[Gllug] Verisign 'site finder' problem
Ian Northeast
ian at house-from-hell.demon.co.uk
Fri Sep 19 19:42:48 UTC 2003
"Martin A. Brooks" wrote:
>
> At 16:54 19/09/2003 +0100, you wrote: (No I didn't, Tim Clarke did:)
> >However, I cannot figure out how this BIND patch works and therefore
> >whether or
> >not is worth applying.
>
> Debian's BIND9 package now includes this patch - my initial experience is
> that it breaks horribly. BIND actually crashed on me today, I've since
> removed the relevant zone statements from my named.conf file.
Although some early patches worked by either knowing the IP address of
the Verisign search engine/mail rejector, or by comparing the result of
a lookup with a wildcard lookup, the official ISC patch works by
enabling a new zone type "delegation-only". If a zone is declared as
such then any response for a name in it which is neither at zone top
(i.e. the SOA, A, NS or MX records associated with the domain name
itself) nor a delegation to another nameserver (which I assume could in
fact be the same server) is disregarded and NXDOMAIN returned.
So if I look up "zorkwibble.com" which doesn't exist, BIND gets an A
response direct from the GTLD server courtesy of the wildcard, and it
is discarded. But if I look up "ibm.com" it finds the delegation, goes
to an IBM server, gets the A record from there and returns it.
In theory (at least AFAICS) this will work and work properly, as .com
and .net aren't supposed to contain anything except their own SOA and NS
records and delegations.
Unfortunately the patch isn't quite right yet (unless a fix has been
released very recently) and has the problem I described with returning
NXDOMAIN for valid domains if an NS query is issued and there is no
cached data associated with the domain. After I discovered this I didn't
test it further and didn't put it live so I did not experience the
crashing problem Martin describes.
The ISC are aware of the problem in the initial patch and are producing
a fix. When it arrives I think, in the light of Martin's experience, I
will stress test it a bit before deploying it.
Regards, Ian
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
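To make the delegation-only rule concrete, here is an added Python simulation of the filtering decision Ian describes; it is not ISC's patch or BIND code, and the response records, names and addresses are constructed sample data.

```python
from dataclasses import dataclass

# Record types Ian lists as legitimately present at a zone's top.
APEX_TYPES = {"SOA", "A", "NS", "MX"}

@dataclass
class RR:
    name: str   # owner name, e.g. "ibm.com"
    rtype: str  # "A", "NS", "SOA", ...
    rdata: str  # address, nameserver name, ...

@dataclass
class Response:
    qname: str       # name that was looked up
    answer: list     # answer-section RRs
    authority: list  # authority-section RRs (delegations live here)

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def delegation_only_filter(resp, zone):
    """Returns ("answer", rrs) for zone-top data, ("delegation", ns_rrs) for a
    referral, or ("nxdomain", []) for anything else, which is where the GTLD
    wildcard answers end up."""
    if not in_zone(resp.qname, zone):
        return ("answer", resp.answer)   # not a delegation-only zone: untouched
    if resp.qname == zone:
        # Zone top: keep only the record types allowed there.
        return ("answer", [rr for rr in resp.answer
                           if rr.name == zone and rr.rtype in APEX_TYPES])
    # A delegation is an NS set for a name strictly below the zone top that
    # covers the queried name (NS for "ibm.com" when asking for "www.ibm.com").
    delegation = [rr for rr in resp.authority
                  if rr.rtype == "NS" and rr.name != zone and in_zone(resp.qname, rr.name)]
    if delegation:
        return ("delegation", delegation)
    # Neither zone top nor delegation: disregard the data and answer NXDOMAIN.
    return ("nxdomain", [])

# Constructed sample responses (documentation-range address, example nameservers).
WILDCARD_HIT = Response("zorkwibble.com",
                        answer=[RR("zorkwibble.com", "A", "192.0.2.1")], authority=[])
REAL_DELEGATION = Response("www.ibm.com", answer=[],
                           authority=[RR("ibm.com", "NS", "ns1.example.net")])
ZONE_TOP = Response("com", authority=[],
                    answer=[RR("com", "SOA", "ns1.example.net hostmaster.example.net")])
```

The NS-query edge case Ian describes (a valid domain reported as NXDOMAIN when nothing is cached for it) is not modelled here; it lives in how the real resolver orders its queries, not in this per-response check.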