BIND Strikes Back Against VeriSign's Site Finder

Posted by timothy
from the checks-and-balances dept.
BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."
  • Excellent! (Score:5, Insightful)

    by Ratface (21117) on Wednesday September 17, 2003 @08:04AM (#6984453) Homepage Journal
    Thereby helping to prove the old adage that the Internet will just route around regulation! (OK, it's not strictly regulation, but with any luck Verisign will find that "controlling" the underlying technology of the Internet is not as easy as they first thought).
    • by inputsprocket (585963) on Wednesday September 17, 2003 @09:14AM (#6984886)
      .....and from Verisign's Terms and Conditions:

      "2.4 Monitoring and Communication
      VeriSign actively monitors all traffic associated with Site Finder, including DNS queries matching the wildcard entries in .com and .net and associated responses, and all traffic sent to the response server. This traffic is correlated and monitored in real time, 24 hours a day, seven days a week, by VeriSign's Network Operations Centre... complete traffic stream to the .com and .net name servers and the response server, as well as rolled up statistics, are stored for analysis."

      Ehm, well I don't agree to your Terms and Conditions, thank you very much. Please stop storing my typo data, please.

  • Good for BIND (Score:5, Insightful)

    by Empiric (675968) * on Wednesday September 17, 2003 @08:05AM (#6984461) Homepage
    Good... Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner, with no significant work at all on their part. Taking the whole DNS stack and turning it into a profit center by redirecting it at your whim across the entire internet, is outrageous.
    • by Anonymous Coward on Wednesday September 17, 2003 @08:13AM (#6984511)
      At least they could have directed us to some decent pr0n instead.
      • Re:Good for BIND (Score:3, Informative)

        by Insurgent2 (615836)
        No, they don't dare do this.
        It's a federal offence to redirect a misspelling to a porn site as it's "illegal to deceive children into viewing harmful material". This is a provision of the "Amber Alert" legislation and will land you in jail for 4 years.
        Relevant Link [geek.com]
        • by Anonymous Coward
          Did the surgeons remove your funny bone at birth along with your foreskin?
        • Re:Good for BIND (Score:5, Interesting)

          by ruiner13 (527499) on Wednesday September 17, 2003 @10:24AM (#6985440) Homepage
          "No, they don't dare do this. It's a federal offence to redirect a misspelling to a porn site as it's "illegal to deceive children into viewing harmful material". This is a provision of the "Amber Alert" legislation and will land you in jail for 4 years."

          So how does whitehouse.com get away with it? (I'm not going to make the name a link, I do not want to link to pr0n on /.).

    • Re:Good for BIND (Score:5, Interesting)

      by AKnightCowboy (608632) on Wednesday September 17, 2003 @08:16AM (#6984534)
      Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner

      I hope BIND makes it configurable enough to kill off the .cc and .ws wildcards as well.

    • Re:Good for BIND (Score:5, Insightful)

      by aborchers (471342) on Wednesday September 17, 2003 @08:33AM (#6984643) Homepage Journal
      And the BIND solution is an excellent response in the spirit of the network's self-healing nature. I'd rather see it solved this way than through a bunch of law suits that benefit none but the attorneys.

      I can't help but think of the controversy over deep linking and how all those stupid suits could have been avoided if server operators would have just detected the referer header and bounced deep links back to the home page...

      • Re:Good for BIND (Score:5, Interesting)

        by Joe U (443617) * on Wednesday September 17, 2003 @08:58AM (#6984770) Homepage Journal
        Then start running the new BIND and also contact your local Attorney General. I did.

        Explain how they are in violation of the Anti-Cybersquatting laws, and have broken their contract with the Department of Commerce regarding the whois database. Mention how it's abuse of a monopoly power.

        Make the states get involved, not the private attorneys.
      • Re:Good for BIND (Score:3, Interesting)

        by jacksonyee (590218)

        The problem with using referer headers is that not all clients provide them. Some people may be using an archaic browser which doesn't send the field, some people may have just typed the URL straight into the address bar rather than being referred from another website, and some people just plainly disable them for privacy reasons.

        Of course, most lawyers won't understand these principles, but for us web development geeks, there's no sense in blocking legitimate users just by one single HTTP header which

        • Re:Good for BIND (Score:5, Insightful)

          by aborchers (471342) on Wednesday September 17, 2003 @09:26AM (#6984976) Homepage Journal
          As UU7 just pointed out, the idea is to redirect requests with foreign headers to the front door. The vast majority of modern clients will send the header, and if it is blank, you can either elect to let them have the page, or force them to the front door and set a cookie.

          If someone is so gung ho about privacy that they disable the referer header and refuse cookies, then they must accept that sites with policies that require them to come through the front door and accept a token will be unavailable to them. Publishers are under no obligation to provide their material without at least a nominal quid pro quo from the user.

      • Re:Good for BIND (Score:3, Insightful)

        by amcguinn (549297)

        The technical workaround is good, but I think this is one rare case where legal action might be reasonable.

        If you don't want deep linking, you're objecting to how various random individuals on the internet interact with your computers. You should restrict that interaction on your own computer and not whine about the rest of the world.

        Verisign are not some random external party - they exclusively control chunks of the internet infrastructure. They should be held to a higher standard of behaviour.

        Of cou

  • How will this work? (Score:3, Interesting)

    by kybosh (471551) <dan@yayfo r . m e .uk> on Wednesday September 17, 2003 @08:06AM (#6984469) Homepage
    I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?

    Of course, hopefully this and public opinion will actually cause VeriSign to rethink the whole operation. (We can at least dream)
    • by mccalli (323026) on Wednesday September 17, 2003 @08:09AM (#6984488) Homepage
      I assume the patch will filter requests, which resolve to the site-finder IP...

      I'd say that's quite an assumption. Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config. That config would be able to take single IPs and also ranges.

      ...so what's to stop VeriSign simply changing IPs every so often?

      I wouldn't write this off as ineffective yet. We need to see what methodology is being chosen before we can comment on its technical effectiveness.

      Cheers,
      Ian

    • by close_wait (697035) on Wednesday September 17, 2003 @08:17AM (#6984538)
      I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?

      No, the patch doesn't do filtering in that sense. It just allows you to mark some zones in your BIND config file (such as .com and .net) that should only contain delegation information. So basically if your BIND server receives back A record(s) rather than NS delegation records from a server authoritative for .com, BIND simply ignores it.

      Simple and elegant, and nothing Verislime can do about it. (I hope.)

      • That approach is fucking dangerous.

        Why? Glue records. You are _meant_ to receive certain As from the parent servers of a domain delegated to nameservers which live within its own namespace.

        For example, let's say I have the domain movezig.com. I fill in a host template for the two nameservers, base.movezig.com (3.214.8.19) and cats.movezig.com (3.217.21.40), then delegate it to those nameservers. Obviously, if the .com NSs only returned movezig.com IN NS base.movezig.com and movezig.com IN NS cats.m
        • by Paul Jakma (2677) <paul+slashdot@jakma.org> on Wednesday September 17, 2003 @09:22AM (#6984943) Homepage Journal
          That approach is fucking dangerous.

          Why? Glue records. You are _meant_ to receive certain As from the parent servers of a domain delegated to nameservers which live within its own namespace.

          However, you're missing a crucial part: when you ask the delegating server for the NS records, the glue A records are given out in the additional section, not in the answer section.

          The ISC patch disregards /authoritative/ non-apex data from zones configured as delegate only. However, it can still make use of additional data (i.e. glue). Glue records are never queried directly AFAIK when a DNS server is sending queries to determine the set of authoritative servers for a zone, so the patch does not cause any problems.
      • by lazlo (15906)
        Well, the thing that bugs me about this solution is that it seems really easy to get around.

        Right now verisign has the equivalent of, in the .com zone:

        * IN A 64.94.110.11

        Now, it seems to me that it would be really simple for them to change that to something more like:

        * IN NS ns.searchstation.com

        (and, of course, a wildcard A record in ns.searchstation.com)
        To me, it looks like the only way to get around this more permanently is to have BIND check periodically for some known-not-to-exist domain name

  • Bug your ISP (Score:5, Interesting)

    by jez_f (605776) <jeremy@jeremyfrench.co.uk> on Wednesday September 17, 2003 @08:07AM (#6984471) Homepage
    As soon as a patch comes out, bug your ISP to sort out their DNS servers. Try and nip this thing in the bud.
    Interesting that BIND only runs 80% of DNS servers; what is the other 20% made up of?
  • the patch (Score:3, Informative)

    by colinleroy (592025) on Wednesday September 17, 2003 @08:07AM (#6984473) Homepage
    Isn't it this one [isc.org] ?
    I'm asking because the wording is quite hard to understand as my main language isn't English ;)
    • Re:the patch (Score:5, Interesting)

      by Spazmania (174582) on Wednesday September 17, 2003 @08:45AM (#6984704) Homepage
      That's the one.

      Clever solution. They rigged it so that you can declare the .com zone as "delegation only." If you do, then your name server will only accept referrals from the .com servers (NS records and any associated glue).

      So, if BIND makes a non-recursive query for www.verisign-is-really-bad.com from a server authoritative for .com and it gets back an A record for 10.0.0.1 instead of an NS record for ns.verisign-is-really-bad.com, it responds to the host querying it with NXDOMAIN instead of the A record.

      Verisign could work around this by replacing the A record with a wildcard NS record pointing to ns.sitefinder.verisign.com or some such, and then having that new name server return an IP address for any query made of it.

      The question is: is Verisign willing to escalate the matter or will they back off?
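As an added illustration (not ISC's patch code) of the delegation-only rule Spazmania describes here, and of Paul Jakma's point above that glue arrives in the additional section: a small Python model of what a recursive server that has declared com delegation-only does with four kinds of reply from a com server. The RR/Response types, the `ns.placeholder.invalid.` hostname and the SOA rdata are constructed; the movezig.com glue data and the 64.94.110.11 address are taken from the thread.

```python
from dataclasses import dataclass, field

# Zone the recursive server has declared delegation-only, as with
# `zone "com" { type delegation-only; };`. Names are absolute and lower-case.
APEX = "com."

@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type and rdata (constructed data)."""
    name: str
    rtype: str
    rdata: str

@dataclass
class Response:
    """The three sections of an authoritative reply to a query for `qname`."""
    qname: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def is_below_apex(name: str, apex: str) -> bool:
    """True when `name` is a proper subdomain of `apex`."""
    return name != apex and name.endswith("." + apex)

def violates_delegation_only(rr: RR, apex: str) -> bool:
    """A delegation-only zone may hold apex data (SOA, apex NS) and NS RRs
    for subdomains, nothing else; any other non-apex record is a violation."""
    return is_below_apex(rr.name, apex) and rr.rtype != "NS"

def apply_delegation_only(resp: Response, apex: str) -> tuple:
    """What the recursive server does with a reply from a server that is
    authoritative for a zone it treats as delegation-only.

    Authoritative data lives in the answer and authority sections; if either
    carries a non-apex record other than NS (e.g. a synthesized wildcard A),
    the reply is dropped and the client gets NXDOMAIN. The additional section
    is never inspected: glue A records for in-bailiwick name servers live
    there, so ordinary referrals keep working."""
    for rr in resp.answer + resp.authority:
        if violates_delegation_only(rr, apex):
            return ("NXDOMAIN", None)
    return ("OK", resp)

# Constructed replies from a "com." server, one per case raised in the thread.

def wildcard_a_reply(qname: str) -> Response:
    """Wildcard `* IN A 64.94.110.11` synthesized into the answer section
    (the address is the one quoted in the thread)."""
    return Response(qname, answer=[RR(qname, "A", "64.94.110.11")])

def normal_referral(qname: str) -> Response:
    """Genuine delegation: NS RRs in authority, in-bailiwick glue in additional
    (movezig.com names and addresses are the example used in the thread)."""
    return Response(
        qname,
        authority=[RR("movezig.com.", "NS", "base.movezig.com."),
                   RR("movezig.com.", "NS", "cats.movezig.com.")],
        additional=[RR("base.movezig.com.", "A", "3.214.8.19"),
                    RR("cats.movezig.com.", "A", "3.217.21.40")],
    )

def honest_nxdomain(qname: str) -> Response:
    """Real "no such name": only the apex SOA, in the authority section."""
    return Response(qname, authority=[RR("com.", "SOA", "soa-rdata-omitted")])

def wildcard_ns_reply(qname: str) -> Response:
    """The escalation the thread anticipates: `* IN NS` instead of `* IN A`.
    Structurally a referral, so the rule passes it (placeholder hostname)."""
    return Response(qname, authority=[RR(qname, "NS", "ns.placeholder.invalid.")])

if __name__ == "__main__":
    cases = {
        "wildcard A (Site Finder)": wildcard_a_reply("thisdomaindoesnotexist.com."),
        "normal referral": normal_referral("www.movezig.com."),
        "honest NXDOMAIN": honest_nxdomain("nosuch.com."),
        "wildcard NS (escalation)": wildcard_ns_reply("typo.com."),
    }
    for label, reply in cases.items():
        print(f"{label:26s} -> {apply_delegation_only(reply, APEX)[0]}")
```

The last case is the limitation several posters point out: once the synthesized data is itself a delegation, a delegation-only zone cannot tell it apart from a legitimate referral.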

  • by doon (23278) on Wednesday September 17, 2003 @08:07AM (#6984475) Homepage

    http://www.isc.org/products/BIND/delegation-only.html
  • by mwise (16339) on Wednesday September 17, 2003 @08:07AM (#6984476)
    "VeriSign did not respond requests for comment."

    Isn't that what caused the problem in the first place?

    Thanks, I'll be here all week!
  • by henley (29988) on Wednesday September 17, 2003 @08:12AM (#6984503) Homepage

    OK, I'm in favour of working-around the problem in classic

    The internet interprets {badthing} as damage and routes around it
    ..fashion, and I'll be installing a patched bind whenever I can.

    But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care? This sort of activity in a social context (umm... let's see if we can construct a tortured metaphor: ...uhhh..: Your friend asks for your cousins's phone number and you instead give them the phone number of your shop. Reasonable?) would result in the perpetrator being ostracised fairly quickly, if not actually slapped about by a clue-by-four. It's flat out antisocial behaviour, never mind any legalities.

    Here, since these buggers appear to hold us all over a barrel with the root domains, we can't just ignore them, and invoking legal recourses is at best slow and expensive. But what about appeal to the authorities that granted them those rights?

    Um, the more I rant about this the closer I get to thinking a better solution is switching to an alternate root... Best head off to google again then, I know there's a way around this...

  • by jcurious (3000) on Wednesday September 17, 2003 @08:16AM (#6984533) Homepage Journal
    Upgrade can be found here:
    http://www.isc.org/products/BIND/delegation-only.html

    There is no need to create a com or net data file. Just adding the
    entries to the named.conf file is enough:
    zone "com" { type delegation-only; };
    zone "net" { type delegation-only; };

    Of course, if you use views, this needs to be provided within the relevant
    view (the one performing recursive lookups).

    Quote from:
    http://marc.theaimsgroup.com/?l=bind9-users&m=106379587928771&w=2
  • by pgregg (185457) on Wednesday September 17, 2003 @08:18AM (#6984547) Homepage

    Russell Nelson has a patch [tinydns.org] for tinydns [tinydns.org] which does the same thing.

    He also notes that several other TLD operators do the same thing and has another patch [tinydns.org] that allows you to do the same thing to several naughty TLD operators at once.

  • Although the news is not on the BIND page [isc.org] yet, patches for the current versions 9.2.2 and 9.1.3 are already available. Only 9.2.3rc2 is currently listed on the page (as of this writing).

    You can get the details from the bind-announce list archives:

    All versions were released a few hours ago. Here is the common paragraph at the top of these three messages:

    In response to high demand from our users, ISC is releasing a patch for BIND to support the declaration of "delegation-only" zones in caching/recursive name servers. Briefly, a zone which has been declared "delegation-only" will be effectively limited to containing NS RRs for subdomains, but no actual data outside its apex (for example, its SOA RR and apex NS RRset). This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.

    Have fun downloading and installing!

  • MX Problems (Score:5, Insightful)

    by tinla (120858) on Wednesday September 17, 2003 @08:20AM (#6984561) Homepage Journal

    So you have 2 mail servers with mx priorities as follows:

    mail.someplace.com 10
    mail.otherplace.com 20

    If your someplace.com domain expires (hey, it happens) all your mail bounces thanks to Verisign's ace "Snubby Mail Rejector Daemon v1.3". The backup MX record, which is there to cover failures like domains expiring, is never tried. In the 'real' world.. where lookups on dead domains fail... the backup server would be used.

    That's a bigger problem than all this spam checking people are getting worked up about. If they both had priority 10 (a simple load balancing arrangement) then half your mail would bounce and half would be OK.

    Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

    • Re:MX Problems (Score:5, Interesting)

      by MrMickS (568778) on Wednesday September 17, 2003 @08:31AM (#6984632) Homepage Journal
      Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.
      80% of the DNS servers are BIND. The more of these that get patched the less of a problem redirected email becomes. The patch to BIND shouldn't be the only action taken but anything that helps is good. A change to BIND helps.
    • Re:MX Problems (Score:5, Insightful)

      by TheViewFromTheGround (607422) on Wednesday September 17, 2003 @09:13AM (#6984882) Homepage

      Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

      There's been this silly thread in this conversation that stakes out two sides. Either a) fix anti-social, monopolistic behavior with technology, or b) fix it with laws and legal action. This is a moronic dichotomy. A technological solution mitigates the immediate problem while the lawyers have time to file their briefs and sort out the damage done. A combination of technical solutions and legal action is a possibility and even sometimes a Good Thing, not some binary choice.

    • by bluGill (862)

      Anyone have a lawyer and a small site to try this on? I suspect that you have a case of some sort. "Your honor, we had planned for this type of mistake by having some.other.domain.com as a backup, but Verisign illegally stole the expired domain and started bouncing our messages." Or some such. Of course that backup wouldn't work in the case of the domain expiring and someone else registering it instead, but you tried.

  • Who will agree? (Score:5, Interesting)

    by 200_success (623160) on Wednesday September 17, 2003 @08:21AM (#6984566)

    The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.

    Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in .com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.

    DJBDNS already has a patch [djbdns.org] available.

  • by Anonymous Coward on Wednesday September 17, 2003 @08:24AM (#6984580)
    ISPs running DNS will certainly disallow this redirection to VeriSuck.

    But soon thereafter, if not immediately, they'll start directing their customers to their own search site, or whatever search site they're paid to send them to. Or maybe some ISPs already do this?!

    We need an RFC stating that this is not permissible.

    Heh, maybe as a byproduct we'll see public DNS servers pop up. "Use us for free, but occasionally we will send you where /we/ want you to go."
  • Who cares? (Score:3, Funny)

    by SuperBanana (662181) on Wednesday September 17, 2003 @08:25AM (#6984584)
    I for one welcome our new DNS overlords! All our domain name are belong to THEM! Mwuhahahaha...
  • Link rotation? (Score:4, Interesting)

    by 192939495969798999 (58312) <info@NoSpam.devinmoore.com> on Wednesday September 17, 2003 @08:25AM (#6984585) Homepage Journal
    Maybe if a misspelled URL went to a random other URL, it might be OK, but using that page to advertise for a particular company's profit, regardless of the URL, seems really bad. I would much prefer to have a "not found" message, since that's really what's happened. Can you imagine if this happened while driving? Anytime you turn down the wrong street, the same ad came on the radio or something like that? It seems positively Orwellian.
  • by mseeger (40923) on Wednesday September 17, 2003 @08:29AM (#6984621)
    Hi,

    this is just a trick. They just want to get rid of all those obsolete BIND-versions out in the internet.

    So they did this to goad all admins into patching their bind.

    Tricky they are...

    Regards, Martin

  • by Anonymous Coward on Wednesday September 17, 2003 @08:36AM (#6984660)
    ICANN might be able to force VeriSign to get this off the net
    http://www.petitiononline.com/icanndns/ [petitiononline.com]
    • How about we pre-empt Verisign by redirecting the 404 pages to this petition?
    • by Dun Malg (230075) on Wednesday September 17, 2003 @10:41AM (#6985578) Homepage
      ICANN might be able to force VeriSign to get this off the net http://www.petitiononline.com/icanndns/

      Petitions only work if a) the petitioners represent a threat to the petitionee's livelihood, or b) the petition is to force a state government to put something to a vote (e.g. referendum process). ICANN views us, the lowly internet users, as riff-raff. They are the lord, we are their serfs. What threat does a petition hold for them? They have absolute power and don't care what we think.

  • Have your say (Score:5, Interesting)

    by turg (19864) * <turgNO@SPAMwinston.org> on Wednesday September 17, 2003 @08:37AM (#6984665) Journal

    Is Stratton D. Sclavos doing a good job as CEO of Verisign? Vote yes or no in this Forbes.com poll [forbes.com].

    Also, here's a petition [petitiononline.com] that may also be of interest.

  • But for how long (Score:4, Interesting)

    by Alien Conspiracy (43638) on Wednesday September 17, 2003 @08:40AM (#6984685) Homepage
    They don't state if it's simply blocking the well-known IP of SiteFinder or doing something cleverer.

    How long till they change the IP/round-robin it?

    I noticed the wildcard domain does not generate an SOA record so that may be a better detection mechanism, but maybe it will break existing misconfigured sites?

    In any case, Verisign can always come up with new scams to make the record look more authentic.

    The only long-term solution is to move to a different host, which would be really hard to arrange collectively.
    • Re:But for how long (Score:3, Informative)

      by interiot (50685)
      Here [isc.org] is the documentation for the patch. They don't hardcode an IP, they just have a way to say that wildcard records don't necessarily have to work everywhere. E.g. you can say that "*.foobar.com => 1.2.3.4" but you can't say that "*.com => 64.94.110.11".
      • by vidarh (309115)
        Ah, after reading your documentation, I realised that the explanation you give is wrong.

        What the patch does is saying that if I query server Foo, running this version of Bind, and Foo has to go and ask Bar about it, Foo will only consider delegation data from Bar, not other resources.

        So if Bar sends NS and SOA records back, all is well, and Foo happily tries to ask the delegated servers to resolve the name. If Bar sends an A record back, Foo will ignore it, and report a failure to the client.

        Problem w

  • by Anonymous Coward on Wednesday September 17, 2003 @08:50AM (#6984730)
    as suggested by Abby Patel at http://www.theregister.co.uk/content/6/32872.html

    However, it seems that the T&C's might help us to stop this abuse. If you do not agree to the T&C's the only option they have is to not redirect your netblock to their site. So, give them a call on 0800-032-2101, select 2 to speak to their support department and once you get a human, tell them that you don't agree to their T&C's and can they remove your netblocks!

    So let's /. them and see how many netblocks they end up excluding.
  • Google (Score:5, Funny)

    by Spazmania (174582) on Wednesday September 17, 2003 @08:57AM (#6984766) Homepage
    And not to be outdone by Verisign, Google has added a default route to the global BGP table which brings any formerly unroutable web traffic to their search engine.

    NOT!
  • Not Trustworthy (Score:5, Interesting)

    by Michael_Burton (608237) <michaelburton@brainrow.com> on Wednesday September 17, 2003 @09:39AM (#6985067) Homepage

    With its digital certificate business, Verisign started as a company that dealt in trust. That was the heart of their business. Now it's hard to think of a company I trust less than Verisign.

    For this stunt, they should lose their authority to register domain names. This company should never be allowed to touch internet infrastructure.

  • by tiny69 (34486) on Wednesday September 17, 2003 @09:49AM (#6985137) Homepage Journal
    Can those that pay by the amount of data that flows through their pipes start charging VeriSign for the extra traffic?

    Currently, VeriSign's page is approximately 2.9k in size. What happens when they start adding banner ads? Will the extra traffic slow down the internet as a whole?

    I wouldn't be surprised if the next Microsoft worm used VeriSign's new "feature" to bring the internet to a crawl.

    $ host thisdomaindoesnotexist.com
    thisdomaindoesnotexist.com has address 64.94.110.11

    So every program that looked for a DNS error when a domain does not exist will no longer get that error. I wonder what kind of problems this will create.

    Anything else I'm missing?

  • Who should I write? (Score:5, Interesting)

    by Kyouryuu (685884) on Wednesday September 17, 2003 @11:07AM (#6985810) Homepage
    Who should I write in the government to complain about Verisign's abuse of power? If I recall correctly, the US government had granted Network Solutions the power to directly control the DNS servers, but NetSol was later bought out by Verisign who has done nothing but abuse its monopoly. Is there some government agency in charge of watching over Verisign; a government computer agency? I feel the need to write someone in power about this. We can patch the problem all we want - the only true solution is to end Verisign's power over the DNS outright.
  • by digitalgimpus (468277) on Wednesday September 17, 2003 @11:08AM (#6985817) Homepage
    http://www.petitiononline.com/verisign/
  • by mdamaged (708238) on Wednesday September 17, 2003 @11:47AM (#6986140)
    I got a rep on the line and he seemed oblivious to what was going on; after a bit I got a supervisor and she gave me this email, telling me that this is where the complaints are going to:

    sitefinder@verisign-grs.com
