[Gllug] Fighting Verisign greed

[Ian Northeast]

Alan Peery wrote:
> 
> David Damerell wrote:
> 
> >If we run BIND, we use;
> ><http://www.isc.org/products/BIND/delegation-only.html>
> >
> >
> Good technical answer, and I'll be applying it.  It doesn't really do a
> good job of counter attack, however.

I built and tested this today but there seems to be a bit of a flaw. If,
with an empty cache, you issue an NS query for a valid .com domain it
returns NXDOMAIN. If you first issue some other query then it's OK. It
doesn't seem to cache the NXDOMAIN as a subsequent A or MX query is OK,
and the negative caching TTL on .com is 1 day. This seems to be
irrespective of whether the domain's nameservers are within itself or
not, i.e. whether the GTLD server has glue records.

This won't cause a huge problem in normal operation, as generally things
don't issue NS queries, usually As or MXs, but it could hinder
troubleshooting. I'm holding off on installing it for now, instead I'm
putting in a temporary reject route to the verisign server on the mail
exchanges until the position is clearer.

I think someone did mention this problem on the bind ML yesterday and
I'm heading back there to see if there's any FU shortly.

I'm using bind 9.2.2-P1 on SuSE Enterprise Server 8 (UL 1.0) at patch CD
2, kernel 2.4.19 although I don't think the Linux version is relevant
(or even the fact that it's Linux).

The aspect of this which worries me most is that when my users misspell
email addresses, which they naturally do a lot, Verisign get hold of
their valid email address, as their mail rejector doesn't return an
error until after RCPT To:. I'm not so worried about people landing on
Verisign's search engine (it doesn't seem to work most of the time
anyway, being DoS'd I suppose:). No-one's complained about it to my
knowledge.

Regards, Ian

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug