Verisign's land grab

  • Thread starter Thread starter Jonathan de Boyne Pollard
  • Start date Start date
SH> Could MSDNS be modified to convert Verisign's
SH> catchall to NXDOMAIN?

Not by users, no.

This idea is a poor one, anyway, that Verisign can
easily counter. Indeed, it hands Verisign the
capability of performing various denial-of-service
attacks.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.
Click to expand...
html#Resistance>
****************** REPLY SEPARATER *********************
I am sorry, but I don't understand why the idea is a poor one. SimpleDNS Plus
has already done it. And if Verisign changes the IP address, they have added
the capability to correct for it in the INI file. The added plus is that
instead of connecting to Verisign, the customer can be redirected to one of
your own sites. To me that is a very good reponse to this high handed move by
Verisign.
 
tinydns and Bind also have patches you can use. To counter if Verisign
changes the IP addresses daily or weekly, you could check the returned IP
with the return of a query for actuall wildcard (i.e. *.dns a) and see if
they match. If so, then return NXDOMAIN. This however would intail another
query for ever domain not cached.

--
William Stacey, DNS MVP

 
WS> To counter if Verisign changes the IP addresses daily or weekly,
WS> you could check the returned IP with the return of a query for
WS> actuall wildcard (i.e. *.dns a) and see if they match.

.... thereby allowing Verisign to _fully automate_ any
denial-of-service attack that it may make using the mechanism for
doing so that you are handing to it, instead of waiting for human
beings to catch up and modify their configuration files.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html>

If one is taking the view that Verisign has gone rogue, handing it
further powers to do more damage (as these mechanisms all do) is not
the way to proceed.
 
JdeBP> <URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html#Resistance>

JC> I am sorry, but I don't understand why the idea is a poor one.

What about the explanation given on that web page did you not
understand ? I've listed the several flaws in detail, along
with examples.

JC> SimpleDNS Plus has already done it.

That says nothing, apart from that we can count SimpleDNS Plus
users amongst the growing number of people who have just handed
another weapon to Verisign.

Also: Bear in mind that "Someone Else has already done this." is
one of the very arguments that has been put forward in defence
of what Verisign has done. ("Other TLD registries started doing
this years ago [...].") "Someone else has done it." doesn't
necessarily make "it" the right thing to do.

JC> And if Verisign changes the IP address, they have added
JC> the capability to correct for it in the INI file.

Now read the explanation on the web page about why the very
fact that Verisign _can_ change the IP address is a flaw in
the "solution".

JC> To me that is a very good reponse [...]

No. It's a bad response. It's counterproductive in that people
now think "Oh, the DNS software fixes it.", which it doesn't
actually do at all. (All but one of the software fixes that I've
seen so far don't fix the problem at all, and hand Verisign another
weapon. The remaining one simply just doesn't fix the problem.)

This _isn't_ a technical problem with a software fix. It's an
administrative problem with a talking-to-human-beings fix. A
good response would have been to say that the Domain Name System
works by delegation, and that we (all of us) have (individually,
albeit usually indirectly) delegated authority over "com." and
"net." and their subdomains to Verisign. This is the way that the
DNS is designed to work. If someone breaches our trust by abusing
the authority delegated to them, the correct response on our part
is to not delegate authority to them any more (or, at least, to
threaten to). This involves talking to root server organizations
(ICANN, ORSC, PacificRoot, and so forth) and to Verisign. (If
Verisign doesn't comply, we get the root server organizations to
stop delegating their authority to it. If the root server
organizations don't comply, we stop delegating _our_ authority
to _them_.) It doesn't involve changing the source code of DNS
server softwares.

Consider a hypothetical that might help: Posit that you are the
administrator of "yellowhead.com.". You delegate authority for
"www.yellowhead.com." to Verisign, on the understanding that it
won't abuse this to redirect your HTTP traffic somewhere that
you don't want it to go. Verisign abuses your trust and redirects
your HTTP traffic somewhere else, using the authority that you have
given to it. What do you do ? Do you employ the software-fix
approach of having everyone in the world patch their DNS server
softwares ? Or do you employ the talking-to-human-beings approach of
telling Verisign to get back into line, with the threat that if it
doesn't you'll simply delegate the authority for "www.yellowhead.com."
and its subdomains to someone else ?
 
How can we do that with MS DNS?

Ace

In
William Stacey said:
tinydns and Bind also have patches you can use. To counter if
Verisign changes the IP addresses daily or weekly, you could check
the returned IP with the return of a query for actuall wildcard (i.e.
*.dns a) and see if they match. If so, then return NXDOMAIN. This
however would intail another query for ever domain not cached.
Click to expand...
 
MS needs to come out with a patch or a pluggable filter sink in the server.
You could also put bind (w/ the patch) in the dmz and forward to that for
inet rez.
 
... thereby allowing Verisign to _fully automate_ any
denial-of-service attack that it may make using the mechanism for
doing so that you are handing to it, instead of waiting for human
beings to catch up and modify their configuration files.
Click to expand...

If that is what they wanted to do, they could do that anyway without this
wildcard stuff, so your point is mute.

