Verisign's dumbass move and the fix

Place to discuss Fedora and/or Red Hat

Post by Void Main » Thu Sep 18, 2003 10:02 pm

For those that don't know, Verisign is responsible for the .com and .net top-level domains. A couple of days back they added a wildcard record to the root servers so basically all invalid *.net and *.com names point to a Verisign address. For instance, if you make a typo in your browser like http://www.lkjlsdioufasdf.com/ you will get a sitefinder server from Verisign. Do an "nslookup", "dig" or any other DNS lookup in the *.com/*.net domain and everything that used to not resolve now goes to this Verisign address. Well, not only does Verisign have instant access to all sorts of marketing data and advertising revenue, but they have broken many, many things; one that particularly pisses me off is SPAM filtering. I am now getting more spam because I was blocking invalid domains before and now there are no invalid domains in *.com/*.net.

Well, thankfully the author of BIND (the main DNS software) has created a patch so these wildcard records will be ignored. I created a RedHat 9 RPM for BIND 9.2.2 with the patch installed. If you are running your own DNS server and are also annoyed by this you can upgrade your bind with my bind RPMS and add these entries to your /etc/named.conf next to your other zones after upgrading:

Code:

zone "com" { 
     type delegation-only; 
};
zone "net" { 
     type delegation-only; 
};

You can either install/upgrade your bind using apt for RedHat if you have my repository in your sources.list or you can grab them directly from here:

http://voidmain.is-a-geek.net/files/RPMS/

For more information see:
http://isc.org/products/BIND/delegation-only.html
http://www.theregister.co.uk/content/6/32852.html
http://www.theregister.co.uk/content/6/32872.html
http://www.theregister.co.uk/content/6/32873.html
http://www.theregister.co.uk/content/6/32926.html
http://www.theregister.co.uk/content/6/32933.html
http://www.icann.org/announcements/advisory-19sep03.htm
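
Added example, not part of the original post and not BIND's own code: a simplified Python model of the check a resolver applies to a zone declared "type delegation-only", showing why a wildcard answer from the TLD servers becomes NXDOMAIN while a normal referral is still followed. The function names, the response dictionaries, the address 192.0.2.1 and the name-server names are constructed for illustration.

```python
# Simplified model of the delegation-only rule; this is not BIND's resolver code.
# All responses, addresses and name-server names below are constructed samples.

def is_subdomain(name, zone):
    """True if name is strictly below zone (lower-case, no trailing dot)."""
    return name != zone and name.endswith("." + zone)

def apply_delegation_only(zone, qname, response):
    """Return the rcode a resolver enforcing delegation-only on `zone` would use.

    response: {"rcode": str, "answer": [(owner, type, data)], "authority": [...]}
    """
    zone = zone.lower().rstrip(".")
    qname = qname.lower().rstrip(".")
    if qname == zone:
        return response["rcode"]          # the zone apex itself is exempt
    for owner, rtype, _data in response["authority"]:
        owner = owner.lower().rstrip(".")
        # NS (referral) or SOA (answer from a child zone) owned by a name
        # below the zone counts as a delegation, so the response is kept.
        if rtype in ("NS", "SOA") and is_subdomain(owner, zone):
            return response["rcode"]
    # Anything else is data served by the TLD itself: treat as "no such name".
    return "NXDOMAIN"

# Wildcard-style answer: the TLD servers answer an unregistered name directly.
WILDCARD = {
    "rcode": "NOERROR",
    "answer": [("www.lkjlsdioufasdf.com", "A", "192.0.2.1")],
    "authority": [("com", "NS", "ns.tld-servers.example")],
}
# Normal referral for a registered name: NS records owned by the child zone.
REFERRAL = {
    "rcode": "NOERROR",
    "answer": [],
    "authority": [("example.com", "NS", "ns1.example.com")],
}

if __name__ == "__main__":
    for label, qname, resp in (("wildcard", "www.lkjlsdioufasdf.com", WILDCARD),
                               ("referral", "www.example.com", REFERRAL)):
        print(label, "->", apply_delegation_only("com", qname, resp))
```

With the wildcard answer turned back into NXDOMAIN, a mail filter that rejects senders whose domain does not resolve behaves as it did before the wildcard was added.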


Post by TheQuirk » Sat Sep 20, 2003 7:11 pm

I'd like to make a small update: ICANN issued an advisory telling Verisign to stop the practice (for now, at least).

You can read it here.

Verisign followed the advisory, BTW.
