Resolving Everything: VeriSign Adds Wildcards 1291
"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.
VeriSign has published white papers about their implementation and also made some recommendations."
Re:wonder of wonders (Score:5, Informative)
Agreement by typo. (Score:5, Informative)
By making a typo, you supposedly agree that if their site overflows a buffer in your browser and wipes your HD, they are not liable.
Okay, terrible example for many reasons, but I still think it's pretty laughable that they claim that the "user" agrees to certain terms of service by "utilizing" this little piece of indirection.
-Lux
Re:Verisign just DDOSed itself (Score:3, Informative)
Re:This is a bitch (Score:5, Informative)
Those spam-catching tools work by doing a reverse-dns lookup of the IP address that is trying to send the mail. This is different than doing a "forward"-dns lookup.
Not so.
A common spam filtering method is to check the envelope sender to see if the domain exists. Any mail that is sent with a faked envelope sender to which bounces can't be sent is spam.
That means querying for either an MX record or A record for that domain, and bouncing all the spam that doesn't have either. Now, thanks to verisign, all spam sent with forged envelope senders in .com or .net wil go straight through this spam filter, increasing the amount of spam in many peoples mailboxes.
Yes, in theory you could look for the magic A record returned, but to do so is something of an operational nightmare, and impossible to do with most current MTAs.
Re:Which domains? (Score:3, Informative)
30% chance of failure (Score:5, Informative)
[~] edwin@k7>dnstracer -s . -o blaat.burps.ploeps.thisdomaindoesnotexistabcdef.c
Tracing to blaat.burps.ploeps.thisdomaindoesnotexistabcdef.c
A.ROOT-SERVERS.NET [.] (198.41.0.4)
|\___ M.GTLD-SERVERS.NET [com] (192.55.83.30)
|\___ E.GTLD-SERVERS.NET [com] (192.12.94.30)
|\___ K.GTLD-SERVERS.NET [com] (192.52.178.30)
|\___ J.GTLD-SERVERS.NET [com] (192.48.79.30)
|\___ F.GTLD-SERVERS.NET [com] (192.35.51.30)
|\___ L.GTLD-SERVERS.NET [com] (192.41.162.30)
|\___ D.GTLD-SERVERS.NET [com] (192.31.80.30) Got authoritative answer
|\___ B.GTLD-SERVERS.NET [com] (192.33.14.30) Got authoritative answer
|\___ I.GTLD-SERVERS.NET [com] (192.43.172.30)
|\___ C.GTLD-SERVERS.NET [com] (192.26.92.30) Got authoritative answer
|\___ H.GTLD-SERVERS.NET [com] (192.54.112.30)
|\___ G.GTLD-SERVERS.NET [com] (192.42.93.30)
\___ A.GTLD-SERVERS.NET [com] (192.5.6.30) Got authoritative answer
Personal opinion: stupid idiots who wrongly mix political goals with technical capabilities. Just because we can doesn't mean we should.
Re:wonder of wonders (Score:5, Informative)
Stewey
Send your queries to the GTLD servers direct (Score:5, Informative)
To see the real thing in action, query an authoritative nameserver directly. For example:
$ host www.bogusdomainname.com
Host www.bogusdomainname.com not found: 3(NXDOMAIN)
$ host www.bogusdomainname.com a.gtld-servers.net
Using domain server:
Name: a.gtld-servers.net
Address: 192.5.6.30#53
Aliases:
www.bogusdomainname.com has address 64.94.110.11
$
The first query uses the default resolver on my system, which is a local named which in turn forwards to my ISP's resolvers, which do who knows what. The second query says to ask a.gtld-servers.net, which causes the host utility to send the query directly to one of the authoritative nameservers for the GTLDs (Global Top Level Domains, as opposed to country-specific domains like
They at least gave us warning (Score:5, Informative)
Re:Which domains? (Score:4, Informative)
Presumably VeriSign will copy the wildcard to the other servers at some point. I wouldn't be surprised if they're ramping up slowly, monitoring the load as they expand the wildcard coverage.
