Post #117,922
9/16/03 8:29:01 AM
|
Verisign adds wildcard domain to root DNS servers
[link|http://www.theregister.co.uk/content/6/32852.html|http://www.theregist...tent/6/32852.html] "This breaks all sorts of things horribly. It makes it very difficult for mail servers to reject mail from invalid domains", Bellis said..
"Even worse, if an MX record points to an invalid host name, that host will now resolve, the SMTP connection accepted and the mail then rejected. Because the rejection is a 550 error, that mail will not get retried *ever* again. If that MX was the highest priority mail server than all mail to that domain name will bounce."
Already a backlash is building, with Net admins being urged to block Verisign's catch-all domain. This could get very messy. Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #117,926
9/16/03 9:03:15 AM
|
Was just talking about this last week
We're working on setting up a new webserver. I asked the sysadmin if it was possible to do a wildcard in our DNS and just let Apache's name-based virtual hosting take care of resolving it. He said he'd never heard of or thought about it and to give him a minute.
Took him about half that to realize that every other service that relies on DNS would also have to handle name-based resolution, and mail would be an impossible situation. If he figured out the problem in less than a minute, why didn't anyone at Verisign figure it out?
===
Implicitly condoning stupidity since 2001.
|
Post #117,929
9/16/03 9:26:31 AM
|
The difference:
Verisign is hyarge, and Just Doesn't Care.
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #117,941
9/16/03 11:14:15 AM
|
this bit us yesterday
Our SVR4 UNIX box stopped printing all of a sudden. Messed with lp services for an hour, finally decided to reboot the box (after TWO YEARS, NINE MONTHS and FOURTEEN DAYS uptime no less!!). When that didn't work, I attempted to ping a printer by name instead of IP address...
pklowesd@peter:PK-USA > ping PITS
PING sitefinder-idn.verisign.com (64.94.110.11): 56 data bytes
to which ping hangs on.
Changing the resolver order to use /etc/hosts before DNS fixed it.
Bastards.
BTW, here's a /. link [link|http://slashdot.org/articles/03/09/16/0034210.shtml?tid=126&tid=95&tid=98&tid=99|http://slashdot.org/...=95&tid=98&tid=99]
-----
Steve
|
Post #117,942
9/16/03 11:15:03 AM
9/16/03 11:15:08 AM
|
Nice to have their insanity and arrogance confirmed
Now I gotta figure out how to block it on my dns. Yay.
--\n-------------------------------------------------------------------\n* Jack Troughton jake at consultron.ca *\n* [link|http://consultron.ca|http://consultron.ca] [link|irc://irc.ecomstation.ca|irc://irc.ecomstation.ca] *\n* Kingston Ontario Canada [link|news://news.consultron.ca|news://news.consultron.ca] *\n-------------------------------------------------------------------
Edited by jake123
Sept. 16, 2003, 11:15:08 AM EDT
|
Post #117,975
9/16/03 9:31:10 PM
|
This raises some interesting opportunities.
Verisign needs to respond to traffic hitting its websites. The namespace is...large. They also need to respond to mail sent to the namespace, if only to say "we can't deliver this". The namespace is again...large. And a dictionary attack against a...large namespace is...large and then some. There's the added overhead of resolving this large space at both root and secondary DNS servers. \r\n\r\n One of the immediate benefits is that we now have a vastly larger space of possible email addresses with which to seed spammers. Given that domain validation itself is a signficiant cost of mail delivery (as much as email has costs), the task of filtering through some tens or hundreds of thousands, or millions, of email domains, is not inconsequential. \r\n\r\n Of course, what's necessary is a system to generate seed addresses. While more sophisticated methods will doubtless emerge, one quick contingency is: \r\n\r\n \r\n\r\nwhile :\r\ndo \r\n rand=$( ( date +%s%N; echo $RANDOM ) | md5sum | cut -b 1-14 )\r\n echo http://www.$rand.com/index.html jp@$rand.com\r\ndone \r\n \r\n \r\n\r\n Pipe that through head -nn to generate the desired number of output domains. The namespace is over 18 quadrillion domains, and duplicates in a sample run of 1 million (360 minutes on P4 1.7 GHz) were zero. Some sed magic will generate HTML [link|http://kmself.home.netcom.com/Verisign/Verisign7.html|suitable for posting]. Suggested enhancements would be to incorporate dictionary words or common names, a simple Perl or Python enhancement. --\r\n
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]\r\n
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]\r\n
What part of "gestalt" don't you understand?\r\n
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.\r\n
\r\n
Keep software free. Oppose the CBDTPA. Kill S.2048 dead.\r\n[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]\r\n
|
Post #117,982
9/16/03 11:24:13 PM
|
Heh.. takes one to know one
I OTOH, as a tad, having recently comprehended how a Bazooka worked, on travelling across the Golden Gate bridge enroute to school session .. generated a similar sort of recipe:
{why today - it coulda been spelled with 4 syllables!}
Based upon -
a)the bandolier
b)the visible circumference ergo dia. of the two support multi-multi-strand cable containers
c) hardly comprehensive math concerning tensile strengths, ft-poundals per pound of unstable substance + The Cone
concluding -
Yup, were I a (pre-007), why
Baad Karsten
Or, to move on to your line of dysfunction contrivance -
Beware the appearance of the random Clock-activated maybe circuit, generator of barely-too-slow risetimes to just-within the ambiguous band of voltages.. (for most discriminators to reliably filter out) and its next appearance -
looking very like an innocent local voltage regulator - to the other IC sub-mask litho-checkers at the fab
I Love techno and twi-blade axes
sorta
|
Post #118,007
9/17/03 10:35:29 AM
|
ICLRPD (gosh, it's been a few weeks) (new thread)
Created as new thread #118006 titled [link|/forums/render/content/show?contentid=118006|ICLRPD (gosh, it's been a few weeks)]
===
Implicitly condoning stupidity since 2001.
