verisign - wildcard - bind - delegation-only {Scanned by HJMS }

Ryan Weaver ryanw at FALSEHOPE.COM
Wed Sep 17 18:39:58 IST 2003


        Actually, yes. This patch was specifically developed to counteract
actions like what VeriSign is doing...

        Setting the zone "com" to delegation only means that if the root
servers that control delegation for com respond with anything other than NS
and RR records, those errant records will be ignored...

        And therefore, no matter what IP VeriSign gives to the wildcard on
the gtld servers, the patch ignores it and proceeds working as you'd expect
before VeriSign pulled this...
-----Original Message-----
> From: MailScanner mailing list 
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Furnish, Trever G
> Sent: Wednesday, September 17, 2003 10:20 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: verisign - wildcard - bind - delegation-only 
> {Scanned by HJMS }
> 
> 
> > -----Original Message-----
> > From: shrek-m at gmx.de [mailto:shrek-m at GMX.DE]
> > Sent: Wednesday, September 17, 2003 7:49 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: verisign - wildcard - bind - delegation-only
> > {Scanned by HJMS}
> >
> >
> > hi,
> >
> > could this patch solve some ... ?
> >
> > http://www.isc.org/products/BIND/delegation-only.html
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104569
> >
> 
> I don't think so - again (assuming I understand it - only looked at the
> descriptions, not the code), they can counteract it easily, AND it seems
> like it would break stuff.
> 
> Example: A look-up of www.sillyfakedomainname.com
> 
> The name server doing the lookup is going to reach a name server for com,
> which will decide to synthesize an address record (based on its current
> behavior).  It looks like this patch would allow you to ignore that A
> record.  However, Verisign can easily get around this by instead returning
> an NS record for sillyfakedomainname.com pointing to a dedicated name
> server, which in turn returns an authoritative address record for the www
> entry.  The address record for www is not blocked because
> sillyfakedomainname.com is not a delegation-only domain.
> 
> And the bit that it seems like the patch would break is any non-NS RR for a
> domain under .com.  For example, wondious.com has an address record and an
> MX record and an NS record.  The way I'm reading the patch description is
> that any non-NS RRs returned for wondious.com would be ignored by a server
> that considered com a delegation-only domain, meaning that address
> resolution and email would suddenly break for wondious.com.
> 
> I hope I'm misunderstanding the patch, because it seems like it could be
> troublesome.
> 
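The delegation-only check the two messages above are arguing about, as an added toy model (not BIND's code and not from either poster): it applies the rule to constructed responses for the lookups they describe. Zone names follow the thread; the name-server names and the 192.0.2.0/24 addresses are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str     # owner name
    rtype: str    # A, NS, MX, ...
    rdata: str
    section: str  # "answer", "authority" or "additional"


DELEGATION_ONLY = {"com"}  # zones configured as delegation-only


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def filter_response(server_zone: str, qname: str, records: list[RR]):
    """Apply the delegation-only rule to one response from a server that is
    authoritative for server_zone.  Returns ("pass", records) when the
    response is accepted and ("nxdomain", []) when the rule rejects it."""
    if server_zone not in DELEGATION_ONLY or qname == server_zone:
        return "pass", records  # rule does not apply to this server/name
    # Only a referral is acceptable: NS records in the authority section
    # for a name below the zone, plus glue addresses for those servers.
    ns = [r for r in records if r.rtype == "NS" and r.section == "authority"
          and in_zone(r.name, server_zone) and r.name != server_zone]
    if not ns:
        return "nxdomain", []
    glue_names = {r.rdata for r in ns}
    for r in records:
        if r.section == "answer":
            return "nxdomain", []  # data answered directly by the TLD server
        if r.section == "additional" and r.name not in glue_names:
            return "nxdomain", []  # additional data that is not glue
    return "pass", records


# Constructed sample responses (server names and addresses are placeholders).
SYNTHESIZED_A = [RR("www.sillyfakedomainname.com", "A", "192.0.2.10", "answer")]
REFERRAL_WORKAROUND = [
    RR("sillyfakedomainname.com", "NS", "ns.placeholder.example", "authority"),
    RR("ns.placeholder.example", "A", "192.0.2.20", "additional"),
]
NORMAL_REFERRAL = [
    RR("wondious.com", "NS", "ns1.wondious.com", "authority"),
    RR("ns1.wondious.com", "A", "192.0.2.30", "additional"),
]
```

Running SYNTHESIZED_A through the filter as a com-server response gives "nxdomain", while REFERRAL_WORKAROUND passes and the same A record then passes when the dedicated server (zone sillyfakedomainname.com, not delegation-only) returns it. The rule keys on which server answered, so a wondious.com MX is only dropped if the com servers themselves return it in the answer section.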