sorry, but my karma just ran over your dogma.
Although the news is not on the BIND page yet, patches for the current versions 9.2.2 and 9.1.3 are already available. Only 9.2.3rc2 is currently listed on the page (as of this writing).
You can get the details from the bind-announce list archives:
All versions were released a few hours ago. Here is the common paragraph at the top of these three messages:
Have fun downloading and installing!
-Raphaël
It says on the BIND site that it runs 80% of the net's DNS servers - I wonder what runs on the remaining 20%? And are they likely to implement something similar?
Basically, I'm wondering how much of the net will end up bypassing Verisign's silly stunt...
So you have 2 mail servers with mx priorities as follows:
mail.someplace.com 10
mail.otherplace.com 20
if your someplace.com domain expires (hey, it happens) all your mail bounces thanks to VeriSign's ace "Snubby Mail Rejector Daemon v1.3". The backup MX record, which is there to cover failures like domains expiring, is never tried. In the 'real' world.. where lookups on dead domains fail... the backup server would be used.
That's a bigger problem than all this spam checking people are getting worked up about. If they both had priority 10 (a simple load balancing arrangement) then half your mail would bounce and half would be ok.
Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.
0daymeme.com: Great stuff.
The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.
Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in .com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.
DJBDNS already has a patch available.
Sure, it sounds like another tin-foil hat theory, but can anyone come up with another explanation which makes more sense for the "Lemming Look" of companies searching for the biggest cliff to jump off? (Yeah, I know, lemming suicides are a Disney myth. Too bad SCO and Verisign aren't.)
One line blog. I hear that they're called Twitters now.
The Internet now holds the same properties as Atmosphere and Ocean. This cannot last. Nature will find a way, and soon.
Now, if you'll excuse me, I have backups to corrupt.
ISPs running DNS will certainly disallow this redirection to VeriSuck.
But soon thereafter, if not immediately, they'll start directing their customers to their own search site, or whatever search site they're paid to send them to. Or maybe some ISPs already do this?!
We need an RFC stating that this is not permissible.
Heh, maybe as a byproduct we'll see public DNS servers pop up. "Use us for free, but occasionally we will send you where /we/ want you to go."
Don't you mean a M.A.C.? :^P
I for one welcome our new DNS overlords! All our domain name are belong to THEM! Mwuhahahaha...
Maybe if a misspelled URL went to a random other URL, it might be OK, but using that page to advertise for a particular company's profit, regardless of the URL, seems really bad. I would much prefer to have a "not found" message, since that's really what's happened. Can you imagine if this happened while driving? Anytime you turn down the wrong street, the same ad came on the radio or something like that? It seems positively Orwellian.
"Could care less" implies you care at least to some degree.
this is just a trick. They just want to get rid of all those obsolete BIND-versions out in the internet.
So they did this to goad all admins into patching their bind.
Tricky they are...
Regards, Martin
ISC has already released the patch. It's available at http://www.isc.org/products/BIND/delegation-only.html. What it does is let you specify any zone (i.e. domain) whereby the server will filter out any wildcards from the authoritative server.
..actually typed a wrong address and seen what Verisign is throwing up?
I just did. I don't see what the fuss is.
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
MSIE has been doing this for ages, and I never found it to be a problem, but rather more helpful than the old "404 Not found" messages we used to see.
So Verisign have found a portable way to slice Microsoft's little niche away, and gain some advertising. So what? You type junk into an URL and you expect a civilized answer?
Actually typing URLs is an anachronism in the linked reality of the web. C'mon, my home page is our local wiki, and all the sites I access frequently are bookmarked as little icons.
What, again, is the problem here, apart from the fact that Verisign is a hateable entity who seem destined to simply annoy everyone they deal with.
Ceci n'est pas une signature
ICANN might be able to force VeriSign to get this off the net
http://www.petitiononline.com/icanndns/
Is Stratton D. Sclavos doing a good job as CEO of Verisign? Vote yes or no in this Forbes.com poll.
Also, here's a petition that may also be of interest.
<sig>Guvf vf abg n frperg zrffntr
Ok, web site crackers.... First group to change VeriSign's catch-all to point to Goats.cx!! Marks.... Get set.... GO! Tony. Buy 3 Long life LED keychains from me, for just 5 pounds. Thanks. http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=3046991996&category=294
I think it's a bit different when they tell you the domain is available, and don't run a mail server, etc. rather than advertise to people about Verisign
That site also talks about a netfilter solution, but doesn't give much detail. Does their tar.bz provide firewall rules to clean up DNS replies as they come in?
They don't state if it's simply blocking the well-known IP of SiteFinder or doing something cleverer.
How long till they change the IP/round-robin it?
I noticed the wildcard domain does not generate an SOA record so that may be a better detection mechanism, but maybe it will break existing misconfigured sites?
In any case, Verisign can always come up with new scams to make the record look more authentic.
The only long-term solution is to move to a different host, which would be really hard to arrange collectively.
Is it a TLD used by spammers ? If so, do ISPs block all the nu TLD ? If not, I'm surprised spammers didn't discover and use this.
Hey - they paid good money for the right to do this. Why shouldn't they be allowed to do so?
I mean, if some company paid good money to police my town, and they arrested or refused to arrest whomever they wanted, I wouldn't complain. After all - they paid for the right to do so.
We do not live in the 21st century. We live in the 20 second century.
Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config.
And what good would that do? If VeriSlime changes the ip hourly, you'd have to edit the config file hourly: bwilliant patching Holmes.
I prefer the patch as it will be supplied by the ISC: Patch bind and add the following snippet to named.conf:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
Tada. Let VeriSlime work around *that*.
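Since the thread only quotes the two named.conf lines, here is an added example (my own, not ISC's code) that models in Python the rule those lines apply to replies from a TLD's servers: for a name below the zone, the only acceptable reply is a referral, and anything else becomes NXDOMAIN. The record tuples are constructed, every name is made up apart from the 64.94.110.11 Site Finder address quoted elsewhere in the thread, and the last case shows the bypass other posters point out: a wildcard that delegates instead of answering passes the filter untouched.

```python
"""Model of what a 'delegation-only' zone does to a TLD server's answers.

Added example, not ISC's code: it reproduces the rule the named.conf
snippet relies on. For names *below* the zone the only acceptable reply
from the zone's servers is a referral (NS records naming the child's
servers); any other positive answer becomes NXDOMAIN. Records are
constructed tuples rather than real DNS messages, and every name here is
made up except the 64.94.110.11 Site Finder address quoted in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, fully qualified with a trailing dot
    rtype: str  # "A", "NS", "SOA", ...
    rdata: str


def below_zone(name, zone):
    """True for child names of zone; False for the apex and for other zones."""
    return name != zone and name.endswith("." + zone)


def delegation_only(zone, rcode, answer, authority):
    """Filter one reply from the servers of `zone`.

    Returns (rcode, records): the records worth caching, or NXDOMAIN when
    the server answered for a child name directly instead of delegating.
    """
    if rcode != "NOERROR":
        return rcode, []            # negative answers pass through unchanged
    # An answer-section record for a child name is data the TLD server has
    # no business holding; that is exactly what the Site Finder wildcard
    # synthesizes, so it is dropped.
    if any(below_zone(rr.name, zone) for rr in answer):
        return "NXDOMAIN", []
    # A referral: NS records for the child in the authority section.
    referral = [rr for rr in authority
                if rr.rtype == "NS" and below_zone(rr.name, zone)]
    if referral:
        return "NOERROR", referral
    # The zone's own apex data (its SOA/NS) is legitimate and is kept.
    apex = [rr for rr in answer + authority if rr.name == zone]
    if apex:
        return "NOERROR", apex
    # NOERROR with neither a delegation nor apex data: treat as NXDOMAIN.
    return "NXDOMAIN", []


def demo(zone="com."):
    """Three replies a resolver could receive from the .com servers."""
    return {
        # Site Finder: the wildcard answers an unregistered name with an A record.
        "wildcard_a": delegation_only(
            zone, "NOERROR", [RR("nosuchname.com.", "A", "64.94.110.11")], []),
        # An ordinary delegation of a registered name.
        "delegation": delegation_only(
            zone, "NOERROR", [], [RR("example.com.", "NS", "ns1.registrant.example.")]),
        # The bypass other posters point out: a wildcard *NS* record looks
        # like any other referral and sails through.
        "wildcard_ns": delegation_only(
            zone, "NOERROR", [], [RR("nosuchname.com.", "NS", "ns.sitefinder.example.")]),
    }


if __name__ == "__main__":
    for case, (rcode, records) in demo().items():
        print(f"{case:12s} -> {rcode} {[(r.name, r.rtype) for r in records]}")
```

The filter never looks at the address in the reply, which is why it does not care whether Site Finder changes IPs; what it cannot do is tell a legitimate referral from a synthesized one, so a registry that wildcards NS records instead of A records is not stopped by it.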
The problem is that whatevercrap.nu is alive DNS-wise, so you can't really use DNS responses as a spam filtering tool. That's the main reason for ISPs being pissed off by the Verisign move (you can't ban all the .COM TLD incoming mail). The .NU TLD maintainer uses the same trick, hence the same problem with spam detection is present.
as suggested by Abby Patel at http://www.theregister.co.uk/content/6/32872.html
However, it seems that the T&C's might help us to stop this abuse. If you do not agree to the T&C's the only option they have is to not redirect your netblock to their site. So, give them a call on 0800-032-2101, select 2 to speak to their support department and once you get a human, tell them that you don't agree to their T&C's and can they remove your netblocks!
So let's /. them and see how many netblocks they end up excluding.
What irritates me more is when people refer to junk email as "SPAM" instead of "spam"
actually, isn't that part of hormel's deal? we can continue to call UBE (insert full stops as required) SPAM as long as we capitalise it and they won't complain or try to sue anyone over dilution of trademark etc. (ie as spam is actually a product they sell).
I had a quick squizz at their website to find that link but I couldn't immediately see it.
dave
But what if two different factions decide to do this at once? Will we get a new, much more serious, EFNet split?
And who is going to pay? How do you distribute the cost?
How small a thought it takes to fill a whole life
"SPAM", with all caps, is the Hormel trademarked name. Look at a can of SPAM next time you're in the supermarket. Note the caps?
That's why some people use all caps; they are merely respecting the term's historical origins in a trademarked product.
And not to be outdone by Verisign, Google has added a default route to the global BGP table which brings any formerly unroutable web traffic to their search engine.
NOT!
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
(I suspect this is a troll, but I want to debunk this particular myth anyway.)
MSIE has been doing this for ages, and I never found it to be a problem
Microsoft Internet Explorer isn't the Internet. MSIE is one program that some people use for one task -- browsing the web. You don't have to use it. MSIE is also not a mail exchanger, diagnostic tool, or any of the many other things that this VeriSign change breaks.
Please understand the issues before posting.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
This is especially critical given that Verisign's business is supposedly trust. They sell SSL certificates, and the only way they can claim they're better to use for them than (say) I am, is that they have an established record of security procedures and trust.
Had trust. Who can take them seriously now?
I guess it's fully possible that when my friend was talking about all the SPAM his mailbox was getting....he actually meant that the postman was stuffing large amounts of Specially Prepared Assorted Meats in with his phone bill...
Then again...the question could be which is tastier...spam, or 0xdeadbeef...
"2.4 Monitoring and Communication
VeriSign actively monitors all traffic associated with Site Finder, including DNS queries matching the wildcard entries in .com and .net and associated responses, and all traffic sent to the response server. This traffic is correlated and monitored in real time, 24 hours a day, seven days a week, by VeriSign's Network Operations Centre... complete traffic stream to the .com and .net name servers and the response server, as well as rolled up statistics, are stored for analysis."
Ehm, well I don't agree to your Terms and Conditions, thank you very much. Please stop storing my typo data. Please.
Anyone have a lawyer and a small site to try this on. I suspect that you have a case of some sort. "Your honor, we had planned for this type of mistake by having some.other.domain.com as a backup, but verisign illegally stole the expired domain and started bouncing our messages." Or some such. Of course that backup wouldn't work in the case of the domain expiring and someone else registering it instead, but you tried.
You don't HAVE to get a dot com, you could just boycott verisign quite easily. Having said that, I too am the owner of a .net domain, even though I didn't lease it from verisign but from gandi.net.
And alternate root servers don't mean a damn if ISPs don't switch to them, which they are extremely unlikely to do, since Verisign hasn't pissed them off enough yet.
That is just WAY too funny! /. needs a special category for humor that goes above and beyond the rest.
"No matter where you go, there you are." -- Buckaroo Banzai
The point about URLs is their transcribability between different media, most important of which are (a) human memory, and (b) backs of cigarette packets.
I often find myself in a bar and a website name gets mentioned, and written down on whatever is at hand.
Do not underestimate the amount of first-time visitor traffic that is driven by almost indecipherable jots on crumpled pieces of paper, or hangover-clouded attempts to remember the URL you were told the night before.
It's the other way around. Hormel has a trademark on 'SPAM' and would prefer UBE to be called 'spam'. See the SPAM website for more info.
But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care?
Of course people care, and of course people aren't going to just let them get away with it. Personally, I'm impressing on my clients the need to move to another registrar very very fast. They may control the .com and .net databases, but neither I, my clients, nor my friends (who I'll volunteer time to make the move for) will be paying them to enter something in that database. Plenty of other registrars to give money to, and they ALL charge less, and it's impossible to have worse service than Verisign. I'm also checking into whether our clients are using VeriSign as a CA for any of their commerce sites and getting the wheels in motion to move those over if they are.
And yes, if things get really wacky, I'm more than willing to run DNS services for my clients and remove the Verisign controlled servers from the root.hints file.
I tried e-mailing some of the addresses that were listed in the last slashdot post on this subject, but they all bounced back, so either they moved people's e-mail addresses after the flood, or they're white-listing those addresses. In the end, though, I don't believe complaining to Verisign management will do much good, if any. I don't plan on ever using their services again, even if they stop, so why would they care if I'm pissed at them. They'd be wasting their time trying to get me back, and I and my clients are small potatoes in any case. My only hope is that more people like me get on this bandwagon, because only then would they start to feel the heat.
Exact opposite. SPAM is the trademark (SPiced hAM or something), spam is the junk mail. I can't find the link either, but a quick browse through Hormel's site will show you that they put the trademark in all-caps.
You are not alone. This is not normal. None of this is normal.
Anything that uses just IP numbers is unaffected. Like gnutella, etc.
this effectively lets VeriSign get away with it.
As a BIND architect/deployer/admin I see that ISC is always getting bashed. Kudos to them for this creative patch, presented almost instantly compared to their usual release schedules. But, precisely, it lets Verisign get away with this action, which is horrible. Especially because this: http://www.iab.org/Documents/icann-vgrs-response.html
(which was posted in the first slashdot thread about this topic), went unnoticed, and unheeded by Verisign.
Big business in this country is getting WAY out of hand with greed.
Results are here.
You dial a wrong number on your phone and a local telephone carrier answers and begins to try and sell you long distance and local services.
UNIX/Linux Consulting
The only thing that makes it different is that size difference. The *.nu thing was only mildly annoying. *.com and *.net is a huge problem.
On the upside these bind changes will put an end to all of the other cases of domain authorities doing this.
The Internet = Penelope
Verisign = Hooded Claw
ISC = Ant Hill Mob
Clyde = SOA (of course)
Dum Dum = CNAME
Pockets = NS
Snoozy = PTR
Softy = ANY
Yak Yak = MX
Zippy = A
You think ICANN is going to do anything that actually is good for the internet? Man, where have you been the last few years?
I'm a hardware tech and I just applied a code patch. Now the system won't run.
But at least that pesky user will not be able to send out an email about his idea...
You either believe in rational thought or you don't
With its digital certificate business, Verisign started as a company that dealt in trust. That was the heart of their business. Now it's hard to think of a company I trust less than Verisign.
For this stunt, they should lose their authority to register domain names. This company should never be allowed to touch internet infrastructure.
When all you have is an axe, everything looks like a grindstone.
I have tried to access a nonexistent domain through several different routes, and in all cases, it times out. And before you ask, yes, the name resolves to (what else?) 64.94.110.11.
www.wavefront-av.com
Did no one predict this a couple days ago?
I put great faith (sadly?) in the collective intelligence shared here. Who gets credit for calling this one?
You are serious? So billions of applications out there suddenly stopped working? This explains why my entire business has ground to a halt, and I can't even access Slashdot... oh...
There is no value in making such statements.
The change to the DNS lookups breaks applications that rely on an unprovable negative. This is a small, specific class of applications that can be fixed quite easily (as the BIND patch shows).
I'd like to see a list of those specific applications that cannot work any longer because they cannot distinguish "Not resolved" from 64.94.110.11.
Let me put it like this, here is a 2-line patch to fix any application so affected:
verishit = lookup_address ("shithappens" & datetime & ".com")
if lookup_address (realdomain) = verishit then
-- act as if not found
else
-- act as if found
endif
and I've gone and patched roughly 200,000 lines of code in the time it took me to make this comment, since all socket connections are in a single library function (as they damn well should be).
Rational discussion welcome, hysterical overreaction less so.
Ceci n'est pas une signature
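The 2-line patch above, and the expired-domain MX fallback problem described earlier in the thread, worked through as an added Python example (mine, not code from either poster). The resolver is an in-memory stand-in built for the example so it runs offline; apart from the 64.94.110.11 address quoted in the thread, every host name in it is made up.

```python
"""Sentinel lookup: tell a real answer from a wildcard-synthesized one.

Added example, not code from the thread. The resolver below is a
constructed in-memory stand-in for DNS so the script runs offline;
64.94.110.11 is the Site Finder address quoted in the thread and all the
host names are made up.
"""
import random
import string

SITEFINDER_IP = "64.94.110.11"


def make_wildcarded_resolver(real, wildcard_ip, wildcarded_tlds):
    """Build a fake lookup(name) -> list of addresses.

    Names in `real` resolve normally; any other name under a wildcarded
    TLD gets the wildcard address, as Site Finder did for .com/.net;
    names under other TLDs return [] (the pre-Site Finder "no such name").
    """
    def lookup(name):
        n = name.rstrip(".").lower()
        if n in real:
            return list(real[n])
        if n.rsplit(".", 1)[-1] in wildcarded_tlds:
            return [wildcard_ip]
        return []
    return lookup


def sentinel_name(tld, rng=random):
    """A random label no registrant will plausibly own; a fresh one per
    call also sidesteps any cached answer for the probe."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(24))
    return f"{label}.{tld}"


def resolve_without_wildcard(name, lookup, rng=random):
    """Return the addresses for `name`, or [] if the answer is
    indistinguishable from what the TLD wildcard hands out.

    Same idea as the 2-line patch in the comment above: first ask for a
    name that cannot exist under the same TLD; whatever comes back is the
    wildcard's address set. If the real query returns nothing but those
    addresses, report it as not found. Costs one extra lookup per query;
    caching the sentinel answer per TLD for a short time is the obvious
    refinement.
    """
    tld = name.rstrip(".").rsplit(".", 1)[-1]
    wildcard = set(lookup(sentinel_name(tld, rng)))
    addrs = lookup(name)
    if addrs and wildcard and set(addrs) <= wildcard:
        return []
    return addrs


def pick_mx_host(mx_hosts, lookup):
    """Pick the first MX host (already ordered by priority) that has an
    address. With the raw resolver the expired domain's host "resolves"
    to the wildcard, so the backup host is never tried: the bounce
    scenario described in the thread. With the sentinel-filtered lookup
    the dead host yields [] and the backup is used.
    """
    for host in mx_hosts:
        if lookup(host):
            return host
    return None


if __name__ == "__main__":
    raw = make_wildcarded_resolver(
        {"example.com": ["192.0.2.1"], "mail.otherplace.com": ["192.0.2.25"]},
        SITEFINDER_IP, {"com", "net"})
    filtered = lambda n: resolve_without_wildcard(n, raw)
    for n in ("example.com", "nosuchname.com", "nosuchname.org"):
        print(n, "raw:", raw(n), "filtered:", filtered(n))
    mx = ["mail.someplace.com", "mail.otherplace.com"]   # someplace.com has expired
    print("MX chosen raw:", pick_mx_host(mx, raw), "filtered:", pick_mx_host(mx, filtered))
```

The comparison is on the address set rather than on a hard-coded 64.94.110.11, so it survives VeriSign moving the wildcard to another address; the residual risk is a legitimate name that really is hosted on the same address as the wildcard, which this check would wrongly report as nonexistent.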
Once discovered a bright-red coffee mould. It was in a paper filter of a coffee machine that we forgot to throw out. And yes, after thoroughly rinsing the machine, we still continued to use it...
Currently, the page VeriSign serves is approximately 2.9k in size. What happens when they start adding banner ads? Will the extra traffic slow down the internet as a whole?
I wouldn't be surprised if the next Microsoft worm used VeriSign's new "feature" to bring the internet to a crawl.
$ host thisdomaindoesnotexist.com
thisdomaindoesnotexist.com has address 64.94.110.11
So every program that looked for a DNS error when a domain does not exist will no longer get that error. I wonder what kind of problems this will create.
Anything else I'm missing?
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
scroll down a bit, it's right there.
The following should be fun for those who want to post it to any page with PHP included (someone could easily translate it into Perl, Python, etc.)
// Released to the Public Domain // Distribute and Modify Freely
What this _should_ do is give at the bottom of any page 307,000 bad images that hopefully all search for unregistered domains and a different image name every time. This way, every browser needs to go try to find that image on the bad domain.
Just imagine 1,000 page views an hour. That's 307 million requests from one site per hour. Have fun!
\n";
for ($y=0;$y\n";
for ($x=0;$x\n";
}
echo "\n";
}
echo "\n
\n";
?>
Questions, comments, suggestions, complaints? Tough!
I don't understand DNS all that well, but I see the following workaround for VeriSign.
1.) Have the verisign nameserver return sitefinder for all missed domain names.
2.) Direct all failed DNS queries for .com and .net names to the verisign server.
(i.e. return the verisign nameserver whenever there is no registered domain name holder.)
How will this either a.) not work in (normal pre-BIND-patch) practice, or b.) be stopped by the BIND patch?
John_Chalisque
I'm sure it's been mentioned before, but for those of you who run their own DNS servers, there is an extremely easy way to set yourself up to use OpenNIC as an alternative root.
Simply locate your "root.servers" file (/var/named for RedHat installations) and run:
dig @131.161.247.226 > root.servers
and restart named. To verify that things are then working correctly:
> host ns0.opennic.glue
ns0.opennic.glue. has address 131.161.247.226
From that point onwards, you can update your root server file by adding something like this to your weekly cron:
/usr/bin/dig @ns0.opennic.glue > /var/named/root.servers
Sole Remedy.
YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.
also, it's nice to know that they've thoughtfully decided to help the US post office by only taking questions/comments via snail mail (why bother taking email?)
If you have any questions regarding this Privacy Policy, please contact
VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166
How is this supposed to help?
Does somebody know if a patch for pdnsd is available?
How about we pre-empt Verisign by redirecting the 404 pages to this petition?
If you read the entire TOS instead of just one paragraph, you'll see that "Verisign Services" in this context is not DNS -- it's Site Finder.
CmdrTaco@slashdot mount -t gay /dev/hemos /hemos
I remember a guy that would send telemarketers and direct mail advertisers a letter/contract the first time they called/mailed him anything. The letter basically said he was offering his services as an editor. He would read or listen to their spiel and provide comments for a charge of $50 per occurrence. The letter also said a company's act of calling or mailing him something constituted acceptance of the contract.
Whenever he got junk mail or a telemarketer called he would check if he had sent them a letter/contract. If so, he would edit the junk mail or listen to the spiel and write down comments. He would then send the comments to the companies with a bill for $50. According to a news report I saw, he took some of the companies to small claims court for failure to pay, and won.
Let's do that to Verisign. Everyone send them a letter/contract offering your services as an editor to review their web site for a fee. Then when you get routed to their wildcard site, check it for spelling, or compliance with standards, or whatever. Then send Verisign a critique with a bill.
Maybe we could do the same with respect to SCO's licensing letters.
Internet Software Consortium (ISC) is a not-for-profit corporation dedicated to developing and maintaining production quality Open Source reference implementations of core Internet protocols. ISC efforts are supported primarily by the donations of generous sponsors.
I think they need to reread the DNS RFCs. I don't recall something along the lines of "to stop someone breaking the protocol spec, you aren't required to follow the spec yourself"
Btw, shouldn't ISC focus on fixing some bugs in BIND instead? Maybe they should check out djbdns...
This is a nice solution, but what's to stop verisign delegating the wildcard instead of just returning an A record, thereby defeating BIND's new delegation-only option?
Wow: 91% NO at 10:15AM EST 2003-09-17
I wish that there were CEO polls for every company... thank you - this is the most interesting link I've seen in quite a while !!!
Steve Ballmer is at 7% LOL !
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
Other DNS caches like djbdns provided patches to handle this before Bind.
Why a Slashdot article to specifically announce the late Bind implementation?
Unfortunately, Opennic delegates the .com and .net domains to Verisign.
while true
do
    echo VerisignSucks${RANDOM}Times.com | nslookup > /dev/null
done
"Verisign did not respond [to] Requests For Comment" (emphasis added)
WARNING: there is a trojan on your
I'd rather have a full bottle in front of me than a full frontal lobotomy!
Sorry about that. Kaplan deserves some bashing, too, though.
I forget what 8 was for.
Petitions only work if a) the petitioners represent a threat to the petitionee's livelihood, or b) the petition is to force a state government to put something to a vote (e.g. referendum process). ICANN views us, the lowly internet users, as riff-raff. They are the lord, we are their serfs. What threat does a petition hold for them? They have absolute power and don't care what we think.
If a job's not worth doing, it's not worth doing right.
You must be a USian. Ah, capitalist democracy... consumers before citizens. What a pity.
... do you think I'd ever accidentally add something like "verisign.com" to a delegation zone, accidentally, of course, instead of the more unpopular "sitefinder.verisign.com"?
Naaaaaaw, I'd never do THAT...
I gotta say that when I think of atrocities, name resolving does not end up first on my list.
So does this mean that verisign-is-staffed-entirely-by-vegisexual-nazis.com is no longer owned by Verisign?
I'm sure they'll want to register verisign-employees-are-required-to-eat-seventeen-kittens-a-day-by-management.com now.
Don't Crease the Weasel!
That fixes sitefinder.verisign.com, but doesn't fix asdkasjkldjlkhasdkaslkjdklasd.com or any other typo, which points back to 64.94.110.11.
For someone who seems to know everything, you didn't do much research. Maybe you need more than 640K? You could ask Al Gore, the inventor of the Internet for help, or you could spew some other random crap misquote. Whatever you do, please make sure to type M$ a bunch of times, it makes you look so l33t.
It is even easier than I thought to bypass this 'patch'... instead of VeriSign returning an A record, they could return an NS record pointing to an NS they own and that returns whatever they want.
Who should I write in the government to complain about Verisign's abuse of power? If I recall correctly, the US government had granted Network Solutions the power to directly control the DNS servers, but NetSol was later bought out by Verisign who has done nothing but abuse its monopoly. Is there some government agency in charge of watching over Verisign; a government computer agency? I feel the need to write someone in power about this. We can patch the problem all we want - the only true solution is to end Verisign's power over the DNS outright.
http://www.petitiononline.com/verisign/
Won't this break resolution of glue records in those zones? One must be able to resolve A records from gtld-servers.net in order to get the corresponding A records for any NS records inside the .com/.net zones.
Here's some SPAM Haiku. Interestingly, Spam is not an acronym at all!
Wikileaks, no DNS
To take another approach, let's reprogram the telephone system so that any number that would previously return "I'm sorry, the number that you dialed is no longer in service" instead reroutes you to 1-900-SEX-CALL.
00010 deny log logamount 10 ip from 12.158.80.10 to any
and also in /etc/hosts:
127.0.0.1 sitefinder.verisign.com
--
"It is now safe to switch off your computer."
JH Software has just added this IP exclusion feature to their Simple DNS product.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
sigh, it seems veriscum had taken the infamous M$ motto too literally..
Compare the patches. This is a much better solution than simply mapping an IP to NXDOMAIN.
yes, very true, but microsoft did it, as well as they could..
.com and .net should be removed from verisign's authority. (mebe THAT'll learn em..)
I believe that as punishment for doing this,
LostboyTNT MercyHosting.Com
Server-Status.Com
50Bux.Com
TLDR.Com
The 2nd version of the patch for DJBDNS, which has instructions inside is at:
http://tinydns.org/djbdns-1.05-ignoreip2.patch
Regarding BIND, wouldn't it be the proper solution to simply reject A and MX records, which resolve to a wildcard result, at least for TLDs? As "ping *.com" shows, there's a non-static way to match these IPs.
I like how the Slashdot admins rejected the story I submitted yesterday afternoon, then accepted the story submission from someone else. Well done, Slashdot.
Yeah, how exactly IS this going to help??? Who modded this person informative?
It will only work if you manually try and go to sitefinder.verisign.com (www, ping, trace, whatever).
Do you really understand how DNS works? If I make a query to iudsbfkjdf.com, verisign redirects me to their IP using the wildcard 'A' record, in which the webpage at that IP CLAIMS to be www.iudsbfkjdf.com.
Adding that to hosts will only redirect you to (in your stated case - google) if you attempt to connect to sitefinder.verisign.com.
Party?!? What kind of party is this? Where's the damn keg?
Virtus Junxit Mors Non Separabit
no, that's just a 'feature' of internet explorer. (if you could call it that)
it's called 'search from the address bar', it's an option under tools, options, advanced.
it does the same type of thing (maybe that's where they got the idea.)
You can do it right now with BIND 9:
http://www.isc.org/products/BIND/delegation-only.html
Just look at what you can do now !
verisign sucks
alternative to verisign
domain hosting -verisign
trust betrayal broken internet verisign"
bind patch
I got a rep on the line and he seemed oblivious to what was going on; after a bit I got a supervisor and she gave me this email, telling me that this is where the complaints are going to:
sitefinder@verisign-grs.com
Someone asked me the difference between ignorance and apathy, I told them I don't know and I don't care.
Wow! Great idea! And while we're at it, why don't we ask Jesus Christ to come down from heaven and smite them?
Seriously, online petitions are as worthless as the paper they're not printed on.
Not an alternative .com or .net authority, though.
I thought it was SPoiled hAM.
I always thought that SPAM was an acronym.
Scientifically Produced Animal Matter
Karma: Sucks (Mostly due to the fact that you suck)
Or possibly Spoiled Pork And Mucus. But whatever.
I will upgrade the second this new version is available.
-Nick
Everyone goto http://verisignneedstogetaclue.com
But you do attempt to connect to sitefinder.verisign.com. The server at the first address issues a browser redirect. And that redirect goes to sitefinder.verisign.com: http://sitefinder.verisign.com/lpc?url=foo.baddomain.net&host=baddomain.net
However this will only feed google or whatever you set it to a set of params it won't understand.. to make it really work you need a wrapper site somewhere. I doubt this guy has actually tested it.
Unfortunately it still doesn't fix the mail problem.
This is a more aggressive petition than the one mentioned in another comment attached to this article: http://www.petitiononline.com/badnsi/petition.html "
mod parent up
Better to use a firewall or router rule to redirect http requests at that address to a local error page, eh.
Give em a call at their toll-free numbers:
888-642-9675
888-655-4636
800-361-8319
866-720-2304
Yesterday SpamAssassin began to discard most of my mail. I understand why now; because of Verisign any ip address is now flagged as an open relay in unavailable DNS blacklists:
SPAM: RCVD_IN_ORBS (2.2 points) RBL: Received via a relay in orbs.dorkslayers.com
SPAM: [RBL check: found 4.184.36.158.orbs.dorkslayers.com., type: 64.94.110.11]
#!/usr/bin/php4 -q
<?php
chdir('/tmp/verislime');
$charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
while (true) {
    $str = 'wget http://www.';
    $len = rand(5, 24);
    for ($i=0; $i<$len; $i++) {
        $idx = rand(0,strlen($charset)-1);
        $str .= $charset[$idx];
    }
    $str .= ( ((rand()%2)==0) ? '.com' : '.net');
    system($str);
}
?>
counter = 0
if (dns_response points at sitefinder) {
    counter++
    return no such address
}
if (dns_response points at valid verisign site AND counter > 0) {
    counter--
    return no such address
}
In words: set things up so that for every person they misleadingly redirect to sitefinder, tell one person looking for a valid verisign site that the site doesn't exist.
I sent to dnsmasq the following patch, to be applied over dnsmasq-1.15, so it accepts more than one address to ignore:
/* init cache the first time through */ /* but don't dump */
/* peerfd is not (by default) bound to a low port /* no sockets ready */
/* forward.c */
/* network.c */
/* returns new last_server */
/* packet from peer server, extract data for cache, and send to
diff -Nrub dnsmasq-1.15/dnsmasq.c dnsmasq-1.14/dnsmasq.c
--- dnsmasq-1.15/dnsmasq.c 2003-09-16 16:51:08.000000000 -0300
+++ dnsmasq-1.14/dnsmasq.c 2003-09-17 12:22:58.000000000 -0300
@@ -60,7 +60,7 @@
struct server *servers, *last_server;
struct resolvc default_resolv = { NULL, 1, 0, RESOLVFILE };
struct resolvc *resolv = &default_resolv;
- struct all_addr bogus_addr;
+ struct all_addr *bogus_addrs = NULL;
sighup = 1;
sigusr1 = 0;
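Review bot: `bogus_addrs` becomes a bare `struct all_addr *` initialised to NULL, but nothing in this hunk says how many addresses it covers or how the list ends, so a reader of dnsmasq.c cannot tell a one-element array from a terminated list; declare the count or sentinel next to it, for example `struct all_addr *bogus_addrs = NULL; int num_bogus_addrs = 0;`, and keep that pair together wherever the list is passed.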
@@ -80,7 +80,7 @@
options = read_opts(argc, argv, dnamebuff, &resolv, &mxname, &mxtarget, &lease_file,
&username, &groupname, &domain_suffix, &runfile,
- &if_names, &if_addrs, &if_except, &bogus_addr,
+ &if_names, &if_addrs, &if_except, &bogus_addrs,
&serv_addrs, &cachesize, &port, &query_port, &local_ttl, &addn_hosts);
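Review bot: the file headers throughout this patch list dnsmasq-1.15 as the original tree and dnsmasq-1.14 as the modified one, the reverse of the "to be applied over dnsmasq-1.15" in the post; `patch -p1` strips the directory prefix so it still applies, but renaming the modified tree (for instance dnsmasq-1.15-bogus) would stop the headers reading as a downgrade.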
@@ -402,9 +402,9 @@
continue;
if (peerfd != -1 && FD_ISSET(peerfd, &rset))
- last_server = reply_query(peerfd, options, packet, now, dnamebuff, last_server, &bogus_addr);
+ last_server = reply_query(peerfd, options, packet, now, dnamebuff, last_server, bogus_addrs);
if (peerfd6 != -1 && FD_ISSET(peerfd6, &rset))
- last_server = reply_query(peerfd6, options, packet, now, dnamebuff, last_server, &bogus_addr);
+ last_server = reply_query(peerfd6, options, packet, now, dnamebuff, last_server, bogus_addrs);
for (iface = interfaces; iface; iface = iface->next)
{
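Review bot: both `reply_query` calls now hand over `bogus_addrs` directly, so when no ignore address was given the callee receives NULL; the visible forward.c hunk does not show a NULL guard, so confirm that `reply_query` treats NULL as "nothing to ignore" rather than walking the list unconditionally.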
diff -Nrub dnsmasq-1.15/dnsmasq.h dnsmasq-1.14/dnsmasq.h
--- dnsmasq-1.15/dnsmasq.h 2003-09-16 17:06:04.000000000 -0300
+++ dnsmasq-1.14/dnsmasq.h 2003-09-17 12:33:39.000000000 -0300
@@ -218,7 +218,7 @@
char **username, char **groupname,
char **domain_suffix, char **runfile,
struct iname **if_names, struct iname **if_addrs, struct iname **if_except,
- struct all_addr *bogus_addr, struct server **serv_addrs, int *cachesize,
+ struct all_addr **bogus_addrs, struct server **serv_addrs, int *cachesize,
int *port, int *query_port, unsigned long *local_ttl, char **addn_hosts);
@@ -231,7 +231,7 @@
time_t now, unsigned long local_ttl);
struct server *reply_query(int fd, int options, char *packet, time_t now,
char *dnamebuff, struct server *last_server,
- struct all_addr *bogus_nxdomain);
+ struct all_addr *bogus_nxdomains);
struct server *reload_servers(char *fname, char *buff, struct server *servers);
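Review bot: the `reply_query` prototype keeps the type `struct all_addr *` while its meaning changes from one address to a list, so an out-of-tree caller still passing `&bogus_addr` would compile without a warning; either document the list's terminator in a comment on the prototype or change the type (a small struct with a count) so the compiler catches stale callers.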
diff -Nrub dnsmasq-1.15/forward.c dnsmasq-1.14/forward.c
--- dnsmasq-1.15/forward.c 2003-09-16 17:06:49.000000000 -0300
+++ dnsmasq-1.14/forward.c 2003-09-17 12:33:48.000000000 -0300
@@ -210,7 +210,7 @@
struct server *reply_query(int fd, int options, char *packet, time_t now,
- char *dnamebuff, struct server *last_server, struct all_addr *bogus_nxdomain)
+ char *dnamebuff, struct server *last_server, struct all_addr *bogus_nxdomains)
{
original requester */
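Review bot: this forward.c hunk only renames the parameter to `bogus_nxdomains`; the loop that compares the returned address against every entry in the list is not part of the posted diff, so as shown the interface changes but the behaviour of `reply_query` does not; include the body change, or say that it was trimmed from the post.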
diff -Nrub dnsmasq-1.15/option.c dnsmasq-1.14/option.c
--- dnsmasq-1.15/option.c 2003-09-16 17:04:17.000000000 -0300
+++ dnsmasq-1.14/option.c 2003-09-17 12:32:56.000000000 -0300
@@ -128,7 +128,7 @@
char **mxname, char **mxtarget, char **lease_file,
char **username, char **groupname, char **domain_suffix, char **runfile,
struct iname **if
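Review bot: the option.c hunk is cut off after `struct iname **if`, so the part that parses repeated ignore addresses into the `bogus_addrs` list, which is the substance of the change, is not reviewable here; please repost the complete hunk.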
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Although I agree, in principle, that what Verisign has done with SiteFinder (and other) services is a general disservice to the Internet, I fear this is only the beginning. The Internet is becoming, as we all knew it would, a public media. Now I know every geek reading that last sentence immediately reacts 'it is a public media, dufus'.
...now back to your normally scheduled geek-wringing-of-hands ranting...
But wait, I mean big-P Public. The folks who watch Joe Millionaire Public. The folks who think that Iraq caused Sept. 11, and further think that Iraq is located next to Ireland, Public. This is where the Internet is headed.
And to this subject, what does that mean? It means that they don't want an error message if they mistype a URL. A handy search page with advertisements on it gives Joe Q Public a warm feeling that someone is taking care of things.
Look for this, and other wonderful standardizations in the future.
(if you don't like this outcome, then think Education; we reap what we sow)
.ph is also doing this. it is very annoying as their service breaks dns resolution as well. also, their website is slow (and down most of the time.) instead of error messages, you get a timeout when visiting the site.
i can't wait for the government to take over the regulation of the .ph domain. although they are a private company (and monopolize the entire .ph domain,) they should be responsible.
Live your life each day as if it was your last.
This is more than a little troubling.
The BIND patch is very simple and elegant. It relies on the particular technical method that Verisign used to implement their wildcard responses. But we can make some assumptions here.
If Verisign truly believe they have the "right" to do whatever they want to do with the root zone files, they can easily circumvent the patch.
One design that they might try is to take the inbound domain name, hash it, take a modulo of the hash and create a "fake" SOA and NS for that domain name on a unique IP address. With a pool of only several thousand real IP addresses they could create what looks like 100% real zones for everything. They could even send the traffic to one of many different IP addresses. This could be an arms race that never ends.
The only "real" solution is that the root zone files must be "trusted".
If Verisign refuses to change their behaviour then one of several things must happen.
o ICANN / IANA must force them to
o DOC must force them to
o Private lawsuits must force them to
o State AGs must force them to
o Everyone must blackhole "ALL" Verisign owned IP addresses and effectively take them off of the net.
Well, he said "or some other IP address", so you could use 127.0.0.1
Which might not help much, but would spare you an ad.
I think we've pushed this "anyone can grow up to be president" thing too far.
The .nu nic is pretty aggressive about shutting down spammers.
See their TOU at http://www.nunames.nu/about/terms.cfm
"12. ACCEPTABLE USE
... You understand and agree that we reserve the right to revoke without refund any .NU name which, in our judgment, has been used for any unlawful purposes, including but not limited to child pornography, child entrapment or abuse, advocacy of hatred, bigotry or violence towards persons or groups on the basis of their religion, race, ethnicity, sexual orientation or other immutable characteristics, theft of E-mail service, or as a source of unsolicited bulk E-mail or as an address to use for replying to unsolicited bulk E-mail, or in violation of our policies with respect to spamming or otherwise abusing free search engine services (see above). "
try:
127.0.0.1 sitefinder.verisign.com
and you get the equivalent of the world b4 Verisign tried their futile attempt at hijacking my machine
" ... nuke them from orbit. .."
It's the only way to be sure
Private legal action is not the solution to this transgression. And since I don't have much faith in John Ashcroft's DoJ, the matter should be turned over to the various State's Attorney offices. IANAL, but the chances are slim that Verisign can be stripped of their monopoly (not in this pro-big-business administration).
This one is a little better:
#!/usr/bin/php4 -q
<?php
$charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
while (true) {
    $str = 'wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" --output-document=/dev/null --recursive --level 1 --timeout 30 http://www.';
    $len = rand(5, 24);
    for ($i=0; $i<$len; $i++) {
        $idx = rand(0,strlen($charset)-1);
        $str .= $charset[$idx];
    }
    $str .= ( ((rand()%2)==0) ? '.com' : '.net');
    print $str."\n";
    system($str);
    sleep(rand(4, 20));
}
?>
Say "I could care less" out loud. Listen to the intonation. It's a *sarcastic* statement, although subtly so. For further info, read Stephen Pinker's excellent Language Instinct, where among other things he debunks this and other nonsensical grammar "no-nos."
Karma: Chevy Kavalierma.
Holy cow! You really can type in any crap and get the same response!
[joke]
First off, I would appreciate it if you would put links to pr0n into a tag like everyone else.
Secondly, how dare you talk about google that way?!?!
[/joke]
Sure I'm paranoid, but am I paranoid enough?
While Verisign owns NetSol, this appears to be coming from the Network Solutions part of the company. Network Solutions has sucked for a long, long time. I also think that Verisign is losing money on NetSol and wouldn't be surprised if they got rid of it, spun it off or just killed it.
I called Verisign at 888-642-9675
and told them what I thought about it. Their customer support rep of course had no clue - I gave her a bogus domain to look up and guess what? Their internal network returns a does not exist! I gave her the IP address that all domains are returning (64.94.110.11) and asked her to do an nslookup on it and she said that it wasn't a verisign server and gave me some other company name attached to that IP.
So apparently, they force the WORLD to view their ads, but not their own employees.
Here is a much better petition entitled: "Stop Verisign DNS Abuse"
Windows 98 users, write that line into c:\windows\hosts (it can be otherwise empty).
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
simple. Verisign is trying to change a very basic part of how the Internet works without following the process or without respect for any of the other member parts of the net.
It is a rude, arrogant and selfish action that benefits only Verisign. I hope they suffer for it.
You see, they are making money now, they just want more because they think they are in a position to get it. Nevermind the rest of the net...
Until recently, changes to the core structure of the Internet were discussed and peer-reviewed via the RFC and other processes to be sure things were thought through somewhat before the changes are made live.
Verisign did not do this. Nobody wants this but Verisign. Their action is going to cost the rest of the net a lot with no real gain. If they get away with this, how many other large companies are going to decide to just change things for their own good regardless of the rest of the net.
Another point, this change affects other countries besides the US. We may be the biggest part of the net, but not all of the net. (China and Japan are gaining ground as you read this. You don't notice because their content is in a language other than English.)
What gives them the right to affect everyone this way? Seems this move conflicts strongly with their image of (cough --gasp!) trust doesn't it?
We could go back and forth on the technical nature of the change and what it should affect and what it should not, but the truth is this:
Nobody really knows the true effect because the change is to core Internet behaviour. Think of all the applications and systems that assume the net works the way it does. Should they build in extra code for potential changes when they were not advised it might happen? What if the system were built 10 years ago?
THATS WHY THEY NEED TO RFC JUST LIKE EVERYONE ELSE.
As a result, I no longer use them for my root DNS. I suggest others do the same. If we can get a significant percentage of ISP services to recognize some of the other name services, Verisign will lose a lot of their current bully status. The net will be better for it.
These days you hear the word 'monetize'. That means that somebody wants to make money off of something currently free to most folks. Just remember when you read that word, you are getting screwed by a company wanting to grow at your expense. --You will not be compensated.
Also, where money flows, power does also. If something is monetized, it becomes owned by those closest to the money. What they say goes regardless of merit because they have the dollars and we don't.
Is that how you want the Internet to develop from now on? I sure don't.
Blogging because I can...
As far as I'm concerned, that's a pretty good way to deal with them. Just periodically portscan them. It would be nice to figure out if there's one single port (say, telnet, which shows up as "filtered") that you can use to get yourself blocked: send them a single packet every 5 minutes, and never reach them.
Expanding a vast wasteland since 1996.
clickable
i didn't write the post above, but it is definitely not offtopic. here's a brief rundown of what it does:
generates a random string of characters.
performs a "wget" to look up that string as a domain name, and fetch the url returned and dump contents to /dev/null. obviously, this string (with appended .com) resolves to verisign's search page.
this accomplishes two things. first, of course, is wasting verisign bandwidth. more interestingly, however, it causes dns servers upstream from you to cache the address of all these garbage domains. when their dns cache fills up, they start discarding older entries they have had in there. basically, this is forcing dns servers to constantly flush their caches of any useful data. this, in turn, makes every valid dns query have to cascade all the way down to the root servers. that is, "slashdot.org" is no longer cached in your isp's dns cache, so every user on your isp trying to get to slashdot is contributing to a DDOS of verisign's root servers.
well done.
I've found that using the Google Toolbar means I never have to see that Verisign crap anyway (and yes my DNS servers are up to date; when I use a browser other than my default I still see Verisign). Now I see Google's own site when something doesn't work. This works for me on WinXP IE6, your mileage may vary.
Buydomains.com has been pulling this crap for at least a year now. Every 404 URL I type in always leads to buydomains.com and their incessant pop-ups. Very frustrating. I hope Verisign gets the hint and stops their practice
'mmmmmmmmm.... forbidden donut'
This is just sad, this must be the start of this: http://www.verisign.com/corporate/news/2002/pr_20021217.html
There's some phone numbers on the bottom of that too...
For when you're old and gray and want to show your kids what happened before nonsense addresses, first go to a nonsense site.
Then, go to this site, which is sure to become a favorite very quickly, for historical purposes.
"See, son, this is what happened back before VeriSign took over the unregistered Net!"
"Really, Dad?"
Safari chirps: "Server not found."
Can't help but think that left unchecked, somehow, someway, Verisign will find a way to bring the DMCA into the picture.
Patch downloaded, compiled, configured, installed, restarted..
;-) of course there are only 10 users of my DNS, but it's a start!
And it works
And the BIND solution is an excellent response in the spirit of the network
Wouldn't that be, "I'm mad as hell and I'm not going to take it anymore!"
"There are people who do not love their fellow human being, and I _hate_ people like that!" - Tom Lehrer
It only sounds sarcastic because you think you're saying something you're not. If you "could" care less, you care to some degree. However if you "could not" care less, there is no degree of caring.
It's quite simple, really. It all reminds me of the person who argued strenuously that the phrase "I haven't (ain't) got no money" was a statement designed to evoke sympathy for the poor sap's financial position. However, if one is in a condition whereby they do not have a zero sum of money, it is obvious that they do, in fact, have a sum of money.
However Mr. Thorogood had to inform his landlady that he, in fact, had no money.
BD Phone Home!
Shameless plug. Like you weren't expecting it.
You're welcome.
==========
Together, we will drive the rats from the tundra.
if you force me to tweak my DNS records (my ISP charges per change - yeah i know i should just run my own copy of BIND, but i don't want to worry about the uptime of a pair of DNS servers) i shall be forced to send you the bill :P
So, use Granite Canyon.
-jerdenn
That's great, but I have an established .net domain. If I need to admin that domain, I need to go to a verisign site.
Frustrating users is not the way to deal with this.
"Verbing weirds language." -- Calvin
Yeah, Norton Internet Security and other similar programs explicitly block referer headers to protect the user's privacy.
And it's not like nobody runs Norton.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
If you block by IP, it'll discourage them from trying any more tricks. If they switch the IP every day, and more and more of their IP addresses are permanently blocked from resolving on huge chunks of the Internet, sooner or later they'll run out of IP addresses. Which would be highly amusing.
The new feature just needed this bit added to named.conf to get it working:
When it's running, it will put messages like this to
Companies that have had their competitors register slight misspellings of their name (ue instead of eu for one company I've worked with) have won lawsuits easily. Isn't this as simple as one of the other registration companies showing that a slight misspelling of their name like egister.com instead of register.com lands them at a Network Solutions site promoting DNS registration?
I know they can argue that they're not doing the same thing, but the end result is the same. They may get business that should have gone to register.com.
So basically, anyone who pays verisign for this service is going to get bombarded with spam not only for their own domain, but for any of related-in-wildcard domains as well. I mean, domain name resolution is independent of the final protocol being used (www, ftp, etc), correct?
So, now, spammers for mydomain.com mydoman.com mydo... etc are all going to end up getting mydomain.com.
Are the spammers going to verify the domain, or perhaps some will just connect to the IP specified and spam away.
In this case, which is better/worse, a few extra customers garnered from mistyped domain-names, or a whole lot more spam? Methinks the spam-bandwidth-usage will exceed the possible profitability of new customers. Nice business model, verisign!!!
If anybody's still following this thread... I have thrown up a database of patched nameservers here (don't worry about arouse.net, it's not a porn site), which currently allows you to check to see if a nameserver has been patched to block return of 'A' results for non-existent domains, and allows you to add to the database if it is a patched server.
I'm browsing /. from the University of Hawaii computer network and it seems that they have somehow blocked this. I know, because I can type a domain name wrong, and get an error message. Then, I can log into another machine somewhere else and the same mis-type gets redirected to Verisign.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
RPMs here: http://www.denson.org.uk/bind. Binaries are for RH 7.3, so may break dependencies.
How quickly would you (and others like you) find another registrar if half the time you couldn't get to Verisign?
Maybe you're "acceptable losses" in this war.
0xCAFEBABE wins here. Time for some yummy java!
My other car is first.
Only if that number didn't already belong to somebody else. In which case you'd just get the wrong person, but not ads.
- I love animals. I try to eat at least one a day.
I don't see how DDoS-ing the root servers is going to solve this problem. A successful DoS attack against the root servers will just cause total mayhem as even legitimate domain names won't resolve any more.
Well, actually I do see the point in doing just that, but are we prepared to destroy DNS in order to save it?
I signed up for a
Well it certainly beats 0xBEEFBABE , which I believe is defined as "a girl with too much cushion for the pushin' "
Heh, I would imagine if you attempted to connect to that particular site that you'd get an ad.
I feel fantastic, and I'm still alive.
When you call, select:
I recommend that you be patient with the Verisign rep that answers the phone. That person may not fully understand the issue / problem, and they are unlikely to personally be responsible for the Verisign decision. Remember that you are objecting what Verisign as a company is doing. Don't yell at the rep. Be polite but firm.
Ask Verisign to stop the wildcarding now. Explain why what they are doing is wrong (such as being unable to determine if an e-mail message is being sent from a bogus / non-existent domain because thisdomaindoesnotexist.com resolves to 64.94.110.11).
If you do business with Verisign now, tell them that you will switch vendors unless Verisign stops this practice in X weeks. (fill in the X)
You might want to leave your phone number and request a callback. Anonymous complaints do not go as far.
If you are in the US, you might want to contact your local member of congress and object about what Verisign is doing. Let Verisign know that you are doing this when you call.
Yes, they might flush your complaint down /dev/null.
But I suspect that pressure from all fronts might help.
I have been told (off the record) that some people within Verisign are not happy with their wildcarding. Complaints get logged into a database that these people can review. Your complaints, in volume, might help those folks make a stronger case against top-level wildcarding.
chongo (was here)
add this to you firewall rules:
iptables -A FORWARD -d 64.94.110.11 -j REJECT
it is only after a long journey that you know the strength of the horse.
#!/bin/sh
get_char() {
local GOOD=0
while [ $GOOD -eq 0 ]
do
RAND_C=`dd if=/dev/urandom bs=1 count=1 2>>/dev/null`
if [ `echo "$RAND_C" | grep '[0-9A-Za-z]'` ]
then
GOOD=1
fi
done
}
get_string() {
local INDEX=0
while [ $INDEX != 32 ]
do
get_char
RAND_STR=`echo $RAND_STR$RAND_C`
INDEX=`expr $INDEX + 1`
done
}
get_string
URI=`echo $RAND_STR | tr -d ' '`
fetch -o - http://$URI.com >>/dev/null 2>>/dev/null
exit 1
The BIND patch and related things can only be a temporary measure, because Verisign will have the patch too, and be able to do something which works around it. Then BIND will work around that and so on.
Basically, you have a technological arms race, and an arms race is a race that nobody can possibly win. Legal recourse is handy for breaking the cycle.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
"I could not care less" is already plenty sarcastic. You think you're being clever and sarcastic when you're misusing the phrase, but in reality you just sound like an idiot.
Old man seeks doctor,
"I eat SPAM daily", he says.
Angioplasty.
Well, first off, I and people like me would have already jumped ship from Verisign without intarweb vigilantes deciding what website they would allow me to view. Secondly, I and people like me would also ditch an ISP that blocked access to sites immediately, and you and people like you would be the suicides-by-cop you see when a small group of fanatics decides they're going to secede from the union.
"Verbing weirds language." -- Calvin
Don't give them any ideas :/
+1 Insightful.
+1 Informative.
+1 Interesting.
+1 Funny.
+1 Completely on-topic.
Heh - this one's valid
As bad as this is - removing support for wildcard character resolution would affect some open source projects too.
Try looking around sourceforge.net subdomain variations sometime.
www.sourceforge.net is valid - www328383.sourceforge.net is also valid using the wildcard
Lets just wipe those f***** off the net completely. If we're going to route around the damage, lets route around the whole bloody lot of them.
Another good way is to send mail to a fictitious domain and let the bandwidth get sucked up. Post some large gifs or forward all your spam to them.
Sooner or later VeriSlime will correct its mistake. Also consider the BIND patch to fix this.
ftp://ftp.redhat.com/pub/redhat/linux/rawhide/i386/RedHat/RPMS/
1893319 Sep 17 13:41 bind-9.2.2-23.i386.rpm
 615472 Sep 17 13:41 bind-utils-9.2.2-23.i386.rpm
Here's the directives I added to /etc/named.conf:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "ws" { type delegation-only; };
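To show how a resolver operator could check which TLDs actually synthesise answers before adding delegation-only zones for them, here is an added Python example (not from this thread, ISC or Red Hat): it resolves a handful of random, almost certainly nonexistent labels under each TLD, and if every one of them comes back with the same address it treats that TLD as wildcarded and emits the delegation-only stanzas shown above for it. The resolver used here is a constructed offline stand-in; `system_resolve` (wrapping `socket.gethostbyname`) is the drop-in for a live check. 64.94.110.11 is the Site Finder address quoted earlier in the thread and is only used as sample data.

```python
"""Detect top-level wildcard synthesis by probing random nonexistent names.

Added example; the fake resolver and its data are constructed for offline use.
"""
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# Address Site Finder answered with, as quoted in the thread; sample data only.
SITEFINDER_ADDR = "64.94.110.11"

Resolver = Callable[[str], Optional[str]]


def random_label(length: int = 24, rng: Optional[random.Random] = None) -> str:
    """A lowercase alphanumeric label long enough to be nonexistent in practice."""
    rng = rng or random.SystemRandom()
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def system_resolve(name: str) -> Optional[str]:
    """Live lookup through the system resolver; None means NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_fake_resolver(wildcarded: Dict[str, str]) -> Resolver:
    """Constructed stand-in for system_resolve: every name under a listed TLD
    resolves to that TLD's synthesised address, everything else is NXDOMAIN."""
    def resolve(name: str) -> Optional[str]:
        tld = name.rsplit(".", 1)[-1]
        return wildcarded.get(tld)
    return resolve


def probe_tld(tld: str, resolve: Resolver, probes: int = 5,
              rng: Optional[random.Random] = None) -> Optional[str]:
    """Return the address a TLD hands out for nonexistent names, or None.

    A single NXDOMAIN is enough to clear the TLD; a wildcard is only reported
    when all probes resolve and agree on one address (a sinkhole-style answer).
    """
    addrs = set()
    for _ in range(probes):
        addr = resolve(f"{random_label(rng=rng)}.{tld}")
        if addr is None:
            return None
        addrs.add(addr)
    return addrs.pop() if len(addrs) == 1 else None


def find_wildcarded_tlds(tlds: List[str], resolve: Resolver, probes: int = 5,
                         rng: Optional[random.Random] = None) -> Dict[str, str]:
    """Map each wildcarded TLD to the address it synthesises."""
    found = {}
    for tld in tlds:
        addr = probe_tld(tld, resolve, probes, rng)
        if addr is not None:
            found[tld] = addr
    return found


def delegation_only_config(tlds: List[str]) -> str:
    """Render the BIND 'delegation-only' zone stanzas for the given TLDs."""
    return "\n".join(f'zone "{tld}" {{ type delegation-only; }};'
                     for tld in sorted(tlds))


if __name__ == "__main__":
    # Offline demo: com and net behave like Site Finder, org and ws do not.
    resolve = make_fake_resolver({"com": SITEFINDER_ADDR, "net": SITEFINDER_ADDR})
    hits = find_wildcarded_tlds(["com", "net", "org", "ws"], resolve)
    for tld, addr in hits.items():
        print(f"{tld}: nonexistent names resolve to {addr}")
    print(delegation_only_config(list(hits)))
```

Probing several random labels rather than one avoids misreading a single coincidental hit, and requiring the answers to agree distinguishes a registry-wide sinkhole from ordinary per-domain wildcards such as the sourceforge.net case mentioned further up.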
Only if that number didn't already belong to somebody else.
Which is much more common in a 16-letter[1] namespace than in a 7-digit namespace.
[1] That's a "typical" domain name length. The fact that domain names can be longer is beside the point.
Will I retire or break 10K?
Don't follow it, no iso...
So now it seems people are using the term "ISO" to refer both to a quality management conformance certificate and to a disc image. In that case, you can get your Tetris ISO from this quality management consulting firm, or from this gamez site.
Will I retire or break 10K?
Petitions only work if ... or b) the petition is to force a state government to put something to a vote (e.g. referendum process).
This petition seems to lead to a vote of no confidence in ICANN by national communications regulators.
Will I retire or break 10K?
