BIND Strikes Back Against VeriSign's Site Finder

BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."

Excellent!

[Ratface]

Tereby helping to prove the old adage that the Internet will just route around regulation! (OK, it's not strictly regulation, but with any luck Verisgn will find that "controlling" the underlying technology of the Internet is not as easy as they first though).

Good for BIND

[Empiric]

Good... Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner, with no significant work at all on their part. Taking the whole DNS stack and turning it into a profit center by redirecting it at your whim across the entire internet, is outrageous.

Re:Good for BIND

[aborchers]

And the BIND solution is an excellent response in the spirit of the network's self-healing nature. I'd rather see it solved this way than through a bunch of law suits that benefit none but the attorneys.

I can't help but think of the contraversy over deep linking and how all those stupid suits could have been avoided if server operators would have just detected the referer header and bounced deep links back to the home page...

Re:Good for BIND

[aborchers]

As UU7 just pointed out, the idea is to redirect requests with foreign headers to the front door. The vast majority of modern clients will send the header, and if it is blank, you can either elect to let them have the page, or force them to the front door and set a cookie.

If someone is so gung ho about privacy that they disable the referer header and refuse cookies, then they must accept that sites with policies that require them to come through the front door and accept a token will be unavailable to them. Publishers are under no obligation to provide their material without at least a nominal quid pro quo from the user.

Re:How will this work?

[mccalli]

I assume the patch will filter requests, which resolve to the site-finder IP...

I'd say that's quite an assumption. Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config. That config would be able to take single IPs and also ranges.

...so what's to stop VeriSign simply changing IPs every so often?

I wouldn't write this off as ineffective yet. We need to see what methodolgy is being chosen before we can comment on its technical effectiveness.

Cheers,
Ian

MX Problems

[tinla]

So you have 2 mail servers with mx priorities as follows:

mail.someplace.com 10
mail.otherplace.com 20

if your someplace.com domain expires (hey, it happens) all your mail bounces thanks to verisigns ace "Snubby Mail Rejector Daemon v1.3". The backup mx record, which is there to cover failures like domains expiring, is never tried. In the 'real' world.. where lookups on dead domains fail... the backup server would be used.

Thats a bigger problem than all this spam checking people are getting worked up about. If they both had priority 10 (a simple load balancing arrangement) then half your mail would bounce and half would be ok.

Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

Re:MX Problems

[TheViewFromTheGround]

Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

There's been this silly thread in this conversation that stakes out two sides. Either a) fix anti-social, monopolistic behavior with technology, or b) fix it with laws and legal action. This is a moronic dichotomy. A technological solution mitigates the immediate problem while the lawyers have time to file their briefs and sort out the damage done. A combination of technical solutions and legal action is a possibility and even a sometimes a Good Thing, not some binary choice.

Re:Soundex into BIND!

[AKnightCowboy]

The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one characters is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.

NO NO NO NO NO NO NO! DNS is a directory service for god's sake, not a god damn search engine. If you want a search engine then go to Google like everyone else does. If people are too stupid to assume typing in "www.whitehouse.com" will take them to the White House's homepage then they deserve to get tits in the face. Type in White House in Google, hit feeling lucky and you'll get the right page right off. DNS maps domain names to IP addresses and vice versa, nothing more. Don't pervert it into some god damn spell checking search engine.

Re:didn't they already do that?

[AKnightCowboy]

I seem to remember certain 'default' browser settings, that would automaticly re-direct unknown queries to a related MSN search page.

Having an application do that is completely different than having what is essentially one of the only Internet "utilities" do it without your consent. Redirecting queries is the job of an application, not the DNS root servers. There's a reason looking up non-registered domains returns an NXDOMAIN, because the RFC says it is should!

Re:Yeah, only SPAM, sure.

[Zocalo]

Actually, ISC as been smarter than that. What they have done is allow certain domains to be designated "delegation only". That means, in a nutshell, you can specify for instance ".net" and ISC will automatically return NXDOMAIN for anything other than an NS pointer at that level. This in effect will wipe out wildcarding at the TLD/GLD levels for which it is configured, and if you wished you could even extend it to block wildcarding of things like "*.uk.com".

Re:Has anyone..

[Oddly_Drac]

"I just did. I don't see what the fuss is."

Ah. Bless. Cuddle up nice and warm.

Verisign is the root domain authority. This is them overstepping bounds and trying to get into the search engine game, something which is 'forbidden' by ICANN. They're farming information that comes in, and if you'd read the handy terms and conditions, you'd notice some real oddity.