Re:Which domains? (Score:3, Informative)
Oh common, the workaround is so obvious... (Score:5, Informative)
This a stupid stupid stupid move by them, Akin to shooting themselves in the foot with a 45 caliber pistol; it's going to anger a lot of people in the IT industry.
Make sure you let Scott and Matt know .... (Score:5, Informative)
And while you are at it, you may consider a friendly note for W.G. Champion Mitchell (wmitchell@verisign.com) [mailto], President, NetSol and Stratton Sclavos (ssclavos@verisign.com) [mailto], Chairman and CEO, VeriSign.
mail will still return 550 errors... (Score:2, Informative)
different protocols will be treated differently
Complain to ICANN *NOW* (Score:5, Informative)
comments@icann.org
MSN search hasn't changed. (Score:4, Informative)
'slashhhdot' - would bring up MSN's search.
'www.slashhhdot.com' - would bring a 404 (or now, Verisign's site-finder)
After this change by Verisign, MSN's search operates 100% the same. At least, on my IE6 SP1 with no customizations.
Re:I can't confirm this is true.... (Score:3, Informative)
Today VeriSign is adding a wildcard A record to the
zones. The wildcard record in the
10:45AM EDT to 13:30PM EDT. The wildcard record in the
being added now. We have prepared a white paper describing VeriSign's
wildcard implementation, which is available here:
http://www.verisign.com/resources/gd/sitefinder
By way of background, over the course of last year, VeriSign has been
engaged in various aspects of web navigation work and study. These
activities were prompted by analysis of the IAB's recommendations
regarding IDN navigation and discussions within the Council of
European National Top-Level Domain Registries (CENTR) prompted by DNS
wildcard testing in the
that some registries have already implemented wildcards and that
others may in the future, we believe that it would be helpful to have
a set of guidelines for registries and would like to make them
publicly available for that purpose. Accordingly, we drafted a white
paper describing guidelines for the use of DNS wildcards in top-level
domain zones. This document, which may be of interest to the NANOG
community, is available here:
http://www.verisign.com/resources/gd/sitefinder
Matt
--
Matt Larson
VeriSign Naming and Directory Services
Re:Verisign would look nice in gasoline and flame (Score:2, Informative)
It looks like they added only an "A" record -- records which denote web addresses, not mail "MX" addresses, thus they will not be receiving bounced e-mail.
Yet.
Re:This is a bitch (Score:1, Informative)
Illegal? (Score:2, Informative)
Changed Already? (Score:2, Informative)
Re:I think Verisign now owes... (Score:5, Informative)
Network Solutions "bought" InterNIC way back when. VeriSign bought Network Solutions. Now Network Solutions sells domains as a registrar, and VeriSign (VeriSign Naming and Directory Services, specifically) is the registry. Every registrar, including Network Solutions, pays VNDS $6 per year per domain. VNDS doesn't pay anyone anything.
It's VNDS that is doing the wildcard entry.
-Todd
They've been waiting for a critical mass (Score:3, Informative)
Other articles about this (Score:3, Informative)
Inventor Says Search Service Won't Break DNS [cbronline.com]
VeriSign Looks At Earning Money on Domain Typos [slashdot.org]
VeriSign Mulls Way to Make Money from Typos [cbronline.com]
Re:Strike Back with Poor Typing (Score:5, Informative)
Wrong. Their SMTP server rejects all DATA commands with a 550:
$ nc 64.94.110.11 25
220 snubby1-wceast Snubby Mail Rejector Daemon v1.3 ready
MAIL FROM: <>
250 OK
RCPT TO: <anyone@example.com>
250 OK
DATA
550 User domain does not exist.
Re:patches? (Score:3, Informative)
Someone's already asked [google.com] WRT BIND. I would be more interested in a fix for djbdns [cr.yp.to], though.
Re:Verisign would look nice in gasoline and flame (Score:5, Informative)
Already discussed on the ICANN/GNSO mailing list (Score:5, Informative)
Re: Re:Verisign would look nice in gasoline and (Score:1, Informative)
Site Finder Developer's Guide available... (Score:4, Informative)
Available here [verisign.com]
How nice of them to let us know...
