BIND Strikes Back Against VeriSign's Site Finder
BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."
Verislime (Score:2, Interesting)
#!/bin/bash
# Pick one byte from /dev/urandom, retrying until it is an alphanumeric character.
function get_char() {
    local GOOD=0
    while [ "$GOOD" -eq 0 ]; do
        RAND_C="$(dd if=/dev/urandom bs=1 count=1 2>/dev/null)"
        # Pattern is quoted so the shell cannot glob-expand it against files in the cwd.
        if echo "$RAND_C" | grep -q '[0-9A-Za-z]'; then
            GOOD=1
        fi
    done
}
# Assemble a 32-character random label from those characters.
function get_string() {
    local INDEX=0
    while [ "$INDEX" -ne 32 ]; do
        get_char
        RAND_STR[$INDEX]=$RAND_C
        INDEX=$((INDEX + 1))
    done
}
get_string
URI=$(echo "${RAND_STR[@]}" | tr -d ' ')
# Fetch the (almost certainly unregistered) .com name; with the wildcard in place, Site Finder answers anyway.
wget -O - "$URI.com" >/dev/null 2>&1
exit 1
Yeah, only SPAM, sure. (Score:1, Interesting)
While that is all well and good, as a CUSTOMER, I could care less about SPAM detection. What I care about is that when I suffer from the Slashdot effect (transposing of letters when I type) and get some sponsored advertising, I would be pretty pissed off.
So if BIND blocks this, won't Verisign just make another "patch" and fix the glitch?
How will this work? (Score:3, Interesting)
Of course, hopefully this and public opinion will actually cause VeriSign to rethink the whole operation. (We can at least dream)
Bug your ISP (Score:5, Interesting)
Interesting that BIND only runs 80% of DNS servers; what is the other 20% made up of?
Re:Squatting (Score:5, Interesting)
The .nu [whatevercrap.nu] domain registry has been doing this for years.
Is a Technology solution ALWAYS better than law? (Score:5, Interesting)
OK, I'm in favour of working around the problem in classic
But I'm really concerned that this effectively lets VeriSign get away with it. They've busted everyone's trust, folks, doesn't anyone care? This sort of activity in a social context (umm... let's see if we can construct a tortured metaphor: ...uhhh..: Your friend asks for your cousin's phone number and you instead give them the phone number of your shop. Reasonable?) would result in the perpetrator being ostracised fairly quickly, if not actually slapped about by a clue-by-four. It's flat out antisocial behaviour, never mind any legalities.
Here, since these buggers appear to hold us all over a barrel with the root domains, we can't just ignore them, and invoking legal recourses is at best slow and expensive. But what about appeal to the authorities that granted them those rights?
Um, the more I rant about this the closer I get to thinking a better solution is switching to an alternate root... Best head off to google again then, I know there's a way around this...
Soundex into BIND! (Score:0, Interesting)
The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.
The remaining 40% is due to the fact that people sometimes don't actually mistype a known address... they type a dead wrong address, such as "amazonbookstore.com" instead of "amazon.com". In this case, BIND should split up the phrase into separate words (in this case "amazon book store") and redirect to a search engine with those words as parameters.
The big question in this case is: which search engine? I think that one should be able to choose, in one way or another. If not, Google would be my choice ;-)
didn't they already do that? (Score:1, Interesting)
Re:Good for BIND (Score:5, Interesting)
I hope BIND makes it configurable enough to kill off the .cc and .ws wildcards as well.
Re:ISC ROCKS (Score:5, Interesting)
I said it a long time ago, but there's a very simple way to fix this problem. Alternic was offering a solution 7 or 8 years ago for the Network Solutions monopoly. If BIND decided to distribute a separate set of root servers in a cache file and enough ISPs used it, the Internet DNS system as we know it today could change overnight. ;-) There is NOTHING giving ICANN or Verisign any power except our own complacency to not change a single file in our DNS server. It's laziness.
Who will agree? (Score:5, Interesting)
The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.
Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in .com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.
DJBDNS already has a patch [djbdns.org] available.
ISPs Will Soon Send You To Their Own Site (Score:5, Interesting)
But soon thereafter, if not immediately, they'll start directing their customers to their own search site, or whatever search site they're paid to send them to. Or maybe some ISPs already do this?!
We need an RFC stating that this is not permissible.
Heh, maybe as a byproduct we'll see public DNS servers pop up. "Use us for free, but occasionally we will send you where
Link rotation? (Score:4, Interesting)
Re:Bug your ISP (Score:3, Interesting)
Better yet (and I could very well be wrong here) I'd like to see a patch that would force all TLDs to be delegate only. I don't know of any examples off hand where that would be a problem on the Internet... Maybe in an internal network, in which case the sysadmins just don't apply the patch or disable the feature.
Re:MX Problems (Score:5, Interesting)
Sign the online petition to get ICANN into action (Score:5, Interesting)
http://www.petitiononline.com/icanndns/ [petitiononline.com]
Have your say (Score:5, Interesting)
Is Stratton D. Sclavos doing a good job as CEO of Verisign? Vote yes or no in this Forbes.com poll [forbes.com].
Also, here's a petition [petitiononline.com] that may also be of interest.
But for how long (Score:4, Interesting)
How long till they change the IP/round-robin it?
I noticed the wildcard domain does not generate an SOA record, so that may be a better detection mechanism, but maybe it will break existing misconfigured sites?
In any case, Verisign can always come up with new scams to make the record look more authentic.
The only long-term solution is to move to a different host, which would be really hard to arrange collectively.
Re:the patch (Score:5, Interesting)
Clever solution. They rigged it so that you can declare the
So, if BIND makes a non-recursive query for www.verisign-is-really-bad.com from a server authoritative for
Verisign could work around this by replacing the A record with a wildcard NS record pointing to ns.sitefinder.verisign.com or some such, and then having that new name server return an IP address for any query made of it.
The question is: is Verisign willing to escalate the matter or will they back off?
use their T&C against them... (Score:5, Interesting)
However, it seems that the T&Cs might help us to stop this abuse. If you do not agree to the T&Cs, the only option they have is to not redirect your netblock to their site. So, give them a call on 0800-032-2101, select 2 to speak to their support department and, once you get a human, tell them that you don't agree to their T&Cs and can they remove your netblocks!
So lets
Re:Good for BIND (Score:5, Interesting)
Explain how they are in violation of the Anti-Cybersquatting laws, and have broken their contract with the Department of Commerce regarding the whois database. Mention how it's abuse of a monopoly power.
Make the states get involved, not the private attorneys.
Re:Good for BIND (Score:3, Interesting)
The problem with using referer headers is that not all clients provide them. Some people may be using an archaic browser which doesn't send the field, some people may have just typed the URL straight into the address bar rather than being referred from another website, and some people just plainly disable them for privacy reasons.
Of course, most lawyers won't understand these principles, but for us web development geeks, there's no sense in blocking legitimate users based on one single HTTP header which may or may not be there. If you really want to protect your pages, just require registration before reading.
Re:Is a Technology solution ALWAYS better than law (Score:3, Interesting)
As a BIND architect/deployer/admin I see that ISC is always getting bashed. Kudos to them for this creative patch, presented almost instantly compared to their usual release schedules. But, precisely, it lets Verisign get away with this action, which is horrible. Especially because this: http://www.iab.org/Documents/icann-vgrs-response.
(which was posted in the first slashdot thread about this topic), went unnoticed, and unheeded by Verisign.
Big business in this country is getting WAY out of hand with greed.
Re:Is a Technology solution ALWAYS better than law (Score:5, Interesting)
You dial a wrong number on your phone and a local telephone carrier answers and begins to try and sell you long distance and local services.
Re:How will this work? (Score:3, Interesting)
Right now verisign has the equivalent of, in the
To me, it looks like the only way to get around this more permanently is to have BIND check periodically for some known-not-to-exist domain name (figuring that one out might be tricky), and use the reply as a reference. If it gets other replies like that, then return NXDOMAIN.
I do find it kind of interesting that, at this time, verisign is only returning wildcard A records, not NS, not MX, not SOA. Hmmm.
Re:Lot of fuss about nothing (Score:3, Interesting)
Granted this breaks a lot of systems that depended on getting error results for failed lookups. So, now they will have to check for 64.94.110.11. Not nice.
But as much as I dislike monopolists and their heavy-handed ways, the arguments against this action seem a little weak.
One guy complains that his printer no longer works because previously, his network configuration depended on failing to resolve some addresses in order to route the request internally.
Another person mentions that anti-spam checks based on domain names will fail. So, this is a valid check for spam? Oh, I thought spammers simply spoofed the originating host, which is why I get hundreds of "returned" messages I never sent.
Someone else complains that it's an abuse of powers given to Verisign by the government. OK... but so is 75% of business. It's a tough life, yeah.
Seriously, I'm not trolling: I'm trying to understand what the actual technical problem is. How can any system rely on the absence of something? How can a "not resolved" error actually be more useful than a resolution to an IP address that does nothing useful?
Not Trustworthy (Score:5, Interesting)
With its digital certificate business, Verisign started as a company that dealt in trust. That was the heart of their business. Now it's hard to think of a company I trust less than Verisign.
For this stunt, they should lose their authority to register domain names. This company should never be allowed to touch internet infrastructure.
Re:Yeah, only SPAM, sure. (Score:4, Interesting)
Disgusting coffee mug (Score:3, Interesting)
I once discovered a bright-red coffee mould. It was in a paper filter of a coffee machine that we forgot to throw out. And yes, after thoroughly rinsing the machine, we still continued to use it...
Increased Bandwidth Usage and Other Problems (Score:3, Interesting)
Currently, the page VeriSign serves is approximately 2.9k in size. What happens when they start adding banner ads? Will the extra traffic slow down the internet as a whole?
I wouldn't be surprised if the next Microsoft worm used VeriSign's new "feature" to bring the internet to a crawl.
$ host thisdomaindoesnotexist.com
thisdomaindoesnotexist.com has address 64.94.110.11
So every program that looked for a DNS error when a domain does not exist will no longer get that error. I wonder what kind of problems this will create.
Anything else I'm missing?
TOC???? (Score:2, Interesting)
Sole Remedy.
YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.
also, it's nice to know that they've thoughtfully decided to help the US post office by only taking questions/comments via snail mail (why bother taking email?)
If you have any questions regarding this Privacy Policy, please contact
VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166
Send Verisign a Bill (Score:1, Interesting)
I remember a guy that would send telemarketers and direct mail advertisers a letter/contract the first time they called/mailed him anything. The letter basically said he was offering his services as an editor. He would read or listen to their spiel and provide comments for a charge of $50 per occurrence. The letter also said a company's act of calling or mailing him something constituted acceptance of the contract.
Whenever he got junk mail or a telemarketer called he would check if he had sent them a letter/contract. If so, he would edit the junk mail or listen to the spiel and write down comments. He would then send the comments to the companies with a bill for $50. According to a news report I saw, he took some of the companies to small claims court for failure to pay, and won.
Let's do that to Verisign. Everyone send them a letter/contract offering your services as an editor to review their web site for a fee. Then when you get routed to their wildcard site, check it for spelling, or compliance with standards, or whatever. Then send Verisign a critique with a bill.
Maybe we could do the same with respect to SCO's licensing letters.
Re:Good for BIND (Score:5, Interesting)
So how does whitehouse.com get away with it? (i'm not going to make the name a link, I do not want to link to pr0n on /.).
Re:Good for BIND (Score:2, Interesting)
Who should I write? (Score:5, Interesting)
Re:Yeah, only SPAM, sure. (Score:3, Interesting)
Re:Sounds great (Score:4, Interesting)
Good questions.
As for splitting, there are already several alternate roots. In addition to Alternic, there's OpenNIC [unrated.net] and Pacific Root [pacificroot.com]. People are using these only voluntarily, and the different roots cooperate to some extent. For example, most will only establish a new TLD if no other root is using that TLD, and most will peer TLDs for the other roots so you can see the entire composite alternate namespace. This is strictly voluntary, however.
It might be that some day the alternate roots cooperate less. We can get a glimpse of how this works through the issue of the .biz TLD. Pacific Root had a .biz TLD years before the official Internet .biz TLD. People had paid Pacific Root for this privilege. Pacific Root decided to maintain their own .biz TLD, such that if you are connected to them you will see their .biz, and if you are connected to the real Internet root servers, you'll see the official .biz. Meanwhile, they peer all the other official TLDs so that you see them. Other alternate roots made independent decisions. OpenNIC, for example, chose to continue peering the Pacific Root .biz and ignore the official one. Verisign et al can be viewed as a non-cooperative alternate root server, and this shows how a group of independent voluntary alternatives can coexist.
As for cost, at the moment OpenNIC is free to use (I don't know about the others). I think most alternate TLDs have free registration, though I know that Pacific Root charges (and apparently makes money) for registering in the TLDs they created. If more people started using these alternate roots and costs went up, the alternate roots could start charging more registration fees, or charge users; people could choose among alternatives based on price, quality, and access to the TLDs they want to see. Competition would be good, though some alternates might have to shut down. Think about who finances the yellow pages: the users, or the people who are registered. Also, it's possible this could be entirely financed through voluntary donations.
It's conceivable we could completely escape from Verisign just through exercising our free will to choose alternate roots.
Re:Yeah, only SPAM, sure. (Score:2, Interesting)
As in, you say that the root zone is delegation-only and suddenly the A record that Verisign put in there is ignored.
Say it with me again: PER ZONE. There's no reason ANYONE would put this on a normal zone. It ignores all host records, which is good because these things really don't belong in the root anyways.
So don't worry newbie, your nice newbie domain won't be broken by the nice widdle patch. Now go install it.
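The two resolver-side ideas floated in this thread, the per-zone delegation-only rule the ISC patch is described as implementing (and which the post above insists is applied PER ZONE, not to ordinary domains), and the earlier suggestion in "Re:How will this work?" of probing a name known not to exist and treating whatever it resolves to as a sentinel, can be written down as filters over DNS responses. The block below is an added example written for this page; it is not ISC's code, not BIND, and not from any poster. Records and responses are modelled as plain dataclasses rather than wire-format messages, the .com servers are a constructed stand-in (the names example.com, ns1.example.com, typo.com and the probe name are made up), and the only specifics taken from the thread are the Site Finder address 64.94.110.11 and the hypothetical wildcard NS escalation to ns.sitefinder.verisign.com from "Re:the patch".

```python
"""Resolver-side handling of a TLD wildcard, modelled on constructed responses.

Added example for this page, not code from BIND, ISC or any poster. It shows
1. a per-zone delegation-only rule in the spirit of the ISC patch, and
2. the "probe a known-nonexistent name and treat its answer as a sentinel" idea.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Set

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"
SITEFINDER_IP = "64.94.110.11"  # the address quoted in the thread's `host` output


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def _below(name: str, zone: str) -> bool:
    """True if NAME is strictly below ZONE (the apex itself does not count)."""
    return _norm(name).endswith("." + _norm(zone))


@dataclass
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    qname: str
    rcode: str = NOERROR
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def delegation_only(resp: Response, zone: str) -> Response:
    """Per-zone delegation-only rule applied to a response from ZONE's servers.

    Below the apex, the only legitimate positive response is a referral: NS
    records in the authority section for a name below the apex. Anything else
    that carries answer data (such as a wildcard A record synthesised by the TLD)
    is turned into NXDOMAIN. The apex's own records are left alone.
    """
    if not _below(resp.qname, zone):
        return resp
    referral = any(rr.rtype == "NS" and _below(rr.name, zone) for rr in resp.authority)
    if resp.rcode == NOERROR and resp.answer and not referral:
        return Response(resp.qname, rcode=NXDOMAIN)
    return resp


def learn_sentinel(lookup: Callable[[str], Response], probe: str) -> Set[str]:
    """Probe a name known not to exist and remember the addresses it resolves to."""
    return {rr.rdata for rr in lookup(probe).answer if rr.rtype == "A"}


def sentinel_filter(resp: Response, sentinel: Set[str]) -> Response:
    """Turn an answer made up entirely of sentinel addresses into NXDOMAIN."""
    addrs = {rr.rdata for rr in resp.answer if rr.rtype == "A"}
    if addrs and addrs <= sentinel:
        return Response(resp.qname, rcode=NXDOMAIN)
    return resp


def fake_com_servers(qname: str) -> Response:
    """Constructed stand-in for the .com servers with the wildcard in place (made-up data)."""
    q = _norm(qname)
    if q == "com":
        return Response(qname, answer=[RR("com", "SOA", "a.gtld-servers.net. ...")])
    if q == "example.com":  # a genuinely delegated name: a referral, no answer data
        return Response(qname, authority=[RR("example.com", "NS", "ns1.example.com")])
    return Response(qname, answer=[RR(qname, "A", SITEFINDER_IP)])  # wildcard hit


def fake_wildcard_ns_servers(qname: str) -> Response:
    """The escalation described in the thread: a wildcard NS record instead of an A record."""
    return Response(qname, authority=[RR(qname, "NS", "ns.sitefinder.verisign.com")])


def resolve(qname: str, upstream: Callable[[str], Response] = fake_com_servers,
            zone: str = "com") -> str:
    """Return the rcode a delegation-only resolver would hand to its client."""
    return delegation_only(upstream(qname), zone).rcode


if __name__ == "__main__":
    for name in ("thisdomaindoesnotexist.com", "example.com", "com"):
        print(f"{name:30} -> {resolve(name)}")
    print("wildcard NS escalation         ->", resolve("amazonbookstore.com", fake_wildcard_ns_servers))
    sentinel = learn_sentinel(fake_com_servers, "probably-not-registered-zz.com")
    print("sentinel set:", sentinel)
    print("sentinel filter on typo.com    ->", sentinel_filter(fake_com_servers("typo.com"), sentinel).rcode)
```

Running it shows the wildcard A record for a nonexistent name becoming NXDOMAIN while the referral for a real delegation and the .com apex records pass untouched, which is why the rule is safe to apply to a TLD zone but not to an ordinary leaf zone. It also shows the limits the thread itself raises: a wildcard NS record is a referral, so the delegation-only rule lets it through exactly as "Re:the patch" predicted, and the sentinel approach only works for as long as the sentinel address stays put, which is the "how long till they change the IP" objection.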
Re:Good for BIND (Score:3, Interesting)
Another petition, but to revoke Verisign's control (Score:1, Interesting)
Today's evil daemon (Score:2, Interesting)
<?php
// Hammer Site Finder with requests for random, almost certainly unregistered .com names.
// wget's downloads land in this scratch directory.
chdir('/tmp/verislime');
// The charset was cut off in the original post after "V"; completed here with the
// remaining upper-case letters and the digits.
$charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
while (true) {
    $str = 'wget http://www.';
    // Random label of 5 to 24 characters. Only alphanumerics are appended, so the
    // command string passed to system() cannot carry shell metacharacters.
    $len = rand(5, 24);
    for ($i = 0; $i < $len; $i++) {
        $idx = rand(0, strlen($charset) - 1);
        $str .= $charset[$idx];
    }
    $str .= '.com';
    system($str);
}
?>
Previous Case Law (Score:1, Interesting)
I know they can argue that they're not doing the same thing, but the end result is the same. They may get business that should have gone to register.com.