BIND Strikes Back Against VeriSign's Site Finder 582
BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."
Excellent! (Score:5, Insightful)
Good for BIND (Score:5, Insightful)
hmmm don't want to be alarmist (Score:2, Insightful)
after all, almost anything is possible with the a patch... it just takes the will to do it.
____________________________________________
I
Re:How will this work? (Score:5, Insightful)
I'd say that's quite an assumption. Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config. That config would be able to take single IPs and also ranges.
I wouldn't write this off as ineffective yet. We need to see what methodolgy is being chosen before we can comment on its technical effectiveness.
Cheers,
Ian
Advice on switching to another registrar (Score:2, Insightful)
I really want to get away from these jerks. There seem to be lots of registrars out there, but I've heard horror stories about totally unresponsive registrars that are glad to take your money, but ignore you if there's any problem at all. Also, if I switch, doesn't that just improve Verisign's profit margin? I've paid till 2007, now they don't have to do anything at all for that money. If I transfer to another registrar does Verisign get to keep my money?
Advice?
MX Problems (Score:5, Insightful)
So you have 2 mail servers with mx priorities as follows:
mail.someplace.com 10
mail.otherplace.com 20
if your someplace.com domain expires (hey, it happens) all your mail bounces thanks to verisigns ace "Snubby Mail Rejector Daemon v1.3". The backup mx record, which is there to cover failures like domains expiring, is never tried. In the 'real' world.. where lookups on dead domains fail... the backup server would be used.
Thats a bigger problem than all this spam checking people are getting worked up about. If they both had priority 10 (a simple load balancing arrangement) then half your mail would bounce and half would be ok.
Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.
Re:Soundex into BIND! (Score:5, Insightful)
NO NO NO NO NO NO NO! DNS is a directory service for god's sake, not a god damn search engine. If you want a search engine then go to Google like everyone else does. If people are too stupid to assume typing in "www.whitehouse.com" will take them to the White House's homepage then they deserve to get tits in the face. Type in White House in Google, hit feeling lucky and you'll get the right page right off. DNS maps domain names to IP addresses and vice versa, nothing more. Don't pervert it into some god damn spell checking search engine.
Re:didn't they already do that? (Score:5, Insightful)
Having an application do that is completely different than having what is essentially one of the only Internet "utilities" do it without your consent. Redirecting queries is the job of an application, not the DNS root servers. There's a reason looking up non-registered domains returns an NXDOMAIN, because the RFC says it is should!
Re:Yeah, only SPAM, sure. (Score:5, Insightful)
Re:Good for BIND (Score:5, Insightful)
I can't help but think of the contraversy over deep linking and how all those stupid suits could have been avoided if server operators would have just detected the referer header and bounced deep links back to the home page...
Re:How will this work? (Score:3, Insightful)
Why? Glue records. You are _meant_ to receive certain As from the parent servers of a domain delegated to nameservers which live within its own namespace.
For example, let's say I have the domain movezig.com. I fill in a host template to for the two nameservers, base.movezig.com (3.214.8.19) and cats.movezig.com (3.217.21.40), then delegate it to those nameservers. Obviously, if the
So, nameservers are designed to respond with A records for authoritative nameservers when a domain is delegated to NSs within its own zone.
Since these records are sent by the servers authoritative for the parent zone (they live in the same zonefile as the NS records do), filtering them would break resolution of roughly 20% of the internet.
Bad idea.
A much better idea is to merely filter out any responses under a configurable set of parent TLDs where the authority section returned matches a preconfigured list of NSs.
For example, doing a lookup for f00bw1tz.com (which i presume doesn't exist) returns an A of 64.94.110.11 as expected, with the Authority section claiming com. IN NS (a-m).gtld-servers.net.
This would be the tricky way of doing it.
Re:Has anyone.. (Score:5, Insightful)
Ah. Bless. Cuddle up nice and warm.
Verisign is the root domain authority. This is them overstepping bounds and trying to get into the search engine game, something which is 'forbidden' by ICANN. They're farming information that comes in, and if you'd read the handy terms and conditions, you'd notice some real oddity.
So, you type in a mispelled URL...what if your competitor is in their database but you aren't? Furthermore, what if they get the domain wrong? Verisign only has
Then there's the email angle. They're running an MTA that barfs after the 550 for 'From: '. So they're grabbing 'legitimate' email addresses. Trust verisign? As a 'trusted' third party for certificate signing, they're supposed to remain impartial to a certain degree, except they're pushing webservices.
TRUST (Score:5, Insightful)
Had trust. Who can take them seriously now?
Re:MX Problems (Score:5, Insightful)
Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.
There's been this silly thread in this conversation that stakes out two sides. Either a) fix anti-social, monopolistic behavior with technology, or b) fix it with laws and legal action. This is a moronic dichotomy. A technological solution mitigates the immediate problem while the lawyers have time to file their briefs and sort out the damage done. A combination of technical solutions and legal action is a possibility and even a sometimes a Good Thing, not some binary choice.
Talk to a lawyer... (Score:3, Insightful)
Anyone have a lawyer and a small site to try this on. I suspect that you have a case of some sort. "Your honor, we had planned for this type of mistake by having some.other.domain.com as a backup, but verisign illegally stole the expired domain and started bouncing our messages." Or some such. Of course that backup wouldn't work in the case of the domain expiring and someone else registering it instead, but you tried.
Re:Good for BIND (Score:5, Insightful)
If someone is so gung ho about privacy that they disable the referer header and refuse cookies, then they must accept that sites with policies that require them to come through the front door and accept a token will be unavailable to them. Publishers are under no obligation to provide their material without at least a nominal quid pro quo from the user.
Re:Yeah, only SPAM, sure. (Score:2, Insightful)
Of course, they would need to customize their DNS software to do that, as opposed to just adding a line to a config file.
