
BIND Patches Make Bad Situation Worse

CmdrTaco posted more than 10 years ago | from the screwing-with-the-infrastructure dept.

The Internet 280

An anonymous reader writes "After .COM and .NET started using a wildcard, the internet community busily started creating patches to various pieces of software to circumvent this. It was said that this was a grave problem to the internet. Several official BIND patches were announced over the next few days. However, it turns out they weren't necessarily too well thought through. Usage of the patch unexpectedly broke at least 7 Top Level Domains, ISC announced 3 weeks later, after users started having problems. The .NAME registry has sent a formal letter to ICANN's Security and Stability Advisory Committee to warn against using the BIND patch, which they will look into in their next meeting. The intention may have been good, but... Stability? Anyone?"


280 comments


BIND my cheeks together. (-1)

(TK)Max (668795) | more than 10 years ago | (#7221684)

______
.-" "-.
/ \
| | < FROM THIS DISEASED MOUTH
|, .-. .-. ,| SPREADS THE WORD OF TROLLKORE.
| )(__/ \__)( | AWRY BE THE WORDS AND OPINIONS
|/ /\ \| OF THOSE WHO POST HERE. TAKE
(_ ^^ _) NO HEED OF THEM.>
\__|IIIIII|__/
|-\IIIIII/-|
\ /
`--------`
.::::TROLL-KORE FOREVER!!!
.::::I hate you, I hate your country, and I hate your face.

Isn't it unnecessary now? (1)

catbutt (469582) | more than 10 years ago | (#7221695)

I thought sitefinder was dead

Re:Isn't it unnecessary now? (0)

jimi1283 (699887) | more than 10 years ago | (#7221763)

Yes site-finder is dead, now people can have their vanity .name domains back without fear.

No, Verislime is still working to get the ok (1)

wayne (1579) | more than 10 years ago | (#7221988)

sitefinder is not dead as far as Verislime is concerned. They have only "temporarily" suspended it pending final resolution to the "technical problems" that it caused. Verislime is working hard to try and get them reinstated.

Re:No, Verislime is still working to get the ok (1)

pebs (654334) | more than 10 years ago | (#7222039)

Fuck you very much Verisign.

Re:No, Verislime is still working to get the ok (1)

catbutt (469582) | more than 10 years ago | (#7222150)

I got the impression they are just trying to save face...if there is anyone with a brain in that company they'll just let it quietly fade away and hope everyone will forget about it (without ever admitting what a dumb thing to do it was).

The Grand Pengis Speaks (-1)

(TK)Dessimat0r (668222) | more than 10 years ago | (#7221696)

-PENIS--PENIS--PENIS--PENIS-
P_______________________8..P
E__Bow down to the_____#~..E
N__Lord's penis_______8.',-N
I_____________________#',-.I
S__Jesus wants your__8',-..S
-__anus, and he_____#~',-..-
P__wants it NOW! ___8_',-..P
E__________________##',-',-E
N__An original_____8',-',";N
I__TrollKore______##',-',";I
S__work of art.___8',-',";.S
-__By Dessimat0r ##',-',";.-
P________________8',-',";,.P
E_______________#'',-',";,.E
N______________8(',-',";,..N
I_____________#(',-',";,.,.I
S__________#8#8_',-',";,.,.S
-_________#',-.8',-',";,.,.-
P________8~',-..#',-',";,..P
E_______#'',-',";8_',-',";.E
N_____8=',-',";.+#+',-',";.N
I____#=',-',";,._8',-',";,.I
S___#=',-',";,..(#',-',";.8S
-__8(',-',CMDR,.(8',-',";s#-
P_8(',-',.TACO.";#',-',-s8_P
E_#z',-','WOZ',";8',-..s#__E
N_8_.,#',"ERE',";~#,..88___N
I_#.##',-,',',,";~8,8#_____I
S_8##',-+~'',-',-~#'8______S
-_#.,..-',-',";.'=8#_______-
P_.8+_',-',";,.'88_________P
E___888',-',";~8___________E
N______8#888#88____________N
I__________________________I
S____.oO TrollKore Oo._____S
-_At the head of the game._-
P__________________________P
E___irc.freedomirc.net_____E
N_______#trollkore_________N
I__________________________I
S__________________________S
-PENIS--PENIS--PENIS--PENIS-

Get the code to the TrollKore ASCII penis here... [slashdot.org]

All you cock-loving fuckers out there, here is a special treat for you bastards, take a look at this knob. NOW SUCK IT, MOTHERFUCKERS!


Do I know anymore? (1)

Neon Spiral Injector (21234) | more than 10 years ago | (#7221697)

Yes. .io and .sz.

Doh! (1)

inteller (599544) | more than 10 years ago | (#7221707)

I see we call these "patches" and not security updates.

Re:Doh! (0)

Anonymous Coward | more than 10 years ago | (#7221873)

I see we call these "patches" and not security updates.

Why would they be called "security updates" instead of "patches"? From what I see, there wasn't a security issue involved, just the fact that things stopped working for .name TLD.

turn off your mini FUD machine, inteller.

Re:Doh! (1)

t0ny (590331) | more than 10 years ago | (#7221879)

Since .NET is involved, it must be Microsoft's fault.

Re:Doh! (0)

Anonymous Coward | more than 10 years ago | (#7222067)

Yeah, I read that as COM and .NET (both MSFT technologies). Thank you Microsoft for making things confusing.

Software Development Cycle (1)

TedCheshireAcad (311748) | more than 10 years ago | (#7221708)

Write, Compile, Deploy, Test, Pass the Blame.

The glass is half full (0)

Anonymous Coward | more than 10 years ago | (#7222293)

Hey, at least it lightened the load on my DNS cache... :-)

Bind (1)

supe (163410) | more than 10 years ago | (#7221716)

Ahhh! BIND

Obligatory (0)

Anonymous Coward | more than 10 years ago | (#7221731)

Why don't you use MSN Keywords(r) or new.net browser plug-ins, you GNU hippies!

Told ya so (0)

Anonymous Coward | more than 10 years ago | (#7221735)

That's what happens when you rush patches out the door. Thankfully, I'm running XP which needs no BIND patches thanks to Microsoft's policy that puts high quality before profits.

You suck! (0)

Anonymous Coward | more than 10 years ago | (#7221952)

"That's what happens when you rush patches out the door. Thankfully, I'm running XP which needs no BIND patches thanks to Microsoft's policy that puts high quality before profits."

What?! Nu-UH! Microsoft is teh suX! Linux is much better! Microsoft doesn't...

waittaminute. Are you trolling me?

Don't worry... (1)

inteller (599544) | more than 10 years ago | (#7222010)

The slashzealots will figure out a way to blame Microsoft somehow.

Not ISC's fault (1)

Eric Smith (4379) | more than 10 years ago | (#7221739)

It should be noted that the bugs in the BIND patch are really Verisign's fault, not ISC's. Verisign (Network Solutions) is the company that unilaterally decided to break the .com and .net TLD servers by making them return false data, with almost no advance warning. ISC basically came up with an emergency response to support their customers, and it's unsurprising that it wasn't perfect.

It seems appropriate for the Commerce Dept. to revoke the Verisign contract and award it to another entity that will be more concerned about operating the registry, root, and TLD servers in compliance with relevant standards and for stability and the public benefit, rather than an entity that sees their custodianship as a way of subverting the system to increase their profits without regards to the effects on the internet at large.

BIND crap (1)

dmelomed (148666) | more than 10 years ago | (#7221875)

Not surprising, as BIND is as shown again and again a poorly designed and coded product. The fact that authors of this crap can't come up quickly with a working patch is laughable.

Re:BIND crap (0)

Anonymous Coward | more than 10 years ago | (#7221938)

Actually, the patch worked exactly as it was stated it would, blocking all TLD wildcards, except those specifically listed in an 'exclude' list.

Re:BIND crap (1)

Zork the Almighty (599344) | more than 10 years ago | (#7222053)

They patched quickly, and now they're in a bind.
Ba-doom, pssh!

Re:BIND crap (1)

Tony-A (29931) | more than 10 years ago | (#7222246)

The fact that you can post at all is due to that "poorly designed and coded product".

Re:BIND crap (0)

Anonymous Coward | more than 10 years ago | (#7222288)

Just because it works doesn't mean it's not crap.

Re:Not Bush's fault (0)

Anonymous Coward | more than 10 years ago | (#7221893)

It should be noted that the destruction and mayhem in Iraq are really Saddam's fault, not Bush's. Saddam (and his Baath party) is the guy that unilaterally decided to break the UN resolutions by stockpiling weapons of mass destruction, with almost no advance warning. The United States of Amerika basically came up with an emergency response to protect their citizens, and it's unsurprising that it wasn't perfect.

It would have been appropriate for the United Nations to revoke the Saddam's title over Iraq and award it to another entity that was more concerned about running the country and its oil fields in compliance with relevant standards and for stability and the drivers' benefit, rather than an entity that sees its custodianship as a way of subverting the system to increase his powers without regards to the effects on the world at large.

Re:Not ISC's fault (1)

Tackhead (54550) | more than 10 years ago | (#7221899)

> It should be noted that the bugs in the BIND patch are really Verisign's fault, not ISC's. Verisign (Network Solutions) is the company that unilaterally decided to break the .com and .net TLD servers by making them return false data, with almost no advance warning. ISC basically came up with an emergency response to support their customers, and it's unsurprising that it wasn't perfect.

Preach on, brother. None of this would have happened had Verislime decided that it wanted to 0wn teh intarweb.

Q: How do you know your sysadmin is talking to someone at Verisign?
A: The music in your headphones is drowned out by the thump-thump-thump of a head being banged on a desk, as well as the words "cocksucker" and "motherfucker", at a range of at least six cubicles.

One doesn't lead to the other, I'm afraid (0)

Anonymous Coward | more than 10 years ago | (#7221946)

I wasn't happy with what Verisign did, and the prompt response from ISC was admirable, but that doesn't forgive the matter that "broken" patches were rushed to the street. It was simply a matter of bad code that was never tested properly.

Re:One doesn't lead to the other, I'm afraid (0)

Anonymous Coward | more than 10 years ago | (#7222083)

As a participator in the so-called BIND madness, I would have to comment that the vast majority of the patches and fixes were clearly stated as being in the test stage. Also, it was only the 'root-delegation-only' config statement that "broke" the other TLD's, like .name. If you just used the 'type delegation-only' in a zone, then there were no problems. So, that is a personal configuration issue, not a problem with the ISC code. Don't criticize an excellent open-source software provider for trying to quickly respond to its user base.

Re:One doesn't lead to the other, I'm afraid (1)

TheCrazyFinn (539383) | more than 10 years ago | (#7222088)

The patch isn't broken in the least. You just need to specify which .TLD's you will allow non-delegation records for. People forgot to specify these rather obscure ones (The only one on the list I ever visit is .tw)

Re:Not ISC's fault (3, Insightful)

rufey (683902) | more than 10 years ago | (#7222186)

I don't necessarily think that it is a bug in the BIND patches, nor with VeriSign. It's more a configuration issue with BIND.

The problem is that some TLDs do more than just delegation. The article mentioned the .name domain specifically.

The problem with the BIND patch arose when people implementing the patch decided to not allow wildcarding on all TLDs. If you used the patch to only set .com/.net to delegate-only, there wasn't a problem. If you also set .name to delegate-only, then you would have a problem with stuff in the .name domain.

For those who didn't install the patch and start using the delegate-only options, BIND doesn't automatically start enforcing a delegate-only on all TLDs. The TLDs which you want to be delegate-only have to be specified in the config file. To undo VeriSign's wildcard behavior, one would only want to set the delegate-only option on the .com and .net domains. Other TLDs had been doing wildcards prior to VeriSign's actions, and, indeed, some TLDs relied on wildcarding for some things to work. Unilaterally stopping all TLDs from doing more than delegating would break things.

Must be a Unix thing (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7221744)

I'm using Windows 2K and I haven't noticed any problems. I have been experiencing 500 Internal Server Errors with Slasdhtot lately, but I'm pretty sure that isn't a BIND thing. I checked task manager and BIND isn't running. Also, I can't ping Slashdot either. Something is wrong.

Re:Must be a Unix thing (0)

Anonymous Coward | more than 10 years ago | (#7221789)

...wha?

Re:Must be a Unix thing (0)

Anonymous Coward | more than 10 years ago | (#7221833)

I've been getting the 500 errors as well over the past 2 days...

Re:Must be a Unix thing (1)

pclminion (145572) | more than 10 years ago | (#7221982)

You can't ping Slashdot because Slashdot doesn't respond to pings. Notice that the web server seems to be working fine? :-P

Re:Must be a Unix thing (0)

Anonymous Coward | more than 10 years ago | (#7222057)

Those 500 Internal Server messages are annoying. Also the boards have slowed to a crawl at times.

Re:Must be a Unix thing (0)

Anonymous Coward | more than 10 years ago | (#7222090)

500 Internal Server Errors with Slasdhtot lately,

yes, me too. using MDK 9.2

Re:Must be a Unix thing (1, Funny)

Anonymous Coward | more than 10 years ago | (#7222217)

I'm using Windows 2K and I haven't noticed any problems. I have been experiencing 500 Internal Server Errors with Slasdhtot lately, but I'm pretty sure that isn't a BIND thing. I checked task manager and BIND isn't running. Also, I can't ping Slashdot either. Something is wrong.

you hit that on the head... yes something is wrong and you can fix it easily...

first search your /winnt or /windows directory for a teddy bear icon. this is the verisign virus that causes sitefinder to run. you need to delete that.

now every time something acts weird you need to simply press ALT-F4 and it will correct the problem.

So now VeriSign can say ... (1)

manastungare (596862) | more than 10 years ago | (#7221753)

... we told you about the ill effects of blocking the wildcard!

Will this be the beginning of a rematch between VeriSign and the world?

bad patches (1)

pe1chl (90186) | more than 10 years ago | (#7221755)

Indeed the patches were bad. I tried the first one and it caused strange problems.
My ISP installed another one and it is even worse: it does not return an error but it simply returns no answer for the wildcarded records.

Overblown (5, Informative)

Rafke (22542) | more than 10 years ago | (#7221756)

This report sounds a bit overblown. A conservative named.conf would only contain:

zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

And that would not have the problems described.

Re:Overblown (1)

beezly (197427) | more than 10 years ago | (#7221860)

I agree... this is a configuration error, not a "bug" in BIND.

BIND is doing whatever it has been configured to do.

Re:Overblown (1)

Jokkey (555838) | more than 10 years ago | (#7221976)

Agreed.

And, in all fairness, the letter from the .NAME registry recognizes this. They state that the BIND patch has a "destabilizing effect" because of the root-delegation-only option, but they don't express any complaints about declaring a zone delegation-only if appropriate. (In other words, the article submission is a tad misleading.)

Re:Overblown (1)

rayvd (155635) | more than 10 years ago | (#7222220)

Yes! Someone mod parent up. This is the way I understood BIND was to be configured. Why would you disable delegation for TLD's not controlled by Verisign??

No need to blast the patch...

This is wrong (1)

supe (163410) | more than 10 years ago | (#7221757)

"unexpectedly broke at least 7 Top Level Domains"
They were /.'d

Re:This is wrong (1)

grub (11606) | more than 10 years ago | (#7221815)


At least .cx was still intact.. :)

Re:This is wrong (0)

Anonymous Coward | more than 10 years ago | (#7222134)

They obviously were /.ed because they were not named in the above article, therefore all the /. viewers who would have not read those domains did hit those domains.

Well (0, Flamebait)

lazyl (619939) | more than 10 years ago | (#7221764)

A BIND patch wasn't the right way to address the problem anyway.

The legality of the wildcard scheme is what needs to be addressed. If it's illegal then the bind patch isn't needed, and if it's legal then BIND people would probably find themselves sued.

Re:Well (1)

EvilTwinSkippy (112490) | more than 10 years ago | (#7221854)

Amen to that.

Patching bind only adds legitimacy to the actions of Virilentsin, er, Verisign. When the wicked do wrong, they are seen as evil. When you do something wrong to counter the wicked, YOU are seen as evil.

Re:Well (1)

Zork the Almighty (599344) | more than 10 years ago | (#7221951)

I don't see how patching bind adds any legitimacy to Verisign's actions. Internet protocols are built on agreement, and agreements can only be enforced by actions such as this. To do nothing is to surrender the network and its operation to the biggest, brashest jerk around.

Re:Well (1)

netik (141046) | more than 10 years ago | (#7221961)

Look, it was a patch to add an option to named.conf to give an administrator the choice to force root-delegation-only.

If ISC failed to give a proper list of domains that needed to have root-delegation in the sample configuration, then their configuration is to blame and not their patch.

The people over at .name are not addressing this issue properly. No formal letter was required to be sent to ICANN -- All ISC had to do was inform people that the sample configuration was invalid.

Re:Well (1)

wayne (1579) | more than 10 years ago | (#7221962)

if [wildcarding TLD domains is] legal then BIND people would probably find themselves sued.

BUNK!

There is NOTHING that says that it is illegal for me to do post processing on DNS data that I receive from the internet. My server, my rules and if I want to block all of .biz, .cn and .edu with a patch to bind, nothing can (legally) stop me.

Re:Well (1)

InfiniteWisdom (530090) | more than 10 years ago | (#7221977)

then BIND people would probably find themselves sued.

On what grounds? If none of the web advertisers have sued Mozilla over the popup or image blocker features I fail to see how verisign could sue BIND.

Re:Well (0)

Anonymous Coward | more than 10 years ago | (#7222146)

sued for what? the patch doesn't unilaterally block anything - it only added a configurable feature to BIND that would give the owner/operator of a specific DNS server the choice to choose to accept or ignore records in top level zones..

Re:Well (1)

AKnightCowboy (608632) | more than 10 years ago | (#7222157)

and if it's legal then BIND people would probably find themselves sued.

Sued for what? It's a feature you can turn on or off and it's disabled by default in the config. What's the big deal? The only reason it's there is because people wanted it. That'd be like suing Microsoft for outlook viruses.

hmm.. (1)

Savatte (111615) | more than 10 years ago | (#7221771)

BIND patches? Well I'm in a bind as to whether or not I should ask someone what in the heck this means, since I have no idea.

Re:hmm.. (1)

Dodava (697614) | more than 10 years ago | (#7221842)

BIND (Berkeley Internet Name Daemon)

Re:hmm.. (0)

Anonymous Coward | more than 10 years ago | (#7222074)

BIND means : Berkeley Internet Name Daemon [isc.org]

oy vey (1)

kraksmoka (561333) | more than 10 years ago | (#7221793)

it made picking up new domains take half of forever in my experience. i have bellsouth access, still, through sheer inertia. they seem to be always the last on the net to refresh dns.

The Problem with Decentralized Control... (1)

pope1 (40057) | more than 10 years ago | (#7221794)

...is easily seen here. Its a perfect example.

We really need to link ICANN more effectively to the
world, maybe each state or province in each country can elect 1 ICANN rep.

Or maybe they should be elected from the owners of each CLASS A worth of network space, or each network, regardless of size, that has a large impact on the internet as a whole (AT&T owns all of 12.0.0.0/255.0.0.0 as far as I know)

Whatever the method, we need a more top-down system for ICANN.

Just my 216 Yen.

Re:The Problem with Decentralized Control... (1)

heXXXen (566121) | more than 10 years ago | (#7221855)

216 yen is 2 dollars, wouldn't that be more like your 2 yen (which equals 2 cents)?

Re:The Problem with Decentralized Control... (1)

pope1 (40057) | more than 10 years ago | (#7221928)

Aha! I got you, you thought I was simply ignorant of foreign exchange rates.. BUT.. in reality.. I was accounting for inflation yearsss into the future.

*ahem*

Yeah, so it was my 2 .

Anna Kornicova (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7221796)

I read today that Anna Cornicova, or however you spell her stupid foreign name, is considering quitting tennis. Good riddance. Let me know when you appear in Playboy, you talentless skank.

The procrastinator wins again... (1)

EvilTwinSkippy (112490) | more than 10 years ago | (#7221799)

Don't I feel all smug for letting the free world try out all that expimentanl @#$!&!!#$A$#@$!!^!!#$%!#Q [No Carrier]

I'll play the part of ICANN... (3, Funny)

pergamon (4359) | more than 10 years ago | (#7221802)

...in an appropriate response to .name's letter:

Dear (dot)name,

Since (dot)name provides such a useful and valuable service to the Internet community, we will immediately take action to address your--

DELETED!

Sounds like a good reason to use djbdns instead (3, Interesting)

ncc74656 (45571) | more than 10 years ago | (#7221803)

http://cr.yp.to/djbdns.html [cr.yp.to]

It's nowhere near as difficult to set up as BIND, it's more secure than BIND, and there's a patch [tinydns.org] available to block Verisign's wildcard lookups. I've been running the patched version at home and at work since shortly after Verisign added the wildcard records and haven't had issues with any DNS queries.

Get the /. anti-DJB trolls ready (0, Offtopic)

dmelomed (148666) | more than 10 years ago | (#7221905)

I can't wait to feed.

Re:Sounds like a good reason to use djbdns instead (1)

ewhac (5844) | more than 10 years ago | (#7221942)

Cool.

Is there a way to install and run it without having to install the rest of his daemon management stuff? I like to disrupt as few things as possible when making changes to my gateway.

Schwab

Re:Sounds like a good reason to use djbdns instead (0)

Anonymous Coward | more than 10 years ago | (#7222081)

Yes, it works like any other unix program...just think of daemontools as a better inetd...

Re:Sounds like a good reason to use djbdns instead (1)

shepd (155729) | more than 10 years ago | (#7222117)

>Is there a way to install and run it without having to install the rest of his daemon management stuff?

Yup. [www.fefe.de]

HTH!

Re:Sounds like a good reason to use djbdns instead (1)

ncc74656 (45571) | more than 10 years ago | (#7222132)

Is there a way to install and run it without having to install the rest of his daemon management stuff? I like to disrupt as few things as possible when making changes to my gateway.

I don't think so...but there's no reason why you couldn't use daemontools and ucspi-tcp only with djbdns and continue using whatever else for your other services. They're also useful to have on hand if you're using qmail (as I am).

(The only other publicly-accessible services I usually run are httpd (Apache) and sshd (OpenSSH), and they're standalone processes that monitor the appropriate ports by themselves. inetd isn't even installed on my servers.)

Re:Sounds like a good reason to use djbdns instead (1)

Florian Weimer (88405) | more than 10 years ago | (#7222079)

It's nowhere near as difficult to set up as BIND, it's more secure than BIND, and there's a patch [tinydns.org] available to block Verisign's wildcard lookups.

Your characterization of that patch is incorrect. It blocks A RRs which contain a specific IPv4 address. This is not what the BIND patch does, it's far more general.

Re:Sounds like a good reason to use djbdns instead (1)

ncc74656 (45571) | more than 10 years ago | (#7222209)

Your characterization of that patch is incorrect. It blocks A RRs which contain a specific IPv4 address. This is not what the BIND patch does, it's far more general.

How it goes about doing what it does, I think, is a minor point. For purposes of blocking sitefinder.verisign.com's IP address in response to a DNS lookup of some other domain, it gets the job done without affecting other lookups. (You can punch in http://sitefinder.verisign.com/ [verisign.com] and still go there, if that's what you want to do. It's only a lookup of something like http://dfsdshsdfsdfadfasdfs.fdjsdfajhfsdajhsdfajks dfjka.com/ [fdjsdfajhf...sdfjka.com] that will fail, as it should.)

A good reason to use anything else instead (0)

Anonymous Coward | more than 10 years ago | (#7222197)

I have avoided BIND for years. For a while my DNS server was actually one written in Perl...

Re:Sounds like a good reason to use djbdns instead (1)

Brendan Byrd (105387) | more than 10 years ago | (#7222281)

WARNING: SAME MAKER AS QMAIL!!!

Sorry, I prefer my DNS server package to include JUST the DNS server package, instead of trying to replace my OS with his own distro of network crap.

This is exactly the reason why I did not use them (1)

sabri (584428) | more than 10 years ago | (#7221817)

I don't want to sound like "told you so", but this is exactly the reason why I did not use them in the first place. An authoritative answer from a nameserver is authoritative, even if you do not agree with it. IMHO, Verisign should hang for their completely stupid actions which messed up the entire DNS system but on the other hand, I think that DNS operators should think twice before applying code that tampers with authoritative answers from root nameservers.

The path to follow was via ICANN, or if you still wanted to disable the sitefinder, just insert a route for the /32 in your favourite IGP and reroute the traffic to /dev/null or your ISP's site.

I do appreciate the efforts from the ISC in this matter. A lot. It certainly helped convincing ICANN of the seriousness of this problem.

Re:This is exactly the reason why I did not use t (1)

devphaeton (695736) | more than 10 years ago | (#7221884)

I think that DNS operators should think twice before applying code that tampers with authoritative answers from root nameservers.

Not only do i agree with your statement, but i feel this applies equally as well to mailservers (and other facets of inet infrastructure).

RFCs were created for a reason, and the day we all decide to do it our own way is the day that the internet will die.

Re:This is exactly the reason why I did not use t (1)

Florian Weimer (88405) | more than 10 years ago | (#7221964)

I think that DNS operators should think twice before applying code that tampers with authoritative answers from root nameservers.

The BIND patch doesn't alter the contents of the root zone (small nitpick).

The path to follow was via ICANN, or if you still wanted to disable the sitefinder, just insert a route for the /32 in your favourite IGP and reroute the traffic to /dev/null or your ISP's site.

Tampering with Internet routing could be viewed as damaging as dealing with DNS. Route manipulation is almost universally accepted. I guess if we had the tools to filter and/or rewrite DNS requests (like route-maps for most BGP implementations), the sacrosanct nature of DNS would change as well.

However, null routing doesn't restore the original behavior. The BIND configuration option does. It's a kludge, but it's the best option to restore the zone contents (from the point of view of your clients).

Do you not understand the issue at hand? (1)

The Kiloman (640270) | more than 10 years ago | (#7221965)

Hello idiots,
the delegation-only option is supposed to be used on a PER ZONE basis. It's not like applying the patch makes it so that no TLD is able to return non-delegation responses. It simply allows you to define certain zones that the server only accepts delegation results from.

Now in this great wide internet, I suppose it is possible that some asshats found a way to apply it to every zone that they query against - but last time I checked, you were supposed to do this:

zone "com" {type delegation-only;};
zone "net" { type delegation-only;};

So how it's breaking all these other zones is a farking mystery to me.

Looks to me like the post was meant to say "don't set the delegation-only option on these domains", but someone who doesn't understand what's going on took it to mean "THE PATCH BREAKS ALL DNS! THE SKY IS FALLING, THE SKY IS FALLING!"

Calm down people. The patch is still a perfectly fine idea.

Re:Do you not understand the issue at hand? (1)

Florian Weimer (88405) | more than 10 years ago | (#7222005)

zone "com" {type delegation-only;};
zone "net" { type delegation-only;};

So how it's breaking all these other zones is a farking mystery to me.


There's another option which makes delegation-only the default for top-level zones, and you have to list the exceptions explicitly. This can break all zones you fail to mention and which are not delegation-only.

blame verisign (1)

flacco (324089) | more than 10 years ago | (#7221823)

the blame for this lies squarely at verisign's feet.

Re:blame verisign (0)

Anonymous Coward | more than 10 years ago | (#7222232)

lessee: atheist, vegetarian, linux user. have i missed anything?

you forgot "virgin"

Thats the argument isn't it (1)

hillbilly1980 (137340) | more than 10 years ago | (#7221835)

When verisign went ahead and changed the TLD the argument by icann was that the ensuing environment in the internet community would cause chaos as organizations attempted to accommodate a once static internet infrastructure.

YOU DAMN DIRTY VERISIGN.

Yep (1)

devphaeton (695736) | more than 10 years ago | (#7221840)

I had a feeling this would happen.

And now that SiteFinder is gone, it may take forever for 100% of these patches to be fixed/remedied/removed/ etc.

In the meantime, i'm sure that someone, somewhere (or most likely hundreds or thousands of someones) are considering what mischievous deeds they might be able to do with these patches, a situation like SiteFinder or similar.

Ever notice that whenever someone does something a little bold and arrogant, they get shut down almost right away. But within 6 months of that, the gate opens and a pile of people pop up doing things significantly worse or ugly with little effective resistance?

Oh well. Maybe i should just obey the voices in the back of my head and go kill myself.

This wouldn't be a problem... (1)

SpamJunkie (557825) | more than 10 years ago | (#7221887)

This wouldn't be a problem with closed source software.

I'm just sayin. With closed source software domain name hijacking and pop-up windows are an unavoidable part of your day.

There are two features (3, Insightful)

Florian Weimer (88405) | more than 10 years ago | (#7221892)

The first feature (which is the one that was implemented initially) supports marking selected zones as delegation-only. This is safe, as long as VeriSign doesn't rush ahead and offer a special DNS service (with alleged super-high reliability) which involves A records directly in the COM and NET zones.

The second feature is much more dangerous because you have to explicitly mark the TLD zones which contain records which aren't delegations--all other zones are assumed to be delegation-only. Some zones have lots of in-zone A and/or MX records (DE, for example), so you have to do some research before you can enable this feature.

If the second feature is incorrectly configured, there will be some local disruption of service. While it might contribute slightly to the instability of the Internet, it's just a localized configuration error (mind that BIND doesn't even have a default for the configuration option), and it's not comparable to what VeriSign did on a global scale.
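The two configurations described in the post above (and in the earlier per-zone example), written out as an added named.conf example that is not from the thread or from ISC. The per-zone `type delegation-only` form and the `root-delegation-only exclude { ... }` option are BIND 9.2.3 syntax; DE is taken from the post, the other exclude entries are placeholders, not a vetted list.

```conf
// Added example, not from the thread or from ISC.

// Feature 1: per-zone delegation-only. Only the zones named here are
// affected; every other zone behaves exactly as before.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

// Feature 2: delegation-only becomes the default for every TLD, and
// only the listed zones keep their in-zone records. Any TLD that
// legitimately serves A or MX records at its apex and is NOT listed
// here will have those answers discarded by this resolver.
options {
    // ... other options ...

    // Risky form: enabling the global default with no exclusions
    // (or an incomplete list) silently breaks zones such as DE,
    // which the post notes carries many in-zone A/MX records.
    // root-delegation-only;

    // Safer form: research each TLD first and list every one that
    // serves non-delegation records. DE comes from the post; the
    // remaining entries are placeholders to be replaced after that
    // research, not a list of zones known to need exclusion.
    root-delegation-only exclude {
        "de";
        "PLACEHOLDER-TLD-1";
        "PLACEHOLDER-TLD-2";
    };
};
```

The failure mode is one-sided: a zone wrongly left out of the exclude list loses its in-zone answers only for clients of this resolver, so the symptom shows up as local lookup failures rather than anything visible to the zone's operator.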

That tears it! (1)

Progman3K (515744) | more than 10 years ago | (#7221915)

I'm going back to Windows!

I used the patch... (1)

devphaeton (695736) | more than 10 years ago | (#7221935)

BIND Patches Make Bad Situation Worse

I hear those Nicotine Patches can do the same thing to people trying to quit smoking.

Hmmm (0)

Anonymous Coward | more than 10 years ago | (#7221944)

However, it turns out they weren't necessarily too well thought through

Nor was this sentence.

Wildcarded TLD (1)

Obfuscant (592200) | more than 10 years ago | (#7221981)

I'd almost say that if a TLD can be handled with a single wildcard, then the domain is not large enough to exist and should be a second level under something else. Even if it is just starting out, it should be run as if it were a significant participant in the net, which means delegation of specific second level entries under that tld.

problems with BIND?!?!?! (0)

Anonymous Coward | more than 10 years ago | (#7222012)

GTFO! I don't trust that crap like I don't trust sendmail.. it's djb software fer me all the way baby.

-Dirtbag

Invader ZIM (1)

Valdrax (32670) | more than 10 years ago | (#7222024)

ZIM: I helped with the DNS problem.
Tallest: You made the DNS problem worse!
ZIM: Worse..? or better?

Uh... (0, Flamebait)

dasmegabyte (267018) | more than 10 years ago | (#7222040)

DJBDNS, [cr.yp.to] anyone?

The Bind authors are known idiots. Much like users of their software. It's buggier, more resource intensive and slower, but at least it costs more!

But... (1)

SuiteSisterMary (123932) | more than 10 years ago | (#7222048)

But I thought, regression testing, hell testing at all, was a bad thing. Isn't it *good* that in the open source world, a patch gets slapped together and applied the world over, within an hour?

ISC at fault? Not likely. (2, Insightful)

samj (115984) | more than 10 years ago | (#7222070)

I find it strange that I'd be coming to the aid of the authors of BIND as a loyal djbdns user, but in this case I strongly believe it is Verisign who are to be hung, drawn and quartered over this one. The ISC were merely attempting to meet the needs of their customers. I haven't looked at why this caused breakage yet, but I wonder how much of it is related to poor configuration of the other domains? I wonder also how difficult it would be to modify the patch to sanitise only .com and .net domains? Not quite as clean, but better than, say, filtering IP numbers!

What's this world coming to, anyway? (1)

davew2040 (300953) | more than 10 years ago | (#7222072)

I'm on Bellsouth.Net dial-up, and it's been a couple of weeks now since I've been able to correctly get to google.com. I ultimately had to ask a friend of mine to give me the correct IP address, and have had to bookmark that. I noticed that in the first few days the browser was unable to locate any page on that address, but the space has since been "colonized", I guess by some opportunist.

I presume this hassle is because of the various problems caused by these idiotic modifications to the foundations of the Internet, and I wish hellfire and brimstone upon the PHB's responsible for them.

There is no stability problem (1)

jurgen (14843) | more than 10 years ago | (#7222073)

The non-delegation records in those zones are crap records to various registrars' websites, just like the ones Verisign was publishing. Why would anyone care? Filter them all, I say.

What problem? (1, Interesting)

Anonymous Coward | more than 10 years ago | (#7222110)

.name suits complain that their wildcard doesn't work anymore with those who installed patched Bind?
How is it a problem for anyone except them?

When Verisign turned the wildcard for .com/.net and ISC came up with Bind patches, many admins decided to also block wildcards in about a dozen small TLDs some of which supported wildcards from day one - they were simply below the radar until Sep 15. Now those TLDs are unhappy because customers have tools to block their idiotic tricks - who cares? - how are they any better than Verislime except they can't quite screw up as many people?

I am perfectly happy running the patched bind and have no intention of rolling it back - even if sitefinder is out for good, it's a matter of principle, - no wildcards on TLDs!

Vlad

Sounds to me... (1)

petermdodge (710869) | more than 10 years ago | (#7222118)

... like the companies want to keep people away from future "patches" that may override such annoying services in the future.

Ditto.