Verisign bogosity {Scanned by HJMS}
Furnish, Trever G
TGFurnish at HERFF-JONES.COM
Tue Sep 16 17:59:43 IST 2003
Which will just lead to a battle with verisign as they begin to rotate their
addresses - it won't solve the problem.
There's also a patch out there that uses iptables to deny any packets
containing a wildcard response - which will just cause verisign to start
returning an A record instead of a wildcard response.
Gee, wouldn't it be nice if the move to an organization not controlled by
any specific government (ICANN) had been qualified as a move to an
organization without a profit motive?
> -----Original Message-----
> From: John Rudd [mailto:jrudd at UCSC.EDU]
> Sent: Tuesday, September 16, 2003 11:15 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Verisign bogosity {Scanned by HJMS}
>
>
> someone is also developing a bind patch that answers 'non-existent
> domain' if the answer is 64.94.110.11.
>
>
> On Tuesday, Sep 16, 2003, at 05:40 US/Pacific, Jeff A.
> Earickson wrote:
>
> >
> > Gang,
> >
> > If you run a modern version of bind, simply blackhole the
> > Verisign number. This is what I have in my bind boot files:
> >
> > #---blackhole queries from RFC1918 private addresses
> > #---routes to them are never advertised, so don't waste time
> > #---see p. 284, DNS&Bind version 4
> > #---64.94.110.11 is Verisign's bogus server.
> > #---blackhole lives inside options{}: named will neither accept
> > #---queries from these addresses nor send queries to them
> > options {
> >     blackhole {
> >         10/8;
> >         172.16/12;
> >         192.168/16;
> >         64.94.110.11;
> >     };
> > };
> >
> > I've changed my bind configs to do this, I suggest this ASAP.
> >
> > -----------------------------------
> > Jeff A. Earickson, Ph.D
> > Senior UNIX Sysadmin and Email Guru
> > Information Technology Services
> > Colby College, 4214 Mayflower Hill,
> > Waterville ME, 04901-8842
> > phone: 207-872-3659 (fax = 3076)
> > -----------------------------------
>
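As an added example (not code from anyone in this thread, and not the bind patch John mentions), here is the rewrite John describes, done as a small DNS wire-format filter in Python: if an A record in the answer section is the Site Finder address, the reply is turned into "non-existent domain". The address set is configurable rather than a single hard-coded value, since, as Trever points out, one address is easy for the registry to rotate. The function names, the WILDCARD_ADDRS set and the sample response are my own; the response is constructed inline, not captured traffic.

```python
"""Turn a DNS answer that carries a known wildcard A record into NXDOMAIN.

Added example, not code from this thread.  Implements the idea John Rudd
describes (answer "non-existent domain" when the answer is 64.94.110.11),
with the address set made configurable because, as Trever points out, a
single hard-coded address is easy for the registry to rotate.
"""
import socket
import struct

# Addresses whose presence as an answer A record marks a wildcard reply.
# 64.94.110.11 comes from the thread; anything else you add is an assumption.
WILDCARD_ADDRS = {"64.94.110.11"}

TYPE_A = 1
RCODE_NXDOMAIN = 3


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                  # root label: end of name
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends name
            return off + 2
        off += 1 + length


def _end_of_questions(msg):
    """Offset where the question section ends (answer section begins)."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # QTYPE + QCLASS
    return off


def rcode(msg):
    """RCODE from the flags word (low four bits)."""
    return struct.unpack("!H", msg[2:4])[0] & 0xF


def answer_a_records(msg):
    """Dotted-quad addresses of the A records in the answer section."""
    if len(msg) < 12:
        raise ValueError("short header")
    ancount = struct.unpack("!H", msg[6:8])[0]
    off = _end_of_questions(msg)
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
        off += rdlen
    return addrs


def rewrite_wildcard(msg, wildcard_addrs=WILDCARD_ADDRS):
    """Pass msg through unless an answer A record is a wildcard address;
    in that case return an NXDOMAIN reply with the same ID and question,
    and with the answer, authority and additional sections dropped."""
    if not any(a in wildcard_addrs for a in answer_a_records(msg)):
        return msg
    ident, flags, qdcount = struct.unpack("!3H", msg[:6])
    flags = (flags & 0xFFF0) | RCODE_NXDOMAIN   # keep QR/RD/RA bits, set RCODE
    header = struct.pack("!6H", ident, flags, qdcount, 0, 0, 0)
    return header + msg[12:_end_of_questions(msg)]


def build_response(ident, qname, addr):
    """Constructed test input (not captured traffic): a one-answer A reply
    whose answer name is a compression pointer back to the question."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = name + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 900, 4) + socket.inet_aton(addr)
    return header + question + answer


if __name__ == "__main__":
    sitefinder = build_response(0x1234, "nosuchdomain.com", "64.94.110.11")
    fixed = rewrite_wildcard(sitefinder)
    print("rcode", rcode(fixed), "answers", answer_a_records(fixed))   # rcode 3 answers []
    legit = build_response(0x1235, "example.com", "192.0.2.1")
    print("unchanged:", rewrite_wildcard(legit) == legit)             # unchanged: True
```

This belongs wherever you can see the reply before the client does (a local forwarder, a transparent UDP/53 proxy). It has the weakness Trever names: it matches on the address, so it only works as long as the wildcard keeps resolving to something in the set. The more robust version of the same idea, which ISC later shipped as the delegation-only zone type in BIND 9.2.3, refuses any answer from the .com servers that is not a delegation, regardless of address.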