BIND Strikes Back Against VeriSign's Site Finder
BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."
#!/bin/bash
# Bash is required: the script uses the function keyword, arrays and let.
# Read single bytes from /dev/urandom until one is alphanumeric.
get_char() {
    local GOOD=0
    while [ "$GOOD" -eq 0 ]; do
        RAND_C="$(dd if=/dev/urandom bs=1 count=1 2>/dev/null)"
        if echo "$RAND_C" | grep -q '[0-9A-Za-z]'; then
            GOOD=1
        fi
    done
}
# Build a 32-character random label out of such bytes.
get_string() {
    local INDEX=0
    while [ "$INDEX" -ne 32 ]; do
        get_char
        RAND_STR[$INDEX]=$RAND_C
        let INDEX++
    done
}
get_string
# Join the array into one label and fetch <label>.com, discarding all output.
URI=$(echo "${RAND_STR[@]}" | tr -d ' ')
wget -O - "$URI.com" >/dev/null 2>&1
exit 1
The ISPs involved (according to the article) claim that they are upset that this stops their spam detection.
While that is all well and good, as a CUSTOMER, I could care less about SPAM detection. What I care about is when I suffer from the Slashdot effect (transposing of letters when I type) and I get some sponsored advertising, I would be pretty pissed off.
So if BIND blocks this, won't Verisign just make another "patch" and fix the glitch?
Thereby helping to prove the old adage that the Internet will just route around regulation! (OK, it's not strictly regulation, but with any luck Verisign will find that "controlling" the underlying technology of the Internet is not as easy as they first thought).
A little planning goes a long way...
Good... Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner, with no significant work at all on their part. Taking the whole DNS stack and turning it into a profit center by redirecting it at your whim across the entire internet, is outrageous.
~ Whence do you come, slayer of men, or where are you going, conqueror of space?
but couldn't this be the thin end of the wedge towards technologically mediated censorship?
after all, almost anything is possible with a patch... it just takes the will to do it.
____________________________________________
I'm a programmer with a soldering iron, and I'm not afraid to use it.
I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?
Of course, hopefully this and public opinion will actually cause VeriSign to rethink the whole operation. (We can at least dream)
As soon as a patch comes out, bug your ISP to sort out their DNS servers. Try and nip this thing in the bud
Interesting that BIND only runs 80% of DNS servers, what is the other 20% made up of?
The .nu domain registry has been doing this for years.
Money for nothing, pix for free
Isn't it this one ? ;)
I'm asking because the wording is quite hard to understand as my main language isn't english
blah
http://www.isc.org/products/BIND/delegation-onl
To E-mail me, replace the first period in my domain with an @
"VeriSign did not respond requests for comment."
Isn't that what caused the problem in the first place?
Thanks, I'll be here all week!
That's fucking awesome! The ISC rocks. Verisign has no right to abuse their position like that. Way to go for people fighting the power!
--#!
There is a patch floating around already, it was posted in a thread on the previous story about this. It allows you to specify in config one or more IPs which, if they are the lookup result, will be replaced with failures.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
OK, I'm in favour of working-around the problem in classic
But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care? This sort of activity in a social context (umm... let's see if we can construct a tortured metaphor: ...uhhh..: Your friend asks for your cousins's phone number and you instead give them the phone number of your shop. Reasonable?) would result in the perpetrator being ostracised fairly quickly, if not actually slapped about by a clue-by-four. It's flat out antisocial behaviour, never mind any legalities.
Here, since these buggers appear to hold us all over a barrel with the root domains, we can't just ignore them, and invoking legal recourses is at best slow and expensive. But what about appeal to the authorities that granted them those rights?
Um, the more I rant about this the closer I get to thinking a better solution is switching to an alternate root... Best head off to google again then, I know there's a way around this...
--
I'd rather have a bottle in front of me than a frontal lobotomy
Yep, the patch for dnscache by veteran Russ Nelson is here:
tinydns.org/djbdns-1.05-ignoreip.patch
Sure, Try here
I was dumb enough to sign up with what was called Network Solutions at the time. Then during a moment of sheer stupidity, I renewed... till 2007!
I really want to get away from these jerks. There seem to be lots of registrars out there, but I've heard horror stories about totally unresponsive registrars that are glad to take your money, but ignore you if there's any problem at all. Also, if I switch, doesn't that just improve Verisign's profit margin? I've paid till 2007, now they don't have to do anything at all for that money. If I transfer to another registrar does Verisign get to keep my money?
Advice?
Signatures are a waste of bandwi (buffering...)
I seem to remember certain 'default' browser settings that would automatically re-direct unknown queries to a related MSN search page.
LostboyTNT MercyHosting.Com
Server-Status.Com
50Bux.Com
TLDR.Com
Patches for DJBDNS and lots of other daemons here.
upgrade can be found here: http://www.isc.org/products/BIND/delegation-only.html
There is no need to create a com or net data file. Just the entries to the named.conf file is enough:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
Of course, if you use views, this needs to be provided within the relevant view (the one performing recursive lookups).
quote from: http://marc.theaimsgroup.com/?l=bind9-users&m=106379587928771&w=2
Russell Nelson has a patch for tinydns which does the same thing.
He also notes that several other TLD operators do the same thing and has another patch that allows you to do the same thing to several naughty TLD operators at once.
Although the news is not on the BIND page yet, patches for the current versions 9.2.2 and 9.1.3 are already available. Only 9.2.3rc2 is currently listed on the page (as of this writing).
You can get the details from the bind-announce list archives:
All versions were released a few hours ago. Here is the common paragraph at the top of these three messages:
Have fun downloading and installing!
-Raphaël
It says on the BIND site that 80% on the net's DNS servers - I wonder what runs on the remaining 20%? And are they likely to implement something similar?
Basically, I'm wondering how much of the net will end up bypassing Verisign's silly stunt...
Unfortunately the djbdns patch at that URL is not as elegant as the official patch from ISC for BIND. Unlike the ISC BIND patch, the djbdns patch does not support the declaration of "delegation-only" zones. Instead, it adds support for the rather crude technique of converting an A record response containing an operator specified IP address (which you would currently set to 64.94.110.11) into a NXDOMAIN response.
So you have 2 mail servers with mx priorities as follows:
mail.someplace.com 10
mail.otherplace.com 20
if your someplace.com domain expires (hey, it happens) all your mail bounces thanks to Verisign's ace "Snubby Mail Rejector Daemon v1.3". The backup MX record, which is there to cover failures like domains expiring, is never tried. In the 'real' world.. where lookups on dead domains fail... the backup server would be used.
That's a bigger problem than all this spam checking people are getting worked up about. If they both had priority 10 (a simple load balancing arrangement) then half your mail would bounce and half would be ok.
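To make the failure mode in the post above concrete, here is an added example (not code from the thread or from any mail server) that models how a sending MTA walks MX records by priority. With an honest NXDOMAIN for the expired primary, the sender moves on to the backup; with a wildcard answer, the sender connects to the Site Finder host, receives a permanent 5xx reply and bounces the message without ever trying the backup. 64.94.110.11 is the address quoted in the thread; the host names, the 192.0.2.20 backup address and the SMTP replies are constructed for the example.

```python
# Added example: toy MX walk showing why a wildcard A record defeats a backup MX.
# 64.94.110.11 is the Site Finder address quoted in the thread; everything else
# here is constructed for the example.
SITEFINDER_IP = "64.94.110.11"

# (priority, host) pairs exactly as in the post.
MX_RECORDS = [(10, "mail.someplace.com"), (20, "mail.otherplace.com")]

# Two DNS worlds for the same records. A value of None models an NXDOMAIN answer.
HONEST_DNS = {
    "mail.someplace.com": None,           # someplace.com has expired: NXDOMAIN
    "mail.otherplace.com": "192.0.2.20",  # constructed backup MX address
}
WILDCARD_DNS = {
    "mail.someplace.com": SITEFINDER_IP,  # the *.com wildcard answers instead
    "mail.otherplace.com": "192.0.2.20",
}

# Reply each host gives to RCPT TO. The Site Finder mail rejector answers every
# recipient with a permanent 5xx error.
SMTP_BEHAVIOUR = {
    "192.0.2.20": "250 OK",
    SITEFINDER_IP: "550 User domain does not exist",
}


def try_rcpt(ip):
    """Return the numeric SMTP reply code for RCPT TO at `ip`, or None if the host never answers."""
    reply = SMTP_BEHAVIOUR.get(ip)
    return None if reply is None else int(reply[:3])


def deliver(mx_records, dns):
    """Walk the MX hosts in priority order the way a sending MTA does.

    Returns (outcome, host): 'delivered' on a 2xx reply, 'bounced' on a
    permanent 5xx reply (the sender must not retry the recipient elsewhere),
    or 'deferred' if no host could be reached at all.
    """
    for _, host in sorted(mx_records):
        ip = dns.get(host)
        if ip is None:            # NXDOMAIN: the host cannot exist, so try the next MX
            continue
        code = try_rcpt(ip)
        if code is None:          # no answer / timeout: also try the next MX
            continue
        if 200 <= code < 300:
            return ("delivered", host)
        if code >= 500:           # permanent failure: bounce, no further MX is tried
            return ("bounced", host)
    return ("deferred", None)


if __name__ == "__main__":
    print("honest DNS  :", deliver(MX_RECORDS, HONEST_DNS))
    print("wildcard DNS:", deliver(MX_RECORDS, WILDCARD_DNS))
```

The same walk also shows the equal-priority case the post mentions: with both hosts at priority 10 the sender picks one at random, so roughly half the mail lands on the rejector and bounces while the other half is delivered.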
Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.
0daymeme.com: Great stuff.
The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.
Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in .com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.
DJBDNS already has a patch available.
Sure, it sounds like another tin-foil hat theory, but can anyone come up with another explanation which makes more sense for the "Lemming Look" of companies searching for the biggest cliff to jump off? (Yeah, I know, lemming suicides are a Disney myth. Too bad SCO and Verisign aren't.)
One line blog. I hear that they're called Twitters now.
The Internet now holds the same properties as Atmosphere and Ocean. This cannot last. Nature will find a way, and soon.
Now, if you'll excuse me, I have backups to corrupt.
ISPs running DNS will certainly disallow this redirection to VeriSuck.
But soon thereafter, if not immediately, they'll start directing their customers to their own search site, or whatever search site they're paid to send them to. Or maybe some ISPs already do this?!
We need an RFC stating that this is not permissible.
Heh, maybe as a byproduct we'll see public DNS servers pop up. "Use us for free, but occasionally we will send you where /we/ want you to go."
I for one welcome our new DNS overlords! All our domain name are belong to THEM! Mwuhahahaha...
Maybe if a misspelled URL went to a random other URL, it might be OK, but using that page to advertise for a particular company's profit, regardless of the URL, seems really bad. I would much prefer to have a "not found" message, since that's really what's happened. Can you imagine if this happened while driving? Anytime you turn down the wrong street, the same ad came on the radio or something like that? It seems positively Orwellian.
NO NO NO NO NO NO NO! DNS is a directory service for god's sake, not a god damn search engine. If you want a search engine then go to Google like everyone else does. If people are too stupid to assume typing in "www.whitehouse.com" will take them to the White House's homepage then they deserve to get tits in the face. Type in White House in Google, hit feeling lucky and you'll get the right page right off. DNS maps domain names to IP addresses and vice versa, nothing more. Don't pervert it into some god damn spell checking search engine.
Bind should just return NXDOMAIN and the application (Mozilla, IE, BitchX, whatever) can then sort it out in this fashion. Hell, we can even make handy BSD-licensed shared libraries that do this for easy integration.
The matter is that the application must be informed when a domain does not exist, not spammed with guesses that may be right.
Pathman, Free (as in GPL) 3D Pac Man
For email and other automated systems it is a non-starter. As an option in a browser it could be useful (but look at the hassle MS get for the search option in IE) but leave our protocols alone.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
BIND should be enhanced in several ways:
The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.
BIND (and other Domain Name Servers) are given the simple task of turning a string into set of 4 octets (aka an IP address), using a massively distributed lookup table that maps strings to IP address.
The reason people are pissed off about Verisign's wildcard entry is that they have depended on their DNS saying "I can't find an IP address" when it can't find an IP address.
In general BIND is a program that talks to other programs via a very stable and well understood interface. Now, how would you enhance BIND to do a soundex and return multiple possible results to programs that have been written to expect either a response in the form of a single IP address, or a "domain not found" error?
Sounds to me like this is something that should be handled in the application, if at all.
-josh
this is just a trick. They just want to get rid of all those obsolete BIND-versions out in the internet.
So they did this to goad all admins into patching their bind.
Tricky they are...
Regards, Martin
Soundex is a turd. I'd rather see error messages than a litany of near matches that is poor in both precision and recall.
:-)
Algorithms based on phonology (and the word splitting you mention, possibly, though I'd expect that to increase recall with no precision boost in the kind of noisy example you cite) would do better, but building that kind of processing into something with the performance requirements of BIND would bring the network to a crawl. Maybe once we get those quantum computers in place.
Trouble making decisions? Just flip for it.
that has to be the dumbest idea I have ever heard (except maybe the one on k5 on renaming the unix root level directories because the current hier is hard to remember). the things you mention are clearly application-protocol features (web browsers etc), when I type "ping yaho.com", i want it to fucking attempt to ping yaho.com, not to automatically assume i meant yahoo.com. besides, if you type anazom.com, will it send a shitload of queries until it finds a valid one? can you say DDOS?
ISC has already released the patch. It's available at http://www.isc.org/products/BIND/delegation-only.html. What it does is let you specify any zone (ie. domain) whereby the server will filter out any wildcards from the authoritative server.
ICANN might be able to force VeriSign to get this off the net
http://www.petitiononline.com/icanndns/
Is Stratton D. Sclavos doing a good job as CEO of Verisign? Vote yes or no in this Forbes.com poll.
Also, here's a petition that may also be of interest.
Guvf vf abg n frperg zrffntr
Ok, web site crackers.... First group to change Verisign's catch-all to point to Goats.cx!! Marks.... Get set.... GO!
Tony.
Buy 3 Long life LED keychains from me, for just 5. Thanks. http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=3046991996&category=294
i think its a bit different when they tell you the domain is available, and don't run a mail server, etc. rather than advertise to people about verisign
That site also talks about a netfilter solution, but don't give much detail. Does their tar.bz provide firewall rules to clean up DNS replies as they come in?
They don't state if it's simply blocking the well-known IP of SiteFinder or doing something cleverer.
How long till they change the IP/round-robin it?
I noticed the wildcard domain does not generate an SOA record so that may be a better detection mechanism, but maybe it will break existing misconfigured sites?
In any case, Verisign can always come up with new scams to make the record look more authentic.
The only long-term solution is to move to a different host, which would be really hard to arrange collectively.
We're not talking about you and your little web browser, we're talking about a major network provider breaking an important network infrastructure component in a way which has already started to cause havoc across the internet. At the moment, the server they are using as a catch all is not responding to connections, which means that their "clever" solution to handle mis-directed email doesn't work. As a consequence, mis-directed mail has already started to pile up in mail queues while mail servers waste their time trying to contact the Verisign server.
Other services are also shit out of luck; Verisign only allowed for HTTP and SMTP. Anything else trying to connect to a non-existent domain is out of luck and will sit around until the connection times out. Of course, if the server had just returned NXDOMAIN in the first place, as it should, you wouldn't have that problem.
Hey - they paid good money for the right to do this. Why shouldn't they be allowed to do so?
I mean, if some company paid good money to police my town, and they arrested or refused to arrest whomever they wanted, I wouldn't complain. After all - they paid for the right to do so.
We do not live in the 21st century. We live in the 20 second century.
Oh, yes, it would be nice if someone would implement the delegation-only mode of filtering for djbdns, however, ignoring the IP works for now and is the easiest thing to implement reliably and securely.
Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config.
And what good would that do? If VeriSlime changes the ip hourly, you'd have to edit the config file hourly: bwilliant patching Holmes.
I prefer the patch as it will be supplied by the ISC: Patch bind and add the following snippet to named.conf:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
Tada. Let VeriSlime work around *that*.
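The two countermeasures compared in this thread (the djbdns "ignore this IP" patch versus ISC's delegation-only zones) differ in exactly the way the post above argues, and the difference is easier to see in code. The following is an added example, not the ISC BIND patch or the djbdns patch: a toy resolver-side filter that applies each policy to simplified answers as a recursive resolver would receive them from a .com server. 64.94.110.11 is the Site Finder address quoted in the thread; the names, the 192.0.2.55 "moved wildcard" address and the dataclass layout are constructed for the example.

```python
# Added example (not ISC or djbdns code): two ways a resolver can refuse a
# TLD wildcard answer. 64.94.110.11 is the address quoted in the thread; all
# other names and addresses are constructed.
from dataclasses import dataclass, field


@dataclass
class Response:
    qname: str                      # the name that was queried
    rcode: str                      # "NOERROR" or "NXDOMAIN"
    answers: list = field(default_factory=list)    # (owner, rrtype, rdata)
    authority: list = field(default_factory=list)  # (owner, rrtype, rdata)
    from_zone: str = ""             # zone served by the server that answered


SITEFINDER_IPS = {"64.94.110.11"}
DELEGATION_ONLY_ZONES = {"com", "net"}   # the named.conf snippet from the thread


def as_nxdomain(resp):
    """Replace whatever the server said with a plain 'no such name'."""
    return Response(resp.qname, "NXDOMAIN", [], [], resp.from_zone)


def filter_by_ip(resp, bad_ips=SITEFINDER_IPS):
    """djbdns 'ignoreip' style: an A record pointing at a listed address turns
    the whole answer into NXDOMAIN. Cheap, but blind to a new address."""
    if any(rtype == "A" and rdata in bad_ips for _, rtype, rdata in resp.answers):
        return as_nxdomain(resp)
    return resp


def filter_delegation_only(resp, zones=DELEGATION_ONLY_ZONES):
    """BIND 'delegation-only' style: a server for a listed zone is trusted only
    for the zone apex, for referrals (NS records) and for NXDOMAIN. Any other
    answer it synthesises is rejected, whatever address it carries."""
    zone = resp.from_zone
    if zone not in zones or resp.rcode == "NXDOMAIN" or resp.qname == zone:
        return resp
    has_referral = any(rtype == "NS" for _, rtype, _ in resp.answers + resp.authority)
    return resp if has_referral else as_nxdomain(resp)


# Constructed sample answers from a .com server.
REFERRAL = Response("www.example.com", "NOERROR",
                    authority=[("example.com", "NS", "ns1.example.com")], from_zone="com")
WILDCARD = Response("exmaple.com", "NOERROR",
                    answers=[("exmaple.com", "A", "64.94.110.11")], from_zone="com")
MOVED = Response("exmaple.com", "NOERROR",
                 answers=[("exmaple.com", "A", "192.0.2.55")], from_zone="com")


def summarise():
    """Outcome of each filter on each sample: {sample: (ip_filter_rcode, delegation_only_rcode)}."""
    return {name: (filter_by_ip(r).rcode, filter_delegation_only(r).rcode)
            for name, r in (("referral", REFERRAL), ("wildcard", WILDCARD), ("moved", MOVED))}


if __name__ == "__main__":
    for name, outcome in summarise().items():
        print(f"{name:8s} ip-filter={outcome[0]:9s} delegation-only={outcome[1]}")
```

The "moved" sample is the case the post above is worried about: the wildcard still answers, but from a new address, so the IP list passes it through while the delegation-only rule still rejects it because a .com server has no business returning an A record for a name it should only delegate.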
DNS is a directory service for god's sake, not a god damn search engine.
Right
DNS maps domain names to IP addresses and vice versa, nothing more
Wrong
Special Relativity: The person in the other queue thinks yours is moving faster.
The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one characters is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.
Ignoring the cases where transposing of characters leads to a wrong but valid domain (problem being from the *user* point of view). The point is that a domain name is an *address*. If I let my domain expire, I wouldn't want all my clients to be redirected automatically from "mywidgets.com" to "ymwidgets.com" who are my closest competitors.
The remaining 40% is due to the fact that people sometimes don't actually mistype a known address... they type a dead wrong address, such as "amazonbookstore.com" instead of "amazon.com". In this case, BIND should split up the phrase into separate words (in this case "amazon book store") and redirect to a search engine with those words as parameters.
So would the results bring up "amazon.com" or "bookstore.com" first? In the US you get the inevitable legal case by some 'loser' in the aforementioned example. Someone will have the bright idea of selling the search result to the highest bidder. Oops, we're back to sitefinder!
An address is an address. If you get it wrong, then you need to find out what the right one is. That's not the job of a DNS resolver. The browser can take the failed response and put it directly into Google if the user so wishes.
Phillip.
Property for sale in Nice, France
as suggested by Abby Patel at http://www.theregister.co.uk/content/6/32872.html
However, it seems that the T&C's might help us to stop this abuse. If you do not agree to the T&C's the only option they have is to not redirect your netblock to their site. So, give them a call on 0800-032-2101, select 2 to speak to their support department and once you get a human, tell them that you don't agree to their T&C's and can they remove your netblocks!
So lets /. them and see how many netblocks they end up excluding.
"I just did. I don't see what the fuss is."
Ah. Bless. Cuddle up nice and warm.
Verisign is the root domain authority. This is them overstepping bounds and trying to get into the search engine game, something which is 'forbidden' by ICANN. They're farming information that comes in, and if you'd read the handy terms and conditions, you'd notice some real oddity.
So, you type in a misspelled URL...what if your competitor is in their database but you aren't? Furthermore, what if they get the domain wrong? Verisign only has .net and .com and there's a world of other TLDs out there.
Then there's the email angle. They're running an MTA that barfs after the 550 for 'From: '. So they're grabbing 'legitimate' email addresses. Trust verisign? As a 'trusted' third party for certificate signing, they're supposed to remain impartial to a certain degree, except they're pushing webservices.
Oddly Draconis
Too cynical to live, too stubborn to die.
Dude, while we're at it, lets reprogram the routers so that if the IP address seems wrong for that web packet, it'll change the IP address to its best guess as to which one is correct, or even route it to a search engine web server!
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
What irritates me more is when people refer to junk email as "SPAM" instead of "spam"
actually, isn't that part of hormel's deal? we can continue to call UBE (insert full stops as required) SPAM as long as we capitalise it and they won't complain or try to sue anyone over dilution of trademark etc. (ie as spam is actually a product they sell).
I had a quick squizz at their website to find that link but I couldn't immediately see it.
dave
But what if two different fractions decide to do this at once? Will we get a new, much more serious, EFNet split?
And who is going to pay? How do you distribute the cost?
How small a thought it takes to fill a whole life
Does www.whitehouse.com take you to the White House's homepage? I never would have thought of that. I think I'll take a look at what our president is up to. Cool, boobies...
The Tools Of Ignorance wanna be a tool?
"SPAM", with all caps, is the Hormel trademarked name. Look at a can of SPAM next time you're in the supermarket. Note the caps?
That's why some people use all caps; they are merely respecting the terms historical origins in a trademarked product.
And not to be outdone by Verisign, Google has added a default route to the global BGP table which brings any formerly unroutable web traffic to their search engine.
NOT!
(I suspect this is a troll, but I want to debunk this particular myth anyway.)
MSIE has been doing this for ages, and I never found it to be a problem
Microsoft Internet Explorer isn't the Internet. MSIE is one program that some people use for one task -- browsing the web. You don't have to use it. MSIE is also not a mail exchanger, diagnostic tool, or any of the many other things that this VeriSign change breaks.
Please understand the issues before posting.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
This is especially critical given that Verisign's business is supposedly trust. They sell SSL certificates, and the only way they can claim they're better to use for them than (say) I am, is that they have an established record of security procedures and trust.
Had trust. Who can take them seriously now?
Also, people have to actively take technical countermeasures to stop this. With MSIE you at least have a choice as to whether you use it. Microsoft at least gave away for free something they paid developers for, Verisign was given this power by the US government and decided to abuse that gift.
Also, given Verisign's attitude towards the importance of internet standards vs. profit, who's to say their next hack won't be much harder to find a technical solution for?
I guess it's fully possible that when my friend was talking about all the SPAM his mailbox was getting....he actually meant that the postman was stuffing large amounts of Specially Prepared Assorted Meats in with his phone bill...
Then again...the question could be which is tastier...spam, or 0xdeadbeef...
"2.4 Monitoring and Communication: VeriSign actively monitors all traffic associated with Site Finder, including DNS queries matching the wildcard entries in .com and .net and associated responses, and all traffic sent to the response server. This traffic is correlated and monitored in real time, 24 hours a day, seven days a week, by VeriSign's Network Operations Centre... complete traffic stream to the .com and .net name servers and the response server, as well as rolled up statistics, are stored for analysis."
Ehm, well I don't agree to your Terms and Conditions, thank you very much. Please stop storing my typo data Please.
Anyone have a lawyer and a small site to try this on. I suspect that you have a case of some sort. "Your honor, we had planned for this type of mistake by having some.other.domain.com as a backup, but verisign illegally stole the expired domain and started bouncing our messages." Or some such. Of course that backup wouldn't work in the case of the domain expiring and someone else registering it instead, but you tried.
That is just WAY too funny! /. needs a special category for humor that goes above and beyond the rest.
"No matter where you go, there you are." -- Buckaroo Banzai
The point about URLs is their transcribability between different media, most important of which are (a) human memory, and (b) backs of cigarette packets.
I often find myself in a bar and a website name gets mentioned, and written down on whatever is at hand.
Do not underestimate the amount of first-time visitor traffic that is driven by almost indecipherable jots on crumpled pieces of paper, or hangover-clouded attempts to remember the URL you were told the night before.
It's the other way around. Hormel has a trademark on 'SPAM' and would prefer UBE to be called 'spam'. See the SPAM website for more info.
But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care?
Of course people care, and of course people aren't going to just let them get away with it. Personally, I'm impressing on my clients the need to move to another registrar very very fast. They may control the .com and .net databases, but neither I, my clients, nor my friends (who I'll volunteer time to make the move for) will be paying them to enter something in that database. Plenty of other registrars to give money to, and they ALL charge less, and it's impossible to have worse service than Verisign. I'm also checking into whether our clients are using VeriSign as a CA for any of their commerce sites and getting the wheels in motion to move those over if they are.
And yes, if things get really wacky, I'm more than willing to run DNS services for my clients and remove the Verisign controlled servers from the root.hints file.
I tried e-mailing some of the addresses that were listed in the last slashdot post on this subject, but they all bounced back, so either they moved people's e-mail addresses after the flood, or they're white-listing those addresses. In the end, though, I don't believe complaining to Verisign management will do much good, if any. I don't plan on ever using their services again, even if they stop, so why would they care if I'm pissed at them. They'd be wasting their time trying to get me back, and I and my clients are small potatoes in any case. My only hope is that more people like me get on this bandwagon, because only then would they start to feel the heat.
What you're not aware of is that about the same time Microsoft inserted its own "helpful" page instead of what the remote server sent, web admins realised the value of using the server's own internal feature of sending a more helpful page.
The internal 404 usually is some sort of program to track down and redirect you to where you should be, so instead of saying "This page no longer exists" it's saying "Hey, maybe you want THIS page instead."
Also read the 404 page more carefully. If something has gone wrong with the website you're given contact information (presuming the web admin did his job and put the admin contact e-mail into the server) in the 404 message so that you can contact the person or persons responsible for maintenance and tell them what went wrong.
But again you won't get that contact information under Microsoft Windows IE's "helpful" page.
That page is IE's best guess as to what happened and, being familiar with the Internet, I'm usually aware of what is wrong and what is really going on, and quite frankly IE has yet to guess the real cause of the 404 message.
However the big difference between Microsoft IE's replacement "Hey, quit complaining, I'm only trying to help" and Verisign's search website is that IE is on YOUR computer and if you don't like how IE works download Netscape, Opera, Mozilla or one of the many other web browsers that are out there and you get the REAL 404 message, but Verisign is basically changing the Internet infrastructure to do this so we all get screwed regardless of the programs and OS we use.
I don't actually exist.
Exact opposite. SPAM is the trademark (SPiced hAM or something), spam is the junk mail. I can't find the link either, but a quick browse through Hormel's site will show you that they put the trademark in all-caps.
You are not alone. This is not normal. None of this is normal.
You don't get to see a "404 Not Found" response if the server doesn't even exist. You'd usually get an error message (generated by IE) that says something like "www.invaliddomain.com doesn't exist." (that's what Mozilla displays, I don't know IE's message).
The 404 response is what you get when your browser could send a HTTP request to the web server, but the server couldn't find the page you were requesting. The response page is generated by the web server, so how helpful it is depends on what the web server admins have configured. Some pages will not simply return an error message but also include a search box, for example.
Well, yes, I expect a somewhat helpful error message. But that's not actually the point. The main problem with Verisign's move is that they are assuming (like you seem to do) that the purpose of the Domain Name System is to find the web server that a user is trying to contact when he types an URL into his browser. But DNS isn't used for the web only, it is used to associate names with IP addresses. You can then use the returned IP address for whatever protocol you want, DNS doesn't tell you whether or not the server with the returned IP supports that protocol.
For all protocols that run non-interactively (i.e. without a human sitting in front of the computer and interactively deciding what server should be contacted next, and interpreting the responses), Verisign's action means that if contacting a remote system fails, the computer can now no longer find out if it's due to a misconfiguration and will likely never work (if the other computer doesn't exist), or if it's just a temporary problem (if the other computer does exist but does not respond).
Sig (appended to the end of comments I post, 54 chars)
Anything that uses just IP numbers is unaffected. Like gnutella, etc.
this effectively lets VeriSign get away with it.
As a BIND architect/deployer/admin I see that ISC is always getting bashed. Kudos to them for this creative patch, presented almost instantly compared to their usual release schedules. But, precisely, it lets Verisign get away with this action, which is horrible. Especially because this: http://www.iab.org/Documents/icann-vgrs-response.html
(which was posted in the first slashdot thread about this topic), went unnoticed, and unheeded by Verisign.
Big business in this country is getting WAY out of hand with greed.
You dial a wrong number on your phone and a local telephone carrier answers and begins to try and sell you long distance and local services.
UNIX/Linux Consulting
The only thing that makes it different is that size difference. The *.nu thing was only mildly annoying. *.com and *.net is a huge problem.
On the upside these bind changes will put an end to all of the other cases of domain authorities doing this.
OK, OK... I admit it.
The Internet = Penelope
Verisign = Hooded Claw
ISC = Ant Hill Mob
Clyde = SOA (of course)
Dum Dum = CNAME
Pockets = NS
Snoozy = PTR
Softy = ANY
Yak Yak = MX
Zippy = A
I'm a hardware tech and I just applied a code patch. Now the system won't run.
But at least that pesky user will not be able to send out an email about his idea...
You either believe in rational thought or you don't
Even better is the version I wrote last night, which lets you ignore a list of names.
-russ
names.tinydns.org/djbdns-1.05-ignoreip2.patch.
Don't piss off The Angry Economist
OK, bad form to reply to my own post, but it was a serious question, not a troll.
Granted this breaks a lot of systems that depended on getting error results for failed lookups. So, now they will have to check for 64.94.110.11. Not nice.
But as much as I dislike monopolists and their heavy-handed ways, the arguments against this action seem a little weak.
One guy complains that his printer no longer works because previously, his network configuration depended on failing to resolve some addresses in order to route the request internally.
Another person mentions that anti-spam checks based on domain names will fail. So, this is a valid check for spam? Oh, I thought spammers simply spoofed the originating host, which is why I get hundreds of "returned" messages I never sent.
Someone else complains that it's an abuse of powers given to Verisign by the government. OK... but so is 75% of business. It's a tough life, yeah.
Seriously, I'm not trolling: I'm trying to understand what the actual technical problem is. How can any system rely on the absence of something? How can a "not resolved" error actually be more useful than a resolution to an IP address that does nothing useful?
Ceci n'est pas une signature
With its digital certificate business, Verisign started as a company that dealt in trust. That was the heart of their business. Now it's hard to think of a company I trust less than Verisign.
For this stunt, they should lose their authority to register domain names. This company should never be allowed to touch internet infrastructure.
When all you have is an axe, everything looks like a grindstone.
I have tried to access a nonexistent domain through several different routes, and in all cases, it times out. And before you ask, yes, the name resolves to (what else?) 64.94.110.11.
www.wavefront-av.com
Did no one predict this a couple days ago?
I put great faith (sadly?) in the collective intelligence shared here. Who gets credit for calling this one?
Yup. It's crude. On the other hand, it's simple. Simple is good because you can read the patch and understand it. Consider that ISC has published three or four remote root exploits, and djbdns has had no exploits, remote, root, or otherwise. I'll take crude over insecure any day. J.P. Larocque has a script which lets you update root/ignoreip. You can update that file in a few seconds. An ISC-enabled root exploit means a complete reinstall unless you seriously trust your ability to remove a rootkit. Let's say it takes five seconds to update the file. Let's say it takes a whole day to reinstall your server (optimistic). Let's say there's a 1 out of ten thousand chance of this code causing a remote root exploit. There's 86K seconds in a day, so their code costs you 9 seconds a day. Given those assumptions, the "automatic" ISC procedure for updating the ignorable IP addresses costs you more time, on average, than updating by hand every day.
-russ
Don't piss off The Angry Economist
You are serious? So billions of applications out there suddenly stopped working? This explains why my entire business has ground to halt, and I can't even access Slashdot... oh...
There is no value in making such statements.
The change to the DNS lookups breaks applications that rely on an unprovable negative. This is a small, specific class of applications that can be fixed quite easily (as the BIND patch shows).
I'd like to see a list of those specific applications that cannot work any longer because they cannot distinguish "Not resolved" from 64.94.110.11.
Let me put it like this, here is a 2-line patch to fix any application so affected:
verishit = lookup_address ("shithappens" & datetime & ".com")
if lookup_address (realdomain) = verishit then
-- act as if not found
else
-- act as if found
endif
and I've gone and patched roughly 200,000 lines of code in the time it took me to make this comment, since all socket connections are in a single library function (as they damn well should be).
Rational discussion welcome, hysterical overreaction less so.
Ceci n'est pas une signature
Once discovered a bright-red coffee mould. It was in a paper filter of a coffee machine that we forgot to throw out. And yes, after thoroughly rinsing the machine, we still continued to use it...
Thanks Russ, applied. Would you consider implementing something similar to the delegation-only system described in this article for djbdns? It seems to me that it would be both more likely to continue to work (no dependence on fixed IPs), and more flexible in that it would block other types of DNS abuses by the registries which may be committed in the future.
Currently, the page VeriSign serves is approximately 2.9k in size. What happens when they start adding banner ads? Will the extra traffic slow down the internet as a whole?
I wouldn't be surprised if the next Microsoft worm used VeriSign's new "feature" to bring the internet to a crawl.
$ host thisdomaindoesnotexist.com
thisdomaindoesnotexist.com has address 64.94.110.11
So every program that looked for a DNS error when a domain does not exist will no longer get that error. I wonder what kind of problems this will create.
Anything else I'm missing?
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
scroll down a bit, it's right there.
...[the] computer can now no longer find out if it's due to a misconfiguration...or if it's just a temporary problem (if the other computer does exist but does not respond).
It's so trivial to do this that I'm almost embarrassed to have to say it:
verishit = lookup_address ("verishit" & longrandomnumber & ".com")
if lookup_address (realhost) = verishit
then you know it's not there
What is the big deal? Since when can't software handle bizarre and arbitrary external conditions? Sure, it's been so long that the Internet appears to be entirely fixed in stone, but that is why we have what we call, in the jargon, "soft-ware main-ten-ance".
Ceci n'est pas une signature
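The canary-lookup check sketched in this comment and in the earlier "2-line patch" post, next to the fixed ignore-list approach of the djbdns and dnsmasq patches discussed elsewhere in the thread, as an added Python example (not code from the thread, from BIND, djbdns or dnsmasq). Real DNS is replaced by a constructed in-memory resolver so it runs offline; the hostnames and the address 198.51.100.7 are constructed values, 64.94.110.11 is the wildcard address the thread reports.

```python
import secrets
import string
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

# A resolver maps a name to its A records; an empty set stands for NXDOMAIN.
Resolver = Callable[[str], FrozenSet[str]]

# Address the thread reports for the .com/.net wildcard. A deployment would
# load this from configuration (compare djbdns root/ignoreip).
KNOWN_WILDCARD_ADDRS: FrozenSet[str] = frozenset({"64.94.110.11"})


def tld_of(name: str) -> str:
    """Last label of a hostname, lower-cased, trailing dot ignored."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def canary_name(tld: str, length: int = 32) -> str:
    """A random label under tld that only resolves if the TLD synthesises answers."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + "." + tld


def lookup(name: str, resolve: Resolver,
           ignore: FrozenSet[str] = KNOWN_WILDCARD_ADDRS) -> Tuple[str, FrozenSet[str]]:
    """Resolve name, suppressing answers that look like wildcard synthesis.

    Returns (status, addresses), status being one of:
      "nxdomain"        - the upstream returned no address
      "wildcard-addr"   - an answer matched the configured ignore list
      "wildcard-canary" - the answer equals that of a random sibling name
      "real"            - the answer is passed through unchanged
    Addresses are empty for every status except "real".
    """
    answers = resolve(name)
    if not answers:
        return "nxdomain", frozenset()
    # Defence 1: fixed ignore list. Cheap, but only as current as the list.
    if answers & ignore:
        return "wildcard-addr", frozenset()
    # Defence 2: canary comparison, the "2-line patch" from the thread.
    # Costs one extra query. A registry rotating through a pool of addresses
    # (as a later comment predicts) makes the two answers differ and evades
    # this check, and a real host parked on the wildcard address is wrongly
    # suppressed; both are accepted trade-offs of the technique.
    canary_answers = resolve(canary_name(tld_of(name)))
    if canary_answers and answers == canary_answers:
        return "wildcard-canary", frozenset()
    return "real", answers


def make_fake_resolver(real_hosts: Dict[str, Iterable[str]],
                       wildcard_tlds: Iterable[str],
                       wildcard_addr: str) -> Resolver:
    """Offline stand-in for a recursive resolver, built from constructed data.

    Names in real_hosts resolve to their addresses; any other name under a TLD
    in wildcard_tlds gets the synthesised wildcard address; all else is NXDOMAIN.
    """
    hosts = {k.lower(): frozenset(v) for k, v in real_hosts.items()}
    tlds = {t.lower() for t in wildcard_tlds}

    def resolve(name: str) -> FrozenSet[str]:
        name = name.rstrip(".").lower()
        if name in hosts:
            return hosts[name]
        if tld_of(name) in tlds:
            return frozenset({wildcard_addr})
        return frozenset()

    return resolve


# Constructed scenario: .com and .net wildcarded to the reported address,
# .org untouched, one real host under each.
FAKE_RESOLVER = make_fake_resolver(
    {"www.example.com": ["192.0.2.10"], "mail.example.org": ["192.0.2.25"]},
    ["com", "net"],
    "64.94.110.11",
)

# Same zones, but the wildcard has moved to an address not on the ignore
# list (constructed); only the canary comparison still catches it.
MOVED_RESOLVER = make_fake_resolver(
    {"www.example.com": ["192.0.2.10"]}, ["com", "net"], "198.51.100.7")


if __name__ == "__main__":
    for host in ("www.example.com", "thisdomaindoesnotexist.com",
                 "nosuchhost.org", "mail.example.org"):
        print(host, *lookup(host, FAKE_RESOLVER))
    print("moved wildcard:", *lookup("typo-hotmal.com", MOVED_RESOLVER))
```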
I don't understand DNS all that well, but I see the following workaround for VeriSign.
1.) Have the verisign nameserver return sitefinder for all missed domain names.
2.) Direct all failed DNS queries for .com and .net names to the verisign server.
(i.e. return the verisign nameserver whenever there is no registered domain name holder.)
How will this either a.) not work in (normal pre-BIND-patch) practice, or b.) be stopped by the BIND patch?
John_Chalisque
But I'm sure a genius like yourself already knew that!!!!
Sole Remedy.
YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.
also, it's nice to know that they've thoughtfully decided to help the US post office by only taking questions/comments via snail mail (why bother taking email?)
If you have any questions regarding this Privacy Policy, please contact
VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166
All they currently need to do is ask for SOA or NS records instead of A records, and fail if they don't get SOA or NS records, or if they get a failure when asking the delegated server (when there is one)
How is this supposed to help?
How about we pre-empt Verisign by redirecting the 404 pages to this petition?
If you read the entire TOS instead of just one paragraph, you'll see that "Verisign Services" in this context is not DNS -- it's Site Finder.
I remember a guy that would send telemarketers and direct mail advertisers a letter/contract the first time they called/mailed him anything. The letter basically said he was offering his services as an editor. He would read or listen to their spiel and provide comments for a charge of $50 per occurrence. The letter also said a company's act of calling or mailing him something constituted acceptance of the contract.
Whenever he got junk mail or a telemarketer called he would check if he had sent them a letter/contract. If so, he would edit the junk mail or listen to the spiel and write down comments. He would then send the comments to the companies with a bill for $50. According to a news report I saw, he took some of the companies to small claims court for failure to pay, and won.
Let's do that to Verisign. Everyone send them a letter/contract offering your services as an editor to review their web site for a fee. Then when you get routed to their wildcard site, check it for spelling, or compliance with standards, or whatever. Then send Verisign a critique with a bill.
Maybe we could do the same with respect to SCO's licensing letters.
This is a nice solution, but what's to stop verisign delegating the wildcard instead of just returning an A record, thereby defeating BIND's new delegation-only option?
Wow: 91% NO at 10:15AM EST 2003-09-17
I wish that there were CEO polls for every company... thank you - this is the most interesting link I've seen in quite a while !!!
Steve Ballmer is at 7% LOL !
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
80% of nameservers are BIND. Changes to BIND have a bigger impact than other nameservers.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
while true
do
echo VerisignSucks${RANDOM}Times.com \
| nslookup > /dev/null
done
MSIE has been doing this for ages, and I never found it to be a problem, but rather more helpful than the old "404 Not found" messages we used to see
This is why MS gets to claim that the MSN search is the most popular search in the world.
Of course, my own experience with IE is that MS must be pumping up their stats by having IE make up whatever fake excuse it can to not be able to find the hostname you have entered. I know my computer here at work has told me several times that slashdot.org didn't exist and gave me the MSN search page. I can usually reload the page and it goes straight there the second time.
BTW, you forget that DNS is also used for email. Suddenly "mytypingsucks@hotmal.com" can actually attempt to be delivered. How much is that going to suck, having to wait days for a "can't reach this server" bounce message to let you know your typing sucks? (and that's if verisign doesn't send you back a helpful "mytypingsucks is not a user here" error message (without the fact that "here" isn't where you intended to be.))
If I have been able to see further than others, it is because I bought a pair of binoculars.
"Verisign did not respond [to] Requests For Comment" (emphasis added)
WARNING: there is a trojan on your
Sorry about that. Kaplan deserves some bashing, too, though.
I forget what 8 was for.
but that is why we have what we call, in the jargon, "soft-ware main-ten-ance"
And the reason that we have standards bodies is so that we don't have to do "soft-ware main-ten-ance" three times a week every time somebody on a hunch decides to break the standard. Suppose AOL decided BGP isn't a good protocol and starts broadcasting AOLBGP instead - which looks like BGP to a BGP-speaking router but isn't, and is misinterpreted to cause all their routes to get scrambled. Suppose somebody has a backup MX record which doesn't get consulted because the primary is down and Verisign unhelpfully reports that it still exists and accepts but does not deliver the email. Ditto for 100 other protocols other than http.
What if the company contracted to do road-work decided that roads are an inefficient technology and decided to go ahead and replace them with rails instead. No problem, you just need to do a little car main-ten-ance...
Why should all our existing software have to be rewritten because Verisign screwed over the internet?
Petitions only work if a) the petitioners represent a threat to the petitionee's livelihood, or b) the petition is to force a state government to put something to a vote (e.g. referendum process). ICANN views us, the lowly internet users, as riff-raff. They are the lord, we are their serfs. What threat does a petition hold for them? They have absolute power and don't care what we think.
If a job's not worth doing, it's not worth doing right.
Put simply the technical problem is this: Since .com, .net etc have been around there hasn't been a wildcard DNS entry. This is the case for the majority of other TLDs and SLDs like .co.uk, .com.au etc. The software implementations of various protocols have taken this into account. A sudden change in the rules can have an unknown impact on the internet in general.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
A better solution is to redesign the user interface so typing in a URL is no longer the primary means of seeking a site. It was never supposed to be anyway.
... do you think I'd ever accidentally add something like "verisign.com" to a delegation zone, accidentally, of course, instead of the more unpopular "sitefinder.verisign.com"?
Naaaaaaw, I'd never do THAT...
I gotta say that when I think of atrocities, name resolving does not end up first on my list.
It is even easier than I thought to bypass this 'patch'... instead of VeriSign returning an A record, they could return an NS record pointing to an NS they own and that returns whatever they want.
Who should I write in the government to complain about Verisign's abuse of power? If I recall correctly, the US government had granted Network Solutions the power to directly control the DNS servers, but NetSol was later bought out by Verisign who has done nothing but abuse its monopoly. Is there some government agency in charge of watching over Verisign; a government computer agency? I feel the need to write someone in power about this. We can patch the problem all we want - the only true solution is to end Verisign's power over the DNS outright.
http://www.petitiononline.com/verisign/
Here's some SPAM Haiku. Interestingly, Spam is not an acronym at all!
Wikileaks, no DNS
To take another approach, let's reprogram the telephone system so that any number that would previously return "I'm sorry, the number that you dialed is no longer in service" instead reroutes you to 1-900-SEX-CALL.
The fact that .com,.net,.org have no wildcard entry is surely just an implementation detail. Sure, it's been this way for a long time.
But you are saying there is a rule that disallows wild-card entries? This breaks an RFC somewhere? So, the wildcard entries on many TLDs such as .nu, .to, .tv, etc. are illegal as well?
Come on, this is not a sustainable argument. Yes, Verisign have broken something. No, it's not religious law, just a convention we all forgot about.
Ceci n'est pas une signature
00010 deny log logamount 10 ip from 12.158.80.10 to any
and also in /etc/hosts:
127.0.0.1 sitefinder.verisign.com
--
"It is now safe to switch off your computer."
JH Software has just added this IP exclusion feature to their Simple DNS product.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
sigh, it seems veriscum had taken the infamous M$ motto too literally..
--
"It is now safe to switch off your computer."
It's fairly obvious from this, and the mangling of other common sayings into less-than-sensical phrases, that many people do not think carefully about what they are saying - not down to the level of individual words, anyway.
I'm not complaining, just observing. In the end, I still know what they mean to be saying.
yes, very true, but microsoft did it, as well as they could..
I believe that as punishment for doing this, .com and .net should be removed from verisign's authority. (mebe THAT'll learn em..)
LostboyTNT MercyHosting.Com
Server-Status.Com
50Bux.Com
TLDR.Com
The 2nd version of the patch for DJBDNS, which has instructions inside is at:
http://tinydns.org/djbdns-1.05-ignoreip2.patch
Regarding BIND, wouldn't it be the proper solution to simply reject A and MX records, which resolve to a wildcard result, at least for TLDs? As "ping *.com" shows, there's a non-static way to match these IPs.
Yeah, how exactly IS this going to help??? Who modded this person informative?
It will only work if you manually try and go to sitefinder.verisign.com (www, ping, trace, whatever).
Do you really understand how DNS works? If I make a query to iudsbfkjdf.com, verisign redirects me to their IP using the wildcard 'A' record, in which the webpage at that IP CLAIMS to be www.iudsbfkjdf.com.
Adding that to hosts will only redirect you to (in your stated case - google) if you attempt to connect to sitefinder.verisign.com.
Party?!? What kind of party is this? Where's the damn keg?
Virtus Junxit Mors Non Separabit
no, that's just a 'feature' of internet explorer. (if you could call it that)
it's called 'search from the address bar, it's an option under tools, options, advanced.
it does the same type of thing (maybe that's where they got the idea.)
LostboyTNT MercyHosting.Com
Server-Status.Com
50Bux.Com
TLDR.Com
Somehow I doubt ICANN really cares that much. I really wonder why more people haven't mentioned OpenNIC (an alternate root authority) yet...
I've been using OpenNIC for a long time, and I would have been completely oblivious to this Verisign silliness if I hadn't read about it on /.
I think the only downside to OpenNIC at this point is that they have different .biz domains (they had them before ICANN created them, and the members voted to keep their own rather than adopting ICANN's -- yes, OpenNIC is a democracy, too).
DNA just wants to be free...
Just look at what you can do now !
verisign sucks
alternative to verisign
domain hosting -verisign
trust betrayal broken internet verisign
bind patch
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
No kidding! Now if you ping fartsnuggle.com it just sits and waits for the timeout, but if you ping fartsnuggle.org you get an immediate proper response of "ping: unknown host fartsnuggle.org"
I got a rep on the line and he seemed oblivious to what was going on; after a bit I got a supervisor and she gave me this email telling me that this is where the complaints are going to:
sitefinder@verisign-grs.com
Someone asked me the difference between ignorance and apathy, I told them I don't know and I don't care.
I thought it was SPoiled hAM.
I always thought that SPAM was an acronym.
S cientifically P roduced A nimal M atter
Karma: Sucks (Mostly due to the fact that you suck)
Or possibly Spoiled Pork And Mucus. But whatever.
By making a unilateral change to something that, although they have the technical ability to do, they don't have the right to do, VeriSign have caused technical problems. The SMTP problem is a specific technical problem that has raised its head now, others may (or may not) appear in the following days/weeks.
In your previous message you said:
I tried to honestly answer your request, picking out each point in turn, and what did I get in return? A good old USENET flame. Oh well, some conventions (reply not what I wanted = flame) never die.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
I will upgrade the second this new version is available.
-Nick
Everyone goto http://verisignneedstogetaclue.com
True, there are a lot of RFCs on that page, but every single one of them talks about DNS, or extensions to DNS (the "Domain Name System"), which is a system for mapping IP addresses to hostnames and vice-versa. That's what DNS does.
What is it, specifically, that you wanted to point out?
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
But you do attempt to connect to sitefinder.verisign.com. The server at the first address issues a browser redirect. And that redirect goes to sitefinder.verisign.com http://sitefinder.verisign.com/lpc?url=foo.baddomain.net&host=baddomain.net
However this will only feed google or whatever you set it to a set of params it won't understand.. to make it really work you need a wrapper site somewhere. I doubt this guy has actually tested it.
Unfortunately it still doesn't fix the mail problem.
This is a more aggressive petition than the one mentioned in another comment attached to this article: http://www.petitiononline.com/badnsi/petition.html
This is NOT a solution!
I repeat, this will not fix anything. Verisign controls the .com and .net TLDs, and as such, OpenNIC has to delegate all queries to their servers. Result? All unregistered .com and .net domains will still resolve to the evil SiteFinder.
Moderators, please mod this up.
Matthew Walker
http://www.tweeterdiet.com/ - My Diet Tracking Tool
Mod parent up "+1 reasonable"
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
I don't really see how that's relevant, though.
If corporations are people, aren't stockholders guilty of slavery?
Yesterday SpamAssassin began to discard most of my mail. I understand why now; because of Verisign any ip address is now flagged as an open relay in unavailable DNS blacklists:
SPAM: RCVD_IN_ORBS (2.2 points) RBL: Received via a relay in orbs.dorkslayers.com
SPAM: [RBL check: found 4.184.36.158.orbs.dorkslayers.com., type: 64.94.110.11]
#!/usr/bin/php4 -q
<?php
chdir('/tmp/verislime');
$charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
while (true) {
$str = 'wget http://www.';
$len = rand(5, 24);
for ($i=0; $i<$len; $i++) {
$idx = rand(0,strlen($charset)-1);
$str .= $charset[$idx];
}
$str .= ( ((rand()%2)==0) ? '.com' : '.net');
system($str);
}
?>
counter = 0
if (dns_response points at sitefinder) {
counter++
return no such address
}
if (dns_response points at valid verisign site AND counter > 0) {
counter--
return no such address
}
In words: set things up so that for every person they misleadingly redirect to sitefinder, tell one person looking for a valid verisign site that the site doesn't exist.
Now, granted, this isn't the greatest idea in the world...that other domain's DNS might just be down, in which case the optimal solution might be to accept it anyway and queue it...but, OTOH, then the user won't know what's going on. Rejecting it and letting the client retry is a valid configuration.
Or, at least, it used to be.
If corporations are people, aren't stockholders guilty of slavery?
Note that none of the above change the fact that DNS maps IP addresses to hostnames, or the fact that it was created precisely for that purpose.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
I sent to dnsmasq the following patch, to be applied over dnsmasq-1.15, so it accepts more than one address to ignore:
/* init cache the first time through */ /* but don't dump */
/* peerfd is not (by default) bound to a low port /* no sockets ready */
/* forward.c */
/* network.c */
/* returns new last_server */
/* packet from peer server, extract data for cache, and send to
diff -Nrub dnsmasq-1.15/dnsmasq.c dnsmasq-1.14/dnsmasq.c
--- dnsmasq-1.15/dnsmasq.c 2003-09-16 16:51:08.000000000 -0300
+++ dnsmasq-1.14/dnsmasq.c 2003-09-17 12:22:58.000000000 -0300
@@ -60,7 +60,7 @@
struct server *servers, *last_server;
struct resolvc default_resolv = { NULL, 1, 0, RESOLVFILE };
struct resolvc *resolv = &default_resolv;
- struct all_addr bogus_addr;
+ struct all_addr *bogus_addrs = NULL;
sighup = 1;
sigusr1 = 0;
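Review bot: `struct all_addr *bogus_addrs = NULL;` turns the single ignore address into a list that is empty by default, so every function that receives it has to treat NULL as "nothing to ignore" to keep the stock behaviour; none of the hunks shown adds that check, so make sure the matching code in reply_query does. Separately, the file headers put the modified tree under `dnsmasq-1.14/` (the `+++` side) while the post says the patch is for 1.15; `patch -p1` strips the directory so it still applies, but the labels read backwards and should be swapped.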
@@ -80,7 +80,7 @@
options = read_opts(argc, argv, dnamebuff, &resolv, &mxname, &mxtarget, &lease_file,
&username, &groupname, &domain_suffix, &runfile,
- &if_names, &if_addrs, &if_except, &bogus_addr,
+ &if_names, &if_addrs, &if_except, &bogus_addrs,
&serv_addrs, &cachesize, &port, &query_port, &local_ttl, &addn_hosts);
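Review bot: read_opts now receives `&bogus_addrs`, a `struct all_addr **`, which means option parsing allocates the list and must terminate it in a way reply_query can walk; neither the allocation nor the terminator appears in the hunks shown, and whether repeated options append to the list or replace it should be stated in the option's documentation.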
@@ -402,9 +402,9 @@
continue;
if (peerfd != -1 && FD_ISSET(peerfd, &rset))
- last_server = reply_query(peerfd, options, packet, now, dnamebuff, last_server, &bogus_addr);
+ last_server = reply_query(peerfd, options, packet, now, dnamebuff, last_server, bogus_addrs);
if (peerfd6 != -1 && FD_ISSET(peerfd6, &rset))
- last_server = reply_query(peerfd6, options, packet, now, dnamebuff, last_server, &bogus_addr);
+ last_server = reply_query(peerfd6, options, packet, now, dnamebuff, last_server, bogus_addrs);
for (iface = interfaces; iface; iface = iface->next)
{
diff -Nrub dnsmasq-1.15/dnsmasq.h dnsmasq-1.14/dnsmasq.h
--- dnsmasq-1.15/dnsmasq.h 2003-09-16 17:06:04.000000000 -0300
+++ dnsmasq-1.14/dnsmasq.h 2003-09-17 12:33:39.000000000 -0300
@@ -218,7 +218,7 @@
char **username, char **groupname,
char **domain_suffix, char **runfile,
struct iname **if_names, struct iname **if_addrs, struct iname **if_except,
- struct all_addr *bogus_addr, struct server **serv_addrs, int *cachesize,
+ struct all_addr **bogus_addrs, struct server **serv_addrs, int *cachesize,
int *port, int *query_port, unsigned long *local_ttl, char **addn_hosts);
@@ -231,7 +231,7 @@
time_t now, unsigned long local_ttl);
struct server *reply_query(int fd, int options, char *packet, time_t now,
char *dnamebuff, struct server *last_server,
- struct all_addr *bogus_nxdomain);
+ struct all_addr *bogus_nxdomains);
struct server *reload_servers(char *fname, char *buff, struct server *servers);
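Review bot: the parameter is renamed `bogus_nxdomains` here while the same list is called `bogus_addrs` in read_opts and in dnsmasq.c; using one name for the list across the three files would make the data flow easier to follow. The prototype does match the definition in the forward.c hunk.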
diff -Nrub dnsmasq-1.15/forward.c dnsmasq-1.14/forward.c
--- dnsmasq-1.15/forward.c 2003-09-16 17:06:49.000000000 -0300
+++ dnsmasq-1.14/forward.c 2003-09-17 12:33:48.000000000 -0300
@@ -210,7 +210,7 @@
struct server *reply_query(int fd, int options, char *packet, time_t now,
- char *dnamebuff, struct server *last_server, struct all_addr *bogus_nxdomain)
+ char *dnamebuff, struct server *last_server, struct all_addr *bogus_nxdomains)
{
original requester */
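Review bot: this hunk changes only reply_query's parameter name; the body that compares answers against `bogus_nxdomains` and rewrites a match to NXDOMAIN is not in the visible diff (the stray `original requester */` context line suggests part of the hunk was lost), so the matching loop and its handling of a NULL list cannot be reviewed from what is posted. Include that part of the change.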
diff -Nrub dnsmasq-1.15/option.c dnsmasq-1.14/option.c
--- dnsmasq-1.15/option.c 2003-09-16 17:04:17.000000000 -0300
+++ dnsmasq-1.14/option.c 2003-09-17 12:32:56.000000000 -0300
@@ -128,7 +128,7 @@
char **mxname, char **mxtarget, char **lease_file,
char **username, char **groupname, char **domain_suffix, char **runfile,
struct iname **if
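Review bot: the option.c hunk is cut off at `struct iname **if`, so the part of the patch that actually parses more than one address into the list is missing from this copy; without it the prototype change in dnsmasq.h has no matching definition and the list is never populated. Repost the full hunk.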
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
MSIE has been doing this for ages
Why do you think more and more techies are switching to mozilla?
It's amazing how many super cool random people are running around suggesting using OpenNIC, which, of course, won't do a DAMN FUCKING THING. Anyone who suggests an alternate root has demonstrated they have no knowledge of how DNS works at the topmost level.
Please, someone go around and find all the posts that mention this and moderate them up! I've posted at least three posts pointing this out, and other people have also.
I'm starting to think everyone should have a few emergency -1: Wrong mod points to get rid of information that is just flatout incorrect.
If corporations are people, aren't stockholders guilty of slavery?
Although I agree, in principle, that what Verisign has done with SiteFinder (and other) services is a general disservice to the Internet, I fear this is only the beginning. The Internet is becoming, as we all knew it would, a public media. Now I know every geek reading that last sentence immediately reacts 'it is a public media, dufus'.
...now back to your normally scheduled geek-wringing-of-hands ranting...
But wait, I mean big-P Public. The folks who watch Joe Millionaire Public. The folks who think that Iraq caused Sept. 11, and further think that Iraq is located next to Ireland, Public. This is where the Internet is headed.
And to this subject, what does that mean? It means that they don't want an error message if they mistype a URL. A handy search page with advertisements on it gives Joe Q Public a warm feeling that someone is taking care of things.
Look for this, and other wonderful standardizations in the future.
(if you don't like this outcome, then think Education; we reap what we sow)
.ph is also doing this. it is very annoying as their service breaks dns resolution as well. also, the website is slow (and down most of the time.) instead of error messages, you get a timeout when visiting the site.
i can't wait for the government to take over the regulation of the .ph domain. although they are a private company (and monopolizes the entire .ph domain,) they should be responsible.
Live your life each day as if it was your last.
This is more than a little troubling.
The BIND patch is very simple and elegant. It relies on the particular technical method that Verisign used to implement their wildcard responses. But we can make some assumptions here.
If Verisign truly believe they have the "right" to do whatever they want to do with the root zone files, they can easily circumvent the patch.
One design that they might try is to take the inbound domain name, hash it, take a modulo of the hash and create a "fake" SOA and NS for that domain name on a unique IP address. With a pool of only several thousand real IP addresses they could create what looks like 100% real zones for everything. They could even send the traffic to one of many different IP addresses. This could be an arms race that never ends.
The only "real" solution is that the root zone files must be "trusted".
If Verisign refuses to change their behaviour then one of several things must happen.
o ICANN / IANA must force them to
o DOC must force them to
o Private lawsuits must force them to
o State AGs must force them to
o Everyone must blackhole "ALL" Verisign owned IP addresses and effectively take them off of the net.
Well, he said "or some other IP address", so you could use 127.0.0.1
Which might not help much, but would spare you an ad.
I think we've pushed this "anyone can grow up to be president" thing too far.
DNS is not a search engine, it is a distributed database. Implementing this soundex stuff breaks DNS the same way as Verisign's Sitefinder does.
Although wildcards are legal in DNS, Verisign is abusing them. If a domain does not exist the response should be NXDOMAIN.
Now if you ping fartsnuggle.com it just sits and waits for the timeout
Aw crap, my webserver must be down again. Thanks for the heads-up! I'll try to get the server back up ASAP, so try pinging again later.
Snuggly-soft!
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Say "I could care less" out loud. Listen to the intonation. It's a *sarcastic* statement, although subtly so. For further info, read Stephen Pinker's excellent Language Instinct, where among other things he debunks this and other nonsensical grammar "no-nos."
Karma: Chevy Kavalierma.
> Not an alternative .com or .net authority, though. ...you know, you're right.
Weird. I don't know why I'm not affected by this then...
DNA just wants to be free...
[joke]
First off, I would appreciate it if you would put links to pr0n into a tag like everyone else.
Secondly, how dare you talk about google that way?!?!
[/joke]
Sure I'm paranoid, but am I paranoid enough?
Here is a much better petition entitled: "Stop Verisign DNS Abuse"
Windows 98 users, write that line into c:\windows\hosts (it can be otherwise empty).
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
Simple. Verisign is trying to change a very basic part of how the Internet works without following the process and without respect for any of the other member parts of the net.
It is a rude, arrogant and selfish action that benefits only Verisign. I hope they suffer for it.
You see, they are making money now, they just want more because they think they are in a position to get it. Nevermind the rest of the net...
Until recently, changes to the core structure of the Internet were discussed and peer-reviewed via the RFC and other processes to be sure things were thought through somewhat before the changes were made live.
Verisign did not do this. Nobody wants this but Verisign. Their action is going to cost the rest of the net a lot with no real gain. If they get away with this, how many other large companies are going to decide to just change things for their own good regardless of the rest of the net.
Another point, this change affects other countries besides the US. We may be the biggest part of the net, but not all of the net. (China and Japan are gaining ground as you read this. You don't notice because their content is in a language other than English.)
What gives them the right to affect everyone this way? Seems this move conflicts strongly with their image of (cough --gasp!) trust doesn't it?
We could go back and forth on the technical nature of the change and what it should affect and what it should not, but the truth is this:
Nobody really knows the true effect because the change is to core Internet behaviour. Think of all the applications and systems that assume the net works the way it does. Should they build in extra code for potential changes when they were not advised it might happen? What if the system were built 10 years ago?
THATS WHY THEY NEED TO RFC JUST LIKE EVERYONE ELSE.
As a result, I no longer use them for my root DNS. I suggest others do the same. If we can get a significant percentage of ISP services to recognize some of the other name services, Verisign will lose a lot of their current bully status. The net will be better for it.
These days you hear the word 'monetize'. That means that somebody wants to make money off of something currently free to most folks. Just remember when you read that word, you are getting screwed by a company wanting to grow at your expense. --You will not be compensated.
Also, where money flows, power does also. If something is monetized, it becomes owned by those closest to the money. What they say goes regardless of merit because they have the dollars and we don't.
Is that how you want the Internet to develop from now on? I sure don't.
Blogging because I can...
As far as I'm concerned, that's a pretty good way to deal with them. Just periodically portscan them. It would be nice to figure out if there's one single port (say, telnet, which shows up as "filtered") that you can use to get yourself blocked: send them a single packet every 5 minutes, and never reach them.
Expanding a vast wasteland since 1996.
I didn't write the post above, but it is definitely not offtopic. Here's a brief rundown of what it does:
generates a random string of characters.
performs a "wget" to look up that string as a domain name, and fetch the url returned and dump contents to /dev/null. Obviously, this string (with appended .com) resolves to Verisign's search page.
This accomplishes two things. First, of course, is wasting Verisign bandwidth. More interestingly, however, it causes DNS servers upstream from you to cache the address of all these garbage domains. When their DNS cache fills up, they start discarding older entries they have had in there. Basically, this is forcing DNS servers to constantly flush their caches of any useful data. This, in turn, makes every valid DNS query have to cascade all the way down to the root servers. That is, "slashdot.org" is no longer cached in your ISP's DNS cache, so every user on your ISP trying to get to slashdot is contributing to a DDOS of Verisign's root servers.
well done.
I've found that using the Google Toolbar means I never have to see that Verisign crap anyway (and yes my DNS servers are up to date; when I use a browser other than my default I still see Verisign). Now I see Google's own site when something doesn't work. This works for me on WinXP IE6, your mileage may vary.
Buydomains.com has been pulling this crap for at least a year now. Every 404 URL I type in always leads to buydomains.com and their incessant pop-ups. Very frustrating. I hope Verisign gets the hint and stops their practice
'mmmmmmmmm.... forbidden donut'
This is just sad, this must be the start of this: http://www.verisign.com/corporate/news/2002/pr_20021217.html
There's some phone numbers on the bottom of that too...
Someone asked me the difference between ignorance and apathy, I told them I don't know and I don't care.
Lets say "If you want a [substantive] reply, log in".
Don't piss off The Angry Economist
For when you're old and gray and want to show your kids what happened before nonsense addresses, first go to a nonsense site.
Then, go to this site, which is sure to become a favorite very quickly, for historical purposes.
"See, son, this is what happened back before VeriSign took over the unregistered Net!"
"Really, Dad?"
Safari chirps: "Server not found."
Patch downloaded, compiled, configured, installed, restarted..
;-) off course there are only 10 users of my DNS, but it's a start!
And it works
And the BIND solution is an excellent response in the spirit of the network
Wouldn't that be, "I'm mad as hell and I'm not going to take it anymore!"
"There are people who do not love their fellow human being, and I _hate_ people like that!" - Tom Lehrer
It only sounds sarcastic because you think you're saying something you're not. If you "could" care less, you care to some degree. However if you "could not" care less, there is no degree of caring.
It's quite simple, really. It all reminds me of the person who argued strenuously that the phrase "I haven't (ain't) got no money" was a statement designed to evoke sympathy for the poor sap's financial position. However, if one is in a condition whereby they do not have a zero sum of money, it is obvious that they do, in fact, have a sum of money.
However Mr. Thorogood had to inform his landlady that he, in fact, had no money.
BD Phone Home!
Shameless plug. Like you weren't expecting it.
You're welcome.
==========
Together, we will drive the rats from the tundra.
If you force me to tweak my DNS records (my ISP charges per change - yeah I know I should just run my own copy of BIND, but I don't want to worry about the uptime of a pair of DNS servers) I shall be forced to send you the bill :P
So, use Granite Canyon.
-jerdenn
That's great, but I have an established .net domain. If I need to admin that domain, I need to go to a verisign site.
Frustrating users is not the way to deal with this.
"Verbing weirds language." -- Calvin
Yeah, Norton Internet Security and other similar programs explicitly block referer headers to protect the user's privacy.
And it's not like nobody runs Norton.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
If you block by IP, it'll discourage them from trying any more tricks. If they switch the IP every day, and more and more of their IP addresses are permanently blocked from resolving on huge chunks of the Internet, sooner or later they'll run out of IP addresses. Which would be highly amusing.
The new feature just needed this bit added to named.conf to get it working:
When it's running, it will put messages like this to
Companies that have had their competitors register slight misspellings of their name (ue instead of eu for one company I've worked with) have won lawsuits easily. Isn't this as simple as one of the other registration companies showing that a slight misspelling of their name like egister.com instead of register.com lands them at a Network Solutions site promoting DNS registration?
I know they can argue that they're not doing the same thing, but the end result is the same. They may get business that should have gone to register.com.
The proof is in the pudding.
No, really. Bacardi 151.
So basically, anyone who pays verisign for this service is going to get bombarded with spam not only for their own domain, but for any of related-in-wildcard domains as well. I mean, domain name resolution is independent of the final protocol being used (www, ftp, etc), correct?
So, now, spammers for mydomain.com mydoman.com mydo... etc are all going to end up getting mydomain.com.
Are the spammers going to verify the domain, or perhaps some will just connect to the IP specified and spam away.
In this case, which is better/worse, a few extra customers garnered from mistyped domain-names, or a whole lot more spam? Methinks the spam-bandwidth-usage will exceed the possible profitability of new customers. Nice business model, verisign!!!
If anybody's still following this thread... I have thrown up a database of patched nameservers here (don't worry about arouse.net, it's not a porn site), which currently allows you to check to see if a nameserver has been patched to block return of 'A' results for non-existent domains, and allows you to add to the database if it is a patched server.
I'm browsing /. from the University of Hawaii computer network and it seems that they have somehow blocked this. I know, because I can type a domain name wrong, and get an error message. Then, I can log into another machine somewhere else and the same mis-type gets redirected to Verisign.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
The rest of that post is right on target though.
RPMs here: http://www.denson.org.uk/bind. Binaries are for RH 7.3, so may break dependencies.
How quickly would you (and others like you) find another registrar if half the time you couldn't get to Verisign?
Maybe you're "acceptable losses" in this war.
0xCAFEBABE wins here. Time for some yummy java!
My other car is first.
Not only that, it TRIES to ping that site. How much crap are they going to get till they undo it? This will only last till they get the BW bill. Whoever owns their lines is probably like "YESSSSS", because they are going to be getting a serious amount of traffic.
I think a major provider just figured out a way to DOS itself! It's annoying, sure. But it MUST be hella expensive. So not only are they paying for the goofy request, they will also be paying to show you some goofy web site (maybe). But also paying for any bogus traffic that comes in for OTHER services. So instead of bad requests being dropped at the client level (which scales much better), they are being dropped at the server level (which will not scale).
So BASICALLY they want to pay for people who spell badly. Good for them. Needed someone to fund my misadventures in misspelling.
Only if that number didn't already belong to somebody else. In which case you'd just get the wrong person, but not ads.
- I love animals. I try to eat at least one a day.
I don't see how DDoS-ing the root servers is going to solve this problem. A successful DoS attack against the root servers will just cause total mayhem as even legitimate domain names won't resolve any more.
Well, actually I do see the point in doing just that, but are we prepared to destroy DNS in order to save it?
I signed up for a
Well it certainly beats 0xBEEFBABE , which I believe is defined as "a girl with too much cushion for the pushin' "
I was being a pedant, for which I apologise. (As the guy above said, it was the "and nothing more" bit I was disagreeing with.)
Even the original DNS RFCs have records like WKS, HINFO, SOA, MG. It's all stuff for managing a hierarchical namespace - it's not only IP to DNS mappings.
From rfc883:
Of course there probably aren't many people using anything more than A, MX, CNAME, NS, PTR and SOA (and any IPv6 equivalents). Reading the RFCs again makes me wonder if you can get Hesiod or Chaosnet classes anywhere.
Maybe people would care to post up the strangest records they can find in the DNS space? I'm a little surprised that /. doesn't offer Futurama quotes in TXT records.
Special Relativity: The person in the other queue thinks yours is moving faster.
Heh, I would imagine if you attempted to connect to that particular site that you'd get an ad.
I feel fantastic, and I'm still alive.
When you call, select:
I recommend that you be patient with the Verisign rep that answers the phone. That person may not fully understand the issue / problem, and they are unlikely to personally be responsible for the Verisign decision. Remember that you are objecting what Verisign as a company is doing. Don't yell at the rep. Be polite but firm.
Ask Verisign to stop the wildcarding now. Explain why what they are doing is wrong (such as being unable to determine if an e-mail message is being sent from a bogus / non-existent domain because thisdomaindoesnotexist.com resolves to 64.94.110.11).
If you do business with Verisign now, tell them that you will switch vendors unless Verisign stops this practice in X weeks. (fill in the X)
You might want to leave your phone number and request a callback. Anonymous complaints do not go as far.
If you are in the US, you might want to contact your local member of congress and object about what Verisign is doing. Let Verisign know that you are doing this when you call.
Yes, they might flush your complaint down /dev/null.
But I suspect that pressure from all fronts might help.
I have been told (off the record) that some people within Verisign are not happy with their wildcarding. Complaints get logged into a database that these people can review. Your complaints, in volume, might help those folks make a stronger case against top-level wildcarding.
chongo (was here)
Add this to your firewall rules:
iptables -A FORWARD -d 64.94.110.11 -j REJECT
it is only after a long journey that you know the strength of the horse.
The BIND patch and related things can only be a temporary measure, because Verisign will have the patch too, and be able to do something which works around it. Then BIND will work around that and so on.
Basically, you have a technological arms race, and an arms race is a race that nobody can possibly win. Legal recourse is handy for breaking the cycle.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
Not in and of itself, but we hope OpenNIC will quickly move to sanitize the domain-information they pass on, which should be easy with the patches that have been released. Better to fix the problem at one point than at thousands.
Well, first off, I and people like me would have already jumped ship from Verisign without intarweb vigilantes deciding what website they would allow me to view. Secondly, I and people like me would also ditch an ISP that blocked access to sites immediately, and you and people like you would be the suicides-by-cop you see when a small group of fanatics decides they're going to secede from the union.
"Verbing weirds language." -- Calvin
As bad as this is - removing support for wildcard character resolution would affect some open source projects too.
Try looking around sourceforge.net subdomain variations sometime.
www.sourceforge.net is valid - www328383.sourceforge.net is also valid using the wildcard
Lets just wipe those f***** off the net completely. If we're going to route around the damage, lets route around the whole bloody lot of them.
ftp://ftp.redhat.com/pub/redhat/linux/rawhide/i386/RedHat/RPMS/
1893319 Sep 17 13:41 bind-9.2.2-23.i386.rpm
615472 Sep 17 13:41 bind-utils-9.2.2-23.i386.rpm
Here's the directives I added to /etc/named.conf:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "ws" { type delegation-only; };
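Two checks from this thread, written out as an added example that is not code from the original posts or from the BIND patch: the mail-server style test of whether a sender's domain really exists (broken by the wildcard because thisdomaindoesnotexist.com now answers with 64.94.110.11), and a simplified emulation of what the `delegation-only` zone type above does to a reply from the .com or .net servers. The DNS packets are constructed inline in wire format so the script runs offline; the Site Finder address set, the 192.0.2.x sample addresses and the exact filtering rule in `delegation_only` are assumptions for illustration, not the patch's own logic.

```python
"""Site Finder wildcard checks on constructed DNS responses (added example)."""
import struct

SITEFINDER_IPS = {"64.94.110.11"}          # address quoted in the thread; assumed complete
TYPE_A, TYPE_NS = 1, 2
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Dotted name -> uncompressed DNS wire labels."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname, rcode, answers=(), authority=()):
    """Minimal response: one A question plus (owner, type, rdata) records.
    rdata is a dotted IPv4 for A and a name for NS. Constructed test data."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack(">HH", TYPE_A, 1)
    for owner, rtype, rdata in list(answers) + list(authority):
        rd = bytes(int(o) for o in rdata.split(".")) if rtype == TYPE_A else encode_name(rdata)
        body += encode_name(owner) + struct.pack(">HHIH", rtype, 1, 300, len(rd)) + rd
    return hdr + body


def decode_name(data, off):
    """Parse a (possibly compressed) name; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                   # compression pointer
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(data):
    """Header, question and the answer/authority sections (one question assumed)."""
    _, flags, _, an, ns, _ = struct.unpack(">HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    off += 4                                    # qtype + qclass

    def rrs(count, off):
        out = []
        for _ in range(count):
            owner, off = decode_name(data, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
            off += 10
            rd = data[off:off + rdlen]
            if rtype == TYPE_A:
                val = ".".join(str(b) for b in rd)
            elif rtype == TYPE_NS:
                val, _ = decode_name(data, off)
            else:
                val = rd
            out.append((owner, rtype, val))
            off += rdlen
        return out, off

    answers, off = rrs(an, off)
    authority, off = rrs(ns, off)
    return {"rcode": flags & 0xF, "qname": qname, "answers": answers, "authority": authority}


def domain_exists(data):
    """Sender-domain check a mail server would want: NXDOMAIN, or an A answer that
    points only at the Site Finder address, both mean 'no such domain'."""
    r = parse_response(data)
    if r["rcode"] == RCODE_NXDOMAIN:
        return False
    ips = [v for _, t, v in r["answers"] if t == TYPE_A]
    return bool(ips) and not all(ip in SITEFINDER_IPS for ip in ips)


def delegation_only(data, zone):
    """Simplified emulation (assumption) of BIND's delegation-only: a reply from the
    servers of `zone` for a name below its apex may only be a referral (NS records in
    the authority section, empty answer section); anything else becomes NXDOMAIN."""
    r = parse_response(data)
    qname, zone = r["qname"].lower(), zone.lower().rstrip(".")
    below_apex = qname != zone and qname.endswith("." + zone)
    is_referral = not r["answers"] and any(t == TYPE_NS for _, t, _ in r["authority"])
    if below_apex and not is_referral and r["rcode"] != RCODE_NXDOMAIN:
        return build_response(r["qname"], RCODE_NXDOMAIN)
    return data


if __name__ == "__main__":
    wild = build_response("thisdomaindoesnotexist.com", RCODE_NOERROR,
                          answers=[("thisdomaindoesnotexist.com", TYPE_A, "64.94.110.11")])
    print("wildcard answer treated as existing domain:", domain_exists(wild))
    print("after delegation-only filter, rcode =", parse_response(delegation_only(wild, "com"))["rcode"])
```

`domain_exists` is the client-side workaround (what the spam filters mentioned in the thread would have to do); `delegation_only` shows why the resolver-side fix is cleaner: a synthesized A answer from the TLD servers is never a referral, so it is rejected without knowing Verisign's address at all.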
Only if that number didn't already belong to somebody else.
Which is much more common in a 16-letter[1] namespace than in a 7-digit namespace.
[1] That's a "typical" domain name length. The fact that domain names can be longer is beside the point.
Will I retire or break 10K?
Dont follow it no iso...
So now it seems people are using the term "ISO" to refer both to a quality management conformance certificate and to a disc image. In that case, you can get your Tetris ISO from this quality management consulting firm, or from this gamez site.
Will I retire or break 10K?
Petitions only work if ... or b) the petition is to force a state government to put something to a vote (e.g. referendum process).
This petition seems to lead to a vote of no confidence in ICANN by national communications regulators.
Will I retire or break 10K?
OpenNIC does not 'pass on' anything except where .com and .net can be found. Routing every single DNS query in existence through them would kill them.
If corporations are people, aren't stockholders guilty of slavery?