Verisign hijacked unused .COM and .NET domains

As of today (2003-09-15) Verisign has hijacked/squatted on ALL unused .com
and .net domain names. These unused domains will now resolve to a Verisign
IP which runs http and smtp. The host will accept incoming mail.

Implications:
1. Instant departure from clearly established, expected DNS behavior
2. Verisign demonstrates total ownership of .COM and .NET root hierarchy
3. Unilateral action to insert corporate advertising into heart of Internet
4. Junk filtering that checks existence of domains is now broken
5. Nameservers around the world will now cache all sorts of useless junk
6. Mail to invalid domains (typos, bounces) will go to Verisign
7. Admins will have a harder time determining site configuration errors
8. Invalid URLs can now pollute search engines and automated systems

You might want to complain to ICANN [ http://www.icann.org/ ]
The largest influence will probably come from ISPs, who I'm sure _will_
suffer weird, unforseen problems from this action.

--
Jem Berkes
http://www.sysdesign.ca/

"Jem Berkes" wrote...
> As of today (2003-09-15) Verisign has hijacked/squatted on ALL unused .com
> and .net domain names. These unused domains will now resolve to a Verisign
> IP which runs http and smtp. The host will accept incoming mail.
<snip>

I don't understand how such a thing is possible. What tech (or holes in the
tech) would allow such a thing?

Best, Dann

>> As of today (2003-09-15) Verisign has hijacked/squatted on ALL unused
>> .com and .net domain names. These unused domains will now resolve to
>> a Verisign IP which runs http and smtp. The host will accept incoming
>> mail.
> <snip>
>
> I don't understand how such a thing is possible. What tech (or holes
> in the tech) would allow such a thing?

ICANN has given Verisign the responsibility of running several over the
Internet's root nameservers. So Verisign does technically control the
software running on these. They have now added a wildcard to match all
unused domains.

There is no technical hole exploited; it's a design flaw in the system in
that one (untrustworthy) company has been given too much control over the
Internet.

--
Jem Berkes
http://www.sysdesign.ca/

"Harky" <(E-Mail Removed)> writes:

> "Jem Berkes" wrote...
>> As of today (2003-09-15) Verisign has hijacked/squatted on ALL unused .com
>> and .net domain names. These unused domains will now resolve to a Verisign
>> IP which runs http and smtp. The host will accept incoming mail.
> <snip>
>
> I don't understand how such a thing is possible. What tech (or holes in the
> tech) would allow such a thing?

Verisign answer queries for .com and .net. They just changed the
answers they're handing out for non-existant domains from NXDOMAIN to
64.94.110.11. Try:

% dig shasgjklhasgdhjksafdjksafhjshdgjsafdksdfklsagdjklh .net

If you want to talk about workarounds, probably best to try the
mailing list of your favourite MTA or DNS server.

--
James Riden / (E-Mail Removed) / Systems Programmer - Security
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.

"James Riden" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)

> Verisign answer queries for .com and .net. They just changed the
> answers they're handing out for non-existant domains from NXDOMAIN to
> 64.94.110.11. Try:
>
> % dig shasgjklhasgdhjksafdjksafhjshdgjsafdksdfklsagdjklh .net
>
> If you want to talk about workarounds, probably best to try the
> mailing list of your favourite MTA or DNS server.

In the /etc/mail/access file for sendmail:

64.94.110.11 ERROR:5.7.1:550 " E-mail from unresolved domains is REJECTED on account of the stupidity of Verisign and Network
Solutions. Resolving bogus domain names is really stupid. Makes you wonder which spammer bought off versign. "

Rebuild the access.db file and restart sendmail.


--
use hotmail com for any email replies



-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

A long time ago, in a galaxy far, far away, James Riden <(E-Mail Removed)> wrote:
> "Harky" <(E-Mail Removed)> writes:
>
>> "Jem Berkes" wrote...
>>> As of today (2003-09-15) Verisign has hijacked/squatted on ALL unused .com
>>> and .net domain names. These unused domains will now resolve to a Verisign
>>> IP which runs http and smtp. The host will accept incoming mail.
>> <snip>
>>
>> I don't understand how such a thing is possible. What tech (or holes in the
>> tech) would allow such a thing?
>
> Verisign answer queries for .com and .net. They just changed the
> answers they're handing out for non-existant domains from NXDOMAIN to
> 64.94.110.11. Try:
>
> % dig shasgjklhasgdhjksafdjksafhjshdgjsafdksdfklsagdjklh .net
>
> If you want to talk about workarounds, probably best to try the
> mailing list of your favourite MTA or DNS server.

