PerlMonks

Re: Verisign Hijack - Patches may be available

by Limbic~Region (Chancellor)
on Sep 30, 2003 at 06:03 UTC ( #295188=note )


in reply to Verisign Hijack all possible .com .net domains and destroy Email::Valid, Net::DNS, gethostbyname() etc

tachyon,
I thought I had seen this article posted here at the Monastery, but I could be wrong. It is an interview between O'Reilly Networks and Paul Vixie. chromatic is listed as the author. Currently there is something you might be able to do. Pressure your DNS provider to apply a patch and enable a feature if possible.

Cheers - L~R


Re: Re: Verisign Hijack - Patches may be available
by Anonymous Monk on Sep 30, 2003 at 07:24 UTC
    Pressure your DNS provider to apply a patch and enable a feature if possible.

    That's a start, but it definitely isn't a solution. Verisign does not own the .com and .net domains. Verisign needs to be reminded of its responsibilities and how easily they could be taken away. They should also have realized the plethora of legal problems this will create for them (think trademarks among others).

    Common sense would dictate that Verisign will remember (or be forcefully reminded of) its responsibilities and put this silly action behind them. Unfortunately common sense is in short supply these days.

    If you're truly interested in preventing these types of abuses in the future (and fixing this situation) I'd suggest getting involved immediately. Write your representatives (standard rules apply: be nice, coherent, and know what you're talking about) and take further steps as necessary.

      If you're truly interested in preventing these types of abuses in the future (and fixing this situation) I'd suggest getting involved immediately. Write your representatives (standard rules apply: be nice, coherent, and know what you're talking about) and take further steps as necessary.
      For the people who don't live in the States, do as I did, and sign the online petition.
      "Stop Verisign DNS Abuse"
      http://www.whois.sc/verisign-dns/
Re: Re: Verisign Hijack - Patches may be available
by tachyon (Chancellor) on Sep 30, 2003 at 07:33 UTC

    Thanks for the link. For anyone who is patching their BIND servers details are here. You add this to named.conf (if what is shown on the patch page seems a little oblique :-)

    zone "com" { type delegation-only; };
    zone "net" { type delegation-only; };

    Happiness, all is back to normal :-)

    [root@devel3 root]# dig @localhost verisign-are-pirates.com

    ; <<>> DiG 9.2.3rc4 <<>> @localhost verisign-are-pirates.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12600
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;verisign-are-pirates.com.      IN      A

    ;; Query time: 116 msec
    ;; SERVER: 127.0.0.1#53(localhost)
    ;; WHEN: Tue Sep 30 07:26:26 2003
    ;; MSG SIZE  rcvd: 42

    [root@devel3 root]#

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      (if what is shown on the patch page seems a little oblique :-)

      The way this works is actually pretty simple. The DNS servers for .com and .net should only send you NS records. NS records are like pointers to other DNS servers. This patch rejects everything except NS records when they come from the VeriSign servers. Now when they send you an A record (which has the IP address inside it), it will ignore it and the patch will instead give you the "does not exist" response.

      This is a good way to work around the problem, because it will still work correctly even if VeriSign changes the IP address that they use.

      The Acme::DNS::Correct module does not work this way. It merely looks for the hardcoded IP address in the response and filters it out. It will not work if the IP address is ever changed. Well, it's only an Acme module, after all.

        Sadly it would be a trivial hack at Verisign to return NS records to their own NS servers at which point you simply could not tell if they were faking it. They have said they won't. I trust them ;-)

        cheers

        tachyon

        s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
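The delegation-only rule explained above, beside the hardcoded-IP filtering it is contrasted with, as an added example that is not code from this thread or from BIND or Acme::DNS::Correct. The Response class, WILDCARD_IP and the sample names are constructed stand-ins, and only the answer-section check is modelled (no real DNS traffic or wire-format parsing).

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """Toy DNS response: rcode plus answer/authority sections of (name, type, rdata) tuples."""
    qname: str
    rcode: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

# Constructed placeholder (RFC 5737 documentation range); the thread does
# not quote the real wildcard address, so this stands in for "the hardcoded IP".
WILDCARD_IP = "192.0.2.1"

def delegation_only(resp: Response) -> Response:
    """Simplified BIND 'type delegation-only' rule: a TLD server may only
    hand back referrals, i.e. NS records (plus glue).  Any other record in
    the answer section is data the TLD synthesised for a name it should
    merely delegate, so the whole response becomes NXDOMAIN."""
    if any(rtype != "NS" for _, rtype, _ in resp.answer):
        return Response(resp.qname, "NXDOMAIN")
    return resp

def hardcoded_ip_filter(resp: Response, bad_ip: str = WILDCARD_IP) -> Response:
    """The Acme::DNS::Correct approach as the thread describes it: strip
    only A records that point at one known address."""
    kept = [rr for rr in resp.answer if not (rr[1] == "A" and rr[2] == bad_ip)]
    if resp.answer and not kept:
        return Response(resp.qname, "NXDOMAIN")
    return Response(resp.qname, resp.rcode, kept, resp.authority)

def compare(resp: Response) -> tuple:
    """(rcode after delegation-only, rcode after hardcoded-IP filter)."""
    return delegation_only(resp).rcode, hardcoded_ip_filter(resp).rcode

# Constructed sample responses "from the .com servers".
REFERRAL = Response("example.com.", "NOERROR",
                    authority=[("example.com.", "NS", "ns1.example.net.")])
WILDCARD = Response("nosuchname-xyz.com.", "NOERROR",
                    answer=[("nosuchname-xyz.com.", "A", WILDCARD_IP)])
MOVED = Response("nosuchname-xyz.com.", "NOERROR",
                 answer=[("nosuchname-xyz.com.", "A", "198.51.100.7")])

if __name__ == "__main__":
    for label, r in (("real referral", REFERRAL), ("wildcard answer", WILDCARD),
                     ("wildcard, IP changed", MOVED)):
        d, h = compare(r)
        print(f"{label:22} delegation-only: {d:9} ip-filter: {h}")
```

The third case is the point made about Acme::DNS::Correct: once the synthesised address moves, only the delegation-only rule still turns the answer into NXDOMAIN.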
