
How can I block Verisign?


Mark

Sep 18, 2003, 10:08:26 AM
Ever since Verisign horribly abused its root server privileges (which should
be revoked) and usurped all previously invalid "com" and "net" domains, I
have been looking for a reliable way to block the
"sitefinder-idn.verisign.com" (64.94.110.11) reply.

This is, of course, not trivial. Patching BIND? I have already read that
this is not without risk either, and I like to err on the side of caution.
Are there not Verisign IP addresses I can block? (at the firewall, for
instance). And is it safe to block Verisign root servers? Or would that be
pointless?

I want to tread a bit carefully here; but I am nonetheless determined to not
let Verisign get away with this (at least not on my system).

Any suggestions are welcome; thanks,

- Mark


Joseph S D Yao

Sep 18, 2003, 1:34:17 PM
On Thu, Sep 18, 2003 at 02:08:26PM +0000, Mark wrote:
> Ever since Verisign horribly abused its root server privileges (which should
> be revoked) and usurped all previously invalid "com" and "net" domains, I
> have been looking for a reliable way to block the
> "sitefinder-idn.verisign.com" (64.94.110.11) reply.
...

Try using the new versions of BIND just announced.

--
Joe Yao js...@center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

Dave Lugo

Sep 18, 2003, 1:58:25 PM
Joseph S D Yao wrote:
> On Thu, Sep 18, 2003 at 02:08:26PM +0000, Mark wrote:
>
>>Ever since Verisign horribly abused its root server privileges (which should
>>be revoked) and usurped all previously invalid "com" and "net" domains, I
>>have been looking for a reliable way to block the
>>"sitefinder-idn.verisign.com" (64.94.110.11) reply.
>
> ...
>
> Try using the new versions of BIND just announced.
>


Joseph,

Can you comment at all on the "9.2.3rc2 NS lookups failing" issue I
raised previously? I'm somewhat concerned that the fix may have broken
something else.

See:

<http://groups.google.com/groups?selm=bkb1uq%2426tl%241%40sf1.isc.org&oe=UTF-8&output=gplain>

Best regards,

Dave

--
--------------------------------------------------------
Dave Lugo dl...@etherboy.com LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.


Clayton Braun

Sep 18, 2003, 7:56:12 PM
Dave Lugo <dl...@etherboy.com> wrote in message news:<bkcuch$13vi$1...@sf1.isc.org>...

> Joseph S D Yao wrote:
> > On Thu, Sep 18, 2003 at 02:08:26PM +0000, Mark wrote:
> >
> >>Ever since Verisign horribly abused its root server privileges (which should
> >>be revoked) and usurped all previously invalid "com" and "net" domains, I
> >>have been looking for a reliable way to block the
> >>"sitefinder-idn.verisign.com" (64.94.110.11) reply.
> >
> > ...
> >
> > Try using the new versions of BIND just announced.
> >
>
>
> Joseph,
>
> Can you comment at all on the "9.2.3rc2 NS lookups failing" issue I
> raised previously? I'm somewhat concerned that the fix may have broken
> something else.
>
> See:
>
> <http://groups.google.com/groups?selm=bkb1uq%2426tl%241%40sf1.isc.org&oe=UTF-8&output=gplain>
>
> Best regards,
>
> Dave

I can attest that the patch I provided in a recent thread (Bind 8.4.1
patch for blocking Verisign's new wildcar...) has held up for us for
about 24 hours now. We have about 15,000 - 17,000 users, so those
systems see a fair amount of activity.

The patch is still just a bandaid. If Verisign changes that IP
address then it ceases to work. Anyone know if there is a
delegation-only update in the works for BIND 8? If not, I'll need to
fortify that patch a bit.

Clay

Paul Vixie

Sep 19, 2003, 5:11:16 AM
vv...@hotmail.com (Clayton Braun) writes:

> The patch is still just a bandaid. If Verisign changes that IP address
> then it ceases to work. Anyone know if there is a delegation-only update
> in the works for BIND 8?

i think there is, yes.

> If not, I'll need to fortify that patch a bit.

or you can upgrade to bind 9.2.3rc3, which should give you zero trouble.
--
Paul Vixie
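The delegation-only behaviour Clayton asks about and Paul points to in 9.2.3, modelled as a small Python check. This is an added example, not BIND's code and not anything posted in the thread; the response dicts are constructed samples and the function names are my own.

```python
# Simplified model of the rule behind BIND 9.2.3's `type delegation-only`
# zones (an added illustration, not BIND's code). With
# `zone "com" { type delegation-only; };` the resolver expects the com.
# servers to answer for names below com. only with referrals (NS records in
# the authority section); any other positive answer, such as a wildcard-
# synthesised A record pointing at SiteFinder, is turned into NXDOMAIN.

DELEGATION_ONLY = {"com.", "net."}   # zones whose servers must only refer


def zone_of(qname):
    """Top-level label of a trailing-dot name: 'foo.example.com.' -> 'com.'."""
    return qname.rstrip(".").rsplit(".", 1)[-1] + "."


def apply_delegation_only(qname, response, zones=DELEGATION_ONLY):
    """Return the response the resolver should act on for `qname`.

    `response` is a dict with just the fields the rule needs:
      rcode      "NOERROR" or "NXDOMAIN"
      answer     list of (owner, type, rdata) records
      authority  list of (owner, type, rdata) records
    """
    zone = zone_of(qname)
    if zone not in zones or qname == zone:
        return response          # rule does not apply; pass through unchanged
    if response["rcode"] == "NXDOMAIN":
        return response          # an honest NXDOMAIN is exactly what we want
    referral = not response["answer"] and any(
        rtype == "NS" and owner != zone
        for owner, rtype, _ in response["authority"])
    if referral:
        return response          # a real delegation to the domain's servers
    # Anything else from a delegation-only zone's servers is treated as a
    # synthesised answer. No IP is compared, so unlike a patch keyed on
    # 64.94.110.11 this still works if SiteFinder moves to another address.
    return {"rcode": "NXDOMAIN", "answer": [], "authority": []}


# Constructed sample responses (not captured traffic).
SITEFINDER_REPLY = {   # what the com. servers returned for an unregistered name
    "rcode": "NOERROR",
    "answer": [("nosuchdomain-qzx.com.", "A", "64.94.110.11")],
    "authority": [],
}
REAL_REFERRAL = {      # a normal referral for a registered domain
    "rcode": "NOERROR",
    "answer": [],
    "authority": [("example.com.", "NS", "a.iana-servers.net.")],
}
```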

Lincoln Yeoh

Sep 19, 2003, 12:18:57 PM

Not really a direct solution but how about this:

Y'know those "ribbon" logos people used to put on their webpages as a
sign of protest for various things?

Well, here's my suggestion: every protester should use a "broken
ribbon" logo on their webpage that's pointed to a random nonexistent
URL, e.g. random.nonexistent.site.com.

e.g. <img src="http://www.jrytcmtproyncz.com/" height=1 width=1>

You should use a random img url but it doesn't have to change much if
at all.

The height and width should be set to 1 so that if someone tries to
push an offensive image, it doesn't get seen by the person viewing
your webpage.

Maybe someone could construct a broken ribbon logo with an html table
of different 1x1 imgs (all different URLs). Then a 16 by 16 pixel icon
could be a combination of requests to different nonexistent domains
and to a valid single background 1x1 image in order to draw a real
logo. This might perhaps be done using the <TD WIDTH=1 HEIGHT=1> tag,
and a lot of other stuff. This slows down page loading, so if used
should be left to the bottom.

Note: This can be subverted if someone serves up different coloured
images for each request for a nonexistent domain in a way that causes
a different image to appear ;) ...

Add enough people and websites and maybe this could work.

Then if Verisign figures out a cheap way to deal with all the traffic
heading their direction and still redirect users to their webpage,
they'll have solved the "defend against DDOS SYN flood" problem. Which
would be interesting to see.

What do you all think? Is this legal? Would it actually work?


Dave Lugo

Sep 19, 2003, 9:39:50 AM


As I've pointed out, 9.2.3rc3 seems to have 'issues'. I don't know
that 'zero trouble' is an accurate statement.

Jonathan de Boyne Pollard

Sep 18, 2003, 9:56:40 PM
M> Ever since Verisign horribly abused its root server
M> privileges (which should be revoked) [...]

It hasn't, yet, abused its root server privileges. That conflict is
yet to come. It has abused its GTLD ("com." and "net.") server
privileges.

And, yes, the proper (and only) way to deal with this is to revoke
Verisign's authority over "com." and "net.".

M> Are there not Verisign IP addresses I can block?

Doing this doesn't correct the problems in domain name validation in
various softwares.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html#Resistance>

M> And is it safe to block Verisign root servers?

Answering the question that was actually asked: Yes, the other 11
of ICANN's root servers will still be accessible.

Correcting your conflation of "root server" with "'com.'/'net.'
server" and answering a different question: No. This will prevent
you from being able to look up "com." and "net." or any of their
subdomains.

M> Any suggestions are welcome;

Contact Verisign and your chosen root server organisation. Tell the
root server organisation to tell Verisign to cease employing its
wildcards, and to threaten to stop delegating authority for "com."
and "net." to it (and instead to delegate that authority to a more
coöperative organisation) if it does not comply. If your chosen
root server organisation does not comply, threaten that you will
stop delegating _your_ authority over the DNS namespace to _it_.

Matus UHLAR - fantomas

Sep 19, 2003, 1:32:20 PM
Jonathan de Boyne Pollard <J.deBoyn...@tesco.net> wrote:
> M> Ever since Verisign horribly abused its root server
> M> privileges (which should be revoked) [...]
>
> It hasn't, yet, abused its root server privileges. That conflict is
> yet to come. It has abused its GTLD ("com." and "net.") server
> privileges.
>
> And, yes, the proper (and only) way to deal with this is to revoke
> Verisign's authority over "com." and "net.".

maybe you (everybody) should sue VeriSign for every spam you (they) receive
from a non-existent *.com/*.net domain.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I don't wish to receive e-mail advertising to this address.
Varovanie: Nezelam si na tuto adresu dostavat akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.

Chris Hanlon

Sep 19, 2003, 6:37:09 PM
This is already being done:

comp-protoc...@isc.org

Thank god. :-P

----- Original Message -----
From: "Matus UHLAR - fantomas" <uh...@fantomas.sk>
Newsgroups: comp.protocols.dns.bind
To: <comp-protoc...@isc.org>
Sent: Friday, September 19, 2003 1:32 PM
Subject: Re: How can I block Verisign?


> Jonathan de Boyne Pollard <J.deBoyn...@tesco.net> wrote:

> > M> Ever since Verisign horribly abused its root server
> > M> privileges (which should be revoked) [...]
> >
> > It hasn't, yet, abused its root server privileges. That conflict is
> > yet to come. It has abused its GTLD ("com." and "net.") server
> > privileges.
> >
> > And, yes, the proper (and only) way to deal with this is to revoke
> > Verisign's authority over "com." and "net.".
>

Mark_A...@isc.org

Sep 19, 2003, 6:53:37 PM

> Paul Vixie wrote:
> > vv...@hotmail.com (Clayton Braun) writes:
> >
> >
> >>The patch is still just a bandaid. If Verisign changes that IP address
> >>then it ceases to work. Anyone know if there is a delegation-only update
> >>in the works for BIND 8?
> >
> >
> > i think there is, yes.
> >
> >
> >>If not, I'll need to fortify that patch a bit.
> >
> >
> > or you can upgrade to bind 9.2.3rc3, which should give you zero trouble.
>
>
> As I've pointed out, 9.2.3rc3 seems to have 'issues'. I don't know
> that 'zero trouble' is an accurate statement.

9.2.3rc3 HAS NOT BEEN RELEASED.

Yes, I know there was a typo in the subject/title of the release
announcement; however, everything else was consistently 9.2.3rc2.



> --
> --------------------------------------------------------
> Dave Lugo dl...@etherboy.com LC Unit #260 TINLC
> Have you hugged your firewall today? No spam, thanks.
> --------------------------------------------------------
> Are you the police? . . . . No ma'am, we're sysadmins.
>
>

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.A...@isc.org

Joseph S D Yao

Sep 22, 2003, 7:02:40 PM
On Thu, Sep 18, 2003 at 01:58:25PM -0400, Dave Lugo wrote:
...

> Joseph,
>
> Can you comment at all on the "9.2.3rc2 NS lookups failing" issue I
> raised previously? I'm somewhat concerned that the fix may have broken
> something else.
>
> See:
>
> <http://groups.google.com/groups?selm=bkb1uq%2426tl%241%40sf1.isc.org&oe=UTF-8&output=gplain>
>
> Best regards,
>
> Dave

No, I'm afraid that I can't.