Re:Changed Already? (Score:1, Informative)
glad I moved all my domains off NSI a long time ago.
Re:Contact ICANN comments@icann.org (Score:2, Informative)
No direct contact addresses, but hostmaster@domain for these is a good start, but a list of CIOs (ot the equiv) for these orgs would be more apppropriate...
http://www.icann.org/committees/
The root nameservers are operated by all these different entities for the precise reason of preventing this sort of shennanigans. John Postel saw this coming.
Re:Mail trap (Score:3, Informative)
Shouldn't that be a 5xx condition returned, to cause the MTA to bounce the message immediately rather than keep trying (as is the case for 2xx and 4xx conditions)?
[alex@penguin alex]$ telnet 098237498273649287364.com 25
Trying 64.94.110.11...
Connected to 098237498273649287364.com.
Escape character is '^]'.
220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready
HELO
250 OK
MAIL FROM:234@29387239487234.com
250 OK
RCPT TO:234@587235987234.com
550 User domain does not exist.
RCPT TO:234@587235987234.com
250 OK
DATA
221 snubby4-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
Re:wonder of wonders (Score:2, Informative)
Re:network operators are pissed at this (Score:3, Informative)
Now, any good ISP wiz will be doing what my folks are doing right now and rewriting their SMTP servers to handle this address as a special case, and to watch for address changes. But even if you do that for your mail servers, if you run a network, you have to worry about all those people with their own mail servers on your backbone, and their little admins probably aren't rewriting Exchange...
Here is a form letter for everybody: (Score:5, Informative)
To whom it may concern,
Verisign is commiting a major injustice that cannot be allowed to continue. It is important ICANN consider what is best for the internet community as a whole and take proper action. Proper action would be to immediately stop this monopolistic behavior from Verisign.
Please read below for more information taken from Slashdot.org:
As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all
The internet belongs to everyone. It is not something that can be bought and sold by any one entity. Please put a stop to this behavior.
Thank you.
---insert name here---
---insert city and state of residence here---
The damage is already beginning (Score:5, Informative)
A few hours ago I was trying to troubleshoot a lame delegation to another zone. It seemed to be working which puzzled me to no end. It turns out the lame DNS server was returning 64.94.110.11.
Lame delegation is a very common phenomenon and (in the case of a typo) can often be diagnosed with NXDOMAIN being returned for the glue RR record. Never returning NXDOMAIN means that many types of lame delegation will no longer be caught.
One of my peer zones had a typo'ed MX record. Before VeriSign's sabotage (yes, sabotage) the lookup of the corresponding address record would simply fail with NXDOMAIN. The source MTA would then try to deliver to the secondary MTAs on the list of MX records in order of priority. Mail delivery would proceed normally using the secondary MTA(s).
However to my complete and utter astonishment, 64.94.110.11 has a working MTA listening on port 25 (why???). This means that any MX records with typos in the primary record will have all their e-mail redirected to VeriSign's MTA. Mail that would normally automatically be re-routed to the secondary MTA instead now gets bounced by Verisign's ''Snubby Mail Rejector Daemon v1.3''. Not returning NXDOMAIN will break mail delivery to secondary MTAs.
And what about spam filters? It will break any spam filter that tries to verify that the source MTA hostname claimed in the HELO request is resolvable (i.e. that the claimed HELO name is not fictious).
I could probably list another half dozen problems if I thought about it. I can't believe the arrogance (read: stupidity) of this act.
I can't wait to see reaction reaction from the backbone cabal on NANOG.
Waste of time (Score:5, Informative)
How do you fix this problem? DON'T USE THE ICANN ROOT SERVERS. Easy as that.
Plug: OpenNIC (for ICANN users) [unrated.net] and OpenNIC (for OpenNIC (and its peers) users) [opennic.glue]
Re:Complain to Verisign as well (Score:2, Informative)
Domain Names & Related Services
U.S. & Canada: 888-642-9675
Also check their contact info [verisign.com]
I'm not sure if they care about complaints about this but they might care about the other effects of the quantity of complaints.
