I believe you want the 2003-09-20 IAB response to Verisign (written 2003-09-19). It's reasonably thorough in listing all the problems caused by wildcards.
Netsol (now verislime) was chosen to administer the .com and .net gTLDs in the public interest, not to use them as their private playground.
Let me put it this way... let's say the state hires you to be the caretaker of a museum (originally paid for by taxpayers!) and tells you that you can make money on the side from the gift shop. Instead, you decide to knock down a bunch of walls and turn the majority of the building into a bar for your private profit. Don't you think people might become a bit pissed off?
We (mid-sized midwestern ISP) had our main nameservers (tinydns and djbdns) patched by 2AM the night this mess started, using the patches we found here. By a few hours later, I'd kludged the BIND source myself on a couple of other machines to return NXDOMAIN for anything in all three of the /24 netblocks in AS30060 (it worked fine, at least until the ISC patch was released). AFAIK our customers never even noticed the wildcarding.
If you work in an ISP or other network infrastructure company, you know first-hand the degree of astonishment and rage that Verisign's move elicited; the fallout (spam filtration, security, network monitoring, etc.) goes far beyond HTTP. I don't think any of us slept much that night... it only took a few hours to restore normal DNS behaviour, the remaining ten or so I spent in shock with my jaw scraping the floor.
I've dealt with Verisign before (try getting decent documentation on the cybercash application library!) and knew they were greedy and stupid, but I wasn't counting on raw, unfettered eeeeeevil.
which I just found, draft-main-typo-wcard-02.
Worth a look, as is the IETF mailing list archive. They're definitely aware of the problem.
I particularly like the following paragraph from the Internet-Draft:
An error response that only works correctly in one situation would be as bad as an SMTP server that ignored its input and always produced a fixed sequence of responses: it would work in the one situation it was designed to expect, but cause chaos whenever presented with any other situation.