--On Tuesday, February 10, 2004 10:21 +0530 Suresh Ramasubramanian <suresh@outblaze.com> wrote:
You are of course right. The problem posed by sitefinder in its previous form has been discussed already, and our bind / djbdns resolvers have been patched appropriately to ignore the aberrant behavior introduced by verisign.
There ends the operational impact of verisign's decision, till such time as they revive sitefinder, and till such time as resolver patches in existence are modified if necessary to cope with the new edition of sitefinder.
But that's a HUGE operational impact. Now we're all expected to go around and run patched versions of our resolvers or nameservers to get around a company using shady tactics to just increase its bottom line! Let's say it takes on average about 10 minutes per machine to do the necessary changes, I'll have to spend several hours installing patched software for something that is harmful.

They remove the ONLY method for testing if a domain exists or not, and certainly the only 'lightweight' method. Not to mention there is no guarantee the patch will continue to work. We already know of a few ways in which it can break, and anything we do to get around those surely introduces maintenance or other headaches.

Who's going to pay me to maintain these parts of systems that until now just worked? Who's going to pay any of us? Not VeriSign. But they'll be making quite likely millions off of the hijacked hits. So I ask again, who's going to pay for my time to do that? Last time they turned this thing on globally I also spent at least two hours on the phone trying to explain it to various users.

And what about the systems or platforms that *CAN'T* be patched? What about systems that have long depended on the way things are supposed to work?

--
Michael Loftis