Another interesting read is thus...

<http://www.iab.org/Documents/icann-vgrs-response.html>

as also is...

<http://eng.registro.br/pipermail/gter/2003-January/001241.html>
--
(format nil "~S@~S" "cbbrowne" "acm.org")
http://cbbrowne.com/info/x.html
Do not worry about the bullet that has got your name on it. It will
hit you and it will kill you, no questions asked. The rounds to worry
about are the ones marked: TO WHOM IT MAY CONCERN.

On Tue, 16 Sep 2003 00:01:20 -0400, Jem Berkes wrote:

> As of today (2003-09-15) Verisign has hijacked/squatted on ALL unused
> .com and .net domain names. These unused domains will now resolve to a
> Verisign IP which runs http and smtp. The host will accept incoming
> mail.
>
> Implications:
> 1. Instant departure from clearly established, expected DNS behavior 2.
> Verisign demonstrates total ownership of .COM and .NET root hierarchy 3.
> Unilateral action to insert corporate advertising into heart of Internet
> 4. Junk filtering that checks existence of domains is now broken 5.
> Nameservers around the world will now cache all sorts of useless junk 6.
> Mail to invalid domains (typos, bounces) will go to Verisign 7. Admins
> will have a harder time determining site configuration errors 8. Invalid
> URLs can now pollute search engines and automated systems

I guess we should simply hold Verisign responsible for the extra costs of:
Excess SPAM and thus the administrative cost
Excess storage requirements for junk DNS data
Excess bandwith (esp. metered users) who mistype a domain
(No longer a locally generated 'sorry, can't find it')

Further, I suppose we should send a SPAM complaint to abuse at verisign
for each and every spam message that comes through from a domain that
they now "host" - per RFC they are supposed to each have an abuse address
that is valid... Then again - (E-Mail Removed) bounces....

Who allowed an organization that cannot adhere to any of the rules have
as much power as this? Sounds like another Enron to me....

Kris

ynotssor wrote:
> "James Riden" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)
>
>
>>Verisign answer queries for .com and .net. They just changed the
>>answers they're handing out for non-existant domains from NXDOMAIN to
>>64.94.110.11. Try:
>>
>>% dig shasgjklhasgdhjksafdjksafhjshdgjsafdksdfklsagdjklh .net
>>
>>If you want to talk about workarounds, probably best to try the
>>mailing list of your favourite MTA or DNS server.
>
>
> In the /etc/mail/access file for sendmail:
>
> 64.94.110.11 ERROR:5.7.1:550 " E-mail from unresolved domains is REJECTED on account of the stupidity of Verisign and Network
> Solutions. Resolving bogus domain names is really stupid. Makes you wonder which spammer bought off versign. "
>
> Rebuild the access.db file and restart sendmail.
>
>

You don't have to stop and restart sendmail for changes in access. They
picked up immediately.

"G. Roderick Singleton" <(E-Mail Removed)> quoted and wrote in message
news:xFw9b.1433$(E-Mail Removed)

>> In the /etc/mail/access file for sendmail:
>>
>> 64.94.110.11 ERROR:5.7.1:550 " E-mail from unresolved domains
>> is REJECTED on account of the stupidity of Verisign and Network
>> Solutions. Resolving bogus domain names is really stupid. Makes you
>> wonder which spammer bought off versign. "
>>
>> Rebuild the access.db file and restart sendmail.
>
> You don't have to stop and restart sendmail for changes in access.
> They picked up immediately.

Yes, that's correct, thanks for the correction. The *.db structure makes that possible. I was confused from a just-prior answer to a
different request in another ng concerning the /etc/mail/relay-domains file.

--
use hotmail com for any email replies



-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

ynotssor wrote:
> "G. Roderick Singleton" <(E-Mail Removed)> quoted and wrote in message
> news:xFw9b.1433$(E-Mail Removed)
>
>
>>>In the /etc/mail/access file for sendmail:
>>>
>>>64.94.110.11 ERROR:5.7.1:550 " E-mail from unresolved domains
>>>is REJECTED on account of the stupidity of Verisign and Network
>>>Solutions. Resolving bogus domain names is really stupid. Makes you
>>>wonder which spammer bought off versign. "
>>>
>>>Rebuild the access.db file and restart sendmail.
>>
>>You don't have to stop and restart sendmail for changes in access.
>>They picked up immediately.
>
>
> Yes, that's correct, thanks for the correction. The *.db structure makes that possible. I was confused from a just-prior answer to a
> different request in another ng concerning the /etc/mail/relay-domains file.
>

Thought so but wanted to make things clear quickly for email tyros.