Verisign bogosity {Scanned by HJMS}

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Tue Sep 16 17:59:43 IST 2003


Which will just lead to a battle with Verisign as they begin to rotate their
addresses - it won't solve the problem.

There's also a patch out there that uses iptables to deny any packets
containing a wildcard response - which will just cause Verisign to start
returning an A record instead of a wildcard response.

Gee, wouldn't it be nice if the move to an organization not controlled by
any specific government (ICANN) had been qualified as a move to an
organization without a profit motive?

> -----Original Message-----
> From: John Rudd [mailto:jrudd at UCSC.EDU]
> Sent: Tuesday, September 16, 2003 11:15 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Verisign bogosity {Scanned by HJMS}
>
>
> Someone is also developing a bind patch that answers 'nonexistent
> domain' if the answer is 64.94.110.11.
>
>
> On Tuesday, Sep 16, 2003, at 05:40 US/Pacific, Jeff A.
> Earickson wrote:
>
> >
> > Gang,
> >
> > If you run a modern version of bind, simply blackhole the
> > Verisign number.  This is what I have in my bind boot files:
> >
> >     #---blackhole queries from RFC1918 private addresses
> >     #---routes to them are never advertised, so don't waste time
> >     #---see p. 284, DNS&Bind version 4
> >     #---64.94.110.11 is Verisign's bogus server.
> >     blackhole {
> >         10/8;
> >         172.16/12;
> >         192.168/16;
> >         64.94.110.11;
> >     };
> >
> > I've changed my bind configs to do this, I suggest this ASAP.
> >
> > -----------------------------------
> > Jeff A. Earickson, Ph.D
> > Senior UNIX Sysadmin and Email Guru
> > Information Technology Services
> > Colby College, 4214 Mayflower Hill,
> > Waterville ME, 04901-8842
> > phone: 207-872-3659 (fax = 3076)
> > -----------------------------------
>
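
The reply's objection is that a filter keyed to the fixed address 64.94.110.11 stops working once the address rotates. The sketch below is an added example, not code from anyone in this thread or from the patches they mention: it probes random names that cannot be registered to learn whatever addresses the TLD currently returns, then reports NXDOMAIN for answers made up only of those addresses. The `resolve` callable, the fake resolver, `example.com` and the second pool address are assumptions constructed so the code runs offline.

```python
import secrets

def wildcard_addresses(resolve, tld, probes=3):
    """Addresses a TLD hands out for names that cannot exist.

    resolve(name) is an assumed callable returning a list of A-record
    strings, or [] for NXDOMAIN. Returns an empty set if any probe
    gets NXDOMAIN, i.e. the TLD is not wildcarded.
    """
    seen = set()
    for _ in range(probes):
        # 32 random hex characters: effectively never a registered name.
        addrs = resolve(f"{secrets.token_hex(16)}.{tld}")
        if not addrs:
            return set()
        seen.update(addrs)
    return seen

def filtered_lookup(resolve, name, wildcards):
    """Resolve name, reporting [] (NXDOMAIN) for pure wildcard answers."""
    addrs = resolve(name)
    # Caveat: a real domain hosted on a wildcard address is suppressed too.
    if addrs and set(addrs) <= wildcards:
        return []
    return addrs

def make_fake_resolver(registered, wildcard_pool):
    """Constructed stand-in for a resolver so the example runs offline."""
    calls = {"n": 0}
    def resolve(name):
        if name in registered:
            return [registered[name]]
        if wildcard_pool and name.endswith((".com", ".net")):
            addr = wildcard_pool[calls["n"] % len(wildcard_pool)]
            calls["n"] += 1
            return [addr]
        return []
    return resolve

# Constructed data: 64.94.110.11 is the address from the thread; the second
# pool entry simulates the address rotation the reply predicts.
REGISTERED = {"example.com": "192.0.2.10"}
ROTATING = make_fake_resolver(REGISTERED, ["64.94.110.11", "198.51.100.7"])

def demo():
    wild = wildcard_addresses(ROTATING, "com")
    return wild, filtered_lookup(ROTATING, "example.com", wild), \
        filtered_lookup(ROTATING, "no-such-name-typo.com", wild)

if __name__ == "__main__":
    print(demo())
```

The probe set has to be refreshed periodically, since the point of probing is that the wildcard addresses are not assumed to stay fixed.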