Slashdot Mirror
BIND Strikes Back Against VeriSign's Site Finder
BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."
As soon as a patch comes out, bug your ISP to sort out their DNS servers. Try and nip this thing in the bud
Interesting that BIND only runs 80% of DNS servers, what is the other 20% made up of?
The .nu domain registry has been doing this for years.
Money for nothing, pix for free
OK, I'm in favour of working-around the problem in classic
But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care? This sort of activity in a social context (umm... let's see if we can construct a tortured metaphor: ...uhhh..: Your friend asks for your cousins's phone number and you instead give them the phone number of your shop. Reasonable?) would result in the perpetrator being ostracised fairly quickly, if not actually slapped about by a clue-by-four. It's flat out antisocial behaviour, never mind any legalities.
Here, since these buggers appear to hold us all over a barrel with the root domains, we can't just ignore them, and invoking legal recourses is at best slow and expensive. But what about appeal to the authorities that granted them those rights?
Um, the more I rant about this the closer I get to thinking a better solution is switching to an alternate root... Best head off to google again then, I know there's a way around this...
--
I'd rather have a bottle in front of me than a frontal lobotomy
I hope BIND makes it configurable enough to kill off the .cc and .ws wildcards as well.
I said it a long time ago, but there's a very simple way to fix this problem. Alternic was offering a solution 7 or 8 years ago for the Network Solutions monopoly. If BIND decided to distribute a seperate set of root servers in a cache file and enough ISPs used it the Internet DNS system as we know it today could change overnight. ;-) There is NOTHING giving ICANN or Verisign any power except our own complacency to not change a single file in our DNS server. It's laziness.
The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.
Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in .com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.
DJBDNS already has a patch available.
ISPs running DNS will certainly disallow this redirection to VeriSuck.
/we/ want you to go."
But soon thereafter, if not immediately, they'll start directing their customers to their own search site, or whatever search site they're paid to send them to. Or maybe some ISPs already do this?!
We need an RFC stating that this is not permissable.
Heh, maybe as a byproduct we'll see public DNS servers pop up. "Use us for free, but occasionally we will send you where
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
ICANN might be able to force VeriSign to get this off the net
http://www.petitiononline.com/icanndns/
Is Stratton D. Sclavos doing a good job as CEO of Verisign? Vote yes or no in this Forbes.com poll.
Also, here's a petition that may also be of interest.
<sig>Guvf vf abg n frperg zrffntr
They don't state if it's simply blocking the well-known IP of SiteFinder or doing something cleverer.
How long till they change the IP/round-robin it?
I noticed the wildcard domain does not generate an SOA record so that may be a better detection mechanism, but maybe it will break existing misconfigured sites?
In any case, Verisign can always come up with new scams to make the record look more authentic.
The only long-term solution is to move to a different host, which would be really hard to arrange collectively.
That's the one.
.com zone as "delegation only." If you do, then your name server will only accept referrals from the .com servers (NS records and any associated glue).
.com and it gets back an A record for 10.0.0.1 instead of an NS record for ns.verisign-is-really-bad.com, it responds to the host querying it with NXDOMAIN instead of the A record.
Clever solution. They rigged it so that you can declare the
So, if BIND makes a non-recursive query for www.verisign-is-really-bad.com from a server authorative for
Verisign could work around this by replacing the A record with a wildcard NS record pointing to ns.sitefinder.verisign.com or some such, and then having that new name server return an IP address for any query made of it.
The question is: is Verisign willing to escalate the matter or will they back off?
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
as suggested by Abby Patel at http://www.theregister.co.uk/content/6/32872.html
/. them and see how many netblocks they end up excluding.
However, it seems that the T&C's might help us to stop this abuse. If you do not agree to the T&C's the only option they have is to not redirect your netblock to their site. So, give them a call on 0800-032-2101, select 2 to speak to their support department and once you get a human, tell them that you don't agree to their T&C's and can they remove your netblocks!
So lets
Then start running the new BIND and also contact your local Attorney General. I did.
Explain how they are in violation of the Anti-Cybersquatting laws, and have broken their contract with the Department of Commerce regarding the whois database. Mention how it's abuse of a monopoly power.
Make the states get involved, not the private attorneys.
You dial a wrong number on your phone and a local telephone carrier answers and begins to try and sell you long distance and local services.
UNIX/Linux Consulting
With it's digital certificate business, Verisign started as a company that dealt in trust. That was the heart of their business. Now it's hard to think of a company I trust less than Verisign.
For this stunt, they should lose their authority to register domain names. This company should never be allowed to touch internet infrastructure.
When all you have is an axe, everything looks like a grindstone.
"Linux is a serious competitor"
- Steve Ballmer, Chief Executive Microsoft Corp.
So how does whitehouse.com get away with it? (i'm not going to make the name a link, I do not want to link to pr0n on /.).
today is spelling optional day.
Who should I write in the government to complain about Verisign's abuse of power? If I recall correctly, the US government had granted Network Solutions the power to directly control the DNS servers, but NetSol was later bought out by Verisign who has done nothing but abuse its monopoly. Is there some government agency in charge of watching over Verisign; a government computer agency? I feel the need to write someone in power about this. We can patch the problem all we want - the only true solution is to end Verisign's power over the DNS outright.