Slashdot Mirror

← Back to Stories (view on slashdot.org)

BIND Strikes Back Against VeriSign's Site Finder

Posted by timothy on from the checks-and-balances dept.

BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."

13 of 582 comments (clear)

  1. Excellent! by Ratface · · Score: 4, Insightful

    Tereby helping to prove the old adage that the Internet will just route around regulation! (OK, it's not strictly regulation, but with any luck Verisgn will find that "controlling" the underlying technology of the Internet is not as easy as they first though).

    --

    A little planning goes a long way...
  2. Good for BIND by Empiric · · Score: 5, Insightful

    Good... Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner, with no significant work at all on their part. Taking the whole DNS stack and turning it into a profit center by redirecting it at your whim across the entire internet, is outrageous.

    --
    ~ Whence do you come, slayer of men, or where are you going, conqueror of space?
    1. Re:Good for BIND by aborchers · · Score: 5, Insightful

      And the BIND solution is an excellent response in the spirit of the network's self-healing nature. I'd rather see it solved this way than through a bunch of law suits that benefit none but the attorneys.

      I can't help but think of the contraversy over deep linking and how all those stupid suits could have been avoided if server operators would have just detected the referer header and bounced deep links back to the home page...

      --
      Trouble making decisions? Just flip for it.
    2. Re:Good for BIND by aborchers · · Score: 5, Insightful

      As UU7 just pointed out, the idea is to redirect requests with foreign headers to the front door. The vast majority of modern clients will send the header, and if it is blank, you can either elect to let them have the page, or force them to the front door and set a cookie.

      If someone is so gung ho about privacy that they disable the referer header and refuse cookies, then they must accept that sites with policies that require them to come through the front door and accept a token will be unavailable to them. Publishers are under no obligation to provide their material without at least a nominal quid pro quo from the user.

      --
      Trouble making decisions? Just flip for it.
  3. Re:How will this work? by mccalli · · Score: 4, Insightful
    I assume the patch will filter requests, which resolve to the site-finder IP...

    I'd say that's quite an assumption. Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config. That config would be able to take single IPs and also ranges.

    ...so what's to stop VeriSign simply changing IPs every so often?

    I wouldn't write this off as ineffective yet. We need to see what methodolgy is being chosen before we can comment on its technical effectiveness.

    Cheers,
    Ian

  4. MX Problems by tinla · · Score: 5, Insightful


    So you have 2 mail servers with mx priorities as follows:

    mail.someplace.com 10
    mail.otherplace.com 20

    if your someplace.com domain expires (hey, it happens) all your mail bounces thanks to verisigns ace "Snubby Mail Rejector Daemon v1.3". The backup mx record, which is there to cover failures like domains expiring, is never tried. In the 'real' world.. where lookups on dead domains fail... the backup server would be used.

    Thats a bigger problem than all this spam checking people are getting worked up about. If they both had priority 10 (a simple load balancing arrangement) then half your mail would bounce and half would be ok.

    Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

    --
    0daymeme.com: Great stuff.
    1. Re:MX Problems by TheViewFromTheGround · · Score: 4, Insightful

      Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

      There's been this silly thread in this conversation that stakes out two sides. Either a) fix anti-social, monopolistic behavior with technology, or b) fix it with laws and legal action. This is a moronic dichotomy. A technological solution mitigates the immediate problem while the lawyers have time to file their briefs and sort out the damage done. A combination of technical solutions and legal action is a possibility and even a sometimes a Good Thing, not some binary choice.

      --
      Online citizen journalism from the inner city: The View From The Ground
  5. Re:Soundex into BIND! by AKnightCowboy · · Score: 5, Insightful
    The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one characters is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.

    NO NO NO NO NO NO NO! DNS is a directory service for god's sake, not a god damn search engine. If you want a search engine then go to Google like everyone else does. If people are too stupid to assume typing in "www.whitehouse.com" will take them to the White House's homepage then they deserve to get tits in the face. Type in White House in Google, hit feeling lucky and you'll get the right page right off. DNS maps domain names to IP addresses and vice versa, nothing more. Don't pervert it into some god damn spell checking search engine.

  6. Re:didn't they already do that? by AKnightCowboy · · Score: 4, Insightful
    I seem to remember certain 'default' browser settings, that would automaticly re-direct unknown queries to a related MSN search page.

    Having an application do that is completely different than having what is essentially one of the only Internet "utilities" do it without your consent. Redirecting queries is the job of an application, not the DNS root servers. There's a reason looking up non-registered domains returns an NXDOMAIN, because the RFC says it is should!

  7. Re:Yeah, only SPAM, sure. by Zocalo · · Score: 4, Insightful

    Actually, ISC as been smarter than that. What they have done is allow certain domains to be designated "delegation only". That means, in a nutshell, you can specify for instance ".net" and ISC will automatically return NXDOMAIN for anything other than an NS pointer at that level. This in effect will wipe out wildcarding at the TLD/GLD levels for which it is configured, and if you wished you could even extend it to block wildcarding of things like "*.uk.com".

    --
    UNIX? They're not even circumcised! Savages!
  8. Re:Has anyone.. by Oddly_Drac · · Score: 4, Insightful

    "I just did. I don't see what the fuss is."

    Ah. Bless. Cuddle up nice and warm.

    Verisign is the root domain authority. This is them overstepping bounds and trying to get into the search engine game, something which is 'forbidden' by ICANN. They're farming information that comes in, and if you'd read the handy terms and conditions, you'd notice some real oddity.

    So, you type in a mispelled URL...what if your competitor is in their database but you aren't? Furthermore, what if they get the domain wrong? Verisign only has .net and .com and there's a world of other TLDs out there.

    Then there's the email angle. They're running an MTA that barfs after the 550 for 'From: '. So they're grabbing 'legitimate' email addresses. Trust verisign? As a 'trusted' third party for certificate signing, they're supposed to remain impartial to a certain degree, except they're pushing webservices.

    --
    Oddly Draconis
    Too cynical to live, too stubborn to die.
  9. TRUST by Craig+Ringer · · Score: 4, Insightful

    This is especially critical given that Verisign's business is supposedly trust. They sell SSL certificates, and the only way they can claim they're better to use for them than (say) I am, is that they have an established record of security procedures and trust.

    Had trust. Who can take them seriously now?

  10. Re:Yeah, only SPAM, sure. by Zocalo · · Score: 4, Insightful
    Actually the could quite easily setup their already non-standard DNS servers to simply respond with the effective equivalent of:

    * IN NS screw-isc.verisign.com. and use that to deliver their stupid A records. Of course, if they do that, then things are going to degenerate rapidly. Verisign will not back down because there is money involved, the DNS admins will not back down because of the principle of the thing.

    Should this happen, then ICANN is going to have to step up to the plate, since they are the body to which Verisign is responsible, and make a decision. So, on one side we will have the Internet DNS community, the IAB and IETF, while on the other we have Verisign exceeding their mandate for a chunk of cash. It should be a no-brainer, but given ICANN's track record I certainly wouldn't put any money on which way they would make the call.

    --
    UNIX? They're not even circumcised! Savages!