Re:Already taken down?? (Score:5, Informative)
If you have a Linux box, you can see this with:
host verisigniscrooked.com a.gtld-servers.net
host verisigniscrooked.com i.gtld-servers.net
I think we should all call tech support on their 800 number and complain.
U.S. and Canada: 888-642-9675
Worldwide: 1-703-742-0914
Lets see if we can get their hold queue time to several hours. Perhaps even ask to speak to a supervisor. Be sure to get names of everyone you talk to. Ask for names and phone number of the corporate officers. Compare them to SCO (ok, a bit off topic but I couldn't resist).
BIND Blocking Configuration (Score:5, Informative)
Not every root nameserver is serving the A record (Score:5, Informative)
I am removing those broken nameservers from my root zone hints at all of the places that I administer. Hopefully enough root servers will remain clean of this aborration to keep up a good level of service.
I encourage others everywhere to do the same and ask their ISPs follow suit. If you don't play fairly with the public trust, the public should stop trusting you.
If Verisign can hijack *.COM and *.NET, what is to keep resolving ISPs from hijacking unused domains at the resolver level to suit their own purposes?
Where was the RFC on this practice? It would never have passed peer review.
--
Eric Ziegast
Former TLD administrator.
Former hostmaster at a major ISP.
PLEASE DO NOT CLICK ON ANY SEARCH ENGINE RESULTS (Score:5, Informative)
Took a look at their setup, and from what I can see, they have partnered with Overture to get their search results. Overture is a pay per click search engine, meaning advertisers bid to get to the top of the search results - anywhere from $0.10 to $50. Most arrangements involve Overture getting half of the the bid, and VeriSign getting the other half.
What this means is that they are making money (probably hundreds of thousands if not millions daily) from most of the searches you make.
Topics which attract high bids (up to $50 per click, it is shocking) include online casinos, dedicated servers, refinancing, and a few others.
I implore you all:
If you want this to stop, please do not click on any of the search results from this 'search engine'. Doing so will contribute to the profit VeriSign will make from this. If you really really want to click on one of the listings plase go to www.overture.com and get it directly from them.
Other things we can do include:
1) Putting them on the spam RBLs for spamming the entire internet. This will have the effect of blackholing them from some parts of the internet that drop packets based on those RBLs right at the router level.
2) Encourage your vendors to modify their DNS server packages to change results for that IP to NXDOMAIN.
3) Encourage your admins to run such modified DNS servers.
Re:Waste of time (Score:3, Informative)
Definitely, I'm setting up a local DNS at home and have it talk to the OpenNIC root until Speakeasy gets an OpenNIC box up and running.
In the meantime, 64.94.110.11 is blocked on my NAT - it takes a hell of a long time to time out, but it does the trick for now.
It's in the ccTLDs too, sadly (Score:3, Informative)
On a global scale, it's not so recent, and it's not just Verisign. A bunch of the ccTLDs have been indulging in this unpleasant behaviour for a while: .ac [woijgworgwri.ac], .cc [woijgworgwri.cc], .cx [woijgworgwri.cx], .mp [woijgworgwri.mp], .nu [woijgworgwri.nu], .ph [woijgworgwri.ph], .pw [woijgworgwri.pw], .sh [woijgworgwri.sh], .td [woijgworgwri.td], .tk [woijgworgwri.tk], .tm [woijgworgwri.tm], and .ws [woijgworgwri.ws] (of course, some of those are run by the same registrar as one another). I was shocked when I first saw this, but I never thought the rot would spread into .com and .net. :/
Re:Renegade DNS (Score:3, Informative)
OpenNIC does exactly that.
OpenNIC [unrated.net]
Verisign has continued to be the #1 DNS provider (monopoly root control over the internet, supposedly) through intertia.
Not that I don't hate the bastards, given their effective monopoly.
My only point is that very little has to change to eliminate them.
Rejector isn't even parsing (Score:5, Informative)
telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to 64.94.110.11.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
250 OK
250 OK
550 User domain does not exist.
250 OK
221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.