So, you type in a mispelled URL...what if your competitor is in their database but you aren't? Furthermore, what if they get the domain wrong? Verisign only has .net and .com and there's a world of other TLDs out there.

Then there's the email angle. They're running an MTA that barfs after the 550 for 'From: '. So they're grabbing 'legitimate' email addresses. Trust verisign? As a 'trusted' third party for certificate signing, they're supposed to remain impartial to a certain degree, except they're pushing webservices.

TRUST

[Craig+Ringer]

This is especially critical given that Verisign's business is supposedly trust. They sell SSL certificates, and the only way they can claim they're better to use for them than (say) I am, is that they have an established record of security procedures and trust.

Had trust. Who can take them seriously now?

Re:Lot of fuss about nothing

[Rich0]

but that is why we have what we call, in the jargon, "soft-ware main-ten-ance"

And the reason that we have standards bodies is so that we don't have to do "soft-ware main-ten-ance" three times a week every time somebody on a hunch decides to break the standard. Suppose AOL decided BGP isn't a good protocol and starts broadcasting AOLBGP instead - which looks like BGP to a BGP-speaking router but isn't, and is misinterpreted to cause all their routes to get scrambled. Suppose somebody has a backup MX record which doesn't get consulted because the primary is down and Verisign unhelpfully reports that it still exists and accepts but does not deliver the email. Ditto for 100 other protocols other that http.

What if the company contracted to do road-work decided that roads are an inefficient technology and decided to go ahead and replace them with rails instead. No problem, you just need to do a little car main-ten-ance...

Re:Sign the online petition to get ICANN into acti

[Dun+Malg]

ICANN might be able to force VeriSign to get this off the net http://www.petitiononline.com/icanndns/

Petitions only work if a) the petitioners represent a threat to the petitionee's livelyhood, or b) the petition is to force a state government to put something to a vote (e.g. referendum process). ICANN viewa us, the lowly internet users, as riff-raff. They are the lord, we are their serfs. What threat does a petition hold for them? They have absolute power and don't care what we think.

Re:Yeah, only SPAM, sure.

[Zocalo]

Actually the could quite easily setup their already non-standard DNS servers to simply respond with the effective equivalent of:

* IN NS screw-isc.verisign.com. and use that to deliver their stupid A records. Of course, if they do that, then things are going to degenerate rapidly. Verisign will not back down because there is money involved, the DNS admins will not back down because of the principle of the thing.

Should this happen, then ICANN is going to have to step up to the plate, since they are the body to which Verisign is responsible, and make a decision. So, on one side we will have the Internet DNS community, the IAB and IETF, while on the other we have Verisign exceeding their mandate for a chunk of cash. It should be a no-brainer, but given ICANN's track record I certainly wouldn't put any money on which way they would make the call.

Re:It bears repeating

[Utoxin]

This is NOT a solution!

I repeat, this will not fix anything. Verisign controls the .com and .net TLDs, and as such, OpenNIC has to delegate all queries to their servers. Result? All unregistered .com and .net domains will still resolve to the evil SiteFinder.

Moderators, please mod this up.

Beginning of an arms race (aka Spam)

[DDumitru]

This is more than a little troubling.

The BIND patch is very simple and elegant. It relies on the particular technical method that Verisign used to implement their wildcard responses. But we can make some assumptions here.

If Verisign truely believe they have the "right" to do whatever they want to do with the root zone files, they can easily circumvent the patch.

One design that they might try is to take the inbound domain name, hash it, take a modulo of the hash and create a "fake" SOA and NS for that domain name on a unique IP address. With a pool of only several thousand real IP addresses they could create what looks like 100% real zones for everything. They could even send the traffic to one of many different IP addresses. This could be an arms race that never ends.

The only "real" solution is that the root zone files must be "trusted".

If Verisign refuses to change their behaviour then one of several things must happen.

o ICANN / IANA must force them to
o DOC must force them to
o Private lawsuits must force them to
o State AGs must force them to
o Everying must blackhole "ALL" Verisign owned IP addresses and effectively take them off of the net.

Re:offtopic? i think not.

[efti]

I don't see how DDoS-ing the root servers is going to solve this problem. A successful DoS attack against the root servers will just cause total mayhem as even legitimate domain names won't resolve any more.

Well, actually I do see the point in doing just that, but are we prepared to destroy DNS in order to save it?