BIND Strikes Back Against VeriSign's Site Finder

timothy posted more than 11 years ago | from the checks-and-balances dept.

The Internet 582

BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."

582 comments

Verislime (2, Interesting)

Anonymous Coward | more than 11 years ago | (#6984436)

#!/bin/sh
function get_char(){ local GOOD=0;while [ $GOOD == 0 ];do RAND_C="$(dd if=/dev/urandom bs=1 count=1 2>>/dev/null)";if [ $(echo "$RAND_C" | grep [0-9A-Za-z]) ];then GOOD=1;fi;done;};function get_string(){ local INDEX=0;while [ $INDEX != 32 ];do get_char;RAND_STR[$INDEX]=$RAND_C;let INDEX++;done;};get_string;URI=$(echo "${RAND_STR[@]}" | tr -d ' ');wget -O - $URI.com >>/dev/null 2>>/dev/null;exit 1

I am so proud... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6984437)

YES!

fp (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6984439)

neuennene !!!

FPFPFPFFPF

Phew (-1, Troll)

paulhar (652995) | more than 11 years ago | (#6984440)

That's all right then. All we need now is Microsoft to fix Windows too and we'll be saved!

Re:Phew (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6984480)

Only Jesus saves, my friend. You could have the buggiest operating system in the world, you could have the blackest heart in the world, but if you truly open your heart to Jesus and let the Holy Spirit into your soul you will be saved, as Jesus promised through his disciple Paul.

God loves you.

didn't they already do that? (1, Interesting)

LostboyTNT (690953) | more than 11 years ago | (#6984527)

I seem to remember certain 'default' browser settings, that would automatically re-direct unknown queries to a related MSN search page.

Re:didn't they already do that? (4, Insightful)

AKnightCowboy (608632) | more than 11 years ago | (#6984604)

I seem to remember certain 'default' browser settings, that would automatically re-direct unknown queries to a related MSN search page.

Having an application do that is completely different than having what is essentially one of the only Internet "utilities" do it without your consent. Redirecting queries is the job of an application, not the DNS root servers. There's a reason looking up non-registered domains returns an NXDOMAIN, because the RFC says it should!

Great news. (-1, Offtopic)

Genghis Troll (158585) | more than 11 years ago | (#6984443)

Son House's place, not only in the history of Delta blues, but in the overall history of the music, is a very high one indeed. He was a major innovator of the Delta style, along with his playing partners Charley Patton and Willie Brown. Few listening experiences in the blues are as intense as hearing one of Son House's original 1930s recordings for the Paramount label. Entombed in a hailstorm of surface noise and scratches, one can still be awestruck by the emotional fervor House puts into his singing and slide playing. Little wonder then, that the man became more than just an influence on some White English kid with a big amp; he was the main source of inspiration to both Muddy Waters and Robert Johnson, and it doesn't get much more pivotal than that. Even after his rediscovery in the mid-'60s, House was such a potent musical force that what would have been a normally genteel performance by any other bluesmen in a "folk" setting, turned into a night in the nastiest juke joint you could imagine, scaring the daylights out of young White enthusiasts expecting something far more prosaic and comfortable. Not out of Son House, no sir. When the man hit the downbeat on his National steel bodied guitar and you saw his eyes disappear into the back of his head, you knew you were going to hear some blues. And when he wasn't shouting the blues, he was singing spirituals, a cappella. Right up to the end, no bluesman was torn between the sacred and the profane more than Son House.
He was born Eddie James House, Jr., on March 21, 1902, in Riverton, MS. By the age of 15, he was preaching the gospel in various Baptist churches as the family seemingly wandered from one plantation to the next. He didn't even bother picking up a guitar until he turned 25; to quote House, "I didn't like no guitar when I first heard it; oh gee, I couldn't stand a guy playin' a guitar. I didn't like none of it." But if his ambivalence to the instrument was obvious, even more obvious was the simple fact that Son hated plantation labor even more and had developed a taste for corn whiskey. After drunkenly launching into a blues at a house frolic in Lyon, MS, one night and picking up some coin for doing it, the die seemed to be cast; Son House may have been a preacher, but he was part of the blues world now.

If the romantic notion that the blues life is said to be a life full of trouble is true, then Son found a barrel of it one night at another house frolic in Lyon. He shot a man dead that night and was immediately sentenced to imprisonment at Parchman Farm. He ended up only serving two years of his sentence, with his parents both lobbying hard for his release, claiming self defense. Upon his release -- after a Clarksdale judge told him never to set foot in town again -- he started a new life in the Delta as a full-time man of the blues.

After hitchhiking and hoboing the rails, he made it down to Lula, MS, and ran into the most legendary character the blues had to offer at that point, the one and only Charley Patton. The two men couldn't have been less similar in disposition, stature and in musical and performance outlook if they had purposely planned it that way. Patton was described as a funny, loud mouthed little guy, who was a noisy, passionate showman, using every trick in the book to win over a crowd. The tall and skinny House was by nature a gloomy man, with a saturnine disposition who still felt extremely guilt-ridden about playing the blues and working in juke joints. Yet when he ripped into one, Son imbued it with so much raw feeling that the performance became the show itself, sans gimmicks. The two of them argued and bickered constantly, and the only thing these two men seemed to have in common was a penchant for imbibing whatever alcoholic potable came their way. Though House would later refer in interviews to Patton as a "jerk" and other unprintables, it was Patton's success as a bluesman -- both live and especially on record -- that got Son's foot in the door as a recording artist. He followed Patton up to Grafton, WI, and recorded a handful of sides for the Paramount label. These records today (selling scant few copies in their time, and the few that did surviving a life of huge steel needles, even bigger scratches and generally lousy care) are some of the most highly prized collector's items of Delta blues recordings, much tougher to find than, say, a Robert Johnson or even a Charley Patton 78. Paramount used a pressing compound for their 78 singles that was so noisy and inferior sounding, that should someone actually come across a clean copy of any of Son's original recordings, it's a pretty safe bet that the listener would still be greeted with a blizzard of surface noise once the needle made contact with the disc.

But audio concerns aside, the absolutely demonic performances House laid down on these three two-part 78s ("My Black Mama," "Preachin' the Blues," and "Dry Spell Blues," with an unreleased test acetate of "Walkin' Blues" showing up decades later) cut through the hisses and pops like a brick through a stained glass window.

It was those recordings that led Alan Lomax to his door in 1941 to record him for the Library of Congress. Lomax was cutting acetates on a "portable" recording machine weighing over 300 pounds. Son was still playing (actually at the peak of his powers, some would say), but had backed off of it a bit since Charley Patton died in 1934. House did some tunes solo, as Lomax asked him to do, but also cut a session backed by a rocking little string band. As the band laid down long and loose (some tracks went on for over six minutes) versions of their favorite numbers, all that was missing was the guitars being plugged in and a drummer's back beat and you were getting a glimpse of the future of the music.

But just as House had gone a full decade without recording, this time after the Lomax recordings, he just as quickly disappeared, moving to Rochester, NY. When folk blues researchers finally found him in 1964, he was cheerfully exclaiming that he hadn't touched a guitar in years. One of the researchers, a young guitarist named Alan Wilson (later of the blues-rock group Canned Heat) literally sat down and retaught Son House how to play like Son House. Once the old master was up to speed, the festival and coffeehouse circuit became his oyster. He recorded again, the recordings becoming an important introduction to his music and for some, a lot easier to take than those old Paramount 78s from a strict audio standpoint. In 1965, he played Carnegie Hall and four years later found himself the subject of an eponymously-titled film documentary, all of this another world removed from Clarksdale, MS, indeed. Everywhere he played, he was besieged by young fans, asking him about Robert Johnson, Charley Patton and others. For young White blues fans, these were merely exotic names from the past, heard only to them on old, highly prized recordings; for Son House they were flesh and blood contemporaries, not just some names on a record label. Hailed as the greatest living Delta singer still actively performing, nobody dared call themselves the king of the blues as long as Son House was around.

He fell into ill health by the early '70s; what was later diagnosed as both Alzheimer's and Parkinson's disease first affected his memory and his ability to recall songs onstage and later, his hands, which shook so bad he finally had to give up the guitar and eventually live performing altogether by 1976. He lived quietly in Detroit, MI, for another 12 years, passing away on October 19, 1988. His induction into the Blues Foundation's Hall of Fame in 1980 was no less than his due. Son House was the blues.

That sucks (-1, Offtopic)

Dancin_Santa (265275) | more than 11 years ago | (#6984445)

And then life goes on.

Yeah, only SPAM, sure. (1, Interesting)

garcia (6573) | more than 11 years ago | (#6984452)

The ISPs involved (according to the article) claim that they are upset that this stops their spam detection.

While that is all well and good, as a CUSTOMER, I could care less about SPAM detection. What I care about is when I suffer from the Slashdot effect (transposing of letters when I type) and I get some sponsored advertising, I would be pretty pissed off.

So BIND blocks this won't Verisign just make another "patch" and fix the glitch?

Re:Yeah, only SPAM, sure. (5, Informative)

Anonymous Coward | more than 11 years ago | (#6984485)

Actually, you do not get anything at the moment. 64.94.110.11 is currently not responding, no doubt under a deluge of requests. While this isn't such a big deal for those who have mistyped a domain name in their browser, it will certainly cause a hell of a problem for mailers around the globe. Remember that Verisign have set up "dummy" mailer daemons on port 25 to ensure mis-directed mail got bounced immediately, rather than sit in the mail queue? Well now the mailers can't contact that dummy daemon, and the mail is building up in the queues.

I hope some large ISP's bring action against Verisign for breaking their email systems like that.

In the meantime, if you want to help keep Verisigns SiteFinder off the internet, try this simple script in a while loop:
#!/bin/sh
function get_char(){ local GOOD=0;while [ $GOOD == 0 ];do RAND_C="$(dd if=/dev/urandom bs=1 count=1 2>>/dev/null)";if [ $(echo "$RAND_C" | grep [0-9A-Za-z]) ];then GOOD=1;fi;done;};function get_string(){ local INDEX=0;while [ $INDEX != 32 ];do get_char;RAND_STR[$INDEX]=$RAND_C;let INDEX++;done;};get_string;URI=$(echo "${RAND_STR[@]}" | tr -d ' ');wget -O - $URI.com >>/dev/null 2>>/dev/null;exit 1

could NOT care less you idiot (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6984489)

I'm fed up with dickhead like you saying "could care less" instead of "could not care less".

And for fuck's sake, it's called "spam" not "SPAM" you inbred motherfucker.

Re:could NOT care less you idiot (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6984509)

I am fed up with people that use contractions instead of using the correct form: "I'm" instead of "I am".

Also, using bad grammar such as "I'm fed up with dickhead like you" instead of "I'm fed up with dickheads like you".

MORON.

dickhead is plural, faghag! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6984525)

Same as sheep, fish, and cuntstubble.

You should know, you are all 4.

Re:could NOT care less you idiot (-1, Offtopic)

AndroidCat (229562) | more than 11 years ago | (#6984521)

Unfortunately, the (mis)use of "could care less" goes back at least a century or two. (I'd check exactly how long, but I could care less--but only if I really really work at caring less.)

Re:could NOT care less you idiot (0, Offtopic)

wiggys (621350) | more than 11 years ago | (#6984550)

Unfortunately, the (mis)use of "could care less" goes back at least a century or two.

What irritates me more is when people refer to junk email as "SPAM" instead of "spam" (it's not an acronym... and speaking of acronyms, when did we stop putting dots between the letters? It used to be R.S.P.C.A, now RSPCA is ok. And when did we start saying "dot" instead of "full stop" or "period"? Maybe we can blame the web for this!)

Similarly, "Mac" refers to a computer sold by Apple, whereas "MAC" is a unique number found in network cards.

Re:could NOT care less you idiot (0, Funny)

Anonymous Coward | more than 11 years ago | (#6984583)

whereas "MAC" is a unique number found in network cards.

Don't you mean a M.A.C.? :^P

Re:Yeah, only SPAM, sure. (0)

Anonymous Coward | more than 11 years ago | (#6984491)

You also SUFFER from random CAPITALIZATION. (Detecting SPAM is easy, the familiar can is a tip-off. Lower-case spam email is harder.)

Verislime can change the IP address returned, but a filter of their entire range should work.

Re:Yeah, only SPAM, sure. (4, Funny)

AKnightCowboy (608632) | more than 11 years ago | (#6984518)

So BIND blocks this won't Verisign just make another "patch" and fix the glitch?

Not if they make it in a configurable way to let you choose what IP Verisign is redirecting to. Then again, Verisign is a bunch of Dope Smoking Pedophiles [dopesmokin...philes.com] , as referenced by this Internet Web site they have registered. Let's not forget they're also a bunch of Clueless DNS whores [cluelessdnswhores.com] . Oh yes, and I heard Verisign supports terrorists at this page: here.. [weloveinte...rorism.com] .

Verisign needs to be shut down for these un-American and clearly criminal web sites. Someone notify John Ashcroft, quickly!

Re:Yeah, only SPAM, sure. (4, Insightful)

Zocalo (252965) | more than 11 years ago | (#6984616)

Actually, ISC has been smarter than that. What they have done is allow certain domains to be designated "delegation only". That means, in a nutshell, you can specify for instance ".net" and ISC will automatically return NXDOMAIN for anything other than an NS pointer at that level. This in effect will wipe out wildcarding at the TLD/GLD levels for which it is configured, and if you wished you could even extend it to block wildcarding of things like "*.uk.com".

Re:Yeah, only SPAM, sure. (0)

Burlynerd (535250) | more than 11 years ago | (#6984532)

Verisign has now invented DNS Spamming. I guess they will now start hiring hackers to get their spamming past the various types of blocks that we put up.

As with email spam, Congress will lack the cojones to stop the Verisign spam, and it will be another ongoing battle for the citizens to handle for themselves. Egad.

Time to redefine that IP address...

Re:Yeah, only SPAM, sure. (1)

@madeus (24818) | more than 11 years ago | (#6984545)

What I care about is when I suffer from the Slashdot effect (transposing of letters when I type)

Transposing letters is not (and never has been) the 'Slashdot effect' [jargon.mu.nu] .

Re:Yeah, only SPAM, sure. (5, Funny)

dm(Hannu) (649585) | more than 11 years ago | (#6984603)

Transposing letters is not (and never has been) the 'Slashdot effect'.

Exactly. The correct term for this is Sldahost efcfet [slashdot.org]

Re:Yeah, only SPAM, sure. (1)

geggibus (316979) | more than 11 years ago | (#6984576)

There's other solutions right now.. i guess both spammers and verizons mail rejector won't like my sig.. (do not click!, 5mb random@random.com/net)

"couldn't care less" (0)

Gordonjcp (186804) | more than 11 years ago | (#6984609)

"Could care less" implies you care at least to some degree.

Re:Yeah, only SPAM, sure. (1)

LostCluster (625375) | more than 11 years ago | (#6984657)

The BIND patch simply has to disregard any line that assigns an IP address to "*.net" and "*.com"... TLDs shouldn't have wildcard entries.

Excellent! (4, Insightful)

Ratface (21117) | more than 11 years ago | (#6984453)

Thereby helping to prove the old adage that the Internet will just route around regulation! (OK, it's not strictly regulation, but with any luck Verisign will find that "controlling" the underlying technology of the Internet is not as easy as they first thought).

Natural Adaptation. (1)

subk (551165) | more than 11 years ago | (#6984577)

The Internet now holds the same properties as Atmosphere and Ocean. This cannot last. Nature will find a way, and soon.

Squatting (-1, Redundant)

xpurple (1227) | more than 11 years ago | (#6984454)

Now that is domain name squatting taken to a new level.

Oh well, it was bound to happen at some point...

Re:Squatting (5, Interesting)

richie2000 (159732) | more than 11 years ago | (#6984472)

Oh well, it was bound to happen at some point...

The .nu [whatevercrap.nu] domain registry has been doing this for years.

Good for BIND (5, Insightful)

Empiric (675968) | more than 11 years ago | (#6984461)

Good... Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner, with no significant work at all on their part. Taking the whole DNS stack and turning it into a profit center by redirecting it at your whim across the entire internet, is outrageous.

Re:Good for BIND (5, Funny)

Anonymous Coward | more than 11 years ago | (#6984511)

At least they could have directed us to some decent pr0n instead.

Re:Good for BIND (4, Interesting)

AKnightCowboy (608632) | more than 11 years ago | (#6984534)

Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner

I hope BIND makes it configurable enough to kill off the .cc and .ws wildcards as well.

Re:Good for BIND (5, Insightful)

aborchers (471342) | more than 11 years ago | (#6984643)

And the BIND solution is an excellent response in the spirit of the network's self-healing nature. I'd rather see it solved this way than through a bunch of lawsuits that benefit none but the attorneys.

I can't help but think of the controversy over deep linking and how all those stupid suits could have been avoided if server operators would have just detected the referer header and bounced deep links back to the home page...

ROUTE TACO'S DICK (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6984463)

to /dev/null instead of /dev/anus

hmmm don't want to be alarmist (2, Insightful)

nounderscores (246517) | more than 11 years ago | (#6984466)

but couldn't this be the thin end of the wedge towards technologically mediated censorship?

after all, almost anything is possible with a patch... it just takes the will to do it.

____________________________________________
I'm a programmer with a soldering iron, and I'm not afraid to use it.

Re:hmmm don't want to be alarmist (-1, Offtopic)

hplasm (576983) | more than 11 years ago | (#6984542)

I'm a programmer with a soldering iron, and I'm not afraid to use it.

Oh Shit! Run!!

;->

Go Ahead mod me offtopic...

How will this work? (3, Interesting)

kybosh (471551) | more than 11 years ago | (#6984469)

I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?

Of course, hopefully this and public opinion will actually cause VeriSign to rethink the whole operation. (We can at least dream)

Re:How will this work? (4, Insightful)

mccalli (323026) | more than 11 years ago | (#6984488)

I assume the patch will filter requests, which resolve to the site-finder IP...

I'd say that's quite an assumption. Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config. That config would be able to take single IPs and also ranges.

...so what's to stop VeriSign simply changing IPs every so often?

I wouldn't write this off as ineffective yet. We need to see what methodology is being chosen before we can comment on its technical effectiveness.

Cheers,
Ian

Re:How will this work? (1)

george_w (32279) | more than 11 years ago | (#6984579)

Wouldn't it just be possible for BIND to do a lookup once in a while for "*.com" or "*.net"?
If the address of any queried domain matches this IP address --> NXDOMAIN

Oh btw: make it configurable so it can be applied to any TLD :-)

Or am I missing something here?

Re:How will this work? (5, Informative)

close_wait (697035) | more than 11 years ago | (#6984538)

I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?

No, the patch doesn't do filtering in that sense. It just allows you to mark some zones in your BIND config file (such as .com and .net), that should only contain delegation information. So basically if your BIND server receives back A record(s) rather than NS delegation records from a server authoritative for .com , BIND simply ignores it.

Simple and elegant, and nothing Verislime can do about it. (I hope.)

How it works (1)

Iphtashu Fitz (263795) | more than 11 years ago | (#6984633)

ISC has already released the patch. It's available at http://www.isc.org/products/BIND/delegation-only.html [isc.org] . What it does is let you specify any zone (ie. domain) whereby the server will filter out any wildcards from the authoritative server.

Bug your ISP (4, Interesting)

jez_f (605776) | more than 11 years ago | (#6984471)

As soon as a patch comes out, bug your ISP to sort out their DNS servers. Try and nip this thing in the bud
Interesting that BIND only runs 80% of DNS servers, what is the other 20% made up of?

Re:Bug your ISP (3, Informative)

insomaniac (469016) | more than 11 years ago | (#6984500)

Well, windows dns, maradns, powerdns... etc etc.

Or they are like me and use djbdns, and won't go back.. ;)

There is a patch for djbdns, but they're not official so I wouldn't recommend blindly using them.

Re:Bug your ISP (3, Informative)

superpeach (110218) | more than 11 years ago | (#6984504)

Or if you get bored you could try dnsmasq [thekelleys.org.uk] and block the sitefinder yourself. As of yesterday dnsmasq has had the option to return NXDOMAIN when it received the 64.94.110.11 address (or any others you choose)

Re:Bug your ISP (5, Informative)

doon (23278) | more than 11 years ago | (#6984512)

We are a bind shop, But I know others that run Really depends on if you need a Recursive Caching server or just an Authoritative Server.

Re:Bug your ISP (1)

Yaa 101 (664725) | more than 11 years ago | (#6984522)

80% is not only... it's a lot...

Re:Bug your ISP (1, Redundant)

Draoi (99421) | more than 11 years ago | (#6984530)

Interesting that BIND only runs 80% of DNS servers, what is the other 20% made up of?

Well, there's TinyDNS [tinydns.org] , djbdns [djbdns.org] and MaraDNS [maradns.org] , just for starters. And whatever those Windows folks use on their server OS.

Interesting to note that djbdns has already been patched to workaround the Verisign nonsense ....

Re:Bug your ISP (1)

quigonn (80360) | more than 11 years ago | (#6984548)

Actually, tinydns is part of djbdns. djbdns consists of tinydns and dnscache (+ several DNS-related helper tools).

Re:Bug your ISP (3, Interesting)

Vic Metcalfe (355) | more than 11 years ago | (#6984629)

The problem with the dnscache (djbdns) patch is that it filters based on IP addresses. While this is the obvious solution, I don't think it is the best solution. I think BIND's approach is to list the domains that should be delegate only, and that is a better approach because that way they can't just change the IP every day to avoid getting blocked.

Better yet (and I could very well be wrong here) I'd like to see a patch that would force all TLD's to be delegate only. I don't know of any examples off hand where that would be a problem on the Internet... Maybe in an internal network, in which case the sysadmins just don't apply the patch or disable the feature.

Re:Bug your ISP (1)

Draoi (99421) | more than 11 years ago | (#6984662)

Better yet (and I could very well be wrong here) I'd like to see a patch that would force all TLD's to be delegate only.

Shouldn't be a problem, I'm guessing, providing the exception (.local for ZeroConf) is catered for. It's the only one I can think of.

Re:Bug your ISP (1)

smallpaul (65919) | more than 11 years ago | (#6984647)

My ISP had already sold me out to "buydomains.com" before Verisign pulled this stunt. It seems they've already set up a filter to re-establish themselves in case of domain typo because I'm seeing buydomains.com, not Verisign.

Re:Bug your ISP (1)

duffbeer703 (177751) | more than 11 years ago | (#6984650)

5% djbdns, tinydns, etc.
15% Windows DNS

the patch (3, Informative)

colinleroy (592025) | more than 11 years ago | (#6984473)

Isn't it this one [isc.org] ?
I'm asking because the wording is quite hard to understand as my main language isn't English ;)

Here is ISC's web page for delegation Only zones (5, Informative)

doon (23278) | more than 11 years ago | (#6984475)


http://www.isc.org/products/BIND/delegation-only.html

Internet standards humor alert (5, Funny)

mwise (16339) | more than 11 years ago | (#6984476)

"VeriSign did not respond requests for comment."

Isn't that what caused the problem in the first place?

Thanks, I'll be here all week!

Re:Internet standards humor alert (5, Funny)

AndroidCat (229562) | more than 11 years ago | (#6984613)

"VeriSign did not respond requests for comment." Strange that requests for comment didn't end up at 64.94.110.11.

very cool.. dnscache? (0)

dizco (20340) | more than 11 years ago | (#6984482)

This is very cool. Does anyone know how to do this with DJBDNS? I started thinking about it the night verisign turned on the wildcards, but promptly forgot to look any further.

Re:very cool.. dnscache? (1)

radish (98371) | more than 11 years ago | (#6984497)

There is a patch floating around already, it was posted in a thread on the previous story about this. It allows you to specify in config one or more IPs which, if they are the lookup result, will be replaced with failures.

Re:very cool.. dnscache? (0)

Anonymous Coward | more than 11 years ago | (#6984523)

Are there any patches for Glibc yet? It would probably be useful to be able to return -1 from the various resolver functions (gethostby...() etc.) if the IP matched was 64.94.110.11 Just in case your ISP isn't using BIND, or hasn't upgraded.

Re:very cool.. dnscache? (5, Informative)

Torne (78524) | more than 11 years ago | (#6984510)

Yep, the patch for dnscache by veteran Russ Nelson is here:
tinydns.org/djbdns-1.05-ignoreip.patch [tinydns.org]

Re:very cool.. dnscache? (1)

cedricd (620817) | more than 11 years ago | (#6984515)

Sure, Try here [tinydns.org]

Patches (4, Informative)

achurch (201270) | more than 11 years ago | (#6984529)

Patches for DJBDNS and lots of other daemons here [imperialviolet.org] .

Re:very cool.. dnscache? (4, Informative)

richard-parker (260076) | more than 11 years ago | (#6984556)


Does anyone know how to do this with DJBDNS?
A list of patches for various name servers can be found here [imperialviolet.org] .

Unfortunately the djbdns patch at that URL is not as elegant as the official patch from ISC for BIND. Unlike the ISC BIND patch, the djbdns patch does not support the declaration of "delegation-only" zones. Instead, it adds support for the rather crude technique of converting an A record response containing an operator specified IP address (which you would currently set to 64.94.110.11) into a NXDOMAIN response.
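
Added example (not part of any comment above, and not ISC's or the djbdns patch's code): a simplified Python model of the two resolver-side filters the thread compares, the IP-rewrite approach and "delegation-only" zones, run over constructed responses. The `Response` class, the function names and the 192.0.2.x addresses are assumptions made for illustration; only 64.94.110.11 comes from the thread.

```python
from dataclasses import dataclass, field

SITE_FINDER_IP = "64.94.110.11"  # wildcard address quoted in the thread


@dataclass
class Response:
    """Simplified reply as seen by a recursive resolver (constructed model)."""
    qname: str                  # name that was asked for
    from_zone: str              # zone whose authoritative server replied
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)     # (owner, rtype, rdata)
    authority: list = field(default_factory=list)  # (owner, rtype, rdata)


def norm(name):
    return name.rstrip(".").lower()


def is_subdomain(name, parent):
    """True if name lies strictly below parent."""
    return norm(name).endswith("." + norm(parent))


def ip_filter(resp, blocked_ips):
    """IP-rewrite approach: an A record carrying a listed address becomes NXDOMAIN."""
    if any(rtype == "A" and rdata in blocked_ips
           for _, rtype, rdata in resp.answer):
        return "NXDOMAIN"
    return resp.rcode


def delegation_only_filter(resp, zones):
    """Delegation-only approach: a reply from a marked zone's servers is kept
    only if it is a referral (NS records for a child zone covering qname)."""
    zone = norm(resp.from_zone)
    if zone not in {norm(z) for z in zones}:
        return resp.rcode        # reply did not come from a marked zone
    if norm(resp.qname) == zone:
        return resp.rcode        # data at the zone apex itself is left alone
    for owner, rtype, _ in resp.authority:
        covers = (norm(resp.qname) == norm(owner)
                  or is_subdomain(resp.qname, owner))
        if rtype == "NS" and is_subdomain(owner, zone) and covers:
            return resp.rcode    # genuine referral to a delegated child
    return "NXDOMAIN"            # anything else from this zone is discarded


# Constructed sample replies; none of these are captured traffic.
SAMPLES = {
    "referral": Response(
        "www.example.com", "com",
        authority=[("example.com", "NS", "ns1.example.com")]),
    "wildcard": Response(
        "no-such-name-typo.com", "com",
        answer=[("no-such-name-typo.com", "A", SITE_FINDER_IP)]),
    # Same wildcard after the operator moves it to a new (constructed) address.
    "wildcard_moved": Response(
        "no-such-name-typo.com", "com",
        answer=[("no-such-name-typo.com", "A", "192.0.2.55")]),
    "nxdomain": Response("no-such-name-typo.com", "com", rcode="NXDOMAIN"),
    # Ordinary answer from the child zone's own servers: neither filter applies.
    "child_answer": Response(
        "www.example.com", "example.com",
        answer=[("www.example.com", "A", "192.0.2.10")]),
}


def compare(samples=SAMPLES, blocked_ips=frozenset({SITE_FINDER_IP}),
            zones=("com", "net")):
    """Return {label: (result of ip_filter, result of delegation_only_filter)}."""
    return {label: (ip_filter(r, blocked_ips),
                    delegation_only_filter(r, zones))
            for label, r in samples.items()}


if __name__ == "__main__":
    for label, (by_ip, by_deleg) in compare().items():
        print(f"{label:15} ip-filter={by_ip:9} delegation-only={by_deleg}")
```

The `wildcard_moved` row is the case raised several times in the thread: the IP list misses the relocated wildcard, while the delegation-only check still turns it into NXDOMAIN because the reply is not a referral.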

morons lameNT: we trolled you, so (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6984484)

maybe you'd think about getting your headers out of your .asps, &/or helping to disempower the softwar gangster/corepirate nazi/stock markup FraUD/walking dead execrable.

lookout bullow. the daze of the phonIE payper liesense georgewellian fuddite murderers/thieves are #ed.

coming soon to/already on, yOUR desktop/network?:

Due to excessive bad posting from this IP or Subnet, comment posting has temporarily (permanently, if we could figure out how to do it) been disabled. If it's you, consider this a chance to sit in the timeout corner. If it's someone else, this is a chance to hunt them down. If you think this is unfair, we don't care.

alert: you've been lax in yOUR payper liesense 'upgrades', you're out.

alert: there's a rumour that you've been badmouthing/lowrating the corepirate nazis, & the naykid furor of the felonious kingdumb, you're out.

alert: looks like yOUR kids have been listening to music again, you're out.

alert: although you appear to be browsing regularly, you've failed to make a purchase recently, you're out.

consider this a chance to stare at your monitor screen, & plan how you can become .compliant. if you think that you are already compliant, & it's somebody else, consider this a chance to rat them out, to gain re-admission to the onLIEn wwwhirled again, (c SourceForgerIE(tm) all rights reserved, you have none).

etc... lookout bullow. these foulcurrs haven't a clue yet, as to what J. Public can do, once he's peaced off. they live in a tiny wwworld, consisting of only their owned greed/fear based goals. they should get ready to see the light.

we're building a vessel that floats on almost any suBStance.

as to the newclear power/planet/population rescue initiative:

it's all free (as in survival), & available immediately to you/all of US.

as you can maybe already see, yOUR survival/success is not the least bit dependent on the gadgets/combinations of the greed/fear based corepirate nazis, & their phonIE ?pr? ?firm? buyassed /.puppets.

consult with/trust in yOUR creator. more breathing. vote with yOUR wallet (somtimes that means not buying anything, a notion previously unmentioned buy the greed/fear/war mongers). seek others of non-aggressive/positive behaviours/intentions. stop wasting anything/being frivolous. that's the spirit.

investigate the newclear power plan. J. Public et AL has yet to become involved in open/honest 'net communications/commerce in a meaningful way. that's mostly due to the MiSinformation suppLIEd buy phonIE ?pr? ?firm?/stock markup FraUD execrable, etc...

truth is, there's no better/more affordable/effective way that we know of, for J. to reach other J.'s &/or their respective markets.

the overbullowned greed/fear based phonIE marketeers are self eliminating by their owned greed/fear/ego based evile MiSintentions. they must deny the existence of the power that is dissolving their ability to continue their self-centered evile behaviours.

as the lights continue to come up, you'll see what we mean. meanwhile, there are plenty of challenges, not the least of which is the planet/population rescue (from the corepirate nazi/walking dead contingent) initiative.

EVERYTHING is going to change, despite the lameNT of the evile wons. you can bet your .asp on that. when the lights come up, there'll be no going back, & no where to hide.

we weren't planted here to facilitate/perpetuate the excesses of a handful of Godless felons. you already know that? yOUR ONLY purpose here is to help one another. any other pretense is totally false.

pay attention (to yOUR environment, for example). that's quite affordable, & leads to insights on preserving life as it should/could/will be again. everything's ALL about yOUR motives.

that old tune title (hope we don't get 'busted' for using it) "make the world go away", takes on new/varied meaning in these times.

the prevalent notion that 'everything will be taken care of' without yOUR knowledge/participation is insidiously misleading.

in our estimation, the biggest 'threat' against US (aside from continuing to fire bullinedly into the 'crowd', whilst demanding applause), would be a failure to recognize our 'role' in the problems. we're victims for sure, but whoare ALL the perpetrators (see also: corepirate nazi puppets), gets lost in the ?pr? ?firm? generated propaganda spew.

consult with/trust in yOUR creator. seek others of non-aggressive behaviours/intentions. that's the spirit.

the lights ARE coming up now. pay attention (to yOUR heart, for example). that could lead to new ways (see also: newclear power plan) of thinking about/dealing with, the needs/rights of others EVERYWHERE on the planet.

having the attention span of a gnat, & similar ambitions, might be ok if you are just planning to be a consumer/type one liners.

take care of each other, you're all we've got. we're here for you. get ready to see the light.--

worth reading, again, with feeling.

"It takes a long time to teach the judges, legislators, and public to understand technology. Right now, they're getting a strong dose of "education" on the Internet's threats and harms, and not hearing so much about its potential. Shouts of "piracy" often outweigh consideration of how we might communicate with more open media formats, but judges like Stephen Wilson in the Grokster case are starting to listen through the shouting. We're encouraging more people to think about how the law shapes technological innovation, how the technology itself can foster creativity, and then to do something about it to advance the public interest."--

"The stability of the large world house which is ours will involve a revolution of values to accompany the scientific and freedom revolutions engulfing the earth. We must rapidly begin the shift from a "thing"-oriented society to a "person"-oriented society. When machines and computers, profit motives and property rights are considered more important than people, the giant triplets of racism, materialism and militarism are incapable of being conquered. A civilization can flounder as readily in the face of moral and spiritual bankruptcy as it can through financial bankruptcy."

But I still love you. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6984508)

Please go out with me.

Legal consequences (0)

Anonymous Coward | more than 11 years ago | (#6984494)

The DoJ has no compunction against pursuing cyber squatters.

ISC ROCKS (1)

c0d39uru (532364) | more than 11 years ago | (#6984496)

That's fucking awesome! The ISC rocks. Verisign has no right to abuse their position like that. Way to go for people fighting the power!

Re:ISC ROCKS (4, Interesting)

AKnightCowboy (608632) | more than 11 years ago | (#6984563)

That's fucking awesome! The ISC rocks. Verisign has no right to abuse their position like that. Way to go for people fighting the power!

I said it a long time ago, but there's a very simple way to fix this problem. Alternic was offering a solution 7 or 8 years ago for the Network Solutions monopoly. If BIND decided to distribute a separate set of root servers in a cache file and enough ISPs used it the Internet DNS system as we know it today could change overnight. ;-) There is NOTHING giving ICANN or Verisign any power except our own complacency to not change a single file in our DNS server. It's laziness.

Re:ISC ROCKS (1)

arivanov (12034) | more than 11 years ago | (#6984664)

The ISC rocks

They do not. For them it is a simple business matter as Vixie is also on the board of MAPS RBL which provide antispam services and Above.NET which is a big ISP.

Is a Technology solution ALWAYS better than law? (5, Interesting)

henley (29988) | more than 11 years ago | (#6984503)

OK, I'm in favour of working-around the problem in classic "The internet interprets {badthing} as damage and routes around it" fashion, and I'll be installing a patched bind whenever I can.

But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care? This sort of activity in a social context (umm... let's see if we can construct a tortured metaphor: ...uhhh..: Your friend asks for your cousin's phone number and you instead give them the phone number of your shop. Reasonable?) would result in the perpetrator being ostracised fairly quickly, if not actually slapped about by a clue-by-four. It's flat out antisocial behaviour, never mind any legalities.

Here, since these buggers appear to hold us all over a barrel with the root domains, we can't just ignore them, and invoking legal recourses is at best slow and expensive. But what about appeal to the authorities that granted them those rights?

Um, the more I rant about this the closer I get to thinking a better solution is switching to an alternate root... Best head off to google again then, I know there's a way around this...

Soundex into BIND! (0, Interesting)

jabbadabbadoo (599681) | more than 11 years ago | (#6984517)

BIND should be enhanced in several ways:

The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.

The remaining 40% is due to the fact that people sometimes don't actually mistype a known address... they type a dead wrong address, such as "amazonbookstore.com" instead of "amazon.com". In this case, BIND should split up the phrase into separate words (in this case "amazon book store") and redirect to a search engine with those words as parameters.

The big question in this case is: which search engine? I think that one should be able to choose, in one way or another. If not, Google would be my choice ;-)

Re:Soundex into BIND! (5, Insightful)

AKnightCowboy (608632) | more than 11 years ago | (#6984586)

The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.

NO NO NO NO NO NO NO! DNS is a directory service for god's sake, not a god damn search engine. If you want a search engine then go to Google like everyone else does. If people are too stupid to assume typing in "www.whitehouse.com" will take them to the White House's homepage then they deserve to get tits in the face. Type in White House in Google, hit feeling lucky and you'll get the right page right off. DNS maps domain names to IP addresses and vice versa, nothing more. Don't pervert it into some god damn spell checking search engine.

Re:Soundex into BIND! (2, Informative)

Xner (96363) | more than 11 years ago | (#6984587)

Interesting, but that is so far outside the problem domain that it's not even funny.
Bind should just return NXDOMAIN and the application (Mozilla, IE, BitchX, whatever) can then sort it out in this fashion. Hell, we can even make handy BSD-licensed shared libraries that do this for easy integration.

The matter is that the application must be informed when a domain does not exist, not spammed with guesses that may be right.

Re:Soundex into BIND! (1)

MrMickS (568778) | more than 11 years ago | (#6984589)

The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem

This assumes that the only use for DNS is to look up websites and that the DNS protocol be extended to return near matches.

For email and other automated systems it is a non-starter. As an option in a browser it could be useful (but look at the hassle MS get for the search option in IE) but leave our protocols alone.

Re:Soundex into BIND! (3, Informative)

joshv (13017) | more than 11 years ago | (#6984602)

BIND should be enhanced in several ways:

The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.

BIND (and other Domain Name Servers) are given the simple task of turning a string into a set of 4 octets (aka an IP address), using a massively distributed lookup table that maps strings to IP addresses.

The reason people are pissed off about Verisign's wildcard entry is that they have depended on their DNS saying "I can't find an IP address" when it can't find an IP address.

In general BIND is a program that talks to other programs via a very stable and well understood interface. Now, how would you enhance BIND to do a soundex and return multiple possible results to programs that have been written to expect either a response in the form of a single IP address, or a "domain not found" error?

Sounds to me like this is something that should be handled in the application, if at all.

-josh

Re:Soundex into BIND! (1)

aborchers (471342) | more than 11 years ago | (#6984630)

Soundex is a turd. I'd rather see error messages than a litany of near matches that is poor in both precision and recall.

Algorithms based on phonology (and the word splitting you mention, possibly, though I'd expect that to increase recall with no precision boost in the kind of noisy example you cite) would do better, but building that kind of processing into something with the performance requirements of BIND would bring the network to a crawl. Maybe once we get those quantum computers in place. :-)

Re:Soundex into BIND! (1)

Tirel (692085) | more than 11 years ago | (#6984631)

that has to be the dumbest idea I have ever heard (except maybe the one on k5 on renaming the unix root level directories because the current hier is hard to remember). the things you mention are clearly application-protocol features (web browsers etc), when I type "ping yaho.com", i want it to fucking attempt to ping yaho.com, not to automatically assume i meant yahoo.com. besides, if you type anazom.com, will it send a shitload of queries until it finds a valid one? can you say DDOS?

Advice on switching to another registrar (2, Insightful)

MCRocker (461060) | more than 11 years ago | (#6984526)

I was dumb enough to sign up with what was called Network Solutions at the time. Then during a moment of sheer stupidity, I renewed... till 2007!

I really want to get away from these jerks. There seem to be lots of registrars out there, but I've heard horror stories about totally unresponsive registrars that are glad to take your money, but ignore you if there's any problem at all. Also, if I switch, doesn't that just improve Verisign's profit margin? I've paid till 2007, now they don't have to do anything at all for that money. If I transfer to another registrar does Verisign get to keep my money?

Advice?

Re:Advice on switching to another registrar (0)

Anonymous Coward | more than 11 years ago | (#6984570)

Advice?

Down, not across.

Re:Advice on switching to another registrar (4, Funny)

jlusk4 (2831) | more than 11 years ago | (#6984615)

Good point, they *do* already have your money. Stay with Verisign (until your registration expires), but make a lot of support calls. (After all, you've paid for their sterling support.) Especially about this wildcard thing. I'm already forgetting exactly what it is, maybe you are, too. I'm sure they'd be happy to explain it to you, and why it's not bad. And if you forget again after a month or two, they'll be happy to discuss it with you again. And any other questions you might have, like how to set up a mail server alias thingy.

John.

link to patch and example (5, Informative)

jcurious (3000) | more than 11 years ago | (#6984533)

upgrade can be found here:
http://www.isc.org/products/BIND/delegation-only.html

There is no need to create a com or net data file. Just the
entries to the named.conf file is enough
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

Of course, if you use views, this needs to be provided within the relevant
view (the one performing recursive lookups).

quote from:
http://marc.theaimsgroup.com/?l=bind9-users&m=106379587928771&w=2

Patches for other servers (djbdns, PowerDNS,Exim.. (0)

Anonymous Coward | more than 11 years ago | (#6984537)

... can be found at http://www.imperialviolet.org/dnsfix.html [imperialviolet.org]

AGL

For TinyDNS / dnscache users (5, Informative)

pgregg (185457) | more than 11 years ago | (#6984547)

Russell Nelson has a patch [tinydns.org] for tinydns [tinydns.org] which does the same thing.

He also notes that several other TLD operators do the same thing and has another patch [tinydns.org] that allows you to do the same thing to several naughty TLD operators at once.

The new versions of BIND are already available (5, Informative)

Raphael (18701) | more than 11 years ago | (#6984551)

Although the news is not on the BIND page [isc.org] yet, patches for the current versions 9.2.2 and 9.1.3 are already available. Only 9.2.3rc2 is currently listed on the page (as of this writing).

You can get the details from the bind-announce list archives:

All versions were released a few hours ago. Here is the common paragraph at the top of these three messages:

In response to high demand from our users, ISC is releasing a patch for BIND to support the declaration of "delegation-only" zones in caching/recursive name servers. Briefly, a zone which has been declared "delegation-only" will be effectively limited to containing NS RRs for subdomains, but no actual data outside its apex (for example, its SOA RR and apex NS RRset). This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.

Have fun downloading and installing!

Re:The new versions of BIND are already available (5, Informative)

boojit (256278) | more than 11 years ago | (#6984656)

And here's a helpful posting [theaimsgroup.com] on how to use the new patch.

DaC

What about the other 20%? (1)

EnglishTim (9662) | more than 11 years ago | (#6984553)

It says on the BIND site that 80% on the net's DNS servers - I wonder what runs on the remaining 20%? And are they likely to implement something similar?

Basically, I'm wondering how much of the net will end up bypassing Verisign's silly stunt...

MX Problems (5, Insightful)

tinla (120858) | more than 11 years ago | (#6984561)


So you have 2 mail servers with mx priorities as follows:

mail.someplace.com 10
mail.otherplace.com 20

If your someplace.com domain expires (hey, it happens) all your mail bounces thanks to Verisign's ace "Snubby Mail Rejector Daemon v1.3". The backup mx record, which is there to cover failures like domains expiring, is never tried. In the 'real' world.. where lookups on dead domains fail... the backup server would be used.

That's a bigger problem than all this spam checking people are getting worked up about. If they both had priority 10 (a simple load balancing arrangement) then half your mail would bounce and half would be ok.

Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.
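Added example (not part of the thread, and not ISC's code): a toy Python model of the "delegation-only" behaviour quoted from the ISC announcement earlier in the thread and of the MX fallback failure described in the comment above. The zone contents, host names and addresses are constructed, and 192.0.2.1 is a documentation address standing in for the wildcard target.

```python
"""Toy model of a recursive resolver facing a wildcarded com zone (constructed data)."""

WILDCARD_IP = "192.0.2.1"   # placeholder for the wildcard target, not the real address

# Constructed state of the "com" zone: only otherplace.com is still delegated.
# someplace.com has expired, so the TLD holds no NS records for it.
DELEGATIONS = {
    "otherplace.com": {"mail.otherplace.com": "198.51.100.20"},
}


def query_tld(name, wildcard):
    """Return (rcode, address, from_tld_zone) for a lookup that starts at com."""
    for child, hosts in DELEGATIONS.items():
        if name == child or name.endswith("." + child):
            # Referral: the final answer comes from the child zone, not from com.
            if name in hosts:
                return "NOERROR", hosts[name], False
            return "NXDOMAIN", None, False
    if wildcard:
        # Synthesized A record: data that lives in the com zone itself.
        return "NOERROR", WILDCARD_IP, True
    return "NXDOMAIN", None, True


def resolve(name, wildcard, delegation_only=()):
    """Resolve name; zones listed in delegation_only may only hand out referrals."""
    rcode, addr, from_tld = query_tld(name, wildcard)
    tld = name.rsplit(".", 1)[-1]
    if from_tld and rcode == "NOERROR" and tld in delegation_only and name != tld:
        # In-zone data below the apex of a delegation-only zone is treated as absent.
        return "NXDOMAIN", None
    return rcode, addr


def deliver(mx_records, wildcard, delegation_only=()):
    """Walk MX records in preference order; return (outcome, host)."""
    for _pref, host in sorted(mx_records):
        rcode, addr = resolve(host, wildcard, delegation_only)
        if rcode == "NXDOMAIN":
            continue                      # exchanger does not exist: try the next MX
        if addr == WILDCARD_IP:
            # Modelled on the comment above: the wildcard host answers SMTP and
            # rejects the message, so the sender bounces instead of falling back.
            return "bounced", host
        return "delivered", host
    return "deferred", None


# The MX set from the comment: primary in the expired domain, backup elsewhere.
MX = [(10, "mail.someplace.com"), (20, "mail.otherplace.com")]

if __name__ == "__main__":
    print("no wildcard:          ", deliver(MX, wildcard=False))
    print("wildcard, unpatched:  ", deliver(MX, wildcard=True))
    print("wildcard + deleg-only:", deliver(MX, wildcard=True, delegation_only=("com",)))
```

The third case corresponds to a resolver configured with `zone "com" { type delegation-only; };`: the synthesized answer is turned back into a non-existent name, so the backup MX is reached again.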

Re:MX Problems (4, Interesting)

MrMickS (568778) | more than 11 years ago | (#6984632)

Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

80% of the DNS servers are BIND. The more of these that get patched the less of a problem redirected email becomes. The patch to BIND shouldn't be the only action taken but anything that helps is good. A change to BIND helps.

Who will agree? (4, Interesting)

200_success (623160) | more than 11 years ago | (#6984566)

The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.

Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in .com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.

DJBDNS already has a patch [djbdns.org] available.

It must be Space Aliens what done it! (1, Funny)

AndroidCat (229562) | more than 11 years ago | (#6984574)

Verisign and SCO are buying mind-control Kool-Aid from Evil Reptilian Kitten-Eating Space-Aliens from Another Planet!

Sure, it sounds like another tin-foil hat theory, but can anyone come up with another explanation which makes more sense for the "Lemming Look" of companies searching for the biggest cliff to jump off? (Yeah, I know, lemming suicides are a Disney myth. Too bad SCO and Verisign aren't.)

ISPs Will Soon Send You To Their Own Site (5, Interesting)

Anonymous Coward | more than 11 years ago | (#6984580)

ISPs running DNS will certainly disallow this redirection to VeriSuck.

But soon thereafter, if not immediately, they'll start directing their customers to their own search site, or whatever search site they're paid to send them to. Or maybe some ISPs already do this?!

We need an RFC stating that this is not permissible.

Heh, maybe as a byproduct we'll see public DNS servers pop up. "Use us for free, but occasionally we will send you where /we/ want you to go."

Who cares? (2, Funny)

SuperBanana (662181) | more than 11 years ago | (#6984584)

I for one welcome our new DNS overlords! All our domain name are belong to THEM! Mwuhahahaha...

Link rotation? (3, Interesting)

192939495969798999 (58312) | more than 11 years ago | (#6984585)

Maybe if a misspelled URL went to a random other URL, it might be OK, but using that page to advertise for a particular company's profit, regardless of the URL, seems really bad. I would much prefer to have a "not found" message, since that's really what's happened. Can you imagine if this happened while driving? Anytime you turn down the wrong street, the same ad came on the radio or something like that? It seems positively Orwellian.

It's a trick... (5, Funny)

mseeger (40923) | more than 11 years ago | (#6984621)

Hi,

this is just a trick. They just want to get rid of all those obsolete BIND-versions out in the internet.

So they did this to goad all admins into patching their bind.

Tricky they are...

Regards, Martin

Has anyone.. (0)

MImeKillEr (445828) | more than 11 years ago | (#6984637)

..actually typed a wrong address and seen what Verisign is throwing up?

I just did. I don't see what the fuss is.

Lot of fuss about nothing (0, Troll)

heironymouscoward (683461) | more than 11 years ago | (#6984651)

MSIE has been doing this for ages, and I never found it to be a problem, but rather more helpful than the old "404 Not found" messages we used to see.

So Verisign have found a portable way to slice Microsoft's little niche away, and gain some advertising. So what? You type junk into an URL and you expect a civilized answer?

Actually typing URLs is an anachronism in the linked reality of the web. C'mon, my home page is our local wiki, and all the sites I access frequently are bookmarked as little icons.

What, again, is the problem here, apart from the fact that Verisign is a hateable entity who seem destined to simply annoy everyone they deal with.

Sign the online petition to get ICANN into action (5, Interesting)

Anonymous Coward | more than 11 years ago | (#6984660)

ICANN might be able to force VeriSign to get this off the net
http://www.petitiononline.com/icanndns/ [petitiononline.com]

Have your say (4, Interesting)

turg (19864) | more than 11 years ago | (#6984665)

Is Stratton D. Sclavos doing a good job as CEO of Verisign? Vote yes or no in this Forbes.com poll [forbes.com] .

Also, here's a petition [petitiononline.com] that may also be of interest.
