Verisign bogosity {Scanned by HJMS}

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Tue Sep 16 15:44:30 IST 2003


But Verisign owns the .com zone, and you'll get that wildcard from any
server hosting the zone.  Seems like what we need is mirrors that refuse the
wildcard.  Any thoughts on how to selectively override records in a zone on
the net?

--
Trever


> -----Original Message-----
> From: Remco Barendse [mailto:mailscanner at BARENDSE.TO]
> Sent: Tuesday, September 16, 2003 9:30 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Verisign bogosity {Scanned by HJMS}
>
>
> The firewall rule would block access to the Verisign server, therefore the
> domain will never resolve (this is the way it ought to be) because your
> dns server cannot reach it (supposing you are running your own name
> servers!).
>
> Remco
>
>
> On Tue, 16 Sep 2003, Rose, Bobby wrote:
>
> > How would a firewall stop this?  A firewall won't keep the MTA from
> > resolving the bogus domain to that IP, correct?  It also wouldn't keep SA
> > from resolving it as part of the dns checks.
> >
> > -----Original Message-----
> > From: Remco Barendse [mailto:mailscanner at BARENDSE.TO]
> > Sent: Tuesday, September 16, 2003 9:59 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Verisign bogosity
> >
> >
> > I have created a firewall rule that silently drops all packets sent to
> > this ip.
> >
> > Mail seems to be flowing normally and all fake .com crap is still
> > rejected.
> >
> > On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
> >
> > > Gang,
> > >    Hold that thought...  I added 64.94.110.11 to my blackhole list,
> > > and things slowly ground to a halt over the next hour.  Hmmm.. I had
> > > to back this out of my DNS.  Wonder why it didn't work?  I have
> > > notified Verisign that I won't be renewing my certs with them in
> > > October.
> > >
> > > --- Jeff Earickson
> > >
> > > On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
> > >
> > > > Date: Tue, 16 Sep 2003 08:40:09 -0400
> > > > From: Jeff A. Earickson <jaearick at colby.edu>
> > > > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: Verisign bogosity
> > > >
> > > > Gang,
> > > >
> > > > If you run a modern version of bind, simply blackhole the Verisign
> > > > number.  This is what I have in my bind boot files:
> > > >
> > > >     #---blackhole queries from RFC1918 private addresses
> > > >     #---routes to them are never advertised, so don't waste time
> > > >     #---see p. 284, DNS&Bind version 4
> > > >     #---64.94.110.11 is Verisign's bogus server.
> > > >     blackhole {
> > > >         10/8;
> > > >         172.16/12;
> > > >         192.168/16;
> > > >         64.94.110.11;
> > > >     };
> > > >
> > > > I've changed my bind configs to do this; I suggest this ASAP.
> > > >
> > > > -----------------------------------
> > > > Jeff A. Earickson, Ph.D
> > > > Senior UNIX Sysadmin and Email Guru
> > > > Information Technology Services
> > > > Colby College, 4214 Mayflower Hill,
> > > > Waterville ME, 04901-8842
> > > > phone: 207-872-3659 (fax = 3076)
> > > > -----------------------------------
> > > >
> > >
> >
>
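The thread raises two practical questions: does the .com wildcard reach your resolver, and how can the mail side refuse it? The following is an added example, not code from any of the posts above: a Python check that probes a random nonexistent .com name, plus a strict resolver wrapper that turns an answer consisting only of the sinkhole address 64.94.110.11 (the address named in the thread) back into "no such domain". The `fake_lookup` table and the `example.com` address are constructed so the example runs offline; `system_lookup` uses the real resolver.

```python
import random
import socket
import string

# Wildcard target address named in the thread (from the page).
SINKHOLE_ADDRS = {"64.94.110.11"}


def random_probe_name(tld="com", length=24):
    """Build a name that should not exist under tld; an answer means a wildcard is in play."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(random.choice(alphabet) for _ in range(length))
    return f"{label}.{tld}"


def system_lookup(name):
    """A records from the system resolver, or [] when the name does not exist."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def wildcard_active(lookup=system_lookup, tld="com"):
    """True if a nonexistent name under tld resolves to a known sinkhole address."""
    return any(a in SINKHOLE_ADDRS for a in lookup(random_probe_name(tld)))


def resolve_strict(name, lookup=system_lookup):
    """Resolve name, but report a sinkhole-only answer as 'no such domain' ([])."""
    addrs = lookup(name)
    if addrs and all(a in SINKHOLE_ADDRS for a in addrs):
        return []
    return addrs


# Constructed stand-in for a resolver sitting behind the .com wildcard:
# one legitimate zone, every other .com name answered with the sinkhole.
_FAKE_ZONE = {"example.com": ["192.0.2.10"]}  # 192.0.2.0/24 is documentation space


def fake_lookup(name):
    if name in _FAKE_ZONE:
        return list(_FAKE_ZONE[name])
    if name.endswith(".com"):
        return sorted(SINKHOLE_ADDRS)
    return []
```

Run `wildcard_active()` with no arguments against a live resolver to see whether the wildcard is visible from your network; `resolve_strict` is the hook an MTA or DNS-check script would call instead of a plain lookup.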