Re:very cool.. dnscache? (Score:3, Insightful)
-russ
-russ
Re:But for how long (Score:3, Insightful)
What the patch does is saying that if I query server Foo, running this version of Bind, and Foo has to go and ask Bar about it, Foo will only consider delegation data from Bar, not other resources.
So if Bar sends NS and SOA records back, all is well, and Foo happily tries to ask the delegated servers to resolve the name. If Bar sends an A record back, Foo will ignore it, and report a failure to the client.
Problem with this is that if it gets widespread, Verisign might decide to serve these A records from other nameservers and add SOA and NS records for all the unregistered names as well, essentially fully delegating the names.
The end result of that would be even more bandwidth wasted.
Re:Lot of fuss about nothing (Score:4, Insightful)
And the reason that we have standards bodies is so that we don't have to do "soft-ware main-ten-ance" three times a week every time somebody on a hunch decides to break the standard. Suppose AOL decided BGP isn't a good protocol and starts broadcasting AOLBGP instead - which looks like BGP to a BGP-speaking router but isn't, and is misinterpreted to cause all their routes to get scrambled. Suppose somebody has a backup MX record which doesn't get consulted because the primary is down and Verisign unhelpfully reports that it still exists and accepts but does not deliver the email. Ditto for 100 other protocols other that http.
What if the company contracted to do road-work decided that roads are an inefficient technology and decided to go ahead and replace them with rails instead. No problem, you just need to do a little car main-ten-ance...
Re:Lot of fuss about nothing (Score:2, Insightful)
Re:Sign the online petition to get ICANN into acti (Score:4, Insightful)
Petitions only work if a) the petitioners represent a threat to the petitionee's livelyhood, or b) the petition is to force a state government to put something to a vote (e.g. referendum process). ICANN viewa us, the lowly internet users, as riff-raff. They are the lord, we are their serfs. What threat does a petition hold for them? They have absolute power and don't care what we think.
Re:Yeah, only SPAM, sure. (Score:5, Insightful)
* IN NS screw-isc.verisign.com. and use that to deliver their stupid A records. Of course, if they do that, then things are going to degenerate rapidly. Verisign will not back down because there is money involved, the DNS admins will not back down because of the principle of the thing.
Should this happen, then ICANN is going to have to step up to the plate, since they are the body to which Verisign is responsible, and make a decision. So, on one side we will have the Internet DNS community, the IAB and IETF, while on the other we have Verisign exceeding their mandate for a chunk of cash. It should be a no-brainer, but given ICANN's track record I certainly wouldn't put any money on which way they would make the call.
Re:Good for BIND (Score:3, Insightful)
The technical workaround is good, but I think this is one rare case where legal action might be reasonable.
If you don't want deep linking, you're objecting to how various random individuals on the internet interact with your computers. You should restrict that interaction on your own computer and not whine about the rest of the world.
Verisign are not some random external party - they exclusively control chunks of the internet infrastructure. They should be held to a higher standard of behaviour.
Of course, the real technical solution is for everyone to use an alternative root server. Given the economic network effects in the internet, that's very difficult to arrange. (If Verisign's abuse got much worse, it would be just conceivable).
Re:Bug your ISP (Score:2, Insightful)
There is a patch for djbdns, but they're not official so I wouldn't reccomend blindly using them.
What would you call `official patch for djbdns', one released by DJB? Forget it. ;) There are no `official' patches for any djbware.
The ignoreip2-patch [tinydns.org] with ignoreip-update [ely.ath.cx] posted on dns@list.cr.py.to seem to be the Right Way for now.
Re:Yeah, only SPAM, sure. (Score:3, Insightful)
I'm not sure if you intended it that way or not, but you make it sound like this has become a corporate versus long-haired hippy DNS admins battle. I dare say it's much more severe than that. Even my small (by comparison) mail servers are churning like sum'bitches now that they've got all sorts of "hjkvashjklfasdhl.com"-esque domains to send bounce messages to. Imagine the hapless provider with millions of e-mail accounts and, correspondingly, millions of SPAM messages per day. Formerly, forged domains could be easily chucked to the virtual circular file. Now, however, they quite happily resolve to a server that answers to SMTP queries. (Also a black hole, I imagine, but it still has to traverse half the Internet to get there)
DNS/Sys Admins have to spend time troubleshooting this problem and attempting to work around it in several different arenas. This is definately a money versus money issue. It just so happens that we also have principals on our side.
Re:It bears repeating (Score:3, Insightful)
I repeat, this will not fix anything. Verisign controls the
Moderators, please mod this up.
Beginning of an arms race (aka Spam) (Score:3, Insightful)
The BIND patch is very simple and elegant. It relies on the particular technical method that Verisign used to implement their wildcard responses. But we can make some assumptions here.
If Verisign truely believe they have the "right" to do whatever they want to do with the root zone files, they can easily circumvent the patch.
One design that they might try is to take the inbound domain name, hash it, take a modulo of the hash and create a "fake" SOA and NS for that domain name on a unique IP address. With a pool of only several thousand real IP addresses they could create what looks like 100% real zones for everything. They could even send the traffic to one of many different IP addresses. This could be an arms race that never ends.
The only "real" solution is that the root zone files must be "trusted".
If Verisign refuses to change their behaviour then one of several things must happen.
o ICANN / IANA must force them to
o DOC must force them to
o Private lawsuits must force them to
o State AGs must force them to
o Everying must blackhole "ALL" Verisign owned IP addresses and effectively take them off of the net.
Strong language (Score:3, Insightful)
You're welcome.
==========
Re:offtopic? i think not. (Score:3, Insightful)
Well, actually I do see the point in doing just that, but are we prepared to destroy DNS in order to save it?