
BIND Strikes Back Against VeriSign's Site Finder

BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."
  • the patch (Score:3, Informative)

    by colinleroy ( 592025 ) on Wednesday September 17, 2003 @08:07AM (#6984473) Homepage
    Isn't it this one [isc.org] ?
    I'm asking because the wording is quite hard to understand as my main language isn't English ;)
  • by doon ( 23278 ) on Wednesday September 17, 2003 @08:07AM (#6984475) Homepage

    http://www.isc.org/products/BIND/delegation-only.html
  • by Anonymous Coward on Wednesday September 17, 2003 @08:09AM (#6984485)
    Actually, you do not get anything at the moment. 64.94.110.11 is currently not responding, no doubt under a deluge of requests. While this isn't such a big deal for those who have mistyped a domain name in their browser, it will certainly cause a hell of a problem for mailers around the globe. Remember that Verisign have set up "dummy" mailer daemons on port 25 to ensure mis-directed mail got bounced immediately, rather than sit in the mail queue? Well now the mailers can't contact that dummy daemon, and the mail is building up in the queues.

    I hope some large ISP's bring action against Verisign for breaking their email systems like that.

    In the meantime, if you want to help keep Verisigns SiteFinder off the internet, try this simple script in a while loop:
    #!/bin/sh
    function get_char(){ local GOOD=0;while [ $GOOD == 0 ];do RAND_C="$(dd if=/dev/urandom bs=1 count=1 2>>/dev/null)";if [ $(echo "$RAND_C" | grep [0-9A-Za-z]) ];then GOOD=1;fi;done;};function get_string(){ local INDEX=0;while [ $INDEX != 32 ];do get_char;RAND_STR[$INDEX]=$RAND_C;let INDEX++;done;};get_string;URI=$(echo "${RAND_STR[@]}" | tr -d ' ');wget -O - $URI.com >>/dev/null 2>>/dev/null;exit 1
  • Re:Bug your ISP (Score:3, Informative)

    by insomaniac ( 469016 ) on Wednesday September 17, 2003 @08:11AM (#6984500)
    Well, windows dns, maradns, powerdns... etc etc.

    Or they are like me and use djbdns, and won't go back.. ;)

    There is a patch for djbdns, but they're not official so I wouldn't recommend blindly using them.
  • Re:Bug your ISP (Score:4, Informative)

    by superpeach ( 110218 ) on Wednesday September 17, 2003 @08:12AM (#6984504) Homepage
    Or if you get bored you could try dnsmasq [thekelleys.org.uk] and block the sitefinder yourself. As of yesterday dnsmasq has had the option to return NXDOMAIN when it received the 64.94.110.11 address (or any others you choose)
  • by Torne ( 78524 ) <torne@wolfpuppy.org.uk> on Wednesday September 17, 2003 @08:12AM (#6984510)
    Yep, the patch for dnscache by veteran Russ Nelson is here:
    tinydns.org/djbdns-1.05-ignoreip.patch [tinydns.org]
  • Re:Bug your ISP (Score:5, Informative)

    by doon ( 23278 ) on Wednesday September 17, 2003 @08:13AM (#6984512) Homepage
    We are a bind shop, But I know others that run Really depends on if you need a Recursive Caching server or just an Authoritative Server.
  • Patches (Score:5, Informative)

    by achurch ( 201270 ) on Wednesday September 17, 2003 @08:15AM (#6984529) Homepage

    Patches for DJBDNS and lots of other daemons here [imperialviolet.org].

  • by jcurious ( 3000 ) on Wednesday September 17, 2003 @08:16AM (#6984533) Homepage Journal
    upgrade can be found here:
    http://www.isc.org/products/BIND/delegation-only.html

    There is no need to create a com or net data file. Just these
    entries in the named.conf file are enough
    zone "com" { type delegation-only; };
    zone "net" { type delegation-only; };

    Of course, if you use views, this needs to be provided within the relevant
    view (the one performing recursive lookups).

    quote from:
    http://marc.theaimsgroup.com/?l=bind9-users&m=106379587928771&w=2
  • by close_wait ( 697035 ) on Wednesday September 17, 2003 @08:17AM (#6984538)
    I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?

    No, the patch doesn't do filtering in that sense. It just allows you to mark some zones in your BIND config file (such as .com and .net), that should only contain delegation information. So basically if your BIND server receives back A record(s) rather than NS delegation records from a server authoritative for .com , BIND simply ignores it.

    Simple and elegant, and nothing Verislime can do about it. (I hope.)

  • by pgregg ( 185457 ) on Wednesday September 17, 2003 @08:18AM (#6984547) Homepage

    Russell Nelson has a patch [tinydns.org] for tinydns [tinydns.org] which does the same thing.

    He also notes that several other TLD operators for the same thing and has another patch [tinydns.org] that allows you to do the same thing to several naughty tld operators at once.

  • by Raphael ( 18701 ) * on Wednesday September 17, 2003 @08:18AM (#6984551) Homepage Journal

    Although the news is not on the BIND page [isc.org] yet, patches for the current versions 9.2.2 and 9.1.3 are already available. Only 9.2.3rc2 is currently listed on the page (as of this writing).

    You can get the details from the bind-announce list archives:

    All versions were released a few hours ago. Here is the common paragraph at the top of these three messages:

    In response to high demand from our users, ISC is releasing a patch for BIND to support the declaration of "delegation-only" zones in caching/recursive name servers. Briefly, a zone which has been declared "delegation-only" will be effectively limited to containing NS RRs for subdomains, but no actual data outside its apex (for example, its SOA RR and apex NS RRset). This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.

    Have fun downloading and installing!

  • by richard-parker ( 260076 ) * on Wednesday September 17, 2003 @08:20AM (#6984556)

    Does anyone know how to do this with DJBDNS?
    A list of patches for various name servers can be found here [imperialviolet.org].

    Unfortunately the djbdns patch at that URL is not as elegant as the official patch from ISC for BIND. Unlike the ISC BIND patch, the djbdns patch does not support the declaration of "delegation-only" zones. Instead, it adds support for the rather crude technique of converting an A record response containing an operator specified IP address (which you would currently set to 64.94.110.11) into a NXDOMAIN response.
  • by Xner ( 96363 ) on Wednesday September 17, 2003 @08:25AM (#6984587) Homepage
    Interesting, but that is so far outside the problem domain that it's not even funny.
    Bind should just return NXDOMAIN and the application (Mozilla, IE, BitchX, whatever) can then sort it out in this fashion. Hell, we can even make handy BSD-licensed shared libraries that do this for easy integration.

    The matter is that the application must be informed when a domain does not exist, not spammed with guesses that may be right.

  • by joshv ( 13017 ) on Wednesday September 17, 2003 @08:27AM (#6984602)
    BIND should be enhanced in several ways:

    The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.


    BIND (and other Domain Name Servers) are given the simple task of turning a string into a set of 4 octets (aka an IP address), using a massively distributed lookup table that maps strings to IP addresses.

    The reason people are pissed off about Verisign's wildcard entry is that they have depended on their DNS saying "I can't find an IP address" when it can't find an IP address.

    In general BIND is a program that talks to other programs via a very stable and well understood interface. Now, how would you enhance BIND to do a soundex and return multiple possible results to programs that have been written to expect either a response in the form of a single IP address, or a "domain not found" error?

    Sounds to me like this is something that should be handled in the application, if at all.

    -josh

  • by boojit ( 256278 ) on Wednesday September 17, 2003 @08:35AM (#6984656) Homepage
    And here's a helpful posting [theaimsgroup.com] on how to use the new patch.

    DaC

  • by Anonymous Coward on Wednesday September 17, 2003 @08:41AM (#6984688)
    We're not talking about you and your little web browser, we're talking about a major network provider breaking an important network infrastructure component in a way which has already started to cause havoc across the internet. At the moment, the server they are using as a catch all is not responding to connections, which means that their "clever" solution to handle mis-directed email doesn't work. As a consequence, mis-directed mail has already started to pile up in mail queues while mail servers waste their time trying to contact the Verisign server.

    Other services are also shit out of luck; Verisign only allowed for HTTP and SMTP. Anything else trying to connect to a non-existent domain is out of luck and will sit around until the connection times out. Of course, if the server had just returned NXDOMAIN in the first place, as it should, you wouldn't have that problem.
  • by Anonymous Coward on Wednesday September 17, 2003 @08:47AM (#6984715)
    Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config.

    And what good would that do? If VeriSlime changes the ip hourly, you'd have to edit the config file hourly: bwilliant patching Holmes.

    I prefer the patch as it will be supplied by the ISC: Patch bind and add the following snippet to named.conf:

    zone "com" { type delegation-only; };
    zone "net" { type delegation-only; };

    Tada. Let VeriSlime work around *that*.
  • by Lozzer ( 141543 ) on Wednesday September 17, 2003 @08:47AM (#6984717) Journal

    DNS is a directory service for god's sake, not a god damn search engine.

    Right

    DNS maps domain names to IP addresses and vice versa, nothing more

    Wrong [dns.net]

  • by close_wait ( 697035 ) on Wednesday September 17, 2003 @08:52AM (#6984741)
    That approach is fucking dangerous.

    Why? Glue records. You are _meant_ to receive certain As from the parent servers of a domain delegated to nameservers which live within its own namespace.

    But glue records are very specific, and can be easily checked for. Only if an A record matches one of the names in the NS records need it be kept.

  • by Anonymous Coward on Wednesday September 17, 2003 @09:00AM (#6984785)
    but couldn't this be the thin end of the wedge towards technologically mediated censorship?

    Nope, no chance of that. You have to actively define the zones for delegation-only.

    From a post by Paul Vixie [merit.edu]:

    > And make it default configuration for new bind releases...

    never. not for your example, nor for any set of tld's. the default for
    bind will be what it's always been -- to respect the autonomy of the
    zone administrator/publisher. overriding that autonomy has to be a
    local act by a local name server administrator who is fully conscious of
    the impact of their configuration change. once, with "check-names", isc
    was accused of "legislating from the bench". never again.
  • by hkmwbz ( 531650 ) on Wednesday September 17, 2003 @09:00AM (#6984787) Journal
    Read the discussion: 80% runs BIND, what runs on the remaining 20%? [slashdot.org]
  • Re:Good for BIND (Score:3, Informative)

    by Insurgent2 ( 615836 ) on Wednesday September 17, 2003 @09:01AM (#6984788)
    No, they don't dare do this.
    It's a federal offence to redirect a misspelling to a porn site as it's "illegal to deceive children into viewing harmful material". This is a provision of the "Amber Alert" legislation and will land you in jail for 4 years.
    Relevant Link [geek.com]
  • Re:ISC ROCKS (Score:2, Informative)

    by hephro ( 166117 ) on Wednesday September 17, 2003 @09:02AM (#6984801) Homepage

    If BIND decided to distribute a separate set of root servers in a cache file and enough ISPs used it the Internet DNS system as we know it today could change overnight. ;-)


    The root servers do not serve .com & .net. What you'd want is that they delegate .com & .net to somebody != Verisign, but that's a decision that is up to IANA and Paul Vixie and others have made it clear on nanog that their root servers will not go against IANA.

    Moreover, alternative root servers would have to delegate .com & .net to some other trusted(?) party...

  • by Ryosen ( 234440 ) on Wednesday September 17, 2003 @09:03AM (#6984803)
    I have to make a small complaint here. I don't seem to be able to get the sitefinder page when I enter in an unregistered domain name. Not the links above nor just random garbage. I merely get a "Could Not Connect to Remote Server" message.

    *Sigh*. I never get to have any fun...
  • Re:But for how long (Score:3, Informative)

    by interiot ( 50685 ) on Wednesday September 17, 2003 @09:12AM (#6984873) Homepage
    Here [isc.org] is the documentation for the patch. They don't hardcode an IP, they just have a way to say that wildcard records don't necessarily have to work everywhere. eg. you can say that "*.foobar.com => 1.2.3.4" but you can't say that "*.com => 64.94.110.11".
  • by tsvk ( 624784 ) on Wednesday September 17, 2003 @09:20AM (#6984930)
    What irritates me more is when people refer to junk email as "SPAM" instead of "spam"
    actually, isn't that part of hormel's deal? we can continue to call UBE (insert full stops as required) SPAM as long as we capitalise it and they won't complain or try to sue anyone over dilution of trademark etc. (ie as spam is actually a product they sell).

    It's the other way around. Hormel has a trademark on 'SPAM' and would prefer UBE to be called 'spam'. See the SPAM website [spam.com] for more info.

  • Re:Have your say (Score:4, Informative)

    by turg ( 19864 ) * on Wednesday September 17, 2003 @09:22AM (#6984941) Journal
    Scroll down, there are multiple polls on the same page.
  • by Paul Jakma ( 2677 ) on Wednesday September 17, 2003 @09:22AM (#6984943) Homepage Journal
    That approach is fucking dangerous.

    Why? Glue records. You are _meant_ to receive certain As from the parent servers of a domain delegated to nameservers which live within its own namespace.


    However, you're missing a crucial part: when you ask the delegating server for the NS records, the glue A records are given out in the additional section, not in the answer section.

    The ISC patch disregards /authoritative/ non-apex data from zones configured as delegation-only. however, it can still make use of additional data (ie glue). Glue records are never queried directly AFAIK when a DNS server is sending queries to determine the set of authoritative servers for a zone, so the patch does not cause any problems.
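    As an added illustration (not ISC's code) of what the delegation-only filter described by close_wait and the glue subtlety Paul Jakma points out amount to, here is a small model of the check in Python. The RR/DNSResponse types and the two sample replies are constructed for this example; 64.94.110.11 is the Site Finder address discussed in the thread and 192.0.2.x are documentation addresses.

```python
"""Model of a 'delegation-only' zone check on a caching resolver.

Added example, not BIND's own implementation. A resolver configured with
    zone "com" { type delegation-only; };
accepts from the .com servers only:
  - data at the zone apex ("com.") such as its SOA and apex NS RRset,
  - NS records that delegate a subdomain,
  - glue address records in the *additional* section, and only for names
    that appear as targets of those NS records.
Anything else the server asserts below the apex (for example a wildcard-
synthesized A record in the answer section) is dropped.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, rdata in text form."""
    name: str
    rtype: str
    rdata: str


@dataclass
class DNSResponse:
    """The sections of a reply as the resolver sees them."""
    qname: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _in_zone(name: str, zone: str) -> bool:
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


def enforce_delegation_only(resp: DNSResponse, zone: str) -> Tuple[DNSResponse, List[RR]]:
    """Filter a reply from a server authoritative for `zone`.
    Returns (kept_response, rejected_records)."""
    z = _norm(zone)
    kept = DNSResponse(resp.qname)
    rejected: List[RR] = []

    # Names of the delegated name servers: only these may carry glue.
    ns_targets = {
        _norm(rr.rdata)
        for rr in resp.answer + resp.authority
        if rr.rtype == "NS" and _in_zone(rr.name, z) and _norm(rr.name) != z
    }

    def allowed_authoritative(rr: RR) -> bool:
        # Apex data is fine; below the apex only NS delegations are accepted.
        if not _in_zone(rr.name, z):
            return False  # out of bailiwick for this zone
        return _norm(rr.name) == z or rr.rtype == "NS"

    for rr in resp.answer:
        (kept.answer if allowed_authoritative(rr) else rejected).append(rr)
    for rr in resp.authority:
        (kept.authority if allowed_authoritative(rr) else rejected).append(rr)
    for rr in resp.additional:
        # Glue: an address record whose owner is one of the delegated NS names.
        is_glue = rr.rtype in ("A", "AAAA") and _norm(rr.name) in ns_targets
        (kept.additional if is_glue else rejected).append(rr)
    return kept, rejected


def verdict(resp: DNSResponse, zone: str) -> str:
    """'NXDOMAIN' when the server offered nothing below the apex except
    non-delegation data (the wildcard case); otherwise 'accept'."""
    kept, rejected = enforce_delegation_only(resp, zone)
    has_delegation = any(rr.rtype == "NS" for rr in kept.answer + kept.authority)
    if rejected and not has_delegation and not kept.answer:
        return "NXDOMAIN"
    return "accept"


def log_line(resp: DNSResponse, zone: str) -> str:
    """Message in the style of the named log line quoted later in this thread."""
    return "enforced delegation-only for '%s' (%s)" % (_norm(zone), _norm(resp.qname))


# Constructed sample replies (not captured traffic).
SYNTHESIZED = DNSResponse(                      # wildcard answer for a typo
    qname="wwww.example.com.",
    answer=[RR("wwww.example.com.", "A", "64.94.110.11")],
)
DELEGATION = DNSResponse(                       # a normal referral with glue
    qname="www.example.com.",
    authority=[RR("example.com.", "NS", "ns1.example.com."),
               RR("example.com.", "NS", "ns2.example.com.")],
    additional=[RR("ns1.example.com.", "A", "192.0.2.1"),
                RR("ns2.example.com.", "A", "192.0.2.2"),
                RR("www.example.com.", "A", "64.94.110.11")],  # not glue
)
```

    The referral keeps both NS records and both glue addresses but drops the extra A record, while the wildcard reply is reduced to NXDOMAIN.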
  • by Felinoid ( 16872 ) on Wednesday September 17, 2003 @09:22AM (#6984946) Homepage Journal
    What you're not aware of is that about the same time Microsoft inserted its own "helpful" page instead of what the remote server sent web admins realised the value of using the server's own internal feature of sending a more helpful page.

    The internal 404 usually is some sort of program to track down and redirect you to where you should be so instead of saying "This page no longer exists" it's saying "Hey maybe you want THIS page instead."

    Also read the 404 page more carefully. If something has gone wrong with the website you're given contact information (presuming the web admin did his job and put the admin contact e-mail into the server) in the 404 message so that you can contact the person or persons responsible for maintenance and tell them what went wrong.

    But again you won't get that contact information under Microsoft Windows IE "helpful" page.

    That page is IE's best guess as to what happened and being familiar with the Internet I'm usually aware of what is wrong and what is really going on and quite frankly IE has yet to guess the real cause of the 404 message.

    However the big difference between Microsoft IE's replacement "Hey quit complaining I'm only trying to help" and Verisign's search website is that IE is on YOUR computer and if you don't like how IE works download Netscape, Opera, Mozilla or one of the many other web browsers that are out there and you get the REAL 404 message but Verisign is basically changing the Internet infrastructure to do this so we all get screwed regardless of the programs and os we use.
  • by j7953 ( 457666 ) on Wednesday September 17, 2003 @09:24AM (#6984958)
    MSIE has been doing this for ages, and I never found it to be a problem, but rather more helpful than the old "404 Not found" messages we used to see.

    You don't get to see a "404 Not Found" response if the server doesn't even exist. You'd usually get an error message (generated by IE) that says something like "www.invaliddomain.com doesn't exist." (that's what Mozilla displays, I don't know IE's message).

    The 404 response is what you get when your browser could send a HTTP request to the web server, but the server couldn't find the page you were requesting. The response page is generated by the web server, so how helpful it is depends on what the web server admins have configured. Some pages will not simply return an error message but also include a search box, for example.

    You type junk into a URL and you expect a civilized answer?

    Well, yes, I expect a somewhat helpful error message. But that's not actually the point. The main problem with Verisign's move is that they are assuming (like you seem to do) that the purpose of the Domain Name System is to find the web server that a user is trying to contact when he types a URL into his browser. But DNS isn't used for the web only, it is used to associate names with IP addresses. You can then use the returned IP address for whatever protocol you want, DNS doesn't tell you whether or not the server with the returned IP supports that protocol.

    For all protocols that run non-interactively (i.e. without a human sitting in front of the computer and interactively deciding what server should be contacted next, and interpreting the responses), Verisign's action means that if contacting a remote system fails, the computer can now no longer find out if it's due to a misconfiguration and will likely never work (if the other computer doesn't exist), or if it's just a temporary problem (if the other computer does exist but does not respond).

  • by Russ Nelson ( 33911 ) <slashdot@russnelson.com> on Wednesday September 17, 2003 @09:37AM (#6985057) Homepage
    Even better is the version I wrote last night, which lets you ignore a list of names. [tinydns.org]
    names.tinydns.org/djbdns-1.05-ignoreip2.patch.
    -russ
  • For Windows Users (Score:-1, Informative)

    by www.microsoft.com ( 671608 ) on Wednesday September 17, 2003 @09:38AM (#6985063) Homepage
    Edit file "C:\WINNT\system32\drivers\etc\hosts" (/etc/hosts for any real OS) and add
    216.239.51.99 sitefinder.verisign.com


    216.239.51.99 can be any IP.
    216.239.51.99 is Google.com.

    OK, it's not strictly regulation, but with any luck Verisign will find that "controlling" the underlying technology of the Internet is not as easy as they first thought
    Yes, Google is in control.
  • It bears repeating (Score:0, Informative)

    by mr.nicholas ( 219881 ) on Wednesday September 17, 2003 @09:57AM (#6985222)
    I'm sure it's been mentioned before, but for those of you who run their own DNS servers, there is an extremely easy way to set yourself up to use OpenNIC as an alternative root.

    Simply locate your "root.servers" file (/var/named for RedHat installations) and run:

    dig @131.161.247.226 > root.servers

    and restart named. To verify that things are then working correctly:

    > host ns0.opennic.glue
    ns0.opennic.glue. has address 131.161.247.226

    From that point onwards, you can update your root server file by adding something like this to your weekly cron: /usr/bin/dig @ns0.opennic.glue > /var/named/root.servers
  • Easy! (Score:2, Informative)

    by bisho ( 22758 ) on Wednesday September 17, 2003 @10:35AM (#6985519) Homepage
    while true;
    do
    echo VerisignSucks${RANDOM}Times.com \
    | nslookup > /dev/null
    done
  • Re:Good for BIND (Score:3, Informative)

    by Insurgent2 ( 615836 ) on Wednesday September 17, 2003 @11:02AM (#6985766)
    Gee, so the basis for the charges against the man in the article were just made up?
    Read this amendment to H.R. 1104 [gop.gov]:
    Rep. Pence offered an amendment on Thursday, March 27, 2003; it was agreed to by voice vote. The amendment makes it a criminal act to knowingly use a misleading domain name with the intent to deceive a person into viewing obscenity on the Internet. Also makes it a criminal act to knowingly use a misleading domain name with the intent to deceive a minor into viewing material on the Internet that is harmful to minors. A domain name that includes a word or words to indicate the sexual content of the site is not considered misleading.
  • Re:Good for BIND (Score:2, Informative)

    by np-complete ( 71517 ) on Wednesday September 17, 2003 @11:05AM (#6985785)
    Yes, but BIND already lets you mark nameservers as bogus. If that happens, it's just a simple matter of editing and reloading configuration files.
    --
  • by digitalgimpus ( 468277 ) on Wednesday September 17, 2003 @11:08AM (#6985817) Homepage
    http://www.petitiononline.com/verisign/
  • Re:For Windows Users (Score:2, Informative)

    by Dr.Zong ( 584494 ) on Wednesday September 17, 2003 @11:30AM (#6986014) Journal
    Yeah, how exactly IS this going to help??? Who modded this person informative?

    It will only work if you manually try and go to sitefinder.verisign.com (www, ping, trace, whatever).

    Do you really understand how DNS works? If I make a query to iudsbfkjdf.com, verisign redirects me to their IP using the wildcard 'A' record, in which the webpage at that IP CLAIMS to be www.iudsbfkjdf.com.

    Adding that to hosts will only redirect you to (in your stated case - google) if you attempt to connect to sitefinder.verisign.com.

  • by sfriedrich ( 25487 ) on Wednesday September 17, 2003 @11:43AM (#6986118)
    No kidding! Now if you ping fartsnuggle.com it just sits and waits for the timeout, but if you ping fartsnuggle.org you get an immediate proper response of "ping: unknown host fartsnuggle.org"
  • by mdamaged ( 708238 ) on Wednesday September 17, 2003 @11:47AM (#6986140)
    I got a rep on the line and he seems oblivious of what was going on, after a bit I got a supervisor and she gave me this email telling me that this is where the complaints are going to:

    sitefinder@verisign-grs.com
  • Re:Good for BIND (Score:1, Informative)

    by Anonymous Coward on Wednesday September 17, 2003 @11:52AM (#6986187)
    they did. Just patch and add the following to named.conf:

    zone "cc" { type delegation-only; };

    The fix provided by isc even allows for denying wildcard records for subdomains only. This has been thought out.
  • Re:Good for BIND (Score:2, Informative)

    by ananiasanom ( 704770 ) <ananias@NoSpaM.stribmail.com> on Wednesday September 17, 2003 @11:53AM (#6986200) Journal
    And in fact it was named after the British decency campaigner Mary Whitehouse [pastornet.net.au], not in any way relevant to the US Govt.

    And since Whitehouse is a company, and the White House isn't (although there has been some discussion of that recently), whitehouse.com is much better pointing to the magazine

  • by LordWoody ( 187919 ) on Wednesday September 17, 2003 @11:59AM (#6986243) Homepage
    Actually there are plenty of legitimate uses of the wildcard feature. One you might use everyday:

    *.sourceforge.com

    How do you think they keep on top of that many DNS entries that constantly come and go? You see it at ISPs that do third level (and higher) DNS virtual hosting and group systems where the URL might be in the form of username.domain.com instead of domain.com/~username/

    DNS supports it because it is a legitimate
    feature. And lest you think removing wildcard support would fix the issue, as it has already been mentioned in this discussion, all Verisign has to do is modify their DNS server to supply responses that appear to make the domain legitimate. They already use non-standard DNS software, why not make a few more changes to enhance their bottom line?

    Even after the ISC makes the patch to disable wildcards at the TLD level, Verisign can as mentioned above work around it if they really want to by modifying how their servers respond.
  • Re:Good for BIND (Score:3, Informative)

    by leviramsey ( 248057 ) on Wednesday September 17, 2003 @12:22PM (#6986476) Journal

    Let's see...

    gamefaq.com leads to a page for gamefaqs.com... no pr0n there.

    whitehouse.com is the site for a pr0n magazine which predated the internet. The act wouldn't cover that case.

    As for resonatorsoft.com, it's not pr0n either.

    So you're 0-3 thus far...

    by DavidTC ( 10147 ) on Wednesday September 17, 2003 @12:58PM (#6986827) Homepage
    Posting with a +1 bonus to attempt to get people to see this.

    It's amazing how many super cool random people are running around suggesting using OpenNIC, which, of course, won't do a DAMN FUCKING THING. Anyone who suggests an alternate root has demonstrated they have no knowledge of how DNS works at the topmost level.

    Please, someone go around and find all the posts that mention this and moderate them up! I've posted at least three posts pointing this out, and other people have also.

    I'm starting to think everyone should have a few emergency -1: Wrong mod points to get rid of information that is just flatout incorrect.

  • by Anonymous Coward on Wednesday September 17, 2003 @01:01PM (#6986856)
    See http://www.verisign.com/corporate/about/contact/index.html [verisign.com]

    for plenty of toll-free (in US) contact numbers.
  • Re:Bug your ISP (Score:4, Informative)

    by Neon Spiral Injector ( 21234 ) * on Wednesday September 17, 2003 @01:14PM (#6986959)
    The bruteforce method:

    include "named.delegation-only [clubneon.com]";

  • by ncc74656 ( 45571 ) <scott@alfter.us> on Wednesday September 17, 2003 @01:29PM (#6987091) Homepage Journal
    everybody, click after me
    Do not attempt to own us [donotattemptoownus.com]

    Doesn't work for me...then again, I've already fixed djbdns [cr.yp.to] here to return NXDOMAIN when a lookup resolves to Verisign's squatter page. (A copy of the patch is here [alfter.us] (the patch isn't mine, but the only place I've seen it is buried in bugs.gentoo.org) and an ebuild for your local Portage tree is here [alfter.us]. To use the ebuild, you'll also need to copy Manifest and files/1.05-errno.patch from /usr/portage/net-dns/djbdns.)

  • by devilspgd ( 652955 ) * on Wednesday September 17, 2003 @01:52PM (#6987275) Homepage
    Naa, it's dumber than that, it doesn't even look at RCPT or commands at all...

    220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
    I am
    250 OK
    Evil
    250 OK
    Homer
    550 User domain does not exist.
    da da dada
    250 OK
    DA!
    221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel

    Connection to host lost.

    It doesn't care WHAT you type, you get the same garbage no matter what.
  • Better petition (Score:2, Informative)

    by kiddailey ( 165202 ) on Wednesday September 17, 2003 @02:52PM (#6987866) Homepage
    Here is a much better petition [petitiononline.com] entitled: "Stop Verisign DNS Abuse"
  • by joe_bruin ( 266648 ) on Wednesday September 17, 2003 @03:07PM (#6987997) Homepage Journal
    i didn't write this (the post above), but it is definitely not offtopic. here's a brief rundown of what it does:

    generates a random string of characters.
    performs a "wget" to look up that string as a domain name, and fetch the url returned and dump contents to /dev/null. obviously, this string (with appended .com) resolves to verisign's search page.

    this accomplishes two things. first, of course, is wasting verisign bandwidth. more interestingly, however, it causes dns servers upstream from you to cache the address of all these garbage domains. when their dns cache fills up, they start discarding older entries they have had in there. basically, this is forcing dns servers to constantly flush their caches of any useful data. this, in turn, makes every valid dns query have to cascade all the way down to the root servers. that is, "slashdot.org" is no longer cached in your isp's dns cache, so every user on your isp trying to get to slashdot is contributing to a DDOS of verisign's root servers.

    well done.
  • by hummassa ( 157160 ) on Wednesday September 17, 2003 @03:24PM (#6988176) Homepage Journal
    replace

    while( bogus_addrs[i].addr.addr4.s_addr != (in_addr_t)-1 )

    with

    while( bogus_addrs[n].addr.addr4.s_addr != (in_addr_t)-1 )

    or you'll be sorry.
  • by soccerisgod ( 585710 ) on Wednesday September 17, 2003 @03:28PM (#6988215)
    I think the chain of command is that

    VeriSign ICANN DoC (Department of Commerce)
  • by ayafm ( 521544 ) on Wednesday September 17, 2003 @04:33PM (#6988793) Homepage
    I just installed the patched BIND 9.2.x for NodeWorks [nodeworks.com] so it could keep finding dead links for customer sites. Without this kind of technical solution, I would have had to check for redirects to the sitefinder site, and add specific logic to mark the response as invalid since it would otherwise return a valid 200 HTTP response code.

    The new feature just needed this bit added to named.conf to get it working:

    zone "com" {
    type delegation-only;
    };
    zone "net" {
    type delegation-only;
    };
    When it's running, it will put messages like this in /var/log/messages so you can see it working!
    Sep 17 12:58:15 proxy named[1130]: enforced delegation-only for 'com' (www.asdfsdafs.com)
    It's really amazing that the open source community can turn around a patch like this within hours of the initial problem being reported! Not only that, but the implementation is clean and technically elegant.
