Full Disclosure mailing list archives

RE: Verisign abusing .COM/.NET monopoly, BIND releases new


From: Sam Pointer <sam.pointer () hpdsoftware com>
Date: Wed, 17 Sep 2003 14:52:54 +0100

Thor Larholm wrote:
For now, it is returning the same IP address, but I have no trouble
imagining Verisign evading DNS filters by changing the A records every
now and then. Any solution to prevent Verisign's greed should keep this
in mind.

AFAIK the BIND patch (when set up) accepts delegation RRs *only* from
configured domains (i.e. SOA and NS records) and forces any in-zone replies
(i.e. A records such as the one used by Verisign in this instance) in these
domains to be interpreted as NXDOMAIN responses (paraphrase of the ISC's
text at http://www.isc.org/products/BIND/delegation-only.html), giving
normal DNS behaviour.

In short: it doesn't matter what the A record changed to, if you apply and
configure the patch and you get an A record back from a delegation only
domain then it's discarded. What IP address is returned is immaterial, so
moving it about is a no-go.

This is much better than any hard-coded constant or updated list of IP
address options I've seen on various lists.

IMHO I think that this system will die a death as soon as the major BIND
shops have time to test and implement this patch. Most do not run their own
nameservers and when the major ISPs completely bypass this 'feature'
Verisign will give it up as a hopeless task. That combined with the fact
that they seem to have trouble merely keeping the boxes at the other end of
'sitefinder' alive.
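The filtering rule described in the reply above, as an added illustration in Python. This is not BIND's code and not the ISC's implementation; it is a simplified model of the behaviour the post paraphrases. The zone names in the configured set, the sample referral and the synthesized A records (placeholder addresses from the 192.0.2.0/24 documentation range) are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added illustration of the "delegation-only" idea described in the post.
# This is NOT BIND's implementation; it is a simplified model of the rule:
# a reply for a name under a delegation-only zone is accepted only if it is
# a referral (NS records for a child zone) or a genuine NXDOMAIN; any other
# in-zone answer (e.g. a synthesized A record) is rewritten to NXDOMAIN.

@dataclass
class RR:
    name: str    # owner name, e.g. "example.com"
    rtype: str   # "A", "NS", "SOA", ...
    rdata: str   # record data as text

@dataclass
class Response:
    qname: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    rcode: str = "NOERROR"

# Zones an operator would configure as delegation-only (assumed config).
DELEGATION_ONLY_ZONES = {"com", "net"}

def _normalise(name: str) -> str:
    return name.rstrip(".").lower()

def covering_zone(qname: str) -> Optional[str]:
    """Return the configured delegation-only zone that contains qname, if any."""
    labels = _normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DELEGATION_ONLY_ZONES:
            return candidate
    return None

def _is_child_of(name: str, zone: str) -> bool:
    name, zone = _normalise(name), _normalise(zone)
    return name != zone and name.endswith("." + zone)

def is_referral(resp: Response, zone: str) -> bool:
    """A legitimate reply from a delegation-only zone: no answer data,
    and NS records in the authority section delegating a child of the zone."""
    if resp.answer:
        return False
    return any(rr.rtype == "NS" and _is_child_of(rr.name, zone)
               for rr in resp.authority)

def apply_delegation_only(resp: Response) -> Response:
    """Filter one response as a delegation-only resolver would (simplified)."""
    zone = covering_zone(resp.qname)
    if zone is None:
        return resp                       # zone not configured: pass through
    if resp.rcode == "NXDOMAIN" or is_referral(resp, zone):
        return resp                       # genuine NXDOMAIN or referral: fine
    if _normalise(resp.qname) == zone:
        return resp                       # apex data (SOA/NS for "com"): fine
    # Anything else is in-zone data the registry should not be answering
    # with (a wildcard A record, for instance).  Whatever the rdata is, it is
    # replaced by NXDOMAIN, so changing the IP address changes nothing.
    soa = [rr for rr in resp.authority if rr.rtype == "SOA"]
    return Response(qname=resp.qname, answer=[], authority=soa, rcode="NXDOMAIN")

# --- Constructed sample responses (not real captures) ---------------------

def sample_referral() -> Response:
    # A normal referral from the TLD servers: no answer, NS for the child zone.
    return Response(
        qname="www.example.com",
        authority=[RR("example.com", "NS", "ns1.example.net"),
                   RR("example.com", "NS", "ns2.example.net")])

def sample_synthesized(ip: str) -> Response:
    # A wildcard-style answer for a name that does not exist; ip is a
    # placeholder from the 192.0.2.0/24 documentation range.
    return Response(
        qname="no-such-name-xyz.com",
        answer=[RR("no-such-name-xyz.com", "A", ip)])

def demo() -> dict:
    """Return the resulting rcodes so the behaviour can be checked."""
    return {
        "referral": apply_delegation_only(sample_referral()).rcode,
        "synth_a": apply_delegation_only(sample_synthesized("192.0.2.1")).rcode,
        "synth_b": apply_delegation_only(sample_synthesized("192.0.2.2")).rcode,
        "other_tld": apply_delegation_only(
            Response(qname="host.example.org",
                     answer=[RR("host.example.org", "A", "192.0.2.3")])).rcode,
    }

if __name__ == "__main__":
    for key, rcode in demo().items():
        print(f"{key}: {rcode}")
```

The two synthesized cases differ only in the address returned, and both come out as NXDOMAIN, which is the point the reply makes: the filter keys on the kind of record coming back from the delegation-only zone, not on any particular IP, so a list of addresses to block is unnecessary and rotating them achieves nothing. The real BIND feature also takes into account which servers the reply came from and handles glue; those details are left out of this model.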




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

