BIND Strikes Back Against VeriSign's Site Finder
BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."
#!/bin/bash
# Pick one random alphanumeric character from /dev/urandom into RAND_C
get_char() {
    local GOOD=0
    while [ "$GOOD" -eq 0 ]; do
        RAND_C="$(dd if=/dev/urandom bs=1 count=1 2>/dev/null)"
        if echo "$RAND_C" | grep -q '[0-9A-Za-z]'; then GOOD=1; fi
    done
}
# Collect 32 such characters into the RAND_STR array
get_string() {
    local INDEX=0
    while [ "$INDEX" != 32 ]; do
        get_char
        RAND_STR[$INDEX]=$RAND_C
        let INDEX++
    done
}
get_string
URI=$(echo "${RAND_STR[@]}" | tr -d ' ')
# Fetch the (almost certainly unregistered) .com name and discard the output
wget -O - "$URI.com" >/dev/null 2>&1
exit 1
YES!
neuennene !!!
FPFPFPFFPF
That's all right then. All we need now is Microsoft to fix Windows too and we'll be saved!
Son House's place, not only in the history of Delta blues, but in the overall history of the music, is a very high one indeed. He was a major innovator of the Delta style, along with his playing partners Charley Patton and Willie Brown. Few listening experiences in the blues are as intense as hearing one of Son House's original 1930s recordings for the Paramount label. Entombed in a hailstorm of surface noise and scratches, one can still be awestruck by the emotional fervor House puts into his singing and slide playing. Little wonder then, that the man became more than just an influence on some White English kid with a big amp; he was the main source of inspiration to both Muddy Waters and Robert Johnson, and it doesn't get much more pivotal than that. Even after his rediscovery in the mid-'60s, House was such a potent musical force that what would have been a normally genteel performance by any other bluesmen in a "folk" setting, turned into a night in the nastiest juke joint you could imagine, scaring the daylights out of young White enthusiasts expecting something far more prosaic and comfortable. Not out of Son House, no sir. When the man hit the downbeat on his National steel bodied guitar and you saw his eyes disappear into the back of his head, you knew you were going to hear some blues. And when he wasn't shouting the blues, he was singing spirituals, a cappella. Right up to the end, no bluesman was torn between the sacred and the profane more than Son House.
He was born Eddie James House, Jr., on March 21, 1902, in Riverton, MS. By the age of 15, he was preaching the gospel in various Baptist churches as the family seemingly wandered from one plantation to the next. He didn't even bother picking up a guitar until he turned 25; to quote House, "I didn't like no guitar when I first heard it; oh gee, I couldn't stand a guy playin' a guitar. I didn't like none of it." But if his ambivalence to the instrument was obvious, even more obvious was the simple fact that Son hated plantation labor even more and had developed a taste for corn whiskey. After drunkenly launching into a blues at a house frolic in Lyon, MS, one night and picking up some coin for doing it, the die seemed to be cast; Son House may have been a preacher, but he was part of the blues world now.
If the romantic notion that the blues life is said to be a life full of trouble is true, then Son found a barrel of it one night at another house frolic in Lyon. He shot a man dead that night and was immediately sentenced to imprisonment at Parchman Farm. He ended up only serving two years of his sentence, with his parents both lobbying hard for his release, claiming self defense. Upon his release -- after a Clarksdale judge told him never to set foot in town again -- he started a new life in the Delta as a full-time man of the blues.
After hitchhiking and hoboing the rails, he made it down to Lula, MS, and ran into the most legendary character the blues had to offer at that point, the one and only Charley Patton. The two men couldn't have been less similar in disposition, stature and in musical and performance outlook if they had purposely planned it that way. Patton was described as a funny, loud mouthed little guy, who was a noisy, passionate showman, using every trick in the book to win over a crowd. The tall and skinny House was by nature a gloomy man, with a saturnine disposition who still felt extremely guilt-ridden about playing the blues and working in juke joints. Yet when he ripped into one, Son imbued it with so much raw feeling that the performance became the show itself, sans gimmicks. The two of them argued and bickered constantly, and the only thing these two men seemed to have in common was a penchant for imbibing whatever alcoholic potable came their way. Though House would later refer in interviews to Patton as a "jerk" and other unprintables, it was Patton's success as a bluesman -- both live and especially on record -- that got Son's foot in the door as a recording artist. He followed Patton up to Grafton, WI, and record
And then life goes on.
The ISPs involved (according to the article) claim that they are upset that this stops their spam detection.
While that is all well and good, as a CUSTOMER, I could care less about SPAM detection. What I care about is when I suffer from the Slashdot effect (transposing of letters when I type) and I get some sponsored advertising, I would be pretty pissed off.
So if BIND blocks this, won't Verisign just make another "patch" and fix the glitch?
Thereby helping to prove the old adage that the Internet will just route around regulation! (OK, it's not strictly regulation, but with any luck Verisign will find that "controlling" the underlying technology of the Internet is not as easy as they first thought).
A little planning goes a long way...
Now that is domain name squatting taken to a new level.
Oh well, it was bound to happen at some point...
http://www.xpurple.com
Good... Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner, with no significant work at all on their part. Taking the whole DNS stack and turning it into a profit center by redirecting it at your whim across the entire internet, is outrageous.
~ Whence do you come, slayer of men, or where are you going, conqueror of space?
to /dev/null instead of /dev/anus
but couldn't this be the thin end of the wedge towards technologically mediated censorship?
after all, almost anything is possible with a patch... it just takes the will to do it.
____________________________________________
I'm a programmer with a soldering iron, and I'm not afraid to use it.
I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?
Of course, hopefully this and public opinion will actually cause VeriSign to rethink the whole operation. (We can at least dream)
As soon as a patch comes out, bug your ISP to sort out their DNS servers. Try and nip this thing in the bud
Interesting that BIND only runs 80% of DNS servers, what is the other 20% made up of?
Isn't it this one ? ;)
I'm asking because the wording is quite hard to understand as my main language isn't English
blah
http://www.isc.org/products/BIND/delegation-onl
To E-mail me, replace the first period in my domain with an @
"VeriSign did not respond requests for comment."
Isn't that what caused the problem in the first place?
Thanks, I'll be here all week!
This is very cool. Does anyone know how to do this with DJBDNS? I started thinking about it the night verisign turned on the wildcards, but promptly forgot to look any further.
maybe you'd think about getting your headers out of your .asps, &/or helping to disempower the softwar gangster/corepirate nazi/stock markup FraUD/walking dead execrable.
.compliant. if you think that you are already compliant, & it's somebody else, consider this a chance to rat them out, to gain re-admission to the onLIEn wwwhirled again, (c SourceForgerIE(tm) all rights reserved, you have none).
/.puppets.
.asp on that. when the lights come up, there'll be no going back, & no where to hide.
lookout bullow. the daze of the phonIE payper liesense georgewellian fuddite murderers/thieves are #ed.
coming soon to/already on, yOUR desktop/network?:
Due to excessive bad posting from this IP or Subnet, comment posting has temporarily (permanently, if we could figure out how to do it) been disabled. If it's you, consider this a chance to sit in the timeout corner. If it's someone else, this is a chance to hunt them down. If you think this is unfair, we don't care.
alert: you've been lax in yOUR payper liesense 'upgrades', you're out.
alert: there's a rumour that you've been badmouthing/lowrating the corepirate nazis, & the naykid furor of the felonious kingdumb, you're out.
alert: looks like yOUR kids have been listening to music again, you're out.
alert: although you appear to be browsing regularly, you've failed to make a purchase recently, you're out.
consider this a chance to stare at your monitor screen, & plan how you can become
etc... lookout bullow. these foulcurrs haven't a clue yet, as to what J. Public can do, once he's peaced off. they live in a tiny wwworld, consisting of only their owned greed/fear based goals. they should get ready to see the light.
we're building a vessel that floats on almost any suBStance.
as to the newclear power/planet/population rescue initiative:
it's all free (as in survival), & available immediately to you/all of US.
as you can maybe already see, yOUR survival/success is not the least bit dependent on the gadgets/combinations of the greed/fear based corepirate nazis, & their phonIE ?pr? ?firm? buyassed
consult with/trust in yOUR creator. more breathing. vote with yOUR wallet (somtimes that means not buying anything, a notion previously unmentioned buy the greed/fear/war mongers). seek others of non-aggressive/positive behaviours/intentions. stop wasting anything/being frivolous. that's the spirit.
investigate the newclear power plan. J. Public et AL has yet to become involved in open/honest 'net communications/commerce in a meaningful way. that's mostly due to the MiSinformation suppLIEd buy phonIE ?pr? ?firm?/stock markup FraUD execrable, etc...
truth is, there's no better/more affordable/effective way that we know of, for J. to reach other J.'s &/or their respective markets.
the overbullowned greed/fear based phonIE marketeers are self eliminating by their owned greed/fear/ego based evile MiSintentions. they must deny the existence of the power that is dissolving their ability to continue their self-centered evile behaviours.
as the lights continue to come up, you'll see what we mean. meanwhile, there are plenty of challenges, not the least of which is the planet/population rescue (from the corepirate nazi/walking dead contingent) initiative.
EVERYTHING is going to change, despite the lameNT of the evile wons. you can bet your
we weren't planted here to facilitate/perpetuate the excesses of a handful of Godless felons. you already know that? yOUR ONLY purpose here is to help one another. any other pretense is totally false.
pay attention (to yOUR environment, for example). that's quite affordable, & leads to insights on preserving life as it should/could/will be again. everything's ALL about yOUR motives.
that old tune title (hope we don't get 'busted' for using it) "make the world go away", takes on new/var
And for fuck's sake, it's called "spam" not "SPAM" you inbred motherfucker.
The DoJ has no compunction against pursuing cyber squatters.
That's fucking awesome! The ISC rocks. Verisign has no right to abuse their position like that. Way to go for people fighting the power!
--#!
OK, I'm in favour of working-around the problem in classic
But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care? This sort of activity in a social context (umm... let's see if we can construct a tortured metaphor: ...uhhh..: Your friend asks for your cousin's phone number and you instead give them the phone number of your shop. Reasonable?) would result in the perpetrator being ostracised fairly quickly, if not actually slapped about by a clue-by-four. It's flat out antisocial behaviour, never mind any legalities.
Here, since these buggers appear to hold us all over a barrel with the root domains, we can't just ignore them, and invoking legal recourses is at best slow and expensive. But what about appeal to the authorities that granted them those rights?
Um, the more I rant about this the closer I get to thinking a better solution is switching to an alternate root... Best head off to google again then, I know there's a way around this...
--
I'd rather have a bottle in front of me than a frontal lobotomy
Please go out with me.
The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.
The remaining 40% is due to the fact that people sometimes don't actually mistype a known address... they type a dead wrong address, such as "amazonbookstore.com" instead of "amazon.com". In this case, BIND should split up the phrase into separate words (in this case "amazon book store") and redirect to a search engine with those words as parameters.
The big question in this case is: which search engine? I think that one should be able to choose, in one way or another. If not, Google would be my choice ;-)
You should know, you are all 4.
I was dumb enough to sign up with what was called Network Solutions at the time. Then during a moment of sheer stupidity, I renewed... till 2007!
I really want to get away from these jerks. There seem to be lots of registrars out there, but I've heard horror stories about totally unresponsive registrars that are glad to take your money, but ignore you if there's any problem at all. Also, if I switch, doesn't that just improve Verisign's profit margin? I've paid till 2007, now they don't have to do anything at all for that money. If I transfer to another registrar does Verisign get to keep my money?
Advice?
Signatures are a waste of bandwi (buffering...)
I seem to remember certain 'default' browser settings that would automatically re-direct unknown queries to a related MSN search page.
LostboyTNT MercyHosting.Com
Server-Status.Com
50Bux.Com
TLDR.Com
Patches for DJBDNS and lots of other daemons here.
upgrade can be found here: http://www.isc.org/products/BIND/delegation-only.html
There is no need to create a com or net data file. Just these
entries in the named.conf file are enough:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
Of course, if you use views, this needs to be provided within the relevant
view (the one performing recursive lookups).
quote from:
http://marc.theaimsgroup.com/?l=bind9-users&m=106379587928771&w=2
... can be found at http://www.imperialviolet.org/dnsfix.html
AGL
Russell Nelson has a patch for tinydns which does the same thing.
He also notes that several other TLD operators do the same thing and has another patch that allows you to do the same thing to several naughty TLD operators at once.
Although the news is not on the BIND page yet, patches for the current versions 9.2.2 and 9.1.3 are already available. Only 9.2.3rc2 is currently listed on the page (as of this writing).
You can get the details from the bind-announce list archives:
All versions were released a few hours ago. Here is the common paragraph at the top of these three messages:
Have fun downloading and installing!
-Raphaël
It says on the BIND site that it runs 80% of the net's DNS servers - I wonder what runs on the remaining 20%? And are they likely to implement something similar?
Basically, I'm wondering how much of the net will end up bypassing Verisign's silly stunt...
So you have 2 mail servers with mx priorities as follows:
mail.someplace.com 10
mail.otherplace.com 20
if your someplace.com domain expires (hey, it happens) all your mail bounces thanks to VeriSign's ace "Snubby Mail Rejector Daemon v1.3". The backup MX record, which is there to cover failures like domains expiring, is never tried. In the 'real' world... where lookups on dead domains fail... the backup server would be used.
That's a bigger problem than all this spam checking people are getting worked up about. If they both had priority 10 (a simple load balancing arrangement) then half your mail would bounce and half would be ok.
Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.
0daymeme.com: Great stuff.
The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.
Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in .com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.
DJBDNS already has a patch available.
Sure, it sounds like another tin-foil hat theory, but can anyone come up with another explanation which makes more sense for the "Lemming Look" of companies searching for the biggest cliff to jump off? (Yeah, I know, lemming suicides are a Disney myth. Too bad SCO and Verisign aren't.)
One line blog. I hear that they're called Twitters now.
The Internet now holds the same properties as Atmosphere and Ocean. This cannot last. Nature will find a way, and soon.
Now, if you'll excuse me, I have backups to corrupt.
ISPs running DNS will certainly disallow this redirection to VeriSuck.
But soon thereafter, if not immediately, they'll start directing their customers to their own search site, or whatever search site they're paid to send them to. Or maybe some ISPs already do this?!
We need an RFC stating that this is not permissible.
Heh, maybe as a byproduct we'll see public DNS servers pop up. "Use us for free, but occasionally we will send you where /we/ want you to go."
I for one welcome our new DNS overlords! All our domain name are belong to THEM! Mwuhahahaha...
Please help metamoderate.
Maybe if a misspelled URL went to a random other URL, it might be OK, but using that page to advertise for a particular company's profit, regardless of the URL, seems really bad. I would much prefer to have a "not found" message, since that's really what's happened. Can you imagine if this happened while driving? Anytime you turn down the wrong street, the same ad came on the radio or something like that? It seems positively Orwellian.
stuff |
"Could care less" implies you care at least to some degree.
this is just a trick. They just want to get rid of all those obsolete BIND-versions out in the internet.
So they did this to goad all admins into patching their BIND.
Tricky they are...
Regards, Martin
ISC has already released the patch. It's available at http://www.isc.org/products/BIND/delegation-only.html. What it does is let you specify any zone (i.e. domain) whereby the server will filter out any wildcards from the authoritative server.
..actually typed a wrong address and seen what Verisign is throwing up?
I just did. I don't see what the fuss is.
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
MSIE has been doing this for ages, and I never found it to be a problem, but rather more helpful than the old "404 Not found" messages we used to see.
So Verisign have found a portable way to slice Microsoft's little niche away, and gain some advertising. So what? You type junk into an URL and you expect a civilized answer?
Actually typing URLs is an anachronism in the linked reality of the web. C'mon, my home page is our local wiki, and all the sites I access frequently are bookmarked as little icons.
What, again, is the problem here, apart from the fact that Verisign is a hateable entity who seem destined to simply annoy everyone they deal with.
Ceci n'est pas une signature
ICANN might be able to force VeriSign to get this off the net
http://www.petitiononline.com/icanndns/
Is Stratton D. Sclavos doing a good job as CEO of Verisign? Vote yes or no in this Forbes.com poll.
Also, here's a petition that may also be of interest.
<sig>Guvf vf abg n frperg zrffntr
That site also talks about a netfilter solution, but don't give much detail. Does their tar.bz provide firewall rules to clean up DNS replies as they come in?
They don't state if it's simply blocking the well-known IP of SiteFinder or doing something cleverer.
How long till they change the IP/round-robin it?
I noticed the wildcard domain does not generate an SOA record so that may be a better detection mechanism, but maybe it will break existing misconfigured sites?
In any case, Verisign can always come up with new scams to make the record look more authentic.
The only long-term solution is to move to a different host, which would be really hard to arrange collectively.
Ok, web site crackers....
First group to change Verisigns cach all to point to Goats.cx!! Marks.... Get set.... GO!
Tony.
Buy 3 Long life LED keychains from me, for just 5 pounds. Thanks.
I also noticed that Internet Explorer does not route me to the Site Finder address but to the MSN search site, did they already implement some kind of circumvention as well?
Hey - they paid good money for the right to do this. Why shouldn't they be allowed to do so?
I mean, if some company paid good money to police my town, and they arrested or refused to arrest whomever they wanted, I wouldn't complain. After all - they paid for the right to do so.
We do not live in the 21st century. We live in the 20 second century.
Yes
Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config.
And what good would that do? If VeriSlime changes the ip hourly, you'd have to edit the config file hourly: bwilliant patching Holmes.
I prefer the patch as it will be supplied by the ISC: Patch bind and add the following snippet to named.conf:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
Tada. Let VeriSlime work around *that*.
However, it seems that the T&C's might help us to stop this abuse. If you do not agree to the T&C's the only option they have is to not redirect your netblock to their site. So, give them a call on 0800-032-2101, select 2 to speak to their support department and once you get a human, tell them that you don't agree to their T&C's and can they remove your netblocks!
as suggested by Abby Patel at http://www.theregister.co.uk/content/6/32872.html
So let's /. them and see how many netblocks they end up excluding.
But what if two different factions decide to do this at once? Will we get a new, much more serious, EFNet split?
And who is going to pay? How do you distribute the cost?
How small a thought it takes to fill a whole life
And not to be outdone by Verisign, Google has added a default route to the global BGP table which brings any formerly unroutable web traffic to their search engine.
NOT!
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
(I suspect this is a troll, but I want to debunk this particular myth anyway.)
MSIE has been doing this for ages, and I never found it to be a problem
Microsoft Internet Explorer isn't the Internet. MSIE is one program that some people use for one task -- browsing the web. You don't have to use it. MSIE is also not a mail exchanger, diagnostic tool, or any of the many other things that this VeriSign change breaks.
Please understand the issues before posting.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
This is especially critical given that Verisign's business is supposedly trust. They sell SSL certificates, and the only way they can claim they're better to use for them than (say) I am, is that they have an established record of security procedures and trust.
Had trust. Who can take them seriously now?
According to research at an English university, BIND is a DNS server.
The parent post provides useful information on what the patch actually does, and is a useful antidote to all the misinformation/speculation about it in many other posts.
"2.4 Monitoring and Communication. VeriSign actively monitors all traffic associated with Site Finder, including DNS queries matching the wildcard entries in .com and .net and associated responses, and all traffic sent to the response server. This traffic is correlated and monitored in real time, 24 hours a day, seven days a week, by VeriSign's Network Operations Centre... complete traffic stream to the .com and .net name servers and the response server, as well as rolled up statistics, are stored for analysis."
Ehm, well I don't agree to your Terms and Conditions, thank you very much. Please stop storing my typo data Please.
Anyone have a lawyer and a small site to try this on. I suspect that you have a case of some sort. "Your honor, we had planned for this type of mistake by having some.other.domain.com as a backup, but verisign illegally stole the expired domain and started bouncing our messages." Or some such. Of course that backup wouldn't work in the case of the domain expiring and someone else registering it instead, but you tried.
You don't HAVE to get a dot com, you could just boycott verisign quite easily. Having said that, I too am the owner of a .net domain, even though I didn't lease it from verisign but from gandi.net.
And alternate root servers don't mean a damn if ISP's don't switch to them, which they are extremely unlikely to do, since verisign hasn't pissed them off enough yet.
That is just WAY too funny! /. needs a special category for humor that goes above and beyond the rest.
"No matter where you go, there you are." -- Buckaroo Banzai
The point about URL's is their transcribability between different media, most important of which are (a) human memory, and (b) backs of cigarette packets.
I often find myself in a bar and a website name gets mentioned, and written down on whatever is at hand.
Do not underestimate the amount of first-time visitor traffic that is driven by almost indecipherable jots on crumpled pieces of paper, or hangover-clouded attempts to remember the URL you were told the night before.
But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care?
Of course people care, and of course people aren't going to just let them get away with it. Personally, I'm impressing on my clients the need to move to another registrar very very fast. They may control the .com and .net databases, but neither I, my clients, nor my friends (who I'll volunteer time to make the move for) will be paying them to enter something in that database. Plenty of other registrars to give money to, and they ALL charge less, and it's impossible to have worse service than Verisign. I'm also checking into whether our clients are using VeriSign as a CA for any of their commerce sites and getting the wheels in motion to move those over if they are.
And yes, if things get really wacky, I'm more than willing to run DNS services for my clients and remove the Verisign controlled servers from the root.hints file.
I tried e-mailing some of the addresses that were listed in the last slashdot post on this subject, but they all bounced back, so either they moved people's e-mail addresses after the flood, or they're white-listing those addresses. In the end, though, I don't believe complaining to Verisign management will do much good, if any. I don't plan on ever using their services again, even if they stop, so why would they care if I'm pissed at them. They'd be wasting their time trying to get me back, and I and my clients are small potatoes in any case. My only hope is that more people like me get on this bandwagon, because only then would they start to feel the heat.
Anything that uses just IP numbers is unaffected. Like gnutella, etc.
this effectively lets VeriSign get away with it.
As a BIND architect/deployer/admin I see that ISC is always getting bashed. Kudos to them for this creative patch, presented almost instantly compared to their usual release schedules. But, precisely, it lets Verisign get away with this action, which is horrible. Especially because this: http://www.iab.org/Documents/icann-vgrs-response.html
(which was posted in the first slashdot thread about this topic), went unnoticed, and unheeded by Verisign.
Big business in this country is getting WAY out of hand with greed.
Results are here.
You dial a wrong number on your phone and a local telephone carrier answers and begins to try and sell you long distance and local services.
UNIX/Linux Consulting
The Internet = Penelope
Verisign = Hooded Claw
ISC = Ant Hill Mob
Clyde = SOA (of course)
Dum Dum = CNAME
Pockets = NS
Snoozy = PTR
Softy = ANY
Yak Yak = MX
Zippy = A
+1, funny
You think ICANN is going to do anything that actually is good for the internet? Man, where have you been the last few years?
I'm a hardware tech and I just applied a code patch. Now the system won't run.
But at least that pesky user will not be able to send out an email about his idea...
You either believe in rational thought or you don't
216.239.51.99 can be any IP.
216.239.51.99 is Google.com.
OK, it's not strictly regulation, but with any luck Verisign will find that "controlling" the underlying technology of the Internet is not as easy as they first thought
Yes, Google is in control.
With its digital certificate business, Verisign started as a company that dealt in trust. That was the heart of their business. Now it's hard to think of a company I trust less than Verisign.
For this stunt, they should lose their authority to register domain names. This company should never be allowed to touch internet infrastructure.
When all you have is an axe, everything looks like a grindstone.
I have tried to access a nonexistent domain through several different routes, and in all cases, it times out. And before you ask, yes, the name resolves to (what else?) 64.94.110.11.
www.wavefront-av.com
Did no one predict this a couple days ago?
I put great faith (sadly?) in the collective intelligence shared here. Who gets credit for calling this one?
You are serious? So billions of applications out there suddenly stopped working? This explains why my entire business has ground to halt, and I can't even access Slashdot... oh...
There is no value in making such statements.
The change to the DNS lookups breaks applications that rely on an unprovable negative. This is a small, specific class of applications that can be fixed quite easily (as the BIND patch shows).
I'd like to see a list of those specific applications that cannot work any longer because they cannot distinguish "Not resolved" from 64.94.110.11.
Let me put it like this, here is a 2-line patch to fix any application so affected:
verishit = lookup_address ("shithappens" & datetime & ".com")
if lookup_address (realdomain) = verishit then
    -- act as if not found
else
    -- act as if found
endif
and I've gone and patched roughly 200,000 lines of code in the time it took me to make this comment, since all socket connections are in a single library function (as they damn well should be).
Rational discussion welcome, hysterical overreaction less so.
Ceci n'est pas une signature
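The sentinel trick in the "2-line patch" above and the expired-primary-MX scenario from the mail.someplace.com post, worked through as an added example (not code from the thread or from ISC). The resolver is a constructed in-memory stand-in so it runs offline; 64.94.110.11 is the wildcard address quoted in the thread, the 192.0.2.x hosts and the `wc-probe-` label are my own.

```python
"""Wildcard-aware resolution for a TLD that synthesizes answers (Site Finder style)."""
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Lookup = Callable[[str], Optional[str]]

WILDCARD_IP = "64.94.110.11"       # address every unregistered .com/.net now "has"
WILDCARDED_TLDS = ("com", "net")   # TLDs whose zone carries the wildcard


def make_lookup(zone: Dict[str, str]) -> Lookup:
    """Build a gethostbyname()-style function over a constructed zone table.

    Names in `zone` resolve normally.  Any other name under a wildcarded TLD
    returns WILDCARD_IP instead of a "not found" error, which is exactly the
    behaviour the thread complains about.  Other TLDs still return None.
    """
    def lookup(name: str) -> Optional[str]:
        name = name.rstrip(".").lower()
        if name in zone:
            return zone[name]
        if name.rsplit(".", 1)[-1] in WILDCARDED_TLDS:
            return WILDCARD_IP
        return None
    return lookup


def sentinel_probe(lookup: Lookup, tld: str) -> Optional[str]:
    """Resolve a random, unregistrable label under `tld` (hypothetical prefix).

    A non-None answer means the TLD is synthesizing records, and whatever
    address comes back is the wildcard target *right now*, so the comparison
    keeps working even if the operator rotates the address.
    """
    return lookup(f"wc-probe-{secrets.token_hex(12)}.{tld}")


def resolve_strict(lookup: Lookup, name: str) -> Optional[str]:
    """Return the address of `name`, or None when the answer is indistinguishable
    from the TLD wildcard, i.e. restore the "name does not exist" signal."""
    addr = lookup(name)
    if addr is None:
        return None
    tld = name.rstrip(".").rsplit(".", 1)[-1]
    probe = sentinel_probe(lookup, tld)
    return None if probe is not None and addr == probe else addr


MXRecord = Tuple[int, str]  # (priority, host)


def pick_mx_naive(lookup: Lookup, mx: List[MXRecord]) -> Optional[Tuple[str, str]]:
    """Pre-wildcard logic: the first MX host that resolves wins.  With the
    wildcard an expired primary still "resolves", so the backup is never tried."""
    for _prio, host in sorted(mx):
        addr = lookup(host)
        if addr is not None:
            return host, addr
    return None


def pick_mx(lookup: Lookup, mx: List[MXRecord]) -> Optional[Tuple[str, str]]:
    """Same preference order, but skip hosts that only resolve via the wildcard."""
    for _prio, host in sorted(mx):
        addr = resolve_strict(lookup, host)
        if addr is not None:
            return host, addr
    return None


# Constructed data: someplace.com has expired, so only the backup MX host is real.
EXPIRED_ZONE = {"mail.otherplace.com": "192.0.2.20", "www.example.com": "192.0.2.80"}
MX_RECORDS: List[MXRecord] = [(10, "mail.someplace.com"), (20, "mail.otherplace.com")]

if __name__ == "__main__":
    lookup = make_lookup(EXPIRED_ZONE)
    print("naive :", pick_mx_naive(lookup, MX_RECORDS))  # hands mail to the wildcard host
    print("strict:", pick_mx(lookup, MX_RECORDS))        # falls back to the backup MX
    print("bogus :", resolve_strict(lookup, "thisdomaindoesnotexist.com"))  # None again
```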
Once discovered a bright-red coffee mould. It was in a paper filter of a coffee machine that we forgot to throw out. And yes, after thoroughly rinsing the machine, we still continued to use it...
Currently, the VeriSign page is approximately 2.9k in size. What happens when they start adding banner ads? Will the extra traffic slow down the internet as a whole?
I wouldn't be surprised if the next Microsoft worm used VeriSign's new "feature" to bring the internet to a crawl.
$ host thisdomaindoesnotexist.com
thisdomaindoesnotexist.com has address 64.94.110.11
So every program that looked for a DNS error when a domain does not exist will no longer get that error. I wonder what kind of problems this will create.
Anything else I'm missing?
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
scroll down a bit, it's right there.
The following should be fun for those who want to post it to any page with PHP included (someone could easily translate it into Perl, Python, etc.)
// Released to the Public Domain // Distribute and Modify Freely
What this _should_ do is give at the bottom of any page 307,000 bad images that hopefully all search for unregistered domains and a different image name every time. This way, every browser needs to go try to find that image on the bad domain.
Just imagine 1,000 page views an hour. That's 307 million requests from one site per hour. Have fun!
\n";
for ($y=0;$y\n";
for ($x=0;$x\n";
}
echo "\n";
}
echo "\n
\n";
?>
Questions, comments, suggestions, complaints? Tough!
I don't understand DNS all that well, but I see the following workaround for VeriSign.
1.) Have the verisign nameserver return sitefinder for all missed domain names.
2.) Direct all failed DNS queries for .com and .net names to the verisign server (i.e. return the verisign nameserver whenever there is no registered domain name holder.)
How will this either a.) not work in (normal pre-BIND-patch) practice, or b.) be stopped by the BIND patch?
John_Chalisque
I'm sure it's been mentioned before, but for those of you who run their own DNS servers, there is an extremely easy way to set yourself up to use OpenNIC as an alternative root.
Simply locate your "root.servers" file (/var/named for RedHat installations) and run:
dig @131.161.247.226 > root.servers
and restart named. To verify that things are then working correctly:
> host ns0.opennic.glue
ns0.opennic.glue. has address 131.161.247.226
From that point onwards, you can update your root server file by adding something like this to your weekly cron:
/usr/bin/dig @ns0.opennic.glue > /var/named/root.servers
Sole Remedy.
YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.
also, it's nice to know that they've thoughtfully decided to help the US post office by only taking questions/comments via snail mail (why bother taking email?)
If you have any questions regarding this Privacy Policy, please contact
VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166
Does somebody know if a patch for pdnsd is available?
How about we pre-empt Verisign by redirecting the 404 pages to this petition?
If you read the entire TOS instead of just one paragraph, you'll see that "Verisign Services" in this context is not DNS -- it's Site Finder.
I remember a guy that would send telemarketers and direct mail advertisers a letter/contract the first time they called/mailed him anything. The letter basically said he was offering his services as an editor. He would read or listen to their spiel and provide comments for a charge of $50 per occurrence. The letter also said a company's act of calling or mailing him something constituted acceptance of the contract.
Whenever he got junk mail or a telemarketer called he would check if he had sent them a letter/contract. If so, he would edit the junk mail or listen to the spiel and write down comments. He would then send the comments to the companies with a bill for $50. According to a news report I saw, he took some of the companies to small claims court for failure to pay, and won.
Let's do that to Verisign. Everyone send them a letter/contract offering your services as an editor to review their web site for a fee. Then when you get routed to their wildcard site, check it for spelling, or compliance with standards, or whatever. Then send Verisign a critique with a bill.
Maybe we could do the same with respect to SCO's licensing letters.
Internet Software Consortium (ISC) is a not-for-profit corporation dedicated to developing and maintaining production quality Open Source reference implementations of core Internet protocols. ISC efforts are supported primarily by the donations of generous sponsors.
I think they need to reread the DNS' RFC's. I don't recall something along the lines of "to stop someone breaking the protocol spec, you aren't required to follow the spec yourself"
Btw, shouldn't ISC focus on fixing some bugs in BIND instead? Maybe they should check out djbdns...
This is a nice solution, but what's to stop verisign delegating the wildcard instead of just returning an A record, thereby defeating BIND's new delegation-only option?
Wow: 91% NO at 10:15AM EST 2003-09-17
I wish that there were CEO polls for every company... thank you - this is the most interesting link I've seen in quite a while !!!
Steve Ballmer is at 7% LOL !
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
Other DNS caches like djbdns provided patches to handle this before Bind.
Why a Slashdot article to specifically announce the late Bind implementation?
{{.sig}}
Unfortunately, Opennic delegates the .com and .net domains to Verisign.
while true
do
echo VerisignSucks${RANDOM}Times.com | nslookup > /dev/null
done
"Verisign did not respond [to] Requests For Comment" (emphasis added)
WARNING: there is a trojan on your
I'd rather have a full bottle in front of me than a full frontal lobotomy!
Sorry about that. Kaplan deserves some bashing, too, though.
I forget what 8 was for.
Petitions only work if a) the petitioners represent a threat to the petitionee's livelihood, or b) the petition is to force a state government to put something to a vote (e.g. referendum process). ICANN views us, the lowly internet users, as riff-raff. They are the lord, we are their serfs. What threat does a petition hold for them? They have absolute power and don't care what we think.
If a job's not worth doing, it's not worth doing right.
You must be a USian. Ah, capitalist democracy... consumers before citizens. What a pity.
... do you think I'd ever accidentally add something like "verisign.com" to a delegation zone, accidentally, of course, instead of the more unpopular "sitefinder.verisign.com"?
Naaaaaaw, I'd never do THAT...
I gotta say that when I think of atrocities, name resolving does not end up first on my list.
So does this mean that verisign-is-staffed-entirely-by-vegisexual-nazis.com is no longer owned by Verisign?
I'm sure they'll want to register verisign-employees-are-required-to-eat-seventeen-kittens-a-day-by-management.com now.
Don't Crease the Weasel!
It is even easier than I thought to bypass this 'patch'... instead of VeriSign returning an A record, they could return an NS record pointing to an NS they own and that returns whatever they want.
Who should I write in the government to complain about Verisign's abuse of power? If I recall correctly, the US government had granted Network Solutions the power to directly control the DNS servers, but NetSol was later bought out by Verisign who has done nothing but abuse its monopoly. Is there some government agency in charge of watching over Verisign; a government computer agency? I feel the need to write someone in power about this. We can patch the problem all we want - the only true solution is to end Verisign's power over the DNS outright.
http://www.petitiononline.com/verisign/
Won't this break resolution of glue records in those zones? One must be able to resolve A records from gtld-servers.net in order to get the corresponding A records for any NS records inside the .com/.net zones.
Here's some SPAM Haiku. Interestingly, Spam is not an acronym at all!
Wikileaks, no DNS
To take another approach, let's reprogram the telephone system so that any number that would previously return "I'm sorry, the number that you dialed is no longer in service" instead reroutes you to 1-900-SEX-CALL.
00010 deny log logamount 10 ip from 12.158.80.10 to any
and also in /etc/hosts:
127.0.0.1 sitefinder.verisign.com
--
"It is now safe to switch off your computer."
JH Software has just added this IP exclusion feature to their Simple DNS product.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
sigh, it seems veriscum had taken the infamous M$ motto too literally..
--
"It is now safe to switch off your computer."
Compare the patches. This is a much better solution than simply mapping an IP to NXDOMAIN.
yes, very true, but microsoft did it, as well as they could..
I believe that as punishment for doing this, .com and .net should be removed from verisign's authority. (mebe THAT'll learn em..)
LostboyTNT MercyHosting.Com
Server-Status.Com
50Bux.Com
TLDR.Com
The 2nd version of the patch for DJBDNS, which has instructions inside is at:
http://tinydns.org/djbdns-1.05-ignoreip2.patch
Regarding BIND, wouldn't it be the proper solution to simply reject A and MX records, which resolve to a wildcard result, at least for TLDs? As "ping *.com" shows, there's a non-static way to match these IPs.
I like how the Slashdot admins rejected the story I submitted yesterday afternoon, then accepted the story submission from someone else. Well done, Slashdot.
no, that's just a 'feature' of internet explorer. (if you could call it that)
it's called 'search from the address bar', it's an option under tools, options, advanced.
it does the same type of thing (maybe that's where they got the idea.)
LostboyTNT MercyHosting.Com
Server-Status.Com
50Bux.Com
TLDR.Com
You can do it right now with BIND 9:
http://www.isc.org/products/BIND/delegation-only.html
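What that page describes, as a named.conf fragment. This is an added example written by the editor, not configuration taken from the page or from ISC's announcement; the syntax is BIND 9's delegation-only zone type and the root-delegation-only option, and the exclusion list is an assumed illustration that has to be checked against the TLDs your resolver actually sees.

```conf
// Added example (not from the page or from ISC's patch text).
// A delegation-only zone makes the resolver insist that answers for names
// directly under "com" and "net" arrive as NS delegations; a bare A or MX
// answer coming straight from the gTLD servers (the Site Finder wildcard)
// is rewritten to NXDOMAIN.  A proper referral, NS records in the
// authority section together with their glue, is the expected shape of an
// answer and passes through unchanged.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

// Alternative: treat every top-level zone as delegation-only at once.
// TLDs that legitimately serve host data at the second level must be
// excluded, otherwise their real answers become NXDOMAIN too.
// (Assumed exclusion list for illustration; verify it for your resolver.)
options {
    root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
```

The blanket form is the one that needs care: the failure mode is not "too little blocking" but real names in an excluded-by-mistake TLD vanishing, so test a known host under each TLD you rely on after reloading named.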
Just look at what you can do now !
verisign sucks
alternative to verisign
domain hosting -verisign
trust betrayal broken internet verisign"
bind patch
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
I got a rep on the line and he seems oblivious of what was going on, after a bit I got a superviser and she gave me this email telling me that this is where the complaints are going to:
sitefinder@verisign-grs.com
Someone asked me the difference between ignorance and apathy, I told them I don't know and I don't care.
Wow! Great idea! And while we're at it, why don't we ask Jesus Christ to come down from heaven and smite them?
Seriously, online petitions are as worthless as the paper they're not printed on.
Not an alternative .com or .net authority, though.
I will upgrade the second this new version is available.
-Nick
Everyone goto http://verisignneedstogetaclue.com
This is a more aggressive petition than the one mentioned in another comment attached to this article: http://www.petitiononline.com/badnsi/petition.html
mod parent up
Give em a call at their toll-free numbers:
2 0-2304
888-642-9675
888-655-4636
800-361-8319
866-7
Yesterday SpamAssassin began to discard most of my mail. I understand why now; because of Verisign any ip address is now flagged as an open relay in unavailable DNS blacklists:
SPAM: RCVD_IN_ORBS (2.2 points) RBL: Received via a relay in orbs.dorkslayers.com
SPAM: [RBL check: found 4.184.36.158.orbs.dorkslayers.com., type: 64.94.110.11]
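The failure the log lines above show, in code: a DNSBL client that treats any A record as "listed" is fooled by the wildcard the moment the list's zone goes dead, because every query under a nonexistent .com name now answers 64.94.110.11. Below is an added example, not SpamAssassin's code and not from the page, showing the naive check beside a hardened one that accepts only 127.0.0.0/8 answers and sanity-tests the zone first (the 127.0.0.2 "must be listed" and 127.0.0.1 "must not be listed" convention used by DNSBL operators). The resolver is injectable; `bl.example` and the 203.0.113.9 listing are constructed sample data, while 158.36.184.4 and orbs.dorkslayers.com are the values from the log lines.

```python
"""DNSBL lookup that survives a wildcarded parent zone.  Added example; the
resolver is passed in so the dead orbs.dorkslayers.com zone can be simulated
offline without touching real DNS."""
import ipaddress
from typing import Callable, List, Optional

Resolver = Callable[[str], List[str]]  # [] means NXDOMAIN

# DNSBLs answer with addresses inside 127.0.0.0/8; anything else is not a listing.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """158.36.184.4 in zone bl.example -> 4.184.36.158.bl.example"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def naive_is_listed(resolve: Resolver, ip: str, zone: str) -> bool:
    """The fragile check: any A record at all counts as 'listed'.  Under the
    .com wildcard every query to a dead zone comes back as 64.94.110.11."""
    return bool(resolve(dnsbl_name(ip, zone)))


def _is_listing(addrs: List[str]) -> bool:
    """Only loopback-range answers are real listings."""
    return any(ipaddress.ip_address(a) in LISTING_RANGE for a in addrs)


def zone_is_healthy(resolve: Resolver, zone: str) -> bool:
    """Convention: 127.0.0.2 is a test entry that must be listed, and 127.0.0.1
    must never be listed.  A wildcard answer fails both tests at once."""
    return (_is_listing(resolve(dnsbl_name("127.0.0.2", zone)))
            and not _is_listing(resolve(dnsbl_name("127.0.0.1", zone))))


def is_listed(resolve: Resolver, ip: str, zone: str) -> Optional[bool]:
    """True/False for a usable zone; None when the zone is unusable, so the
    caller can skip the rule instead of scoring every message as spam."""
    if not zone_is_healthy(resolve, zone):
        return None
    return _is_listing(resolve(dnsbl_name(ip, zone)))


# --- constructed offline resolver (sample data, not real DNS) ---
FAKE_BL = {  # a live blacklist with the 127.0.0.2 test entry and one listing
    "2.0.0.127.bl.example": ["127.0.0.2"],
    "9.113.0.203.bl.example": ["127.0.0.2"],
}


def fake_bl_resolver(name: str) -> List[str]:
    key = name.rstrip(".").lower()
    if key in FAKE_BL:
        return FAKE_BL[key]
    if key.endswith(".com") or key.endswith(".net"):
        return ["64.94.110.11"]  # Site Finder wildcard for any dead .com name
    return []


if __name__ == "__main__":
    for zone in ("orbs.dorkslayers.com", "bl.example"):
        print(zone, "naive:", naive_is_listed(fake_bl_resolver, "158.36.184.4", zone),
              "hardened:", is_listed(fake_bl_resolver, "158.36.184.4", zone))
```

The hardened version returns `None` for orbs.dorkslayers.com, which is the signal to drop that RBL from scoring; the naive version reports the sending host as an open relay, which is exactly the false positive the comment above ran into.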
#!/usr/bin/php4 -q
<?php
chdir('/tmp/verislime');
$charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
while (true) {
$str = 'wget http://www.';
$len = rand(5, 24);
for ($i=0; $i<$len; $i++) {
$idx = rand(0,strlen($charset)-1);
$str .= $charset[$idx];
}
$str .= ( ((rand()%2)==0) ? '.com' : '.net');
system($str);
}
?>
running_counter = 0
if (dns_response points at sitefinder) {
counter++
return no such address
}
if (dns_response points at valid verisign site AND counter > 0) {
counter--
return no such address
}
In words: set things up so that for every person they misleadingly redirect to sitefinder, tell one person looking for a valid verisign site that the site doesn't exist.
I sent to dnsmasq the following patch, to be applied over dnsmasq-1.15, so it accepts more than one address to ignore:
diff -Nrub dnsmasq-1.15/dnsmasq.c dnsmasq-1.14/dnsmasq.c
--- dnsmasq-1.15/dnsmasq.c 2003-09-16 16:51:08.000000000 -0300
+++ dnsmasq-1.14/dnsmasq.c 2003-09-17 12:22:58.000000000 -0300
@@ -60,7 +60,7 @@
struct server *servers, *last_server;
struct resolvc default_resolv = { NULL, 1, 0, RESOLVFILE };
struct resolvc *resolv = &default_resolv;
- struct all_addr bogus_addr;
+ struct all_addr *bogus_addrs = NULL;
sighup = 1;
sigusr1 = 0;
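Review bot: the file naming runs the wrong way for a patch meant to be applied over 1.15: `diff -Nrub dnsmasq-1.15/dnsmasq.c dnsmasq-1.14/dnsmasq.c` makes the 1.15 tree the old side and a tree labelled 1.14 the new side, so the `+` lines carrying `struct all_addr *bogus_addrs = NULL;` live in a directory named after the older release, and anyone applying this with `patch -p1` from a 1.15 checkout sees misleading headers. Name the modified copy something like `dnsmasq-1.15-ignoreips/` and regenerate the diff. The NULL initialisation itself is right, since the list legitimately stays empty when no ignore address is configured.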
@@ -80,7 +80,7 @@
options = read_opts(argc, argv, dnamebuff, &resolv, &mxname, &mxtarget, &lease_file,
&username, &groupname, &domain_suffix, &runfile,
- &if_names, &if_addrs, &if_except, &bogus_addr,
+ &if_names, &if_addrs, &if_except, &bogus_addrs,
&serv_addrs, &cachesize, &port, &query_port, &local_ttl, &addn_hosts);
@@ -402,9 +402,9 @@
continue;
if (peerfd != -1 && FD_ISSET(peerfd, &rset))
- last_server = reply_query(peerfd, options, packet, now, dnamebuff, last_server, &bogus_addr);
+ last_server = reply_query(peerfd, options, packet, now, dnamebuff, last_server, bogus_addrs);
if (peerfd6 != -1 && FD_ISSET(peerfd6, &rset))
- last_server = reply_query(peerfd6, options, packet, now, dnamebuff, last_server, &bogus_addr);
+ last_server = reply_query(peerfd6, options, packet, now, dnamebuff, last_server, bogus_addrs);
for (iface = interfaces; iface; iface = iface->next)
{
diff -Nrub dnsmasq-1.15/dnsmasq.h dnsmasq-1.14/dnsmasq.h
--- dnsmasq-1.15/dnsmasq.h 2003-09-16 17:06:04.000000000 -0300
+++ dnsmasq-1.14/dnsmasq.h 2003-09-17 12:33:39.000000000 -0300
@@ -218,7 +218,7 @@
char **username, char **groupname,
char **domain_suffix, char **runfile,
struct iname **if_names, struct iname **if_addrs, struct iname **if_except,
- struct all_addr *bogus_addr, struct server **serv_addrs, int *cachesize,
+ struct all_addr **bogus_addrs, struct server **serv_addrs, int *cachesize,
int *port, int *query_port, unsigned long *local_ttl, char **addn_hosts);
@@ -231,7 +231,7 @@
time_t now, unsigned long local_ttl);
struct server *reply_query(int fd, int options, char *packet, time_t now,
char *dnamebuff, struct server *last_server,
- struct all_addr *bogus_nxdomain);
+ struct all_addr *bogus_nxdomains);
struct server *reload_servers(char *fname, char *buff, struct server *servers);
diff -Nrub dnsmasq-1.15/forward.c dnsmasq-1.14/forward.c
--- dnsmasq-1.15/forward.c 2003-09-16 17:06:49.000000000 -0300
+++ dnsmasq-1.14/forward.c 2003-09-17 12:33:48.000000000 -0300
@@ -210,7 +210,7 @@
struct server *reply_query(int fd, int options, char *packet, time_t now,
- char *dnamebuff, struct server *last_server, struct all_addr *bogus_nxdomain)
+ char *dnamebuff, struct server *last_server, struct all_addr *bogus_nxdomains)
{
original requester */
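Review bot: only the signature of `reply_query` is in this hunk; the body change that has to walk `bogus_nxdomains` as a list instead of comparing against a single `*bogus_nxdomain`, and that has to cope with a NULL head when no addresses were configured, is not shown, so the "more than one address" behaviour that the patch exists for cannot be reviewed from this excerpt. Please include the forward.c body hunk; the stray `original requester */` fragment looks like a context comment torn from it.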
diff -Nrub dnsmasq-1.15/option.c dnsmasq-1.14/option.c
--- dnsmasq-1.15/option.c 2003-09-16 17:04:17.000000000 -0300
+++ dnsmasq-1.14/option.c 2003-09-17 12:32:56.000000000 -0300
@@ -128,7 +128,7 @@
char **mxname, char **mxtarget, char **lease_file,
char **username, char **groupname, char **domain_suffix, char **runfile,
struct iname **if
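Review bot: the option.c hunk is cut off at `struct iname **if`, so the `read_opts` change that turns `struct all_addr *bogus_addr` into the `struct all_addr **bogus_addrs` list head, together with the allocation of one node per ignore address, is missing from the patch as posted. Without it the new prototype in the dnsmasq.h hunk would not match the definition and the build fails; please repost the complete hunk.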
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Although I agree, in principle, that what Verisign has done with SiteFinder (and other) services is a general disservice to the Internet, I fear this is only the beginning. The Internet is becoming, as we all knew it would, a public media. Now I know every geek reading that last sentence immediately reacts 'it is a public media, dufus'.
...now back to your normally scheduled geek-wringing-of-hands ranting...
But wait, I mean big-P Public. The folks who watch Joe Millionaire Public. The folks who think that Iraq caused Sept. 11, and further think that Iraq is located next to Ireland, Public. This is where the Internet is headed.
And to this subject, what does that mean? It means that they don't want an error message if they mistype a URL. A handy search page with advertisements on it gives Joe Q Public a warm feeling that someone is taking care of things.
Look for this, and other wonderful standardizations in the future.
(if you don't like this outcome, then think Education; we reap what we sow)
This is more than a little troubling.
The BIND patch is very simple and elegant. It relies on the particular technical method that Verisign used to implement their wildcard responses. But we can make some assumptions here.
If Verisign truly believe they have the "right" to do whatever they want to do with the root zone files, they can easily circumvent the patch.
One design that they might try is to take the inbound domain name, hash it, take a modulo of the hash and create a "fake" SOA and NS for that domain name on a unique IP address. With a pool of only several thousand real IP addresses they could create what looks like 100% real zones for everything. They could even send the traffic to one of many different IP addresses. This could be an arms race that never ends.
The only "real" solution is that the root zone files must be "trusted".
If Verisign refuses to change their behaviour then one of several things must happen.
o ICANN / IANA must force them to
o DOC must force them to
o Private lawsuits must force them to
o State AGs must force them to
o Everyone must blackhole "ALL" Verisign owned IP addresses and effectively take them off of the net.
" ... nuke them from orbit. .."
It's the only way to be sure
Private legal action is not the solution to this transgression. And since I don't have much faith in John Ashcroft's DoJ, the matter should be turned over to the various State's Attorney offices. IANAL, but the chances are slim that Verisign can be stripped of their monopoly (not in this pro-big-business administration).
This one is a little better:
#!/usr/bin/php4 -q
<?php
$charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
while (true) {
$str = 'wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" --output-document=/dev/null --recursive --level 1 --timeout 30 http://www.';
$len = rand(5, 24);
for ($i=0; $i<$len; $i++) {
$idx = rand(0,strlen($charset)-1);
$str .= $charset[$idx];
}
$str .= ( ((rand()%2)==0) ? '.com' : '.net');
print $str."\n";
system($str);
sleep(rand(4, 20));
}
?>
Holy cow! You really can type in any crap and get the same response!
[joke]
First off, I would appreciate it if you would put links to pr0n into a tag like everyone else.
Secondly, how dare you talk about google that way?!?!
[/joke]
Sure I'm paranoid, but am I paranoid enough?
While Verisign owns NetSol, this appears to be coming from the Network Solutions part of the company. Network Solutions has sucked for a long, long time. I also think that Verisign is losing money on NetSol and wouldn't be surprised if they got rid of it, spun it off or just killed it.
I called Verisign at 888-642-9675
and told them what I thought about it. Their customer support rep of course had no clue - I gave her a bogus domain to look up and guess what? Their internal network returns a does not exist! I gave her the IP address that all domains are returning (64.94.110.11) and asked her to do an nslookup on it and she said that it wasn't a verisign server and gave me some other company name attached to that IP.
So apparently, they force the WORLD to view their ads, but not their own employees.
Here is a much better petition entitled: "Stop Verisign DNS Abuse"
simple. Verisign is trying to change a very basic part of how the Internet works without following the process or without respect for any of the other member parts of the net.
It is a rude, arrogant and selfish action that benefits only Verisign. I hope they suffer for it.
You see, they are making money now, they just want more because they think they are in a position to get it. Nevermind the rest of the net...
Until recently, changes to the core structure of the Internet were discussed and peer-reviewed via the RFC and other processes to be sure things were thought through somewhat before the changes are made live.
Verisign did not do this. Nobody wants this but Verisign. Their action is going to cost the rest of the net a lot with no real gain. If they get away with this, how many other large companies are going to decide to just change things for their own good regardless of the rest of the net.
Another point, this change affects other countries besides the US. We may be the biggest part of the net, but not all of the net. (China and Japan are gaining ground as you read this. You don't notice because their content is in a language other than English.)
What gives them the right to affect everyone this way? Seems this move conflicts strongly with their image of (cough --gasp!) trust doesn't it?
We could go back and forth on the technical nature of the change and what it should affect and what it should not, but the truth is this:
Nobody really knows the true effect because the change is to core Internet behaviour. Think of all the applications and systems that assume the net works the way it does. Should they build in extra code for potential changes when they were not advised it might happen? What if the system were built 10 years ago?
THATS WHY THEY NEED TO RFC JUST LIKE EVERYONE ELSE.
As a result, I no longer use them for my root DNS. I suggest others do the same. If we can get a significant percentage of ISP services to recognize some of the other name services, Verisign will lose a lot of their current bully status. The net will be better for it.
These days you hear the word 'monetize'. That means that somebody wants to make money off of something currently free to most folks. Just remember when you read that word, you are getting screwed by a company wanting to grow at your expense. --You will not be compensated.
Also, where money flows, power does also. If something is monitized, it becomes owned by those closest to the money. What they say goes regardless of merit because they have the dollars and we don't.
Is that how you want the Internet to develop from now on? I sure don't.
Blogging because I can...
As far as I'm concerned, that's a pretty good way to deal with them. Just periodically portscan them. It would be nice to figure out if there's one single port (say, telnet, which shows up as "filtered") that you can use to get yourself blocked: send them a single packet every 5 minutes, and never reach them.
Expanding a vast wasteland since 1996.
clickable
i didn't write the post above, but it is definitely not offtopic. here's a brief rundown of what it does:
generates a random string of characters.
performs a "wget" to look up that string as a domain name, and fetch the url returned and dump contents to /dev/null. obviously, this string (with appended .com) resolves to verisign's search page.
this accomplishes two things. first, of course, is wasting verisign bandwidth. more interestingly, however, it causes dns servers upstream from you to cache the address of all these garbage domains. when their dns cache fills up, they start discarding older entries they have had in there. basically, this is forcing dns servers to constantly flush their caches of any useful data. this, in turn, makes every valid dns query have to cascade all the way down to the root servers. that is, "slashdot.org" is no longer cached in your isp's dns cache, so every user on your isp trying to get to slashdot is contributing to a DDOS of verisign's root servers.
well done.
I've found that using the Google Toolbar means I never have to see that Verisign crap anyway (and yes my DNS servers are up to date, when I use a browser other than my default I still see Verisign). Now I see Google's own site when something doesn't work. This works for me on WinXP IE6, your mileage may vary.
Buydomains.com has been pulling this crap for at least a year now. Every 404 URL I type in always leads to buydomains.com and their incessant pop-ups. Very frustrating. I hope Verisign gets the hint and stops their practice
'mmmmmmmmm.... forbidden donut'
This is just sad, this must be the start of this: http://www.verisign.com/corporate/news/2002/pr_20021217.html
There's some phone numbers on the bottom of that too...
Someone asked me the difference between ignorance and apathy, I told them I don't know and I don't care.
For when you're old and gray and want to show your kids what happened before nonsense addresses, first go to a nonsense site.
Then, go to this site, which is sure to become a favorite very quickly, for historical purposes.
"See, son, this is what happened back before VeriSign took over the unregistered Net!"
"Really, Dad?"
Safari chirps: "Server not found."
Can't help but think that left unchecked, somehow, someway, Verisign will find a way to bring the DMCA into the picture.
Patch downloaded, compiled, configured, installed, restarted..
;-) of course there are only 10 users of my DNS, but it's a start!
And it works
And the BIND solution is an excellent response in the spirit of the network
Wouldn't that be, "I'm mad as hell and I'm not going to take it anymore!"
"There are people who do not love their fellow human being, and I _hate_ people like that!" - Tom Lehrer
You're welcome.
==========
Together, we will drive the rats from the tundra.
if you force me to tweak my DNS records (my ISP charges per change - yeah i know i should just run my own copy of BIND, but i don't want to worry about the uptime of a pair of DNS servers) i shall be forced to send you the bill :P
So, use Granite Canyon.
-jerdenn
That's great, but I have an established .net domain. If I need to admin that domain, I need to go to a verisign site.
Frustrating users is not the way to deal with this.
"Verbing weirds language." -- Calvin
Yeah, Norton Internet Security and other similar programs explicitly block referer headers to protect the user's privacy.
And it's not like nobody runs Norton.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
If you block by IP, it'll discourage them from trying any more tricks. If they switch the IP every day, and more and more of their IP addresses are permanently blocked from resolving on huge chunks of the Internet, sooner or later they'll run out of IP addresses. Which would be highly amusing.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
The new feature just needed this bit added to named.conf to get it working:
When it's running, it will put a message like this to
Companies that have had their competitors register slight misspellings of their name (ue instead of eu for one company I've worked with) have won lawsuits easily. Isn't this as simple as one of the other registration companies showing that a slight misspelling of their name like egister.com instead of register.com lands them at a Network Solutions site promoting DNS registration?
I know they can argue that they're not doing the same thing, but the end result is the same. They may get business that should have gone to register.com.
So basically, anyone who pays verisign for this service is going to get bombarded with spam not only for their own domain, but for any of related-in-wildcard domains as well. I mean, domain name resolution is independent of the final protocol being used (www, ftp, etc), correct?
So, now, spammers for mydomain.com mydoman.com mydo... etc are all going to end up getting mydomain.com.
Are the spammers going to verify the domain, or perhaps some will just connect to the IP specified and spam away.
In this case, which is better/worse, a few extra customers garnered from mistyped domain-names, or a whole lot more spam? Methinks the spam-bandwidth-usage will exceed the possible profitability of new customers. Nice business model, verisign!!!
If anybody's still following this thread... I have thrown up a database of patched nameservers here (don't worry about arouse.net, it's not a porn site), which currently allows you to check to see if a nameserver has been patched to block return of 'A' results for non-existent domains, and allows you to add to the database if it is a patched server.
I'm browsing /. from the University of Hawaii computer network and it seems that they have somehow blocked this. I know, because I can type a domain name wrong, and get an error message. Then, I can log into another machine somewhere else and the same mis-type gets redirected to Verisign.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
RPMs here: http://www.denson.org.uk/bind. Binaries are for RH 7.3, so may break dependencies.
How quickly would you (and others like you) find another registrar if half the time you couldn't get to Verisign?
Maybe you're "acceptable losses" in this war.
Only if that number didn't already belong to somebody else. In which case you'd just get the wrong person, but not ads.
- I love animals. I try to eat at least one a day.
I don't see how DDoS-ing the root servers is going to solve this problem. A successful DoS attack against the root servers will just cause total mayhem as even legitimate domain names won't resolve any more.
Well, actually I do see the point in doing just that, but are we prepared to destroy DNS in order to save it?
I signed up for a
When you call, select:
I recommend that you be patient with the Verisign rep that answers the phone. That person may not fully understand the issue / problem, and they are unlikely to personally be responsible for the Verisign decision. Remember that you are objecting what Verisign as a company is doing. Don't yell at the rep. Be polite but firm.
Ask Verisign to stop the wildcarding now. Explain why what they are doing is wrong (such as being unable to determine if an e-mail message is being sent from a bogus / non-existent domain because thisdomaindoesnotexist.com resolves to 64.94.110.11).
If you do business with Verisign now, tell them that you will switch vendors unless Verisign stops this practice in X weeks. (fill in the X)
You might want to leave your phone number and request a callback. Anonymous complaints do not go as far.
If you are in the US, you might want to contact your local member of congress and object to what Verisign is doing. Let Verisign know that you are doing this when you call.
Yes, they might flush your complaint down /dev/null.
But I suspect that pressure from all fronts might help.
I have been told (off the record) that some people within Verisign are not happy with their wildcarding. Complaints get logged into a database that these people can review. Your complaints, in volume, might help those folks make a stronger case against top-level wildcarding.
chongo (was here)
add this to you firewall rules:
iptables -A FORWARD -d 64.94.110.11 -j REJECT
it is only after a long journey that you know the strength of the horse.
#!/bin/sh
# Read single bytes from /dev/urandom until one is alphanumeric.
get_char() {
    local GOOD=0
    while [ $GOOD -eq 0 ]
    do
        RAND_C=`dd if=/dev/urandom bs=1 count=1 2>>/dev/null`
        # Pattern is quoted so the shell does not expand it as a filename glob.
        if echo "$RAND_C" | grep -q '[0-9A-Za-z]'
        then
            GOOD=1
        fi
    done
}
# Concatenate 32 random alphanumeric characters into RAND_STR.
get_string() {
    local INDEX=0
    while [ $INDEX != 32 ]
    do
        get_char
        RAND_STR=`echo $RAND_STR$RAND_C`
        INDEX=`expr $INDEX + 1`
    done
}
get_string
URI=`echo $RAND_STR | tr -d ' '`
fetch -o - http://$URI.com >>/dev/null 2>>/dev/null
exit 1
The BIND patch and related things can only be a temporary measure, because Verisign will have the patch too, and be able to do something which works around it. Then BIND will work around that and so on.
Basically, you have a technological arms race, and an arms race is a race that nobody can possibly win. Legal recourse is handy for breaking the cycle.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
Old man seeks doctor,
"I eat SPAM daily", he says.
Angioplasty.
Well, first off, I and people like me would have already jumped ship from Verisign without intarweb vigilantes deciding what website they would allow me to view. Secondly, I and people like me would also ditch an ISP that blocked access to sites immediately, and you and people like you would be the suicides-by-cop you see when a small group of fanatics decides they're going to secede from the union.
"Verbing weirds language." -- Calvin
Don't give them any ideas :/
+1 Insightful.
+1 Informative.
+1 Interesting.
+1 Funny.
+1 Completely on-topic.
Heh - this one's valid
As bad as this is - removing support for wildcard character resolution would affect some open source projects too.
Try looking around sourceforge.net subdomain variations sometime.
www.sourceforge.net is valid - www328383.sourceforge.net is also valid using the wildcard
Lets just wipe those f***** off the net completely. If we're going to route around the damage, lets route around the whole bloody lot of them.
Another good way is to send mail to a fictitious domain and let the bandwidth get sucked up. Post some large gifs or forward all your spam to them.
Sooner or later VeriSlime will correct its mistake. Also consider the BIND patch to fix this.
ftp://ftp.redhat.com/pub/redhat/linux/rawhide/i386/RedHat/RPMS/
1893319 Sep 17 13:41 bind-9.2.2-23.i386.rpm
 615472 Sep 17 13:41 bind-utils-9.2.2-23.i386.rpm
Here are the directives I added to /etc/named.conf:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "ws" { type delegation-only; };
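Before adding delegation-only zones, an operator will want a check that tells which TLDs are actually synthesizing answers, and a mail-side test for the "is this sender domain real" problem raised earlier in the thread. The following is an added example, not code from the commenter or from ISC: it probes a TLD with random labels through an injectable resolver function, treats a TLD as wildcarded when every probe returns the same address, and emits the matching named.conf lines. The fake_resolve function and its addresses are constructed stand-ins for a real lookup (the 64.94.110.11 address is the one quoted in the thread); a real deployment would replace it with a function that queries the TLD's authoritative servers.

```python
import random
import string
from typing import Callable, List, Optional

# Address quoted in the thread as the Site Finder target.
SITEFINDER_IP = "64.94.110.11"

Resolver = Callable[[str], Optional[str]]


def fake_resolve(name: str) -> Optional[str]:
    """Constructed resolver standing in for real DNS lookups.

    Returns an A record string, or None for NXDOMAIN. Under this stand-in
    .com and .net synthesize an answer for any label (wildcarded), .org
    returns NXDOMAIN, and one real host resolves to its own address.
    """
    if name == "example.com":
        return "192.0.2.10"  # documentation address, constructed sample
    tld = name.rsplit(".", 1)[-1]
    if tld in ("com", "net"):
        return SITEFINDER_IP
    return None


def random_label(rng: random.Random, length: int = 32) -> str:
    """Random lowercase alphanumeric label; long enough that it is not
    registered by accident."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def detect_wildcard(tld: str, resolve: Resolver,
                    probes: int = 5, seed: int = 0) -> Optional[str]:
    """Return the synthesized address if every random probe under `tld`
    resolves to the same address; None if the TLD answers NXDOMAIN or the
    answers differ (which would mean a real, unlucky label collision)."""
    rng = random.Random(seed)
    answers = {resolve(f"{random_label(rng)}.{tld}") for _ in range(probes)}
    if len(answers) == 1:
        (addr,) = answers
        return addr  # addr is None when every probe was NXDOMAIN
    return None


def delegation_only_config(tlds: List[str], resolve: Resolver) -> str:
    """Emit a delegation-only zone line for each TLD found to be wildcarded."""
    lines = []
    for tld in tlds:
        if detect_wildcard(tld, resolve) is not None:
            lines.append(f'zone "{tld}" {{ type delegation-only; }};')
    return "\n".join(lines)


def sender_domain_exists(address: str, resolve: Resolver) -> bool:
    """Mail-side check: a sender domain counts as existing only if it
    resolves to something other than the TLD's synthesized address."""
    domain = address.rsplit("@", 1)[-1]
    tld = domain.rsplit(".", 1)[-1]
    synthesized = detect_wildcard(tld, resolve)
    addr = resolve(domain)
    return addr is not None and addr != synthesized


if __name__ == "__main__":
    print(delegation_only_config(["com", "net", "org"], fake_resolve))
    for sender in ("a@example.com", "a@thisdomaindoesnotexist.com", "a@nosuch.org"):
        print(sender, sender_domain_exists(sender, fake_resolve))
```

Using several random probes rather than one guards against the case where a single random label happens to be a registered name; requiring all probes to agree on one address is what distinguishes TLD-wide synthesis from an ordinary hit. A second-level wildcard such as the sourceforge.net example mentioned later in the thread is not flagged by this check, because the probes are issued directly under the TLD.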
Only if that number didn't already belong to somebody else.
Which is much more common in a 16-letter[1] namespace than in a 7-digit namespace.
[1] That's a "typical" domain name length. The fact that domain names can be longer is beside the point.
Will I retire or break 10K?
Don't follow it, no iso...
So now it seems people are using the term "ISO" to refer both to a quality management conformance certificate and to a disc image. In that case, you can get your Tetris ISO from this quality management consulting firm, or from this gamez site.
Petitions only work if ... or b) the petition is to force a state government to put something to a vote (e.g. referendum process).
This petition seems to lead to a vote of no confidence in ICANN by national communications regulators.