That's right. It doesn't parse the input at all (I just hit Enter a bunch of times). If you have multiple RCPT lines, or have an extra command in there anywhere, you will get an OK in the wrong place and it will look like you have succeeded.
Adam
they're only running smtp and http (Score:4, Informative)
The server is only running smtp and http, and theoretically it could be running services on the tens of thousands of other ports you didn't scan, but it almost certainly isn't.
Those filtered ports are why the nmap scan took 24.611 seconds; system without filtered ports will go faster then that under normal circumstances.
Patch to djbdns (Score:3, Informative)
http://tinydns.org/djbdns-1.05-ignoreip.patch
Re:Which domains? (Score:3, Informative)
-russ
NANOG threads on this topic (Score:5, Informative)
An exploit (Score:2, Informative)
Re:wonder of wonders (Score:4, Informative)
First, Verisign put an exclude: / in their robots.txt.
Second, do you really think Google doesn't know how to handle wildcards by now? Think about it for a second. Even Slashdot has a wildcard - anything dot slashdot.org goes to the homepage. Does Google index Slashdot an infinite amount of times? Of course not. Why should it be different for anything dot com?
Physical Location of Verisign Offices (Score:5, Informative)
VeriSign Worldwide Headquarters
487 East Middlefield Road
Mountain View, CA 94043
Phone: 650-961-7500
FAX: 650-961-7300
Have fun!
Re:Rejector *IS* parsing (Score:1, Informative)
puto
250 OK
laputamadre
250 OK
laconchadelalora
550 User domain does not exist. -- Whoa! it wants a real domain name huh?
laconchadelalora@kagate.com
250 OK
It gets worse (Score:1, Informative)
Here's a neat idea: (Score:5, Informative)
thatdog said:
The most amusing part of this to me is they take whatever is passed in the url parameter and shove it into the html of their page, no questions asked. Remote scripting exploits will be ever so easy!
If you don't get what I'm talking about, just check out this link [verisign.com].
Would be fun to see redirects on major isps and backbones...or even forwarding to an alternate site hosted elsewhere with an explanation.
Re:Strike Back with Poor Typing (Score:3, Informative)
So, one could theoretically spam them like so: Of course I am not advocating that anyone do this. Especially anyone with scads of bandwidth. That would be terrible. Oh, the humanity.
Re:wonder of wonders (Score:4, Informative)
And you can't ignore domains that resolve to identical addresses. Virtual web servers share the same address with different domain names. The web server uses the name to decide which set of web pages to serve up.
A quick post on the damage caused by this action.. (Score:2, Informative)
-- a concerned netizen
Re:Do not leave it is not real. (Score:2, Informative)
ICANN said no.... (Score:4, Informative)
<http://www.icann.org/correspondence/iab-message-t o-lynn-25jan03.htm> [icann.org]
What happened? I STRONGLY URGE that complaints be made to ICANN and the US DoC...right now.
This is so much worse than many folks think.
Re:attn: BIND/djbdns/whatever wizards (Score:2, Informative)
Preliminary BIND8 patch:
http://achurch.org/bind-verisign-patch.html
Patch to Dan Bernsteins DJBDNS:
http://tinydns.org/djbdns-1.05-ignoreip.patch
libverisignfix.c (Score:5, Informative)
Re:Waste of time (Score:4, Informative)
Re:Security Geniuses (Score:1, Informative)
Re:actually the sitefinder page is kinda useful. (Score:3, Informative)
Look -- the root name servers are at the absolute core of the usefulness of the Internet. Using a hey just hijacked every non-existent URL on the planet & pointed it directly at their own money-making, pay-per-click-thru search engine. For crissake man, are you paying attention here?
--Mid
Re:Waste of time (Score:3, Informative)
Nope. Hosts files map name->IP, not vice versa.
No, the only way to truly counteract this would be to get your local caching DNS server to intercept these bogus replies and replace them with the nonexistent-domain error.
- Peter
Complaint Form ICANN (Score:5, Informative)
To quote from the site in question:
Although ICANN's limited technical mission does not include resolving individual customer-service complaints, ICANN does monitor such complaints to discern trends.
