Verisign hijacked unused .COM and .NET domains

Discussion in 'Linux Networking' started by Jem Berkes, Sep 16, 2003.

  1. Jem Berkes Guest

    As of today (2003-09-15) Verisign has hijacked/squatted on ALL unused .com
    and .net domain names. These unused domains will now resolve to a Verisign
    IP which runs http and smtp. The host will accept incoming mail.

    Implications:
    1. Instant departure from clearly established, expected DNS behavior
    2. Verisign demonstrates total ownership of .COM and .NET root hierarchy
    3. Unilateral action to insert corporate advertising into heart of Internet
    4. Junk filtering that checks existence of domains is now broken
    5. Nameservers around the world will now cache all sorts of useless junk
    6. Mail to invalid domains (typos, bounces) will go to Verisign
    7. Admins will have a harder time determining site configuration errors
    8. Invalid URLs can now pollute search engines and automated systems

    You might want to complain to ICANN [ http://www.icann.org/ ]
    The largest influence will probably come from ISPs, who I'm sure _will_
    suffer weird, unforeseen problems from this action.
     
    Jem Berkes, Sep 16, 2003
    #1

  2. Harky Guest

    <snip>

    I don't understand how such a thing is possible. What tech (or holes in the
    tech) would allow such a thing?

    Best, Dann
     
    Harky, Sep 16, 2003
    #2

  3. Jem Berkes Guest

    > As of today (2003-09-15) Verisign has hijacked/squatted on ALL unused

    ICANN has given Verisign the responsibility of running several of the
    Internet's root nameservers. So Verisign does technically control the
    software running on these. They have now added a wildcard to match all
    unused domains.

    There is no technical hole exploited; it's a design flaw in the system in
    that one (untrustworthy) company has been given too much control over the
    Internet.
     
    Jem Berkes, Sep 16, 2003
    #3
  4. James Riden Guest

    Verisign answer queries for .com and .net. They just changed the
    answers they're handing out for non-existent domains from NXDOMAIN to
    64.94.110.11. Try:

    % dig shasgjklhasgdhjksafdjksafhjshdgjsafdksdfklsagdjklh.net

    If you want to talk about workarounds, probably best to try the
    mailing list of your favourite MTA or DNS server.
     
    James Riden, Sep 16, 2003
    #4
  5. ynotssor Guest

    In the /etc/mail/access file for sendmail:

    64.94.110.11	ERROR:5.7.1:550 " E-mail from unresolved domains is REJECTED on account of the stupidity of Verisign and Network Solutions. Resolving bogus domain names is really stupid. Makes you wonder which spammer bought off versign. "

    Rebuild the access.db file and restart sendmail.
     
    ynotssor, Sep 16, 2003
    #5
  6. Another interesting read is thus...

    <http://www.iab.org/Documents/icann-vgrs-response.html>

    as also is...

    <http://eng.registro.br/pipermail/gter/2003-January/001241.html>
    --
    (format nil "~S@~S" "cbbrowne" "acm.org")
    http://cbbrowne.com/info/x.html
    Do not worry about the bullet that has got your name on it. It will
    hit you and it will kill you, no questions asked. The rounds to worry
    about are the ones marked: TO WHOM IT MAY CONCERN.
     
    Christopher Browne, Sep 16, 2003
    #6
  7. Kris Stark Guest

    I guess we should simply hold Verisign responsible for the extra costs of:
    Excess SPAM and thus the administrative cost
    Excess storage requirements for junk DNS data
    Excess bandwidth (esp. metered users) who mistype a domain
    (No longer a locally generated 'sorry, can't find it')

    Further, I suppose we should send a SPAM complaint to abuse at verisign
    for each and every spam message that comes through from a domain that
    they now "host" - per RFC they are supposed to each have an abuse address
    that is valid... :) Then again - bounces.... :(

    Who allowed an organization that cannot adhere to any of the rules to have
    as much power as this? Sounds like another Enron to me....

    Kris
     
    Kris Stark, Sep 16, 2003
    #7
  8. You don't have to stop and restart sendmail for changes in access. They're
    picked up immediately.
     
    G. Roderick Singleton, Sep 16, 2003
    #8
  9. ynotssor Guest

    Yes, that's correct, thanks for the correction. The *.db structure makes that possible. I was confused from a just-prior answer to a
    different request in another ng concerning the /etc/mail/relay-domains file.
     
    ynotssor, Sep 16, 2003
    #9
  10. Thought so but wanted to make things clear quickly for email tyros.
     
    G. Roderick Singleton, Sep 16, 2003
    #10
  11. That may make you feel good. But it won't otherwise do anything.
     
    Neil W Rickert, Sep 16, 2003
    #11
  12. ynotssor Guest

    Yes, I can see that now upon further thought. The mail won't originate from that address, for sure.
     
    ynotssor, Sep 16, 2003
    #12
  13. Yep.

    You have to do that in Local_check_mail (and Local_check_rcpt as
    well).

    MJ
     
    Michal Jankowski, Sep 16, 2003
    #13
  14. ynotssor Guest

    A post in another ng offered this for insertion into the sendmail.mc file.
    Of course the left and right sides in the rulesets must be separated with tabs:

    LOCAL_CONFIG
    Kbestmx bestmx -z/
    Khostip dns -RA

    LOCAL_RULESETS
    SLocal_check_mail
    R$*	$: $>canonify $1
    R<@>	$@ <@>
    R$*<@$*.>	$: $1<@$2>		strip the trailing . if present
    R$*<@$+>	$: $2 $| $>CheckBrokenVerisign $2
    R$* $| $#$*	$#$2
    R$+ $| $*	$: $1 $| $>CheckBadMX $( bestmx $1 $) /
    R$* $| $#$*	$#$2

    SCheckBrokenVerisign
    R$*	$: $(hostip $1 $)
    R64.94.110.11	$#error $@ 5.5.4 $: "550 Real domain name required for sender address"
    R127.0.0.1	$#error $@ 5.5.4 $: "550 Real domain name required for sender address"

    SCheckBadMX
    R$* / $*	$>CheckThisMX $1 / $2

    SCheckThisMX
    R$* / $*	$: $(hostip $1 $) $| $2
    R127.0.0.1 $| $*	$#error $@ 5.5.4 $: "550 sender does not resolve to a replyable domain"
    R$* $| $*	$@ $2
     
    ynotssor, Sep 16, 2003
    #14
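The two checks discussed in this thread, James Riden's dig probe of a random unregistered name (post #4) and the sendmail rulesets above (post #14), modelled in Python as an added example; this is not code from the thread or from sendmail. The resolver is a constructed in-memory table so the script runs offline, the only address taken from the thread is 64.94.110.11, and the other addresses, the domain names and the `fake_lookup`/`probe_wildcard`/`check_sender` names are all constructed for the example. Unlike the ruleset, which hardcodes the wildcard address, this version learns it from the probe, and it illustrates Neil Rickert's point that an access-file entry for the connecting IP does nothing: the rejection has to be keyed on where the sender's domain and MX resolve, not on who connected.

```python
"""Added example (not from the thread): model of the dig probe and the
sendmail sender-domain rulesets posted above.

1. probe_wildcard(): resolve a random, certainly-unregistered label under a
   TLD.  A real NXDOMAIN means no wildcard; an address means the TLD is
   synthesizing answers, and that address is what a filter must treat as
   "no such domain".
2. check_sender(): reject an envelope sender whose domain, or whose best MX,
   resolves to the learned wildcard address or to 127.0.0.1, which is what
   Local_check_mail / CheckBrokenVerisign / CheckThisMX do.
"""
import secrets
from typing import Callable, Optional

WILDCARD_COM_NET = "64.94.110.11"   # the address quoted in the thread

# Constructed zone data (documentation-range addresses, made-up names).
# key: (owner name, rrtype) -> list of rdata strings.
FAKE_DNS = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["10 mail.example.com", "20 mx2.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("mx2.example.com", "A"): ["192.0.2.26"],
    ("nullmx.net", "A"): ["192.0.2.30"],
    ("nullmx.net", "MX"): ["0 localhost"],   # MX pointing at loopback
    ("localhost", "A"): ["127.0.0.1"],
}

Resolver = Callable[[str, str], Optional[list]]


def fake_lookup(name: str, rrtype: str) -> Optional[list]:
    """Stand-in for a DNS query; None means NXDOMAIN / no data.  Any unknown
    name under com or net gets the wildcard A record, as the thread describes.
    Replace with a real resolver (e.g. dnspython) outside this example."""
    key = (name.lower().rstrip("."), rrtype)
    if key in FAKE_DNS:
        return FAKE_DNS[key]
    if rrtype == "A" and key[0].endswith((".com", ".net")):
        return [WILDCARD_COM_NET]
    return None


def probe_wildcard(tld: str, lookup: Resolver) -> Optional[str]:
    """The dig trick: query a random 32-hex-character label under tld and
    return the synthesized address, or None if the TLD answers NXDOMAIN."""
    label = secrets.token_hex(16)
    answer = lookup(f"{label}.{tld}", "A")
    return answer[0] if answer else None


def best_mx(domain: str, lookup: Resolver) -> str:
    """Lowest-preference MX host; with no MX record the domain itself is
    the implicit mail exchanger."""
    records = lookup(domain, "MX") or []
    if not records:
        return domain
    _, host = min((int(r.split()[0]), r.split()[1]) for r in records)
    return host


def check_sender(sender: str, lookup: Resolver,
                 wildcard: Optional[str] = None) -> tuple:
    """Return (accept, reason) for an envelope sender, applying the same
    tests as the posted rulesets but with the wildcard address learned by
    probe_wildcard() instead of hardcoded."""
    bad = {"127.0.0.1"}
    if wildcard:
        bad.add(wildcard)
    if "@" not in sender:
        return True, "no domain part; left to other checks"
    domain = sender.rsplit("@", 1)[1].rstrip(".")
    a = lookup(domain, "A")
    if a and a[0] in bad:                   # CheckBrokenVerisign
        return False, "550 Real domain name required for sender address"
    mx_a = lookup(best_mx(domain, lookup), "A")
    if mx_a and mx_a[0] in bad:             # CheckThisMX
        return False, "550 sender does not resolve to a replyable domain"
    return True, "ok"


if __name__ == "__main__":
    learned = probe_wildcard("com", fake_lookup)
    print("wildcard address for com:", learned)
    for s in ("alice@example.com", "bob@bogus-typo.com", "carol@nullmx.net"):
        print(s, check_sender(s, fake_lookup, learned))
```

Without the learned address, `check_sender` accepts a typo domain because its wildcard A record looks like any other address; that is exactly the breakage listed as point 4 of the opening post, and why the filter has to know the sinkhole address rather than merely test that the name resolves.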
  15. H> I don't understand how such a thing is possible. What tech
    H> (or holes in the tech) would allow such a thing?

    JB> ICANN has given Verisign the responsibility of running several
    JB> over the Internet's root nameservers.

    True, but irrelevant. The servers involved in this particular
    issue are the TLD content DNS servers for "com." and "net.", _not_
    the ICANN root content DNS servers.

    JB> They have now added a wildcard to match all
    JB> unused domains.

    Only those under "com." and "net.".

    The irony is that the "solutions" that some other people have come
    forward with (You had the right idea about contacting ICANN.) have
    handed Verisign the additional power to affect any domain name in
    the entire namespace.

    <URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html>

    JB> There is no technical hole exploited; it's a design flaw in
    JB> the system in that one (untrustworthy) company has been given
    JB> too much control over the Internet.

    But (just to be clear) not by "someone else". We, collectively,
    gave the control to Verisign. We, collectively, can take it away.

    It's not actually a design flaw. It's a simple breach of trust.
    We delegated authority over certain things to Verisign, and it
    has suddenly done something that we don't like. Our remedy is to
    revoke its authority (or at least to threaten to, in order to compel
    it to behave differently).
     
    Jonathan de Boyne Pollard, Sep 16, 2003
    #15
  16. JB> 2. Verisign demonstrates total ownership of .COM and .NET
    JB> root[?] hierarchy

    Which, of course, is perfectly legitimate. The root organisations
    delegate authority over "com." and "net." to Verisign, so it does
    have it, and always has. As you say, it has merely _demonstrated_
    that it has it.

    JB> 5. Nameservers around the world will now cache all sorts of
    JB> useless junk

    They would already have been caching "no such name" information about
    the domain names that have suddenly been brought into existence.
    Caching "A" resource record sets (and the empty resource record sets
    for all other types) may take up more space, but information about
    these domain names _was already being_ cached.

    JB> 8. Invalid URLs can now pollute search engines and
    JB> automated systems

    There is, reportedly, a "robots.txt" file on Verisign's content
    HTTP server at 64.94.110.11 that stops it from being crawled by
    spiders.

    JB> You might want to complain to ICANN [ http://www.icann.org/ ]

    The root server organizations that delegated "com." and "net." to
    Verisign are, indeed, the ones to complain to.

    <URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html>
     
    Jonathan de Boyne Pollard, Sep 16, 2003
    #16
  17. We delegated authority over certain things to Verisign

    THAT'S the problem... "we" never did. The DNS has been under
    US government control and funding since day 1.

    The attempts throughout history to wean away from that
    teat didn't work. "We must preserve IANA for stability of
    the net" resonated with people worldwide and should not
    have, as it really meant "we must let the US government
    continue to have control so big business retains its influence".

    The net made its bed and must now sleep in it.
     
    Richard J. Sexton, Sep 17, 2003
    #17
  18. Mark Crispin Guest

    You have a very distorted view of history.

    The whole reason why Verisign was able to pull this stunt was because of
    well-intentioned but misguided efforts to "wean the Internet away from
    that teat."

    The NIC functions were handled very well by Jake Feinler and her group at
    SRI. It was taken away from them in order to "wean the Internet from that
    teat" and the result was Network Solutions.

    Verisign would be very happy to see IANA, ICANN, etc. go away; these
    represent the last barriers in Verisign's way. When you attack the last
    remnants of the old order, you directly benefit Verisign. The old order
    did not choose Verisign; nobody (and I do mean nobody) has ever willingly
    done business with Verisign/Network Solutions.

    Anarchy doesn't work. The inevitable results of anarchy are warlords,
    walled cities, and plundered villages. The old order had its problems,
    but the warlords are worse.

    And no, I do not trust wannabee-warlords (a.k.a. the advocates of
    "alternative TLDs") who attack the old order in the name of fighting the
    big warlord. As a resident of one of the villages that the warlords seek
    to plunder, I'm building my walls as fast as I can, but I would much
    rather be growing crops.

    -- Mark --

    http://staff.washington.edu/mrc
    Science does not emerge from voting, party politics, or public debate.
    Si vis pacem, para bellum.
     
    Mark Crispin, Sep 17, 2003
    #18
  19. YMMV. I was there and didn't see you around.

    > that teat."

    Doesn't parse.
    Factually incorrect. It was bid out by Don Mitchell of the NSF
    who appropriately had aegis over the DNS by virtue of being
    given it by DARPA who funded it from day 1.

    Keep in mind in the day the internet community largely consisted
    of US institutes of higher education - which is who the NSF
    is funded to serve.

    The only other bidder was uunet and there was some discontent about
    handing over all authority over domains and IP's to one commercial
    provider of internet services. Under the uunet plan, uunet would
    delegate all IP's, under the NSI plan IANA would delegate them.
    I have. Lots of people have. Don't exaggerate.

    Factually incorrect. Usenet has long been touted as the world's largest
    and most functional anarchy. For a good reason, too, it really is.
    The central point to the alternative tld movement is that we believe the
    individual should be in charge of their DNS resolution, not the US
    government. Ie, the DNS should be run under a similar model to
    usenet, not with a central authority (and God forbid it be
    somebody as corrupt and incompetent as the US Department of .COMmerce)

    Charges of "you people will break the internet" wear pretty thin when in
    7 years nobody has ever been able to do more than bleat this warning
    without being able to show any actual damage.

    Conversely the ICANN has allowed .ws to do this years ago and now allows
    NSI to do it.

    My, aren't you on the winning team.
     
    Richard J. Sexton, Sep 18, 2003
    #19
  20. Peter Peters Guest

    As far as ICANN is concerned they have nothing to say about ccTLD's.
    Some registries of ccTLD's have adopted "the ICANN way" but no ccTLD
    registry has to obey ICANN's rules.
     
    Peter Peters, Sep 18, 2003
    #20