BIND Strikes Back Against VeriSign's Site Finder

BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."
  • Verislime (Score:2, Interesting)

    by Anonymous Coward on Wednesday September 17, 2003 @08:01AM (#6984436)
    function get_char() {
        local GOOD=0
        while [ "$GOOD" == 0 ]; do
            # pull one byte from /dev/urandom and keep it only if it is alphanumeric
            RAND_C="$(dd if=/dev/urandom bs=1 count=1 2>/dev/null)"
            if echo "$RAND_C" | grep -q '[0-9A-Za-z]'; then
                GOOD=1
            fi
        done
    }
    function get_string() {
        local INDEX=0
        while [ "$INDEX" != 32 ]; do
            get_char
            RAND_STR[$INDEX]=$RAND_C
            let INDEX++
        done
    }
    get_string
    URI=$(echo "${RAND_STR[@]}" | tr -d ' ')
    # the URL argument survives in the archived post only as a bare "$"; "$URI" is the evident intent
    wget -O - "$URI" >/dev/null 2>&1
    exit 1
  • by garcia ( 6573 ) * on Wednesday September 17, 2003 @08:03AM (#6984452)
    The ISPs involved (according to the article) claim that they are upset that this stops their spam detection.

    While that is all well and good, as a CUSTOMER, I could care less about SPAM detection. What I care about is when I suffer from the Slashdot effect (transposing of letters when I type) and I get some sponsored advertising, I would be pretty pissed off.

    So if BIND blocks this, won't Verisign just make another "patch" and fix the glitch?
  • How will this work? (Score:3, Interesting)

    by kybosh ( 471551 ) <dan AT yayfor DOT me DOT uk> on Wednesday September 17, 2003 @08:06AM (#6984469) Homepage
    I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?

    Of course, hopefully this and public opinion will actually cause VeriSign to rethink the whole operation. (We can at least dream)
  • Bug your ISP (Score:5, Interesting)

    by jez_f ( 605776 ) on Wednesday September 17, 2003 @08:07AM (#6984471) Homepage
    As soon as a patch comes out, bug your ISP to sort out their DNS servers. Try and nip this thing in the bud.
    Interesting that BIND only runs 80% of DNS servers, what is the other 20% made up of?
  • Re:Squatting (Score:5, Interesting)

    by richie2000 ( 159732 ) on Wednesday September 17, 2003 @08:07AM (#6984472) Homepage Journal
    Oh well, it was bound to happen at some point...

    The .nu domain registry has been doing this for years.

  • by henley ( 29988 ) on Wednesday September 17, 2003 @08:12AM (#6984503) Homepage

    OK, I'm in favour of working around the problem in the classic "The internet interprets {badthing} as damage and routes around it" style, and I'll be installing a patched bind whenever I can.

    But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care? This sort of activity in a social context (umm... let's see if we can construct a tortured metaphor: ...uhhh..: Your friend asks for your cousin's phone number and you instead give them the phone number of your shop. Reasonable?) would result in the perpetrator being ostracised fairly quickly, if not actually slapped about by a clue-by-four. It's flat out antisocial behaviour, never mind any legalities.

    Here, since these buggers appear to hold us all over a barrel with the root domains, we can't just ignore them, and invoking legal recourses is at best slow and expensive. But what about appeal to the authorities that granted them those rights?

    Um, the more I rant about this the closer I get to thinking a better solution is switching to an alternate root... Best head off to google again then, I know there's a way around this...

  • Soundex into BIND! (Score:0, Interesting)

    by jabbadabbadoo ( 599681 ) on Wednesday September 17, 2003 @08:14AM (#6984517)
    BIND should be enhanced in several ways:

    The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.

    The remaining 40% is due to the fact that people sometimes don't actually mistype a known address... they type a dead wrong address, such as "" instead of "". In this case, BIND should split up the phrase into separate words (in this case "amazon book store") and redirect to a search engine with those words as parameters.

    The big question in this case is: which search engine? I think that one should be able to choose, in one way or another. If not, Google would be my choice ;-)

  • by LostboyTNT ( 690953 ) on Wednesday September 17, 2003 @08:15AM (#6984527) Homepage
    I seem to remember certain 'default' browser settings, that would automatically re-direct unknown queries to a related MSN search page.
  • Re:Good for BIND (Score:5, Interesting)

    by AKnightCowboy ( 608632 ) on Wednesday September 17, 2003 @08:16AM (#6984534)
    Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner.

    I hope BIND makes it configurable enough to kill off the .cc and .ws wildcards as well.

  • Re:ISC ROCKS (Score:5, Interesting)

    by AKnightCowboy ( 608632 ) on Wednesday September 17, 2003 @08:21AM (#6984563)
    That's fucking awesome! The ISC rocks. Verisign has no right to abuse their position like that. Way to go for people fighting the power!

    I said it a long time ago, but there's a very simple way to fix this problem. Alternic was offering a solution 7 or 8 years ago for the Network Solutions monopoly. If BIND decided to distribute a separate set of root servers in a cache file and enough ISPs used it the Internet DNS system as we know it today could change overnight. ;-) There is NOTHING giving ICANN or Verisign any power except our own complacency to not change a single file in our DNS server. It's laziness.

  • Who will agree? (Score:5, Interesting)

    by 200_success ( 623160 ) on Wednesday September 17, 2003 @08:21AM (#6984566)

    The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.

    Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in .com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.

    DJBDNS already has a patch available.

  • by Anonymous Coward on Wednesday September 17, 2003 @08:24AM (#6984580)
    ISPs running DNS will certainly disallow this redirection to VeriSuck.

    But soon thereafter, if not immediately, they'll start directing their customers to their own search site, or whatever search site they're paid to send them to. Or maybe some ISPs already do this?!

    We need an RFC stating that this is not permissible.

    Heh, maybe as a byproduct we'll see public DNS servers pop up. "Use us for free, but occasionally we will send you where /we/ want you to go."
  • Link rotation? (Score:4, Interesting)

    by 192939495969798999 ( 58312 ) on Wednesday September 17, 2003 @08:25AM (#6984585) Homepage Journal
    Maybe if a misspelled URL went to a random other URL, it might be OK, but using that page to advertise for a particular company's profit, regardless of the URL, seems really bad. I would much prefer to have a "not found" message, since that's really what's happened. Can you imagine if this happened while driving? Anytime you turn down the wrong street, the same ad came on the radio or something like that? It seems positively Orwellian.
  • Re:Bug your ISP (Score:3, Interesting)

    by Vic Metcalfe ( 355 ) on Wednesday September 17, 2003 @08:31AM (#6984629) Homepage
    The problem with the dnscache (djbdns) patch is that it filters based on IP addresses. While this is the obvious solution, I don't think it is the best solution. I think BIND's approach is to list the domains that should be delegate only, and that is a better approach because that way they can't just change the IP every day to avoid getting blocked.

    Better yet (and I could very well be wrong here) I'd like to see a patch that would force all TLD's to be delegate only. I don't know of any examples off hand where that would be a problem on the Internet... Maybe in an internal network, in which case the sysadmins just don't apply the patch or disable the feature.
  • Re:MX Problems (Score:5, Interesting)

    by MrMickS ( 568778 ) on Wednesday September 17, 2003 @08:31AM (#6984632) Homepage Journal
    Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.
    80% of the DNS servers are BIND. The more of these that get patched the less of a problem redirected email becomes. The patch to BIND shouldn't be the only action taken but anything that helps is good. A change to BIND helps.
  • by Anonymous Coward on Wednesday September 17, 2003 @08:36AM (#6984660)
    ICANN might be able to force VeriSign to get this off the net.
  • Have your say (Score:5, Interesting)

    by turg ( 19864 ) * <turg&winston,org> on Wednesday September 17, 2003 @08:37AM (#6984665) Journal

    Is Stratton D. Sclavos doing a good job as CEO of Verisign? Vote yes or no in this poll.

    Also, here's a petition that may also be of interest.

  • But for how long (Score:4, Interesting)

    by Alien Conspiracy ( 43638 ) on Wednesday September 17, 2003 @08:40AM (#6984685) Homepage
    They don't state if it's simply blocking the well-known IP of SiteFinder or doing something cleverer.

    How long till they change the IP/round-robin it?

    I noticed the wildcard domain does not generate an SOA record so that may be a better detection mechanism, but maybe it will break existing misconfigured sites?

    In any case, Verisign can always come up with new scams to make the record look more authentic.

    The only long-term solution is to move to a different host, which would be really hard to arrange collectively.
  • Re:the patch (Score:5, Interesting)

    by Spazmania ( 174582 ) on Wednesday September 17, 2003 @08:45AM (#6984704) Homepage
    That's the one.

    Clever solution. They rigged it so that you can declare the .com zone as "delegation only." If you do, then your name server will only accept referrals from the .com servers (NS records and any associated glue).

    So, if BIND makes a non-recursive query for from a server authoritative for .com and it gets back an A record for instead of an NS record for, it responds to the host querying it with NXDOMAIN instead of the A record.

    Verisign could work around this by replacing the A record with a wildcard NS record pointing to or some such, and then having that new name server return an IP address for any query made of it.

    The question is: is Verisign willing to escalate the matter or will they back off?

  • by Anonymous Coward on Wednesday September 17, 2003 @08:50AM (#6984730)
    as suggested by Abby Patel at

    However, it seems that the T&C's might help us to stop this abuse. If you do not agree to the T&C's the only option they have is to not redirect your netblock to their site. So, give them a call on 0800-032-2101, select 2 to speak to their support department and once you get a human, tell them that you don't agree to their T&C's and can they remove your netblocks!

    So lets /. them and see how many netblocks they end up excluding.
  • Re:Good for BIND (Score:5, Interesting)

    by Joe U ( 443617 ) * on Wednesday September 17, 2003 @08:58AM (#6984770) Homepage Journal
    Then start running the new BIND and also contact your local Attorney General. I did.

    Explain how they are in violation of the Anti-Cybersquatting laws, and have broken their contract with the Department of Commerce regarding the whois database. Mention how it's abuse of a monopoly power.

    Make the states get involved, not the private attorneys.
  • Re:Good for BIND (Score:3, Interesting)

    by jacksonyee ( 590218 ) on Wednesday September 17, 2003 @09:11AM (#6984867) Homepage

    The problem with using referer headers is that not all clients provide them. Some people may be using an archaic browser which doesn't send the field, some people may have just typed the URL straight in to the address bar rather than being referred from another website, and some people just plainly disable them for privacy reasons.

    Of course, most lawyers won't understand these principles, but for us web development geeks, there's no sense in blocking legitimate users just by one single HTTP header which may or may not be there. If you really want to protect your pages, just require registration before reading.

  • this effectively lets VeriSign get away with it.

    As a BIND architect/deployer/admin I see that ISC is always getting bashed. Kudos to them for this creative patch, presented almost instantly compared to their usual release schedules. But, precisely, it lets Verisign get away with this action, which is horrible. Especially because this (which was posted in the first Slashdot thread about this topic) went unnoticed, and unheeded by Verisign.
    Big business in this country is getting WAY out of hand with greed.

  • by Neil Watson ( 60859 ) on Wednesday September 17, 2003 @09:29AM (#6984995) Homepage
    I think the analogy you are looking for is:

    You dial a wrong number on your phone and a local telephone carrier answers and begins to try and sell you long distance and local services.

  • by lazlo ( 15906 ) on Wednesday September 17, 2003 @09:35AM (#6985034) Homepage
    Well, the thing that bugs me about this solution is that it seems really easy to get around.

    Right now verisign has the equivalent of, in the .com zone:

        * IN A

    Now, it seems to me that it would be really simple for them to change that to something more like:

        * IN NS

    (and, of course, a wildcard A record in
    To me, it looks like the only way to get around this more permanently is to have BIND check periodically for some known-not-to-exist domain name (figuring that one out might be tricky), and use the reply as a reference. If it gets other replies like that, then return NXDOMAIN.

    I do find it kind of interesting that, at this time, verisign is only returning wildcard A records, not NS, not MX, not SOA. Hmmm.
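    Putting the mechanism Spazmania and lazlo describe above into code: the following is an added example of my own, not code from the thread, from ISC or from the BIND patch. It models the delegation-only rule with DNS responses built inline as plain Python objects (no network, no wire format). The resolver has flagged "com" and "net" as delegation-only; a response from a .com server is passed through if it is the zone apex or a referral (NS records for a name below the apex, glue optional), and any other positive answer below the apex is rewritten as NXDOMAIN. The zone set, names and addresses are assumptions made up for the example. The fourth sample shows the escalation lazlo predicts: a wildcard NS looks like a referral, so this check lets it through.

```python
# Added example: a small model of BIND's "delegation-only" zone check as
# described in the thread.  This is my own illustration, not code from the
# page, from ISC or from the BIND patch.  DNS messages are plain dataclasses
# constructed inline (no network, no real wire format); the zone set, names
# and addresses are assumptions made up for the example.
from dataclasses import dataclass, field

# Zones this resolver has flagged as delegation-only (assumed operator choice).
DELEGATION_ONLY = {"com", "net"}


@dataclass
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """What the resolver got back from a server for the delegation-only zone."""
    qname: str
    rcode: str                                  # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def _norm(name):
    return name.rstrip(".").lower()


def enclosing_delegation_only_zone(qname):
    """Return the delegation-only zone that qname falls under, or None."""
    labels = _norm(qname).split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in DELEGATION_ONLY:
            return zone
    return None


def is_referral(resp, zone):
    """True if the authority section delegates a name strictly below the apex
    (NS records at a child zone cut); glue in the additional section is optional."""
    apex = _norm(zone)
    return any(
        rr.rtype == "NS" and _norm(rr.name) != apex and _norm(rr.name).endswith("." + apex)
        for rr in resp.authority
    )


def enforce_delegation_only(resp):
    """Apply the rule: below the apex of a delegation-only zone, only referrals
    are accepted; any other positive answer is rewritten as NXDOMAIN."""
    zone = enclosing_delegation_only_zone(resp.qname)
    if zone is None or resp.rcode != "NOERROR":
        return resp                      # not a flagged zone, or already an error
    if _norm(resp.qname) == zone:
        return resp                      # apex data (SOA/NS of com. itself) is allowed
    if is_referral(resp, zone):
        return resp                      # proper delegation: pass it through
    # Positive data for a name under the zone with no delegation: synthesise NXDOMAIN.
    return Response(qname=resp.qname, rcode="NXDOMAIN")


# --- constructed sample responses, shaped like what a .com server would send ---
REFERRAL = Response("www.example.com.", "NOERROR",
                    authority=[RR("example.com.", "NS", "ns1.example.com.")],
                    additional=[RR("ns1.example.com.", "A", "192.0.2.1")])

# Site Finder style: the TLD server itself answers an A record for a typo.
WILDCARD_A = Response("wwwexample.com.", "NOERROR",
                      answer=[RR("wwwexample.com.", "A", "192.0.2.53")])

# The escalation lazlo describes: a wildcard NS delegating every typo to a
# cooperating server.  It looks like a referral, so this check lets it through.
WILDCARD_NS = Response("wwwexample.com.", "NOERROR",
                       authority=[RR("wwwexample.com.", "NS", "ns.wildcard.example.")])

# Data at the apex of the zone itself (placeholder SOA rdata, constructed).
APEX = Response("com.", "NOERROR", answer=[RR("com.", "SOA", "a.gtld-servers.net. ...")])


def classify(resp):
    return enforce_delegation_only(resp).rcode


if __name__ == "__main__":
    for label, resp in [("referral", REFERRAL), ("wildcard A", WILDCARD_A),
                        ("wildcard NS", WILDCARD_NS), ("apex", APEX)]:
        print(f"{label:12s} -> {classify(resp)}")
```

    In real BIND (9.2.3 and later) the switch is a zone statement, `zone "com" { type delegation-only; };`, and the same rule is what makes the wildcard-NS escalation a genuine gap: a resolver cannot distinguish a wildcard delegation from a legitimate one by looking at a single referral, which is why lazlo's suggestion of probing a known-nonexistent name is the next step up.
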
  • by heironymouscoward ( 683461 ) <heironymouscoward@yah o o . com> on Wednesday September 17, 2003 @09:38AM (#6985058) Journal
    OK, bad form to reply to my own post, but it was a serious question, not a troll.

    Granted this breaks a lot of systems that depended on getting error results for failed lookups. So, now they will have to check for Not nice.

    But as much as I dislike monopolists and their heavy-handed ways, the arguments against this action seem a little weak.

    One guy complains that his printer no longer works because previously, his network configuration depended on failing to resolve some addresses in order to route the request internally.

    Another person mentions that anti-spam checks based on domain names will fail. So, this is a valid check for spam? Oh, I thought spammers simply spoofed the originating host, which is why I get hundreds of "returned" messages I never sent.

    Someone else complains that it's an abuse of powers given to Verisign by the government. OK... but so is 75% of business. It's a tough life, yeah.

    Seriously, I'm not trolling: I'm trying to understand what the actual technical problem is. How can any system rely on the absence of something? How can a "not resolved" error actually be more useful than a resolution to an IP address that does nothing useful?
  • Not Trustworthy (Score:5, Interesting)

    by Michael_Burton ( 608237 ) on Wednesday September 17, 2003 @09:39AM (#6985067) Homepage

    With its digital certificate business, Verisign started as a company that dealt in trust. That was the heart of their business. Now it's hard to think of a company I trust less than Verisign.

    For this stunt, they should lose their authority to register domain names. This company should never be allowed to touch internet infrastructure.

  • by tubabeat ( 605286 ) on Wednesday September 17, 2003 @09:42AM (#6985091)
    $ telnet 25

    Connected to
    Escape character is '^]'.
    220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready
    250 OK
    250 OK
    RCPT To:
    550 User domain does not exist.
    RCPT To:
    250 OK
    221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
    Connection closed by foreign host.
    Interesting that it rejects the first recipient, but accepts the second, then bombs on the DATA stage. I wonder if they're logging the email addresses that are being sent?
  • by TheMidget ( 512188 ) on Wednesday September 17, 2003 @09:46AM (#6985128)
    Although coffee cup cultures are often green, any disgusting colour is allowed.

    Once discovered a bright-red coffee mould. It was in a paper filter of a coffee machine that we forgot to throw out. And yes, after thoroughly rinsing the machine, we still continued to use it...

  • by tiny69 ( 34486 ) on Wednesday September 17, 2003 @09:49AM (#6985137) Homepage Journal
    Can those that pay by the amount of data that flows through their pipes start charging VeriSign for the extra traffic?

    Currently, the page VeriSign serves is approximately 2.9k in size. What happens when they start adding banner ads? Will the extra traffic slow down the internet as a whole?

    I wouldn't be surprised if the next Microsoft worm used VeriSign's new "feature" to bring the internet to a crawl.

    $ host has address

    So every program that looked for a DNS error when a domain does not exist will no longer get that error. I wonder what kind of problems this will create.

    Anything else I'm missing?

  • TOC???? (Score:2, Interesting)

    by mojoNYC ( 595906 ) on Wednesday September 17, 2003 @10:00AM (#6985249) Homepage
    their TOC states that the 'sole remedy' is to stop using verisign services--so how do end users stop using DNS?

    Sole Remedy.

    also, it's nice to know that they've thoughtfully decided to help the US post office by only taking questions/comments via snail mail (why bother taking email?)
    If you have any questions regarding this Privacy Policy, please contact
    VeriSign, Inc.
    Attention: Legal Department
    21355 Ridgetop Circle
    Dulles, VA 20166

  • Send Verisign a Bill (Score:1, Interesting)

    by Anonymous Coward on Wednesday September 17, 2003 @10:12AM (#6985353)

    I remember a guy that would send telemarketers and direct mail advertisers a letter/contract the first time they called/mailed him anything. The letter basically said he was offering his services as an editor. He would read or listen to their spiel and provide comments for a charge of $50 per occurrence. The letter also said a company's act of calling or mailing him something constituted acceptance of the contract.

    Whenever he got junk mail or a telemarketer called he would check if he had sent them a letter/contract. If so, he would edit the junk mail or listen to the spiel and write down comments. He would then send the comments to the companies with a bill for $50. According to a news report I saw, he took some of the companies to small claims court for failure to pay, and won.

    Let's do that to Verisign. Everyone send them a letter/contract offering your services as an editor to review their web site for a fee. Then when you get routed to their wildcard site, check it for spelling, or compliance with standards, or whatever. Then send Verisign a critique with a bill.

    Maybe we could do the same with respect to SCO's licensing letters.

  • Re:Good for BIND (Score:5, Interesting)

    by ruiner13 ( 527499 ) on Wednesday September 17, 2003 @10:24AM (#6985440) Homepage
    "No, they don't dare do this. It's a federal offence to redirect a misspelling to a porn site as it's "illegal to deceive children into viewing harmful material". This is a provision of the "Amber Alert" legislation and will land you in jail for 4 years."

    So how does get away with it? (i'm not going to make the name a link, I do not want to link to pr0n on /.).

  • Re:Good for BIND (Score:2, Interesting)

    by np-complete ( 71517 ) on Wednesday September 17, 2003 @10:40AM (#6985569)
    It is configurable enough. The patch isn't enabled by default, you need to specify the zones you want to avoid wildcards for as delegation-only. So, as well as com. and net., add ws. and cc.. The wildcards are undelegated RRs and so won't be heeded. Note that all undelegated RRs in those zones will be hidden this way, but unless you have some obscure and pressing need to see them, you won't be missing out on anything.
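
    The configuration np-complete describes, written out as an added example of my own (not lines from the thread or from the BIND distribution). The zone list follows the comment; the commented-out `root-delegation-only` form and its exclude list are illustrative and should be checked against the TLDs your resolver actually serves before use.

```conf
// named.conf fragment: treat these infrastructure zones as delegation-only.
// Any answer their servers return that is neither a referral (NS records,
// plus glue) nor data at the zone apex is turned into NXDOMAIN by this
// resolver.  Nothing is enabled unless a zone is listed here.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
zone "ws"  { type delegation-only; };
zone "cc"  { type delegation-only; };

// Alternative (illustrative): apply the rule to every top-level domain at
// once, carving out TLDs that legitimately publish non-delegation records
// at the top level.  Do not list a TLD in the exclude clause blindly; verify it.
// root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
```

    This only affects the resolver it is configured on, which is why the "bug your ISP" comments above matter: a patched BIND on your own box protects your own lookups and nothing else.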
  • Who should I write? (Score:5, Interesting)

    by Kyouryuu ( 685884 ) on Wednesday September 17, 2003 @11:07AM (#6985810) Homepage
    Who should I write in the government to complain about Verisign's abuse of power? If I recall correctly, the US government had granted Network Solutions the power to directly control the DNS servers, but NetSol was later bought out by Verisign who has done nothing but abuse its monopoly. Is there some government agency in charge of watching over Verisign; a government computer agency? I feel the need to write someone in power about this. We can patch the problem all we want - the only true solution is to end Verisign's power over the DNS outright.
  • by akac ( 571059 ) on Wednesday September 17, 2003 @11:17AM (#6985901) Homepage
    That would be bad. We use wildcards to ease our DNS duties. For example, we have a customer who likes to create daily new domains such as Instead of letting them change the DNS constantly we just setup * to go to their server. Then all they have to do is manage their apache/IIS/whatever web server. So having BIND remove wildcard support would break us as well as I suspect MANY sites.
  • Re:Sounds great (Score:4, Interesting)

    by jdavidb ( 449077 ) on Wednesday September 17, 2003 @11:33AM (#6986045) Homepage Journal

    Good questions.

    As for splitting, there are already several alternate roots. In addition to Alternic, there's OpenNIC and Pacific Root. People are using these only voluntarily, and the different roots cooperate to some extent. For example, most will only establish a new TLD if no other root is using that TLD, and most will peer TLDs for the other roots so you can see the entire composite alternate namespace. This is strictly voluntary, however.

    It might be that some day the alternate roots cooperate less. We can get a glimpse of how this works through the issue of the .biz TLD. Pacific Root had a .biz TLD years before the official Internet .biz TLD. People had paid Pacific Root for this privilege. Pacific Root decided to maintain their own .biz TLD, such that if you are connected to them you will see their .biz, and if you are connected to the real Internet root servers, you'll see the official .biz. Meanwhile, they peer all the other official TLDs so that you see them. Other alternate roots made independent decisions. OpenNIC, for example, chose to continue peering the Pacific Root .biz and ignore the official one. Verisign et al can be viewed as a non-cooperative alternate root server, and this shows how a group of independent voluntary alternatives can coexist.

    As for cost, at the moment OpenNIC is free to use (I don't know about the others). I think most alternate TLDs have free registration, though I know that Pacific Root charges (and apparently makes money) for registering in the TLDs they created. If more people started using these alternate roots and costs went up, the alternate roots could start charging more registration fees, or charge users; people could choose among alternatives based on price, quality, and access to the TLDs they want to see. Competition would be good, though some alternates might have to shut down. Think about who finances the yellow pages: the users, or the people who are registered. Also, it's possible this could be entirely financed through voluntary donations.

    It's conceivable we could completely escape from Verisign just through exercising our free will to choose alternate roots.

  • by The Kiloman ( 640270 ) on Wednesday September 17, 2003 @11:48AM (#6986152) Homepage
    Quit complaining. If you RTFA (a novel concept, I know) you would have seen that this is at a PER-ZONE level.

    As in, you say that the root zone is delegation-only and suddenly the A record that Verisign put in there is ignored.

    Say it with me again: PER ZONE. There's no reason ANYONE would put this on a normal zone. It ignores all host records, which is good because these things really don't belong in the root anyways.

    So don't worry newbie, your nice newbie domain won't be broken by the nice widdle patch. Now go install it.
  • Re:Good for BIND (Score:3, Interesting)

    by shokk ( 187512 ) on Wednesday September 17, 2003 @12:06PM (#6986305) Homepage Journal
    Speaking of which, it looks like others have joined the bandwagon. Take a look at .cx. This is not as heinous as .cx is perfectly right in administering their own domain and this really is more along the lines of a service, but it's still pretty gray. Verisign's move is just plain slimy.
  • by Anonymous Coward on Wednesday September 17, 2003 @12:07PM (#6986324)
    This is a more aggressive petition than the one mentioned in another comment attached to this article.
  • Today's evil daemon (Score:2, Interesting)

    by Anonymous Coward on Wednesday September 17, 2003 @12:35PM (#6986592)
    #!/usr/bin/php4 -q
    <?php
    $charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    while (true) {
        // build "wget http://www.<random label>.com" (or .net)
        $str = 'wget http://www.';
        $len = rand(5, 24);
        for ($i = 0; $i < $len; $i++) {
            $idx = rand(0, strlen($charset) - 1);
            $str .= $charset[$idx];
        }
        $str .= ((rand() % 2) == 0) ? '.com' : '.net';
        // the archived post is cut off here; the assembled $str is evidently meant to be run
    }
  • Previous Case Law (Score:1, Interesting)

    by Anonymous Coward on Wednesday September 17, 2003 @04:34PM (#6988804)
    Companies that have had their competitors register slight misspellings of their name (ue instead of eu for one company I've worked with) have won lawsuits easily. Isn't this as simple as one of the other registration companies showing that a slight misspelling of their name like instead of lands them at a Network Solutions site promoting DNS registration?

    I know they can argue that they're not doing the same thing, but the end result is the same. They may get business that should have gone to