|
Post #117,991
9/17/03 4:53:08 AM
|
Verisign reinvents SMTP:
[link|http://www.merit.edu/mail.archives/nanog/msg13664.html|Nanog discussion post]. \r\n\r\n The response sequence is fixed. \r\n\r\n \r\n\r\n$ telnet akdjflasdf.com 25\r\nTrying 64.94.110.11...\r\nConnected to akdjflasdf.com.\r\nEscape character is '^]'.\r\n220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready\r\nsdfg\r\n250 OK\r\nsdfgsdfgsdfgsdf\r\n250 OK\r\nsdfgdfgaegqaergqaergvav\r\n550 User domain does not exist.\r\nasdfgasdfgasdf\r\n250 OK\r\nsdfasdfadsfasdf\r\n221 snubby4-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel\r\nConnection closed by foreign host.\r\n \r\n --\r\n
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]\r\n
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]\r\n
What part of "gestalt" don't you understand?\r\n
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.\r\n
\r\n
Keep software free. Oppose the CBDTPA. Kill S.2048 dead.\r\n[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]\r\n
|
Post #118,077
9/18/03 4:19:22 AM
|
Outsourced snooping by Omniture, per Richard M. Smith
[link|http://www.circleid.com/article/260_0_1_0_C/|Bug Reveals the Snooper in VeriSign's Site Finder], Richard M. Smith, Sep 17, 2003 \r\n\r\n \r\nVeriSign has hired a company called Omniture to snoop on people who make domain name typos. I found this Omniture Web bug on a VeriSign Site Finder Web page: \r\n\r\n... \r\n\r\nThe query string of the URL contains the usual things such as the Web page URL, the referring URL, browser type, screen size, etc. This query string is built on the fly by about 50 lines of JavaScript embedded in the Verisign Web page. \r\n\r\nThe Omniture server sets a cookie so that people can be watched over time to see what typos they are making. \r\n \r\n\r\n Another reason to turn off Javascript and disable cookies when browseing.... \r\n\r\n Hope they like random content... \r\n\r\n \r\n\r\nwhile :\r\ndo\r\n rand=$(( date +%s%N; echo $RANDOM ) | md5sum | cut -b 1-10 )\r\n lynx -dump http://${rand}.THIS-QUERY-SHOULD-RETURN-NXDOMAIN.NET > /dev/null\r\ndone\r\n\r\n \r\n\r\n There's also some indication Verisign is [link|http://www.smh.com.au/articles/2003/09/18/1063625123998.html|seeing the light] (Sam Varghese, SMH.AU). An unsurprising title shows up at a surprising place: [link|http://weblog.infoworld.com/techwatch/archives/000077.html|Verisign's lesson in stupidity]. --\r\n
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]\r\n
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]\r\n
What part of "gestalt" don't you understand?\r\n
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.\r\n
\r\n
Keep software free. Oppose the CBDTPA. Kill S.2048 dead.\r\n[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]\r\n
|
Post #118,098
9/18/03 9:45:12 AM
|
Karsten: you were asking about charters
[link|http://www.ntia.doc.gov/ntiahome/domainname/6_5_98dns.htm|Management of Internet Names and Addresses (Statement of Policy)]
[link|http://www.ntia.doc.gov/ntiahome/domainname/icann-memorandum.htm|\nMEMORANDUM OF UNDERSTANDING BETWEEN THE U.S. DEPARTMENT OF COMMERCE AND INTERNET CORPORATION FOR ASSIGNED NAMES AND NUMBERS]
Is this what you were looking for?
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #118,173
9/18/03 11:44:43 PM
|
.com / .net domain resolver test base posted
A test base for resolving arbitrary domains in the .com and .net TLDs has been posted to the [link|http://www.iwethey.org/|IWeThey] website. \r\n\r\n The test base consists of 4 million randomly generated URLs and a corresponding mailing address. These are divided among 30,000 files of 100 lines each, in 385 subdirectories under the link [link|http://www.iwethey.org/verisign/|Verisign]. \r\n\r\n Use these as you see fit. This is a resource others are welcome to use. The files may be copied and distributed without restriction. --\r\n
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]\r\n
[link|http://kmself.home.netcom.com/|http://kmself.home.netcom.com/]\r\n
What part of "gestalt" don't you understand?\r\n
[link|http://twiki.iwethey.org/twiki/bin/view/Main/|TWikIWETHEY] -- an experiment in collective intelligence. Stupidity. Whatever.\r\n
\r\n
Keep software free. Oppose the CBDTPA. Kill S.2048 dead.\r\n[link|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html|http://www.eff.org/alerts/20020322_eff_cbdtpa_alert.html]\r\n
|
