BIND Patches Make Bad Situation Worse
An anonymous reader writes "After .COM and .NET started using a wildcard, the internet community busily started creating patches to various pieces of software to circumvent this. It was said that this was a grave problem to the internet. Several official BIND patches were announced over the next few days. However, it turns out they weren't necessarily too well thought through. Usage of the patch unexpectedly broke at least 7 Top Level Domains, ISC announced 3 weeks later, after users started having problems. The .NAME registry has sent a formal letter to ICANN's Security and Stability Advisory Committee to warn against using the BIND patch, which they will look into in their next meeting. The intention may have been good, but... Stability? Anyone?"
I thought sitefinder was dead
Yes. .io and .sz.
I see we call these "patches" and not security updates.
Write, Compile, Deploy, Test, Pass the Blame.
Ahhh! BIND
Why don't you use MSN Keywords(r) or new.net browser plug-ins, you GNU hippies!
That's what happens when you rush patches out the door. Thankfully, I'm running XP which needs no BIND patches thanks to Microsoft's policy that puts high quality before profits.
It seems appropriate for the Commerce Dept. to revoke the Verisign contract and award it to another entity that will be more concerned about operating the registry, root, and TLD servers in compliance with relevant standards and for stability and the public benefit, rather than an entity that sees their custodianship as a way of subverting the system to increase their profits without regards to the effects on the internet at large.
... we told you about the ill effects of blocking the wildcard!
Will this be the beginning of a rematch between VeriSign and the world?
Indeed the patches were bad. I tried the first one and it caused strange problems.
My ISP installed another one and it is even worse: it does not return an error but it simply returns no answer for the wildcarded records.
"unexpectedly broke at least 7 Top Level Domains" /.'d
They were
A BIND patch wasn't the right way to address the problem anyway.
The legality of the wildcard scheme is what needs to be addressed. If it's illegal then the bind patch isn't needed, and if it's legal then the BIND people would probably find themselves sued.
Aw crap, ninjas!
BIND patches? Well I'm in a bind as to whether or not I should ask someone what in the heck this means, since I have no idea.
...wha?
it made picking up new domains take half of forever in my experience. i have bellsouth access, still, through sheer inertia. they seem to be always the last on the net to refresh dns.
"You never want a serious crisis to go to waste." - Rahm Emanuel
...is easily seen here. It's a perfect example.
We really need to link ICANN more effectively to the
world, maybe each state or province in each country can elect 1 ICANN rep.
Or maybe they should be elected from the owners of each CLASS A worth of network space, or each network, regardless of size, that has a large impact on the internet as a whole (AT&T owns all of 12.0.0.0/255.0.0.0 as far as I know)
Whatever the method, we need a more top-down system for ICANN.
Just my 216 Yen.
/* * pope1 */
Don't I feel all smug for letting the free world try out all that expimentanl @#$!&!!#$A$#@$!!^!!#$%!#Q [No Carrier]
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Dear (dot)name,
Since (dot)name provides such a useful and valuable service to the Internet community, we will immediately take action to address your--
It's nowhere near as difficult to set up as BIND, it's more secure than BIND, and there's a patch available to block Verisign's wildcard lookups. I've been running the patched version at home and at work since shortly after Verisign added the wildcard records and haven't had issues with any DNS queries.
20 January 2017: the End of an Error.
I don't want to sound like "told you so", but this is exactly the reason why I did not use them in the first place. An authoritative answer from a nameserver is authoritative, even if you do not agree with it. IMHO, Verisign should hang for their completely stupid actions which messed up the entire DNS system but on the other hand, I think that DNS operators should think twice before applying code that tampers with authoritative answers from root nameservers.
The path to follow was via ICANN, or if you still wanted to disable the sitefinder, just insert a route for the /32 in your favourite IGP and reroute the traffic to /dev/null or your ISP's site.
I do appreciate the efforts from the ISC in this matter. A lot. It certainly helped convincing ICANN of the seriousness of this problem.
I'm not a complete idiot... Some parts are missing.
the blame for this lies squarely at verisign's feet.
pr0n - keeping monitor glass spotless since 1981.
I've been getting the 500 errors as well over the past 2 days...
When verisign went ahead and changed the TLD the argument by icann was that the ensuing environment in the internet community would cause chaos as organizations attempted to accommodate a once static internet infrastructure.
YOU DAMN DIRTY VERISIGN.
If you can't fix it ask the 3 year old down the street.
I had a feeling this would happen.
And now that SiteFinder is gone, it may take forever for 100% of these patches to be fixed/remedied/removed/ etc.
In the meantime, i'm sure that someone, somewhere (or most likely hundreds or thousands of someones) are considering what mischievous deeds they might be able to do with these patches, a situation like SiteFinder or similar.
Ever notice that whenever someone does something a little bold and arrogant, they get shut down almost right away. But within 6 months of that, the gate opens and a pile of people pop up doing things significantly worse or ugly with little effective resistance?
Oh well. Maybe i should just obey the voices in the back of my head and go kill myself.
do() || do_not();
Not surprising, as BIND is as shown again and again a poorly designed and coded product. The fact that authors of this crap can't come up quickly with a working patch is laughable.
I think that DNS operators should think twice before applying code that tampers with authoritative answers from root nameservers.
Not only do i agree with your statement, but i feel this applies equally as well to mailservers (and other facets of inet infrastructure).
RFCs were created for a reason, and the day we all decide to do it our own way is the day that the internet will die.
do() || do_not();
This wouldn't be a problem with closed source software.
I'm just sayin. With closed source software domain name hijacking and pop-up windows are an unavoidable part of your day.
The first feature (which is the one that was implemented initially) supports marking selected zones as delegation-only. This is safe, as long as VeriSign doesn't rush ahead and offer a special DNS service (with alleged super-high reliability) which involves A records directly in the COM and NET zones.
The second feature is much more dangerous because you have to explicitly mark the TLD zones which contain records which aren't delegations--all other zones are assumed to be delegation-only. Some zones have lots of in-zone A and/or MX records (DE, for example), so you have to do some research before you can enable this feature.
If the second feature is incorrectly configured, there will be some local disruption of service. While it might contribute slightly to the instability of the Internet, it's just a localized configuration error (mind that BIND doesn't even have a default for the configuration option), and it's not comparable to what VeriSign did on a global scale.
It would have been appropriate for the United Nations to revoke the Saddam's title over Iraq and award it to another entity that was more concerned about running the country and its oil fields in compliance with relevant standards and for stability and the drivers' benefit, rather than an entity that sees its custodianship as a way of subverting the system to increase his powers without regards to the effects on the world at large.
I can't wait to feed.
I'm going back to Windows!
I don't know the meaning of the word 'don't' - J
BIND Patches Make Bad Situation Worse
I hear those Nicotine Patches can do the same thing to people trying to quit smoking.
do() || do_not();
However, it turns out they weren't necessarily too well thought through
Nor was this sentence.
I wasn't happy with what Verisign did, and the prompt response from ISC was admirable, but that doesn't forgive the matter that "broken" patches were rushed to the street. It was simply a matter of bad code that was never tested properly.
"That's what happens when you rush patches out the door. Thankfully, I'm running XP which needs no BIND patches thanks to Microsoft's policy that puts high quality before profits."
What?! Nu-UH! Microsoft is teh suX! Linux is much better! Microsoft doesn't...
waittaminute. Are you trolling me?
I think that DNS operators should think twice before applying code that tampers with authoritative answers from root nameservers.
The BIND patch doesn't alter the contents of the root zone (small nitpick).
The path to follow was via ICANN, or if you still wanted to disable the sitefinder, just insert a route for the /32 in your favourite IGP and reroute the traffic to /dev/null or your ISP's site.
Tampering with Internet routing could be viewed as damaging as dealing with DNS. Route manipulation is almost universally accepted. I guess if we had the tools to filter and/or rewrite DNS requests (like route-maps for most BGP implementations), the sacrosanct nature of DNS would change as well.
However, null routing doesn't restore the original behavior. The BIND configuration option does. It's a kludge, but it's the best option to restore the zone contents (from the point of view of your clients).
Hello idiots,
the delegation-only option is supposed to be used on a PER ZONE basis. It's not like applying the patch makes it so that no TLD is able to return non-delegation responses. It simply allows you to define certain zones that the server only accepts delegation results from.
Now in this great wide internet, I suppose it is possible that some asshats found a way to apply it to every zone that they query against - but last time I checked, you were supposed to do this:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
So how it's breaking all these other zones is a farking mystery to me.
Looks to me like the post was meant to say "don't set the delegation-only option on these domains", but someone who doesn't understand what's going on took it to mean "THE PATCH BREAKS ALL DNS! THE SKY IS FALLING, THE SKY IS FALLING!"
Calm down people. The patch is still a perfectly fine idea.
You may disagree, but to be blunt, you're wrong. -tgd
I'd almost say that if a TLD can be handled with a single wildcard, then the domain is not large enough to exist and should be a second level under something else. Even if it is just starting out, it should be run as if it were a significant participant in the net, which means delegation of specific second level entries under that tld.
You can't ping Slashdot because Slashdot doesn't respond to pings. Notice that the web server seems to be working fine? :-P
sitefinder is not dead as far as Verislime is concerned. They have only "temporarily" suspended it pending final resolution to the "technical problems" that it caused. Verislime is working hard to try and get them reinstated.
SPF support for most open source mail servers can be found at libspf2.
The slashzealots will figure out a way to blame Microsoft somehow.
GTFO! I don't trust that crap like I don't trust sendmail.. its djb software fer me all the way baby.
-Dirtbag
ZIM: I helped with the DNS problem.
Tallest: You made the DNS problem worse!
ZIM: Worse..? or better?
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
DJBDNS, anyone?
The Bind authors are known idiots. Much like users of their software. It's buggier, more resource intensive and slower, but at least it costs more!
Hey freaks: now you're ju
But I thought, regression testing, hell testing at all, was a bad thing. Isn't it *good* that in the open source world, a patch gets slapped together and applied the world over, within an hour?
Vintage computer games and RPG books available. Email me if you're interested.
Those 500 Internal Server messages are annoying. Also the boards have slowed to a crawl at times.
I find it strange that I be coming to the aid of the authors of BIND as a loyal djbdns user, but in this case I strongly believe it is Verisign who are to be hung, drawn and quartered over this one. The ISC were merely attempting to meet the needs of their customers. I haven't looked at why this caused breakage yet, but I wonder how much of it is related to poor configuration of the other domains? I wonder also how difficult it would be to modify the patch to sanitise only .com and .net domains? Not quite as clean, but better than, say, filtering IP numbers!
I'm on Bellsouth.Net dial-up, and it's been a couple of weeks now since I've been able to correctly get to google.com. I ultimately had to ask a friend of mine to give me the correct IP address, and have had to bookmark that. I noticed that in the first few days the browser was unable to locate any page on that address, but the space has since been "colonized", I guess by some opportunist.
I presume this hassle is because of the various problems caused by these idiotic modifications to the foundations of the Internet, and I wish hellfire and brimstone upon the PHB's responsible for them.
The non-delegation records in those zones are crap records to various registrars's websites, just like the ones Verisign was publishing. Why would anyone care? Filter them all, I say.
500 Internal Server Errors with Slashdot lately,
yes, me too. using MDK 9.2
.name suits complain that their wildcard doesn't work anymore with those who installed patched Bind?
When Verisign turned the wildcard for .com/.net and ISC came up with Bind patches, many admins decided to also block wildcards in about a dozen small TLDs some of which supported wildcards from day one - they were simply below the radar until Sep 15. Now those TLDs are unhappy because customers have tools to block their idiotic tricks - who cares? - how are they any better than Verislime except they can't quite screw up as many people?
How is it a problem for anyone except them?
I am perfectly happy running the patched bind and have no intention of rolling it back - even if sitefinder is out for good, it's a matter of principle, - no wildcards on TLDs!
Vlad
... like the companies want to keep people away from future "patches" that may override such annoying services in the future.
Ditto.
Peter M. Dodge,
Chief Executive Officer,
LiquidFire Studios
Platinum Linux - www.
I have avoided BIND for years. For a while my DNS server was actually one written in Perl...
I'm using Windows 2K and I haven't noticed any problems. I have been experiencing 500 Internal Server Errors with Slashdot lately, but I'm pretty sure that isn't a BIND thing. I checked task manager and BIND isn't running. Also, I can't ping Slashdot either. Something is wrong.
you hit that on the head... yes something is wrong and you can fix it easily...
first search your /winnt or /windows directory for a teddy bear icon. this is the verisign virus that causes sitefinder to run. you need to delete that.
now every time something acts weird you need to simply press ALT-F4 and it will correct the problem.
Hey, at least it lightened the load on my DNS cache... :-)
I prefer instability to inaction in circumstances such as arose with Verisign.
You know, every time this buggy, insecure, over-complicated sack of crap is the source of a security hole, I make a post here to the effect that BIND is a buggy, insecure, over-complicated sack of crap and that its maintainers evidently lack either the will or the ability to fix it, and that there is more than one good alternative, including, but not limited to, djbdns.
And every time, someone comes back and says no, it's really fixed this time, it's really finally stable, the developers really are both concerned and competent.
I no longer bother replying anymore. Usually CERT does it for me.
BIND must go. The only thing it does reliably is diminish the credibility of open source. (And make sendmail look good by comparison, which is no mean feat, either.)
Proud member of the Weirdo-American community.
That's a real cute (even if completely off-topic) parallel. Oh, except for one thing:
"stockpiling weapons of mass destruction"
I dont even consider .name or those other stupid ass vanity poos as real TLDs anyways... .name people can kiss my ass
...who uses .name domains anyway?
That'd be like suing Microsoft for outlook viruses
Oh, we can only dream...
Zodiac Survey
-I'm currently taking an entry-level college coding class and it's actually, analyse, design, code, test, implement . . . . . . pass the blame then if you want. Wow, only four weeks studying computers and I'm already smarter than the average ./er
GWB should be tried for war crimes.
Microsoft is in charge of BIND development now!
This
The DJB wanabees are pushing their idol's software, and ISC gets the flak for having designed a very good patch. The problem is not with the patch itself, it's how it is used.
The first patch
ISC initially designed the Verisign wildcard blocking patch so that one can mark a zone as delegation only. Explanation: the TLD servers (the ones that serve .com, .net, .us, etc) should not contain any domain information: their purpose is just to point to the actual name server for a given domain:
- When a .com TLD server is asked for existingdomain.com, it replies: for any address below existingdomain.com, ask this and this servers. That's a delegation answer.
- When asked for non-existingdomain.com, the gtld server used to reply: there is no such domain.
- When Verisign introduced their sitefinder service, they basically configured their server to say: non-existingdomain.com is at this address. Compare that with the ask this other server. That's not a delegation. It's a straight answer.
So, the first ISC patch allowed people to mark a zone (eg.Note to the DJB groupies: that's much cleaner than passing an IP address to be ignored in an environment variable. For once, with the bind approach, you can still access www.sitefinder.com. It's only the unwanted wildcard referrals that are blocked, not a given IP address.
Second (and current) patch
Then people noticed that all TLD ought to be delegation-only (they were wrong) and objected to have to write a stanza in the configuration file for every TLD. That's why the second patch was introduced.
This time, in addition to the configuration directive saying "this zone is delegation only", a new configuration directive was introduced: "all TLDs are delegation-only". You may also provide a TLD exclusion list for the few domains that were known to have non-delegation records (like .de).
Some misinformed admins started using this new directive with just the few known non-delegating domains excluded, but more TLDs than previously thought had non-delegating records in their TLD zone. Like .name. And that's what they're complaining about.
Summary
If you use the .com and .net are delegation-only zones configuration directive, you're doing good.
If you use the all TLDs but a select few are delegation-only, then you must make sure you have the exhaustive list of non-delegating TLDs. Since no-one has the exhaustive list yet, I suggest you just mark .com and .net for the moment.
If you use DJBDNS, stop showing such misplaced zealotry.
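The two configuration forms argued over in this post and in tgd's post above (per-zone delegation-only versus the global "all TLDs but a select few" directive), written out as a named.conf fragment. This is an added example, not configuration from the page or from ISC; the directory path is assumed, and the exclude list names only the two TLDs the thread itself says carry in-zone records (.de and .name), so it is an illustration of the shape of the list, not a researched list to deploy.

```conf
// Added example: BIND 9 named.conf fragment showing both delegation-only forms.
// Not from the page or from ISC. Paths and the exclude list are assumptions.

options {
    directory "/var/named";   // assumed path

    // Form 2 (global): every TLD is treated as delegation-only except those
    // listed in "exclude". Any TLD that legitimately publishes in-zone A/MX
    // records but is missing from this list will have those records turned
    // into "no such domain" answers for your clients. That is the failure
    // mode the thread describes, so this form is left commented out here and
    // should only be enabled with a list you actually maintain.
    //
    // root-delegation-only exclude { "de"; "name"; };
};

// Form 1 (per zone): only the zones named here are treated as delegation-only.
// Wildcard answers synthesised inside com or net are rejected; ordinary
// referrals to second-level domains pass through unchanged, and every other
// TLD is left alone.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
```

Before reloading, run named-checkconf against the file to catch syntax errors in the zone statements; after reloading, a lookup of a deliberately non-existent name under .com should now return NXDOMAIN instead of the wildcard address, while a lookup of a known second-level domain should still resolve normally. If a TLD you rely on starts returning NXDOMAIN for names that exist, the global form is in effect without that TLD in its exclude list.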
And yet not smart enough to figure out how /. accounts work.
We should all be using OpenNIC. I know that I've converted all DNS servers that I run. (including one at a large University)
People are always saying it isn't safe to install MS patches because they break things, but this case surely shows that it can happen in any OS or any environment (closed and open). Where are all the people screaming about how people shouldn't install patches until they have been out at least 6 months like they do with MS patches? And doesn't this make OSS patches as dangerous, since they obviously aren't being tested?
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
... is TopText.
Thanks Microsoft, for trying to introduce your very innovative "Smart Tags".
Anyone notice all of MS' true innovations merely annoy and hinder rather than help? MS Bob, HTML email, Clippy...
Wow, so the open source community released a patch that wasn't well tested, that caused problems, and probably cost some people a bit of money.
How many times has slashdot bitched and moaned about a certain unnamed corporation doing something similar.
Some people say "this could have been avoided if your named.conf was written properly." Yes, and most viruses and worms could be prevented if people would patch their desktops.
So what we have:
A patch that caused a lot of problems.
Users that could have prevented the problem if they had known better.
Sounds a lot like the kind of users all you eleet unix junkies diss on so often.
no comment
some may have faced the same decision i did: Either you spend hours and hours in investigations if the sitefinder shit breaks some script of yours or your ancestors, or you take the risk applying a patch that can't be tested very thoroughly. Neither choice really seemed inviting.
As it turned out, the patch wasn't working very well (increased memory usage, was an unofficial patch for 8.4.somewhat) and we had a malfunctioning debug script.
Regards, Martin
Since BIND doesn't support dynamic updates, it doesn't work well with DHCP, Mobile IP, Ad-Hoc IP or any other environment in which dynamic updates are, well, essential. (Incidentally, as IPv6 mandates Mobile IP support, BIND cannot be considered IPv6-compliant.)
The API changes with BIND 9 meant that anything using the resolver library was likely to do nasty things.
So why does anyone use BIND? Why do I use BIND? Because, as was the case with Sendmail, until Postfix came along, the "alternatives" just aren't even up to the level of these dying, legless dinosaurs.
(Even now, Postfix won't do everything Sendmail can. It's usable for most things, and development is impressive, but until it passes Sendmail by, it won't be a real alternative, merely a usable standby.)
So what do I want, that the other DNS' either can't do as well as BIND, or can't do at all?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Consider that ISC stepped up to the plate and delivered a sensible solution in the midst of many unknowns at the time - Verisign did the breaking, not ISC.
Sorry, but ISC BIND is the most standards compliant implementation widely available, and djbdns is still incomplete. Switching name server software is not the answer to the problem of Verisign commandeering the COM and NET zones for their own profit.
I have been running 8 ISP 9.2.1 BIND servers for nearly a year without a single hiccup, security breach or question of performance.
Please review the history of ISC BIND development vs. security issues. You'll see that they've done an admirable job of clearing up loads of problems.
You should not be using BIND 8, although it is still supported. I've had a very good experience with BIND 9.2.x, and I did not roll out the patch at the time because I suspected that Verisign would remove the problem shortly and they did. It was my lucky guess, it could have worked out otherwise.
There is nothing wrong with the Bind patches. The problem comes from an incorrect configuration.
Mod the parent all the way up, or delete the incorrect, ignorant, flame-bait, troll of an article.
Paul Vixie releasing untested, buggy software?
You're kidding!
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
The right thing to do is to run two services one for DNS cache, the other as your authoritative nameserver. Even BIND idiots recommend to run BIND this way.
Pull your HEAD OUT OF YOUR ASS before you post!
As a secondary issue, there's the question of whether you *want* DNS wildcarding for those domains. If you don't, then even if the patch mistakenly blocks them, that's ok. One of the most serious problems with Verisign's DNS hack was that it's OK behaviour for web browsing on port 80, broken for browsing on other ports, but is almost never helpful for typoed email messages, is seriously broken wrong behaviour for spammer-forged email addresses, and for other protocols, is usually broken, sometimes very annoyingly broken. If you're using a web browser to check out http://nonexistent.museum, you get a friendly menu, but if you were trying to send email to curator@missspelllled.art.museum, instead of your email client telling you that the domain doesn't exist (which you'd then correct), it'll accept the email and then eventually give you a bouncegram, which is especially annoying if you were sending mail to more than one person. Do you get any better treatment from bob@misspellled.name ?
What's worse is spammers forging From: or SMTP envelope addresses from these TLDs, which was a problem that wasn't particularly obvious before Verisign's .com hack reminded everybody. Instead of your email system detecting that MAIL FROM: is bogus and rejecting it, or accepting the message, or detecting that From: spammer@nonexistent.name is bogus and discarding it instead of delivering it to you, now you'll have to notice that yourself, if your email server and client are friendly enough to let you see the envelope headers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Good one.
For purposes of blocking sitefinder.verisign.com's IP
What happens to a DJBDNS server's Sitefinder blocking performance should Verisign restart the Sitefinder web site and move its web server to a different IP every 24 hours?
Will I retire or break 10K?
Come on, let's see those arguments for sticking with it. They're amusing (sad really).
The last few times I've installed djbdns, all I've had to do was type in emerge djbdns, go away for a few minutes, come back, and start adding data.
emerge: Bad command or file name. Installing and configuring Gentoo Linux on a production system is not always an option.
Distribute an unmodified tarball, along with whatever patches you want to apply
Applying a patch to a copyrighted program prepares a derivative work of that program. Will it be lawful under all nations' copyright laws for end users of DJB's programs to apply such patches, compile the patched programs, and run the compiled binaries? Though DJB claims that 17 USC 117 seems to allow this, not all U.S. district court judges interpret section 117 the same way, and not all jurisdictions have adopted corresponding legislation. Until DJB explains the specific terms for distribution of patches to his software (Trolltech's QPL might suit his liking), distributing patches will remain only quasi-lawful in many cases.
Will I retire or break 10K?
the reason we still use it after 15+ years is because its maintainers evidently DO have the will to maintain it, in spite of all the features that people keep wanting added, and the reason that 48 hours after Verisign broke the DNS system you could install a BIND patch is ALSO because its maintainers have the will and ability to fix it.
In an open-source open-protocol world, the reason to stop using a product like BIND is that either somebody writes a better product, or you get so fed up with it you write a better (or worse) replacement yourself, or you decide that it's so appallingly unfixably buggy that it might be better to go back to using carrier pigeons to deliver /etc/hosts files on clay tablets than to keep using it. There are applications that are bad enough that you'd take the third approach, many of which come from Microsoft or Novell, and enough people took the second approach that you can be lazy and take the first approach if you want to. Most of the alternative solutions are good enough for 80-90% of the potential users, and some of the djb flame wars are either arguments from the other 10-20% of the people who need the extra capabilities or arguments about whether the DJB approach to licensing and doing everything his way justifies going back, if not to clay pigeons, at least to BIND.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
URL: http://www.xfocus.net/tools/200307/dnsflood.c
If sendmail & BIND didn't suck so hard, you wouldn't see so many people willing to mention alternatives (whether qmail & djbdns or some other MTA and/or DNS server).
20 January 2017: the End of an Error.
A software process is comprised of specification, development, validation, and evolution. There are various ways of breaking down the software development activity, as well as defining the words that you used, but I am not aware of any choices of these which would make what you said correct. What text are you using?
Every time there's a patch to BIND, somebody spouts off about DJB's "great stuff"...
As much of the value of software is the LICENSE under which it is release as the source code itself.
If M$ didn't sell binary copies of their Windows O/S, it would have no value at all.
DJB's tools might be great for some people, and it might even become a standard for the Internet, but as long as DJB's license is so restrictive as to prevent Red Hat from releasing a QMail RPM, its value is greatly diminished. Despite the availability of the source code, it's not truly "open source".
So we stick with BIND. Written for a different era of the Internet, it nonetheless works quite well, and security issues aren't much of a problem (at least for me, periodically running up2date works quite well)
Another example is qmail. Since only patches can be released, I have to go through the scavenger hunt of patches and crossed fingers hoping to get a qmail installed with support for LDAP and qmail-scanner.
And it's not as though qmail is perfect, either. I mean, auto-responder messages with hard coded reply headers? WTF? How magnificently retarded is that?
The restrictive license of DJB's tools prevent things that really should have happened long ago - a forking of the codebase, and binary distribution.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
The problem is that .com and .net aren't the only TLDs with evil wildcarding brokenness, just the latest and the only one to do so unilaterally without the responsible people discussing and setting policy first, and the patch didn't list quite all the TLDs that have official policies of wildcarding, just most of them. You can update it to add the others to the list, if you want, though that'll only help web browsing on port 80, and will cause you trouble if spammers try to forge mail from the other domains.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
On Wednesday 15 October 2003 02:31 pm, Mike Hoskins wrote:
>> i'd prefer to see the feature stay, but possibly have the operation
>> reversed as someone suggested (include list vs. exclude list). it's a
>> little harder to shoot yourself in the foot that way, but it is also more
>> inline with KISS/POLA IMCO. i.e. it seems less astonishing (to me) to
>> specify "what you want" vs. "what you don't want".
If you haven't read: www.isc.org/products/BIND/delegation-only.html, please do, as you will see that we have always (almost from the beginning) had two ways for taking care of this issue. It's up to the administrator to decide which option to use, if any at all. FWIW, we are always reviewing the list of TLDs in the root-delegation-only example, and will update the list as appropriate. (Remember - administrators can edit the list to their heart's content if they disagree with what we list)
So don't blame bind, or its multitude of admins.
And if none of those work, you can always open up a command prompt and type "rmdir /s \"
Umm...if djbdns isn't open-source, then how is it that I've been able to install it on source-based distros like Gentoo and LFS?
Specifically, DJB doesn't allow derived works to be distributed under the same terms as the original (specifically, as binaries). If someone wanted to package DJBDNS and install the software into LSB standard locations, DJB prevents them from doing so.
That you can get source code for an application doesn't mean it's Open Source. Some other examples besides DJBDNS would be qmail, Pine or Microsoft Windows. The Open Source definition is available from
http://www.opensource.org/docs/definition.p
The "breaking" that this "patch" supposedly caused is a feature (root-delegation-only), apparently used more by the (understandably) uninformed than the informed, that is available only in BIND 9.2.3 Release Candidate 3 and 4.
Informed or uninformed about the feature, a release candidate in production may as well be beta software, good reasons to deploy notwithstanding. When you use beta software in production and it does something unintended, that's not a callous failure of the provider/programmer, that's called "testing" and impact should have been considered first. Last I heard, those who place their feet in a fire can expect to get burned, even if they don't like the idea of it.
BIND 9.2.2P3-- which is neither designated formally as a release candidate nor informally as a beta-- does not implement the root-delegation-only feature. So unless you're playing with the fires associated with beta testing... there should be no wildcard-related issues for the uninformed (innocent or otherwise).
As far as anyone has been able to determine, Saddam was in compliance with the UN requirements from the time he readmitted the UN inspectors until the time the US attacked.
When GWB said that he had evidence but couldn't make it public for reasons of national security, I was willing to give him the benefit of the doubt. In hindsight, it appears that he completely fabricated whatever evidence he claimed to have. Even GWB himself now claims that the war wasn't about WMDs, yet he provides no alternate explanation that justifies a first strike on our part.
No, I meant that Saddam should be restored to power and the thousands of Iraqi citizens we killed should be unkilled. At this point there's no reason to call off the investigation. Calling it off won't resurrect the dead.
Saddam may be an evil asshole, but when the US mounts a first strike on a country without in fact having any proof that the country has in fact done anything actionable, and the US kills thousands of civilians to overthrow that country's government, I really question the choice of countries designated the "axis of evil".
If the ruler of a country being evil is sufficient justification for the US to launch a first strike, why haven't we attacked North Korea? Maybe because North Korea doesn't have resources that the US cares about?
It's the sysadmins. They were supposed to configure as delegation-only ONLY the domains Verisign was bastardizing -- .com and .net. Oooopsie.
I still think the patch is kosher; the server administration has the final word, not the BIND developers. No need to recommend against it IMHO.
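The two configuration styles the ISC reply above describes (a per-zone "type delegation-only;" versus the blanket "root-delegation-only" with its exclude list), the version note that the feature only exists from BIND 9.2.3rc3 onward, and the point that marking only .com and .net would not have touched other TLDs, modelled in Python as an added example. This is not ISC's code or BIND's real resolver logic; it follows ISC's published description of the feature (below the apex of a delegation-only zone, only a referral is accepted and any other positive answer becomes NXDOMAIN) in simplified form. The query names, record data and the hypothetical registry that serves MX records at the second level of the reserved .example TLD are all constructed for the illustration.

```python
"""Simplified model of BIND's delegation-only check (added illustration, not ISC code).

The two named.conf knobs it mirrors, as documented by ISC for BIND 9.2.3rc3+:

    zone "com" { type delegation-only; };                  # per zone
    options { root-delegation-only exclude { "museum"; }; };  # every TLD, minus a list

The exclude list contents above are an assumption for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class RR:
    """One resource record: owner name (lowercase, no trailing dot), type, data."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """What the servers for `zone` sent back for `qname` (simplified)."""
    qname: str
    zone: str
    rcode: str                                  # "NOERROR" or "NXDOMAIN"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


@dataclass
class Config:
    """The two named.conf knobs as a Python structure."""
    per_zone: Set[str] = field(default_factory=set)   # zone "X" { type delegation-only; };
    root_delegation_only: bool = False                # options { root-delegation-only ...; };
    exclude: Set[str] = field(default_factory=set)    # ... exclude { ... };


def is_delegation_only(zone: str, cfg: Config) -> bool:
    """Explicitly listed zones, plus (with root-delegation-only on) the root ("")
    and every single-label zone, i.e. every TLD, that is not on the exclude list."""
    if zone in cfg.per_zone:
        return True
    is_root_or_tld = "." not in zone
    return cfg.root_delegation_only and is_root_or_tld and zone not in cfg.exclude


def is_referral(resp: Response) -> bool:
    """A referral has an empty answer section and NS records in the authority
    section for a name below the apex (the delegation point)."""
    return not resp.answer and any(
        rr.rtype == "NS" and rr.name != resp.zone for rr in resp.authority
    )


def enforce(resp: Response, cfg: Config) -> Response:
    """Apply the delegation-only rule to one upstream response."""
    if not is_delegation_only(resp.zone, cfg):
        return resp
    if resp.rcode != "NOERROR" or resp.qname == resp.zone:
        return resp            # errors, and data at the apex itself, are left alone
    if is_referral(resp):
        return resp            # a genuine delegation passes through
    # Everything else is rewritten to NXDOMAIN: a wildcard-synthesised A record,
    # but equally a record the registry legitimately serves from the TLD zone.
    return Response(resp.qname, resp.zone, "NXDOMAIN")


# Constructed upstream answers; the record data is made up for the example.
WILDCARD_HIT = Response("no-such-name-xyz.com", "com", "NOERROR",
                        answer=[RR("no-such-name-xyz.com", "A", "192.0.2.10")])
REFERRAL = Response("example.com", "com", "NOERROR",
                    authority=[RR("example.com", "NS", "ns1.example.net")])
APEX_NS = Response("com", "com", "NOERROR",
                   answer=[RR("com", "NS", "a.gtld-servers.net")])
# Hypothetical registry that hosts MX records at the second level of the
# reserved .example TLD instead of delegating: the case a blanket list breaks.
HOSTED_MX = Response("alice.example", "example", "NOERROR",
                     answer=[RR("alice.example", "MX", "10 mail.example")])

SAMPLES = (WILDCARD_HIT, REFERRAL, APEX_NS, HOSTED_MX)


def outcomes(cfg: Config) -> Dict[str, str]:
    """Map each sample query name to the rcode the client finally sees."""
    return {r.qname: enforce(r, cfg).rcode for r in SAMPLES}


# Only the two zones Verisign wildcarded.
NARROW = Config(per_zone={"com", "net"})
# Every TLD at once, with no exclusions.
BROAD = Config(root_delegation_only=True)
# Every TLD, but with the self-hosting registry excluded.
BROAD_EXCLUDED = Config(root_delegation_only=True, exclude={"example"})

if __name__ == "__main__":
    for label, cfg in (("narrow", NARROW), ("broad", BROAD), ("broad+exclude", BROAD_EXCLUDED)):
        print(f"{label:14s} {outcomes(cfg)}")
```

Running it shows the wildcard hit under .com turning into NXDOMAIN under every configuration, while alice.example only breaks under the blanket root-delegation-only setting and comes back once the TLD is excluded; that is the shape of the breakage the thread is arguing about.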
and failed. Microsoft patches are just as good.
Looks like many eyes is not better than a few when it comes to squashing bugs. Or wait, how many of you jumped to this just because you thought it would make life tougher for an "evil" corporation.
Looks like your hatred of businesses trying to make a buck bit you in the a$$!
And if none of those work, you can always open up a command prompt and type "rmdir /s \"
Ooh! Is that similar to the "sudo rm -rf" command people have been telling me to use to fix my problems with OS X?
When you are repeatedly shown a better way and refuse it, that's the fun of watching the anti's in the djb argument. The OSS'ers are in the same seat as they view Microsoft users and they don't like it.
If you read the text you just linked to, it clearly states that yes, you still need to install the daemontools stuff even if you don't use it to start the daemon.
I would have installed djbdns if it wasn't for that.
In the end, I only needed a local caching forwarding DNS server, so I went with dnsmasq instead.
Don't forget the /q switch for quiet mode ;)
This sounds suspiciously like the comments that Verisign have previously made public. Just who is this "Anonymous Coward", anyway?
Nitpicking, knowitall, humor-impaired college sob.
It's alternativitis -- the desire to embrace something other than the norm primarily for the sake of embracing something other than the norm. There may or may not be valid reasons for doing so, but those are just rationalizations.
If djbdns and qmail are so good, why aren't they defaults in any distros? Why hasn't FreeBSD, which has an excellent reputation for stability and the overall quality of the whole package, chosen to make them defaults over sendmail and bind?
It's rather hard to believe that with all the resources the US can bring to bear on this problem, that WMDs can remain hidden without a trace for this long. They haven't even found any infrastructure that would have been necessary to produce the WMDs, and that should be much more difficult to hide.
If GWB doesn't want people to think he is guilty of war crimes for ordering the deaths of thousands of Iraqi citizens, let him publish the evidence that he used to justify the war.
"If Linux is so good, why do computers have Windows preinstalled on them instead?" That's a weak argument for Windows, and so is yours.
After going through the Verisign messing with the .com, .net fiasco, I gave up and applied the latest DNS/Bind with patches and the "delegation-only" options and it instantly solved all the issues with my systems. If some other TLD decided to do the wild card thing differently then I guess my users didn't notice.
I for one am keeping this configuration at least until Verisign has stated that TLD wild cards are DEAD. It was a stupid idea to disable failed name resolution, which is where I had my grief.
The DNS/Bind patches saved me a lot of issues. I am happy to see how responsive they were.
So presumably the people making Linux and BSD distros are just as ignorant as the sheep who buy Windows without thinking? Right. I buy that.