Re: Verisign Hijack - Patches may be available
by Limbic~Region (Chancellor) on Sep 30, 2003 at 06:03 UTC
|
tachyon,
I thought I had seen this article posted here at the Monastery, but I could be wrong. It is an interview between O'Reilly Networks and Paul Vixie. chromatic is listed as the author. Currently there is something you might be able to do. Pressure your DNS provider to apply a patch and enable a feature if possible.
Cheers - L~R | [reply] |
|
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
Happiness, all is back to normal :-)
[root@devel3 root]# dig @localhost verisign-are-pirates.com
; <<>> DiG 9.2.3rc4 <<>> @localhost verisign-are-pirates.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12600
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;verisign-are-pirates.com. IN A
;; Query time: 116 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Tue Sep 30 07:26:26 2003
;; MSG SIZE rcvd: 42
[root@devel3 root]#
cheers
tachyon
s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
| [reply] [d/l] [select] |
|
(if what is shown on the patch page seems a little obique :-)
The way this works is actually pretty simple. The DNS servers for .com and .net should only send to you NS records. NS records are like pointers to other DNS servers. This patch rejects everything except NS records when they come from the VeriSign servers. Now when they send to you an A record (which has the IP address inside it), it will ignore it and the patch will instead give you the "does not exist" response.
This is a good way to work around the problem, because it will still work correctly even if VeriSign changes the IP address that they use.
The Acme::DNS::Correct module does not work this way. It merely looks for the hardcoded IP address in the response and filters it out. It will not work if the IP address is ever changed. Well, it's only an Acme module, after all.
| [reply] |
|
|
Pressure your DNS provider to apply a patch and enable a feature if possible.
That's a start, but it definately isn't a solution. Verisign does not own the .com and .net domains. Verisign needs to be reminded of its responsibilities and how easily they could be taken away. They should also have realized the plethora of legal problems this will create for them (think trademarks amoung others).
Common sense would dictate that Verisign will remember (or be forcefully reminded of) its responsibilities and put this silly action behind them. Unfortunately common sense is in short supply these days.
If you're truly interested in preventing these type of abuses in the future (and fixing this situation) I'd suggest getting involved immediately. Write your representatives (standard rules apply: be nice, coherent, and know what you're talking about) and take further steps as necessary.
| [reply] |
|
If you're truly interested in preventing these type of abuses in the future (and fixing this situation) I'd suggest getting involved immediately. Write your representatives (standard rules apply: be nice, coherent, and know what you're talking about) and take further steps as necessary.
For the people who don't live in the States, do as I did, and sign the online petition.
"Stop Verisign DNS Abuse"
http://www.whois.sc/verisign-dns/
| [reply] |
Re: Verisign Hijack all possible domains and destroy Email::Valid, Net::DNS, gethostbyname() etc
by Moriarty (Abbot) on Sep 30, 2003 at 05:56 UTC
|
Alternatively, add a country id (eg .au). These are not controlled by verisign and nobody has hijacked them ... yet.
| [reply] |
|
| [reply] |
|
To be fair, Tuvalu (the .tv country,) is leasing their ccTLD. I remembered reading about it when it happened.
The good old CIA World Factbook mentions this item here.
| [reply] |
Re: Verisign Hijack all possible .com .net domains and destroy Email::Valid, Net::DNS, gethostbyname() etc
by hardburn (Abbot) on Sep 30, 2003 at 13:42 UTC
|
| [reply] |
|
| [reply] |
Re: Verisign Hijack all possible .com .net domains and destroy Email::Valid, Net::DNS, gethostbyname() etc
by cLive ;-) (Prior) on Oct 01, 2003 at 04:45 UTC
|
<plug> my ISP patched Bind within 24hrs of the patch's release, stopping any of these problems from affecting me. If you're in LA, I thoroughly recommend them - very geek friendly. Brand X Internet</plug>
cLive ;-) | [reply] |