Let your voices be heard!
Re:OpenNIC anyone? (Score:1, Informative)
This _does_ mean, however, that our servers will return a "no such domain" error correctly on non-exixtent
-robin
done! (Score:4, Informative)
done: [icann.org] the patch is here [tinydns.org]
Patch available for djbdns (Score:3, Informative)
It gives the server a new feature to answer that a
host is nonexistent if it actually resolves to certain IP address.
It was specifically designed for Verisign
It works extremely well and brings back the DNS caching the way it was working until the Verisign change.
Get it here
http://tinydns.org/djbdns-1.05-ignoreip.patch
Or if you want a pre-patched djbdns including this patch and other recommended patches (like the Linux glibc patch and other patches that don't break the stability)
ftp://ftp.fr.pureftpd.org/misc/djbdns-jedi.tar.
Re:Contact ICANN comments@icann.org (Score:3, Informative)
The poster was suggesting that we email the root nameserver operators and complain. All that is in the root nameservers are NS records for each of the Top Level Domains (.com, .net, .org, .us, etc.), NOT the .com and .net NS records.
As a result, there is absolutely nothing the root nameserver owners (I.E. [a-m].root-servers.net) can do about this wildcard resolution, short of removing .com and .net from the internet which would be worse than the current situation.
The .com and .net zones are on the [a-m].gtld-servers.net servers. These are 100% owned and operated by Verisign/Netsol last time I checked.
The wildcard is on the these .com and .net nameservers, and as such, nobody other than Verisign can make any changes to these zones.
Re:wonder of wonders (Score:5, Informative)
Google caches IP info a good deal longer than is specified by TTL and such, and a lot of other fancy bandwidth reducing (but frustrating) tricks). Its known by people who pay a lot of attention to google, based on observations. Many people have good reason to pay attention to google - they make their living from the traffic they get from google.
Re:Correction (need resolver workaround) (Score:2, Informative)
--
Eric Ziegast
Re:Legal degree from Play Skool? (Score:4, Informative)
Remedy:
1) blackhole that IP - PERMANENTLY. (blacklist their entire IP assignement(s))
2) modify bind to return NXDOMAIN for any query containing that IP.
3) make aformenttioned modification a configuration option (list) thus making it easy to adjust when the assh^W^Wthey change the address.
4) add my own choice wildcard entries
5) kill every living thing at Verisign/Network Solutions even remotely involved with this bullshit (as an example to others who have not learned to participate in a civilized society.)
There's a real big difference between me adding *.bar.com and someone adding *.com.. The wildcard record was originally intended to reduce the number of records -- specifically to negate the need for an MX record for every host. And honestly, it's never worked to anyone's satisfaction (e.g. the ability to send email to bob@[censored].bar.com)
Complaint submitted - the text (Score:5, Informative)
Email the Department of Commerce (Score:3, Informative)
Re:Already taken down?? (Score:3, Informative)
It will be interesting to see the EU's response to this mess.
Re:wonder of wonders (Score:2, Informative)
Alteratives (Score:2, Informative)
Re:wonder of wonders (Score:3, Informative)
We lost half a day of email because of this (Score:2, Informative)
We have several RBL blacklists enabled, and one of them wasn't spelled right. Before, nobody noticed, because even in testing, the RBL check of the non-existing name would return NXDOMAIN and nothing would be blocked.
But after Verisign's change, suddenly the non-existing RBL domain would return IP's for every single RBL lookup. So every email was blocked!
Suddenly all our email was bounced back as being RBL blocked! All because of a typo and Verisign's stupid change.
We lost half a days worth of email until we found out. That translates into lost sales in the hundred thousands.
And if we did it... how many more thousands of typos are out there?
I got yer reference right here (Score:2, Informative)
Giving up mods to reply to this, but oh well...
