verisign - wildcard - bind - delegation-only {Scanned by HJMS }

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Wed Sep 17 16:19:54 IST 2003


> -----Original Message-----
> From: shrek-m at gmx.de [mailto:shrek-m at GMX.DE]
> Sent: Wednesday, September 17, 2003 7:49 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: verisign - wildcard - bind - delegation-only
> {Scanned by HJMS}
>
>
> hi,
>
> could this patch solve some ... ?
>
> http://www.isc.org/products/BIND/delegation-only.html
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104569
>

I don't think so - again (assuming I understand it - only looked at the
descriptions, not the code), they can counteract it easily, AND it seems
like it would break stuff.

Example: A look-up of www.sillyfakedomainname.com

The name server doing the lookup is going to reach a name server for com,
which will decide to synthesize an address record (based on its current
behavior).  It looks like this patch would allow you to ignore that A
record.  However, Verisign can easily get around this by instead returning
an NS record for sillyfakedomainname.com pointing to a dedicated name
server, which in turn returns an authoritative address record for the www
entry.  The address record for www is not blocked because
sillyfakedomainname.com is not a delegation-only domain.

And the bit that it seems like the patch would break is any non-NS RR for a
domain under .com.  For example, wondious.com has an address record and an
MX record and an NS record.  The way I'm reading the patch description is
that any non-NS RRs returned for wondious.com would be ignored by a server
that considered com a delegation-only domain, meaning that address
resolution and email would suddenly break for wondious.com.

I hope I'm misunderstanding the patch, because it seems like it could be
troublesome.
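To make the rule the thread is arguing about concrete, here is an added Python model of the delegation-only check as the ISC description and this reply characterise it: a server for a delegation-only zone is trusted only for delegations (NS records plus glue), and anything else it returns is treated as NXDOMAIN. This is example code written for this page, not the ISC patch or BIND's own implementation; the `RR`/`Response` types, the domain names and the TEST-NET addresses are all constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model of the delegation-only rule: a name server for a
# delegation-only zone (here "com") may only hand out delegations, i.e. NS
# records for names below the zone apex plus their glue. Any other data it
# returns, such as a synthesized wildcard A record, is discarded and the
# lookup is treated as NXDOMAIN. Addresses use 192.0.2.0/24 (TEST-NET-1).


@dataclass
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    qname: str
    responder_zone: str  # zone the answering server is authoritative for
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


DELEGATION_ONLY = {"com"}


def is_delegation(rr: RR, zone: str) -> bool:
    """An NS record counts as a delegation only for a name strictly below the zone apex."""
    return rr.rtype == "NS" and rr.name != zone and rr.name.endswith("." + zone)


def filter_delegation_only(resp: Response) -> Tuple[str, List[RR]]:
    """Return ("answer", rrs), ("referral", rrs) or ("nxdomain", [])."""
    if resp.responder_zone not in DELEGATION_ONLY:
        # Ordinary zone: answers and referrals are passed through untouched.
        if resp.answer:
            return ("answer", list(resp.answer))
        ns = [rr for rr in resp.authority if rr.rtype == "NS"]
        return ("referral", ns) if ns else ("nxdomain", [])

    # Delegation-only zone: the answer section is ignored entirely; only a
    # delegation (NS below the apex, plus matching glue) survives.
    ns = [rr for rr in resp.authority if is_delegation(rr, resp.responder_zone)]
    if not ns:
        return ("nxdomain", [])
    ns_targets = {rr.rdata for rr in ns}
    glue = [rr for rr in resp.additional if rr.rtype == "A" and rr.name in ns_targets]
    return ("referral", ns + glue)


def resolve(chain: List[Response]) -> Tuple[str, List[RR]]:
    """Walk a constructed sequence of per-hop responses, filtering each hop."""
    for resp in chain:
        status, rrs = filter_delegation_only(resp)
        if status != "referral":
            return (status, rrs)
    return ("nxdomain", [])


# --- constructed responses for the two cases the reply describes ---

def synthesized_wildcard() -> Response:
    # The com server answers directly with an A record for a nonexistent name.
    return Response("www.sillyfakedomainname.com", "com",
                    answer=[RR("www.sillyfakedomainname.com", "A", "192.0.2.1")])


def proper_referral() -> Response:
    # The com server delegates sillyfakedomainname.com to a dedicated server.
    return Response("www.sillyfakedomainname.com", "com",
                    authority=[RR("sillyfakedomainname.com", "NS",
                                  "ns1.sillyfakedomainname.com")],
                    additional=[RR("ns1.sillyfakedomainname.com", "A", "192.0.2.2")])


def delegated_answer() -> Response:
    # The dedicated server is authoritative for its own zone, so its answer
    # is not subject to the com delegation-only rule at all.
    return Response("www.sillyfakedomainname.com", "sillyfakedomainname.com",
                    answer=[RR("www.sillyfakedomainname.com", "A", "192.0.2.3")])


if __name__ == "__main__":
    print("wildcard A from com  ->", filter_delegation_only(synthesized_wildcard())[0])
    print("referral from com    ->", filter_delegation_only(proper_referral())[0])
    print("full chain           ->", resolve([proper_referral(), delegated_answer()])[0])
```

Running it shows the two sides of the argument above: the synthesized A record from the com server is reduced to NXDOMAIN, while a chain consisting of a normal referral followed by an answer from the delegated server passes through unchanged, because the rule only ever inspects what the delegation-only zone's servers say, not the server they delegate to.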



More information about the MailScanner mailing list