Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here:

http://www.verisign.com/resources/gd/sitefinder/implementation.pdf

By way of background, over the course of last year, VeriSign has been engaged in various aspects of web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here:

http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf

Matt

--
Matt Larson <mlarson@verisign.com>
VeriSign Naming and Directory Services
I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a matter of reducing the flood of advertising junk reaching my desktop.

I think BIND & resolver developers would do everyone a service by adding an option having the same effect.

Thank you, VeriSign, I will never do business with you again. You are as bad as any spammer lowlife simply because you leave everyone with no choice to opt out of your advertising blitz.

--vadim

On Mon, 15 Sep 2003, Matt Larson wrote:
Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here:
http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
By way of background, over the course of last year, VeriSign has been engaged in various aspects of web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here:
http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
Matt -- Matt Larson <mlarson@verisign.com> VeriSign Naming and Directory Services
On Mon, 15 Sep 2003, Vadim Antonov wrote:
I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a matter of reducing the flood of advertising junk reaching my desktop.
Please share your hack !

==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
On Mon, 15 Sep 2003, Christopher X. Candreva wrote:
On Mon, 15 Sep 2003, Vadim Antonov wrote:
I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a matter of reducing the flood of advertising junk reaching my desktop.
Please share your hack !
I've implemented the official ISC Bind hack on every single one of my name servers and am pushing it and the configuration changes out to my customers as a *required* upgrade.

Justin
I've implemented the official ISC Bind hack on every single one of my name servers and am pushing it and the configuration changes out to my customers as a *required* upgrade.
that seems a bit extreme. shouldn't they get to decide this for themselves?
Returning NXDOMAIN when a domain does not exist is a basic requirement. Failure to do so creates security problems. It is reasonable to require your customers to fix known breakage that creates security problems.

VeriSign has a public trust to provide accurate domain information for the COM and NET zones. They have decided to put their financial interest in obscuring this information ahead of their public trust.

Microsoft, for example, specifically designed IE to behave in a particular way when an unregistered domain was entered. Verisign's wildcard record is explicitly intended to break this detection. The wildcard only works if software does not treat it as if the domain wasn't registered even though it is not. Verisign has created a business out of fooling software through failure to return a 'no such domain' indication when there is no such domain, in breach of their public trust.

As much as Verisign was obligated not to do this, others are obligated not to propagate the breakage. ISPs operate DNS servers for their customers just as Verisign operates the COM and NET domains for the public.

DS
From: "David Schwartz" <davids@webmaster.com>
Returning NXDOMAIN when a domain does not exist is a basic requirement. Failure to do so creates security problems. It is reasonable to require your customers to fix known breakage that creates security problems.
I agree completely. However, this is a policy breakage, not a technical one. Strictly speaking, the com and net zones are perfectly valid, as far as DNS is concerned.

While I too am outraged by the actions of Verisign, I've decided to NOT modify my servers in any way. I might decide to block the sitefinder IP, but I will not change my nameservers into modifying DNS responses. Doing so would be to break things, and that is not an acceptable fix even if the other thing is in itself broken.

Of course, YMMV.

- Kandra
On Wed, 17 Sep 2003, David Schwartz wrote:
Microsoft, for example, specifically designed IE to behave in a particular way when an unregistered domain was entered. Verisign's wildcard record is explicitly intended to break this detection.
Has Microsoft responded to this yet? Seems like Verisign's scam is running over Microsoft's scam.

sam
Don't know, but I cannot get to the VSGN wildcard site. DNS is still returning the IP, but port 80 is not responding or is very slow. Bet they didn't allocate enough servers to this (hehehehe) or it's being DOS'ed.

----- Original Message -----
From: "Sam Hayes Merritt, III" <sam@themerritts.org>
To: <nanog@merit.edu>
Sent: Wednesday, September 17, 2003 13:53
Subject: RE: Change to .com/.net behavior
On Wed, 17 Sep 2003, David Schwartz wrote:
Microsoft, for example, specifically designed IE to behave in a particular way when an unregistered domain was entered. Verisign's wildcard record is explicitly intended to break this detection.
Has Microsoft responded to this yet? Seems like Verisign's scam is running over Microsoft's scam.
sam
Paul Vixie wrote:
I've implemented the official ISC Bind hack on every single one of my name servers and am pushing it and the configuration changes out to my customers as a *required* upgrade.
that seems a bit extreme. shouldn't they get to decide this for themselves?
How about rewriting all DNS responses to your liking? :-) Like if you ask for www.register.com, you would get the A record for www.verisign.com ? Responses for the highest bidder!

Pete
Why not just make your users use your servers for forwarding DNS and block outbound DNS requests @ your router for anything but your servers. I mean, if you're going to go to the extreme & force your users to not have access to something they might like (for some unknown reason), might as well go way overboard.

william

----- Original Message -----
From: "Justin Shore" <listuser@numbnuts.net>
To: "Christopher X. Candreva" <chris@westnet.com>
Cc: "Vadim Antonov" <avg@kotovnik.com>; "Matt Larson" <mlarson@verisign.com>; <nanog@nanog.org>
Sent: Wednesday, September 17, 2003 12:12 PM
Subject: Re: Change to .com/.net behavior
On Mon, 15 Sep 2003, Christopher X. Candreva wrote:
On Mon, 15 Sep 2003, Vadim Antonov wrote:
I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a matter of reducing the flood of advertising junk reaching my desktop.
Please share your hack !
I've implemented the official ISC Bind hack on every single one of my name servers and am pushing it and the configuration changes out to my customers as a *required* upgrade.
Justin
You mean you have been studying a way for more people to buy domains through you.

I also am modifying BIND to convert your wildcard #$%^^% to NXDOMAIN. Between the domains that I have with you and all the problems we've had with it each time you 'change' your web interface, I've already made my decision to avoid VeriSign/NetworkSolutions for the rest of my life.

Before I figure out this BIND thing, for now..

box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 discard;

-hc

--
Sincerely,
  Haesu C.
  TowardEX Technologies, Inc.
  WWW: http://www.towardex.com
  E-mail: haesu@towardex.com
  Cell: (978) 394-2867

On Mon, Sep 15, 2003 at 07:24:29PM -0400, Matt Larson wrote:
Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here:
http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
By way of background, over the course of last year, VeriSign has been engaged in various aspects of web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here:
http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
Matt -- Matt Larson <mlarson@verisign.com> VeriSign Naming and Directory Services
Haesu wrote: []
Before I figure out this BIND thing, for now..
box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 discard;
Please do not do that. You, or your users, will end up having TONS of undeliverable bounces for forged/bogus domains sitting in mail spools...

/mjt
Looks like they pulled it now.

star@extremepcgaming:/var/log$ host rarrarrarrarblah.com
rarrarrarrarblah.com does not exist (Authoritative answer)

thanks,
-a-
----------------------------------------------------
Adam 'Starblazer' Romberg              Appleton: 920-738-9032
System Administrator         ExtremePC LLC -=- http://www.extremepcgaming.net

On Tue, 16 Sep 2003, Michael Tokarev wrote:
Haesu wrote: []
Before I figure out this BIND thing, for now..
box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 discard;
Please do not do that. You, or your users, will end up having TONS of undeliverable bounces for forged/bogus domains sitting in mail spools...
/mjt
On Mon, Sep 15, 2003 at 07:28:51PM -0500, Adam 'Starblazer' Romberg wrote:
Looks like they pulled it now.
star@extremepcgaming:/var/log$ host rarrarrarrarblah.com
rarrarrarrarblah.com does not exist (Authoritative answer)
; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com.
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58435
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; QUERY SECTION:
;;      rarrarrarrarblah.com, type = ANY, class = IN

;; ANSWER SECTION:
rarrarrarrarblah.com.   15M IN A        64.94.110.11

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Yeah, speaking too quickly.

*hides*

Thanks
-a-
----------------------------------------------------
Adam 'Starblazer' Romberg              Appleton: 920-738-9032
System Administrator         ExtremePC LLC -=- http://www.extremepcgaming.net

On Mon, 15 Sep 2003, Jared Mauch wrote:
On Mon, Sep 15, 2003 at 07:28:51PM -0500, Adam 'Starblazer' Romberg wrote:
Looks like they pulled it now.
star@extremepcgaming:/var/log$ host rarrarrarrarblah.com
rarrarrarrarblah.com does not exist (Authoritative answer)
; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com.
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58435
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; QUERY SECTION:
;;      rarrarrarrarblah.com, type = ANY, class = IN

;; ANSWER SECTION:
rarrarrarrarblah.com.   15M IN A        64.94.110.11
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Mon, Sep 15, 2003 at 07:39:20PM -0500, Adam 'Starblazer' Romberg wrote:
Yeah, speaking too quickly.
*hides*
I also typed a bit too quickly.

I'm guessing due to the uprising they've pulled this.

I was just going to call the dept of commerce tomorrow and file a complaint myself. perhaps I still will.

- jared

% dig any rarrarrarrarblah.com. @f.gtld-servers.net.

; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com. @f.gtld-servers.net.
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43204
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      rarrarrarrarblah.com, type = ANY, class = IN

;; AUTHORITY SECTION:
com.                    2D IN SOA       a.gtld-servers.net. nstld.verisign-grs.com. (
                                        2003091500      ; serial
                                        30M             ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

;; Total query time: 213 msec
;; FROM: puck.nether.net to SERVER: 192.35.51.30
;; WHEN: Mon Sep 15 20:39:47 2003
;; MSG SIZE  sent: 38  rcvd: 111
% dig any rarrarrarrarblah.com. @f.gtld-servers.net.
;; AUTHORITY SECTION: com. 2D IN SOA a.gtld-servers.net. nstld.verisign-grs.com. ( 2003091500 ; serial 30M ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum
Unless I'm missing something here.. Why not just block root servers or nstld.verisign-grs.com being listed as an authority? I can not find any instance where a root server should be listed as an authority..

I've been seeing varying results between .com and .net today. .net *always* has the root servers listed as its authoritative servers; .com sometimes does.. but often it's just listing:

;; AUTHORITY SECTION:
com.                    172800  IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 2003091500 1800 900 604800 86400

Blocking the Answer response isn't going to work, as you know they'll change the IP.. However, one crappy thing for them.. When kids start DoS'ing the verisign IP, they can just pick any domain they feel like that doesn't exist, and hard code it.
From the news, Microsoft and AOL are both fairly upset of their.. I imagine Google probably will be too, since Verisign is teaming with Yahoo on this one, and Yahoo is trying to revive their own engine and stop using google.
Anyhow.. What am I missing about this fix.. why won't this work?
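The behaviour netmask and Jared are probing above (an A answer for an unregistered name versus an honest NXDOMAIN from the TLD servers) is what the "delegation-only" treatment mentioned earlier in the thread keys on. The following is an added example, not code from the thread, from ISC BIND or from VeriSign: a Python model of that check run over constructed DNS wire-format responses. The function names, the example.com referral and every message byte are assumptions built here; only 64.94.110.11 and the com. SOA values are taken from the dig output quoted in the thread.

```python
import struct

TYPE_A, TYPE_NS, TYPE_SOA = 1, 2, 6
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
DELEGATION_ONLY_ZONES = {"com.", "net."}   # TLDs we expect only referrals from


def encode_name(name):
    """Wire-encode a dotted name (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Minimal parser: header, the single question, answer and authority RRs."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    assert qd == 1
    qname, off = read_name(msg, 12)
    off += 4                                           # skip qtype, qclass
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "qname": qname,
            "answer": sections[0], "authority": sections[1]}


def build_response(qname, rcode, aa, answer=(), authority=()):
    """Build a constructed response (question: qname/A/IN) for the checks below."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for name, rtype, rdata in list(answer) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 900, len(rdata))
        msg += rdata
    return msg


def delegation_only_rcode(msg, served_by_zone):
    """RCODE a resolver should pass on for a response received from the servers
    of `served_by_zone`. From a delegation-only TLD we accept a referral (NS RRs
    for the child in AUTHORITY, empty ANSWER), data for the zone apex itself,
    and a genuine NXDOMAIN; anything else is wildcard synthesis -> NXDOMAIN."""
    r = parse_response(msg)
    if served_by_zone not in DELEGATION_ONLY_ZONES or r["rcode"] != RCODE_NOERROR:
        return r["rcode"]                 # not our concern, or already NXDOMAIN
    if r["qname"] == served_by_zone:
        return RCODE_NOERROR              # com. SOA/NS at the apex is legitimate
    is_referral = not r["answer"] and any(t == TYPE_NS for _, t, _ in r["authority"])
    return RCODE_NOERROR if is_referral else RCODE_NXDOMAIN


# Constructed messages mirroring the dig output quoted earlier in the thread.
SITEFINDER = build_response(             # NOERROR + A 64.94.110.11 from the TLD
    "rarrarrarrarblah.com.", RCODE_NOERROR, aa=True,
    answer=[("rarrarrarrarblah.com.", TYPE_A, bytes([64, 94, 110, 11]))],
    authority=[("com.", TYPE_NS, encode_name("a.gtld-servers.net."))])
SOA_RDATA = (encode_name("a.gtld-servers.net.") + encode_name("nstld.verisign-grs.com.")
             + struct.pack("!IIIII", 2003091500, 1800, 900, 604800, 86400))
HONEST_NXDOMAIN = build_response(        # what f.gtld-servers.net returned
    "rarrarrarrarblah.com.", RCODE_NXDOMAIN, aa=True,
    authority=[("com.", TYPE_SOA, SOA_RDATA)])
REFERRAL = build_response(               # normal delegation of a registered name
    "www.example.com.", RCODE_NOERROR, aa=False,
    authority=[("example.com.", TYPE_NS, encode_name("ns1.example.com."))])
APEX = build_response("com.", RCODE_NOERROR, aa=True,
                      answer=[("com.", TYPE_SOA, SOA_RDATA)])

if __name__ == "__main__":
    for label, m in [("sitefinder", SITEFINDER), ("nxdomain", HONEST_NXDOMAIN),
                     ("referral", REFERRAL), ("apex", APEX)]:
        print(f"{label:10s} -> rcode {delegation_only_rcode(m, 'com.')}")
```

Note the trade-off the thread argues about: the filter also turns a legitimate NODATA answer from the TLD into NXDOMAIN, and it only works when the resolver knows which zone's servers it asked, which is why it belongs in the recursive resolver rather than at the router.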
On Mon, 15 Sep 2003, Jared Mauch wrote:
I also typed a bit too quickly.
I'm guessing due to the uprising they've pulled this.
I was just going to call the dept of commerce tomorrow and file a complaint myself. perhaps I still will.
It appears GTLD servers A-D are running a serial number of 2003091501 and contain the wildcard record in .com. The other GTLD servers are running 2003091500 and don't have the wildcard record. So, unless there's a 2003091502 floating around out there somewhere that I haven't seen, it doesn't look to me like they pulled it.

For .net, I'm now seeing 2003091501 everywhere, with the wildcard record. It doesn't look like they pulled that either.

In other news, Verisign has a press release on their website announcing something called "Next Registration Rights Service," where you can place an order to have somebody else's domain transferred to you if they ever don't pay their bill. The press release goes on to say that this is a great way for holders of existing domain names to buy insurance to protect themselves from the loss of their domain names if their bill doesn't get paid, but apparently only if nobody beats them to it.

-Steve

--------------------------------------------------------------------------------
Steve Gibbard                                  scg@gibbard.org
+1 510 528-1035                                http://www.gibbard.org/~scg
In other news, Verisign has a press release on their website announcing something called "Next Registration Rights Service," where you can place an order to have somebody else's domain transferred to you if they ever don't pay their bill. The press release goes on to say that this is a great way for holders of existing domain names to buy insurance to protect themselves from the loss of their domain names if their bill doesn't get paid, but apparently only if nobody beats them to it.
-Steve
If you make the mistake of letting a domain reach the 'redemption' period Verisign holds it hostage and dead for a couple of weeks unless you pay them a $150 extortion fee to get it back. Apparently ICANN approved the redemption period and allows the registrar to set whatever fee they like.

I can not prove it but I suspect that Verislime is now leaving expired domains in the GTLD servers until they reach the redemption period in the hope that people will not notice the domain not resolving until it reaches the extortion period.

Why are we still putting up with this garbage from Verisign and ICANN?

Mark Radabaugh
Amplex
(419) 720-3635
Dear Incredibly Bright Chaps over at Verisign,

I accidentally typed www.msnnn.net and was redirected to a page that displayed your Terms of Use for a platform that I have not signed up for, nor do I wish to be signed up for:

-------------------------------------------------------------------
AGREEMENT TO BE BOUND.
By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions herein and documents incorporated by reference.
--------------------------------------------------------------------

I do not wish to be bound to your terms and I do not agree with them. Please take this as notice of such.

Please can you remove the configuration that forces me to use your "superb" service that is liable to cause more confusion for net users who have eyes in their head and can see that they have mis-typed something.

I do not wish to be bound to your terms of use as I do not wish to use your service. You are forcing me to use this service by the incredibly short sighted deployment of a wildcard domain record for the NET TLD. Please confirm that you will remove this configuration as soon as possible, thereby not forcing me to agree to terms for something that I don't want.

Regards,
Neil.
Hi Neil

Maybe I'm being naive (or silly ;-) but wouldn't complaining to FTC.gov be more effective ?

--
Thanks,
Rafi

## On 2003-09-16 08:40 +0100 Neil J. McRae typed:
Neil J. McRae(neil@DOMINO.ORG)@2003.09.16 08:40:54 +0000:
I do not wish to be bound to your terms and I do not agree with them. Please take this as notice of such.
The best thing is that they appear to filter search results on some basis. And they set cookies (long-term) to "store the preferences".

``Filtering attempts to block content containing explicit and adult material. While no filter is 100% effective, Site Finder uses industry-leading technology to identify explicit content and reduce undesired results.''

The best thing would be simply to switch it off. While folks got used to the strange MSIE error messages, they have the same "learning curve" now again, but they also need to understand the privacy implications.

``Third Party Search Results and Cookies

We use third-party companies to serve paid and unpaid search results and other content to our Site Finder. In the course of serving these results, these companies may place or recognize a cookie on your browser, and may use information (not including your name, address, e-mail address, or telephone number) about your visits to this and other web sites in order to serve content to our site, improve the services offered on our site, or measure advertising effectiveness of paid search results. For more information about this practice and to know your choices about not having your information used by these companies, please visit http://www.content.overture.com/d/Usm/about/company/privacypolicy.jhtml.''

This is really ugly. IANAL, but is this fair and common business behaviour? As I am located in "Old Europe", I say "it's not" and it might have one or the other legal implication in Germany.

Regards,
/k
--
Examining the world's major religions. I'm looking for something that's light on morals, has lots of holidays, and with a short initiation period.
webmonster.de -- InterNetWorkTogether -- built on the open source platform
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
On Mon, 15 Sep 2003, Adam 'Starblazer' Romberg wrote:
Looks like they pulled it now.
star@extremepcgaming:/var/log$ host rarrarrarrarblah.com
rarrarrarrarblah.com does not exist (Authoritative answer)
They haven't implemented it on .com, only .net .

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/
It looks like it broke. Your web server (64.94.110.11) is inoperative. How about backing out the change!!!!

Matt Larson wrote:
Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here:
http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
.....
On Mon, 15 Sep 2003 17:29:43 -0700 Roy <garlic@garlic.com> wrote:
It looks like it broke. Your web server (64.94.110.11) is inoperative. How about backing out the change!!!!
Chances are your ISP has null-routed that IP address. Two of the larger ISPs in my area (Ontario, Canada) have, as well as the upstreams for a number of incidental networks I have access to.
Sorry for the double-post folks, I got a bounce and didn't look closely at it. If somebody could check the subscriber list for an address that might result in postmaster@ldmi.com filtering really innocent emails (I know this has happened to others too), and contacting the owner, that would be great. Thanks.
I want my root servers back

Matt Larson wrote:
Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here:
http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
By way of background, over the course of last year, VeriSign has been engaged in various aspects of web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here:
http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
Matt -- Matt Larson <mlarson@verisign.com> VeriSign Naming and Directory Services
In <20030915232429.GA15402@chinook.rgy.netsol.com> Matt Larson <mlarson@verisign.com> writes:
Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now.
Well, I hope you have the world's most secure server running on this IP address as it is going to be a prime target for crackers.

And, just to give you some idea how carefully VeriSlim considered this aspect, I saw this link on /.

http://sitefinder.verisign.com/lpc?url='%3E%3Ch1%3Ehi%20mom%3C/h1%3E

-wayne
On Mon, 15 Sep 2003, Matt Larson wrote:
Today VeriSign is adding a wildcard A record to the .com and .net zones.
The Web Proxy Auto-discovery Protocol (WPAD) is another reason to fear and loathe this change. If your host has a bogus name and makes a WPAD request, they can send your browser a proxy config function and take full control of your browsing. Not that they would ever stoop so low... *cough* Duane W.
On Mon, 15 Sep 2003, Matt Larson wrote:

Don't you think this kind of change should have been discussed first? Or at the *very* least - a 3 day pre-change notice? Or did mgmt think a pre-notice would have caused a firestorm of sufficient size to make you backoff such a plan? Once done - things are harder to undo.

-Hank
Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here:
http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
By way of background, over the course of last year, VeriSign has been engaged in various aspects of web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here:
http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
Matt -- Matt Larson <mlarson@verisign.com> VeriSign Naming and Directory Services
Hank Nussbacher
On Tue, 16 Sep 2003 09:50:07 +0300 (IDT) Hank Nussbacher <hank@att.net.il> wrote:
Don't you think this kind of change should have been discussed first? Or at the *very* least - a 3 day pre-change notice? Or did mgmt think a pre-notice would have caused a firestorm of sufficient size to make you backoff such a plan? Once done - things are harder to undo.
"It's much easier to ask for forgiveness than it is to ask for permission." -- Unknown
Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here:
This is an insane idea and the other registries doing this should remove this "feature" also. Goodbye network security.

Neil.