Verisign bogosity
Stijn Jonker
SJCJonker at SJC.NL
Tue Sep 16 15:45:34 IST 2003
Remco and others,
If I understand the Verisign hijack/fix/option correctly, they added a
wildcard record in the root .com zone. As a result the "authoritative"
servers for any non-existent zone/host are the gtld root servers.
By blocking the single specific address you are only blocking the data
flows from and to that particular host.
Some tests:
[sjonker at ph-wks-01 sjonker]$ dig ns non-existant-domain-jskjdlk.com
; <<>> DiG 9.2.1 <<>> ns non-existant-domain-jskjdlk.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9980
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;non-existant-domain-jskjdlk.com. IN NS
;; AUTHORITY SECTION:
com. 10800 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 2003091600 1800 900 604800 86400
;; Query time: 135 msec
;; SERVER: 192.168.175.101#53(192.168.175.101)
;; WHEN: Tue Sep 16 16:43:24 2003
;; MSG SIZE rcvd: 122
After a blacklist for 64.94.110.11,
any non-existent entry still resolves to the above address.
I don't think there is an easy way to block the resolving.
Remco Barendse said the following on 09/16/2003 04:30 PM:
| The firewall rule would block access to the Verisign server, therefore the
| domain will never resolve (this is the way it ought to be) because your
| dns server cannot reach it (supposing you are running your own name
| servers!).
|
| Remco
|
|
| On Tue, 16 Sep 2003, Rose, Bobby wrote:
|
|
|>How would a firewall stop this? A firewall won't keep the MTA from
|>resolving the bogus domain to that IP, correct? It also wouldn't keep SA
|>from resolving it as part of the DNS checks.
|>
|>-----Original Message-----
|>From: Remco Barendse [mailto:mailscanner at BARENDSE.TO]
|>Sent: Tuesday, September 16, 2003 9:59 AM
|>To: MAILSCANNER at JISCMAIL.AC.UK
|>Subject: Re: Verisign bogosity
|>
|>
|>I have created a firewall rule that silently drops all packets sent to
|>this ip.
|>
|>Mail seems to be flowing normally and all fake .com crap is still
|>rejected.
|>
|>On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
|>
|>
|>>Gang,
|>> Hold that thought... I added 64.94.110.11 to my blackhole list,
|>>and things slowly ground to a halt over the next hour. Hmmm.. I had
|>>to back this out of my DNS. Wonder why it didn't work? I have
|>>notified Verisign that I won't be renewing my certs with them in
|>>October.
|>>
|>>--- Jeff Earickson
|>>
|>>On Tue, 16 Sep 2003, Jeff A. Earickson wrote:
|>>
|>>
|>>>Date: Tue, 16 Sep 2003 08:40:09 -0400
|>>>From: Jeff A. Earickson <jaearick at colby.edu>
|>>>Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
|>>>To: MAILSCANNER at JISCMAIL.AC.UK
|>>>Subject: Verisign bogosity
|>>>
|>>>Gang,
|>>>
|>>>If you run a modern version of bind, simply blackhole the Verisign
|>>>number. This is what I have in my bind boot files:
|>>>
|>>> #---blackhole queries from RFC1918 private addresses
|>>> #---routes to them are never advertised, so don't waste time
|>>> #---see p. 284, DNS&Bind version 4
|>>> #---64.94.110.11 is Verisign's bogus server.
|>>> blackhole {
|>>> 10/8;
|>>> 172.16/12;
|>>> 192.168/16;
|>>> 64.94.110.11;
|>>> };
|>>>
|>>>I've changed my bind configs to do this; I suggest this ASAP.
|>>>
|>>>-----------------------------------
|>>>Jeff A. Earickson, Ph.D
|>>>Senior UNIX Sysadmin and Email Guru
|>>>Information Technology Services
|>>>Colby College, 4214 Mayflower Hill,
|>>>Waterville ME, 04901-8842
|>>>phone: 207-872-3659 (fax = 3076)
|>>>-----------------------------------
|>>>
|>>
--
Kind regards / Yours Sincerely
Stijn Jonker <SJCJonker at sjc.nl>
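Since blocking the address cannot turn a synthesized wildcard answer back into NXDOMAIN, the useful check is to recognise that answer shape when it comes back from the resolver. As an added example (not code from the thread or any of its participants), the parser below classifies a raw DNS response as NXDOMAIN, NODATA (the NOERROR/empty-answer shape in the dig output above), WILDCARD (an A record pointing at 64.94.110.11) or a genuine ANSWER. `build_response` and the messages it produces are constructed test data, and treating that address as NXDOMAIN-equivalent is this example's own assumption.

```python
import struct
# Address the thread discusses; treating an A record for it as NXDOMAIN is this example's assumption.
SINKHOLE = {"64.94.110.11"}

def _read_name(msg, off):
    """Decode a DNS name at off, following compression pointers; return (name, end)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = end if jumped else off + 2        # caller resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)

def classify(msg):
    """Classify a raw DNS response as NXDOMAIN, NODATA, WILDCARD (sinkhole A) or ANSWER."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F == 3:                         # RCODE 3 = NXDOMAIN
        return "NXDOMAIN"
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    addrs = []
    for _ in range(an):                             # collect A records from the answer section
        _, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    if not addrs:
        return "NODATA"                             # e.g. NOERROR with only an SOA in AUTHORITY
    return "WILDCARD" if all(a in SINKHOLE for a in addrs) else "ANSWER"

def build_response(qname, rcode, answer_ip=None):
    """Construct a minimal A-query response (constructed test data, not a real capture)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    body = q + struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN
    if answer_ip:                                   # answer owner = pointer to the question name
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 900, 4) + bytes(int(x) for x in answer_ip.split("."))
    return struct.pack("!HHHHHH", 9980, 0x8180 | rcode, 1, 1 if answer_ip else 0, 0, 0) + body
```

An MTA or SpamAssassin-style check that treats WILDCARD the same as NXDOMAIN gets its sender-domain rejection back without touching the firewall.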