Just googling "bush nuclear "first use" ' brings up all sorts of links - here [nukewatch.com] and here [counterpunch.org] for starters. This shite was on the news for a few instants, among all the other obnoxious noise and probably juxtaposed with unemployment news or the abortion debate. The neocon cabal (tinnc) uses this type of 'shiny thing/booga booga' distraction to great effect lately, coupled with the 'Dopeler effect' - the effect of stupid ideas seeming smarter if they come at you fast.
Thank Heaven that Michael Powell is there to ensure diversity in the horrid liberal media
Or did you want a reference to the original 'no first use' doctrine? I'm sure many of my fellow Merkins weren't aware of it in the first place!
Change your hosts file (Score:2, Informative)
127.0.0.1 sitefinder.verisign.com
By using your loopback address, you effectively short-circuit their method.
This is, of course, a limited fix. It will not have any effect outside of your machine, so contact ICANN, Verisign, and your ISP and tell them what you think.
But this will at least give you some relief.
Clue-by-four (Score:5, Informative)
Reply-To: uknot@uk.com
To: uknot@uk.com
Subject: [uknot] Cluebyfour verisign HOWTO for the UK
Date: Tue, 16 Sep 2003 11:32:55 +0100
Call 0800-032-2101 and select option 2 for Support.
Explain to the engineer that you have typed in an non-existant domain name and
been directed to their sitefinder service.
Explain that you have read the "Terms of Use" and do not agree to abide by
them.
Explain that, as you don't agree to the ToU, you are explicitly forbidden from
using their service.
Ask them to exclude your IP block from those that will be given the sitefinder
IP rather than NXDOMAIN.
Give them your name, company (if appropriate) and a contact telephone number.
US and Canada: The contact page number is 888-642-9675. Apparently they will also refer you to 866-345-0330 (which isn't listed on that page), but you should of course check the number given on their official contact page and call that first. The postal address is VeriSign, Inc., Attention: Legal Department, 21355 Ridgetop Circle, Dulles, VA 20166, USA.
Re:What I did (Score:2, Informative)
The Internet Architecture Board responds (Score:3, Informative)
From: http://www.iab.org/Documents/icann-vgrs-response.h tml [iab.org]
Subject: Re: Request for Advice on VGRS IDN Announcement
To: "M. Stuart Lynn"
Cc: Leslie Daigle
Chuck Gomes
Brad Verd
Masanobu Katoh
Steve Crocker
Vint Cerf
Louis Touton
Andrew McLaughlin
iab@ietf.org
Date: Sat, 25 Jan 2003 10:19:37 +1100
Dear Stuart,
Thanks for your message. After reviewing the announcement, examining the behavior of the deployed system, discussing the issue with colleagues external to the IAB, and meeting with VeriSign's technical staff to go over the system's aim and implementation, the IAB has come to the following consensus.
The IAB feels that the system VeriSign had deployed for
The IAB has begun the process of shepherding the creation of an Informational RFC on concerns with operational practices with the DNS. We anticipate discussing the issues raised in your notes in more detail as part of that document. Given the scope of the issue, and our desire to ensure that it will have adequate review by the (DNS) operational community, we will be enlisting the help of the broader IETF community through relevant IETF working groups. In advance of that document, we have outlined below the issues with the VeriSign system which led us to the conclusion above.
As a lookup system, the DNS is designed to provide authoritative answers to queries. The DNS protocol specifies behavior for queries whose targets do occur in a zone by describing the data format for the specific resource records and the wire format for the response. The DNS protocol also specifies behavior for queries whose targets do not occur in a zone by describing the wire format for a negative response.
The system deployed for
It would, of course, be theoretically possible to add zone entries for all records containing code points above 127. Given that the Verisign system does not recognize "." as a label delimiter for testing these records, the size of the resulting zone is unimaginably large. VeriSign confirms that they are not managing a zone of the size this would imply and is, instead, synthesizing these entries. This implies that the zone as currently served by VeriSign cannot be transferred using either AXFR or file transfers in master file format. Though the choice of who may employ AXFR or file transfer to get copies of a zone is a policy decision, the IAB notes that the current system does
Experimental Postfix patch to do NS and MX lookups (Score:2, Informative)
Petition (Score:2, Informative)