Second, you have problems with your other assumptions:

1) You say - "Verisign can change the IP address that it is publishing at
any time. People employing these measures have manoeuvred themselves into
playing a never-ending game of catch-up with Verisign. Verisign need only
change the address, and they have to modify their proxy DNS server softwares
to match. When Verisign says "hop!", they have to jump." Having the patch
from BIND or matching wildcard IPs against returned IPs will stop this.
They can change the IP all they want. So no problem here - next.

2) You say - "Verisign can turn this measure against those who employ it.
This measure is an effective denial-of-service weapon against any IP
address. If, for example, one day Verisign changes the IP address that it
publishes from 64.94.110.11 to 66.218.71.198, anyone employing this measure
will find that they have just cut themselves off from Yahoo's HTTP server."
First, your assuming things again. Your assuming people are matching
against a fixed IP, the BIND P1 patch does not do this, they use the
"delegation-only" attribute. Second, your assuming Verisign will purposely
point an IP to yahoo to deny service - that is a joke. If they had such
intentions, they could do far worse things with the power they have. Third,
your assuming dns admins would just blindly change the IP they where
blocking without checking to see what that IP pointed to. I give people far
more credit then that. Besides, even if they did do it, your only talking
about 1 site. This would not effect other sites and would be caught soon
enough. As this is not how the patch works anyway, both of these points are
mute and just a lot of talk. Use the patch if you need to.
 
Jonathan de Boyne Pollard said:
SH> Could MSDNS be modified to convert Verisign's
SH> catchall to NXDOMAIN?

Not by users, no.

This idea is a poor one, anyway, that Verisign can
easily counter. Indeed, it hands Verisign the
capability of performing various denial-of-service
attacks.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html#Resistance>
Click to expand...

Why don't you just tell VeriSign that you don't agree to the terms of
use at http://sitefinder.verisign.com/terms.jsp? Seems to me that if
you tell them you don't agree to their terms and they still force it
on you that you would not be subject to the terms, not that I'm
encouraging anyone do anything that would go against the terms, but if
no one accepts them and they continually force it upon us then how can
they enforce the terms?

You can fax their Exec Admin offices at 570-708-3077.

Sincerely,
Brian S. Bergin
Terabyte Computers, Inc.
 
JdeBP> <URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html#Resistance>

BSB> Why don't you just tell VeriSign that you don't agree to the
BSB> terms of use at http://sitefinder.verisign.com/terms.jsp?

Because that doesn't do anything towards achieving the desired goal,
which is the removal of the wildcards by Verisign. It may affect
the degree of IP connectivity between onesself and Verisign. But
IP connectivity isn't the problem. What is being published in the
public DNS database is the problem.
 
Jonathan de Boyne Pollard said:
Because that doesn't do anything towards achieving the desired goal,
which is the removal of the wildcards by Verisign. It may affect
the degree of IP connectivity between onesself and Verisign. But
IP connectivity isn't the problem. What is being published in the
public DNS database is the problem.
Click to expand...

I'm just saying that we need to hit this from all sides. VeriSign got
sued last week, the first of many I'd guess, but if we all faxed
denials of the ToS they'd have to deal with that too. I'm also
considering all spam coming from domains that were previously dropped
because of no MX or A records to (e-mail address removed), an RFC required
e-mail address. If they claim to be fully RFC compliant they have to
accept abuse reports too.

Sincerely,
Brian S. Bergin
Terabyte Computers, Inc.
 
JdeBP> What about the explanation given on that web page did you
JdeBP> not understand ? I've listed the several flaws in detail,
JdeBP> along with examples.

WS> He did not understand it because it is wrong and does not apply.

False. The flaws in the mechanism that changes answers to "A"
queries according to the IP address in the result, are as described
on the web page. You can find plenty of other people pointing out
these same flaws, and a little thought expended on your part will
lead you to the same conclusions.

WS> The P1 patch does not do this

We weren't talking about that mechanism. Moreover, the web page
describes the flaws in _that_ mechanism, too. (Ironically, it's
the mechanism that Verisign, were it maliciously inclined, would
much prefer people to use, since it provides it with the most
specific countermeasure against its deployment.)

WS> so stop the hype.

This is not hyperbole. This is information.

The web page is a public service, to show people the flaws in these
solutions, that leave them vulnerable to attacks by both Verisign
and third parties, before they adopt them. The public discussion
that brings people's attention to these things is a good thing.

It is people who blindly parrot received wisdom without actually
looking at these patches and analysing what they do and what their
effects are, and who attack those who actually expend the effort of
sitting down and analysing what these patches do, what all of their
consequences, intended or unintended, will be, and drawing them to
people's attention if they are adverse; who are doing everyone a
disservice.

WS> If people need the patch, they need the patch.

That presupposes that they "need" something that leaves them more
vulnerable than they were before.

WS> Every needs to take care of their own environment
WS> and handle issues how they see fit.

.... whilst you, from the evidence of what you write here, would like
to silence those who warn people that they are about to do one of
several very foolish things in their attempts to "handle issues".

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dukhat-on-foolishness.html>
 
JdeBP> Because that doesn't do anything towards achieving the desired
JdeBP> goal, which is the removal of the wildcards by Verisign. It
JdeBP> may affect the degree of IP connectivity between onesself and
JdeBP> Verisign. But IP connectivity isn't the problem. What is
JdeBP> being published in the public DNS database is the problem.

BSB> I'm just saying that we need to hit this from all sides.
BSB> VeriSign got sued last week, [...]

An action is only part of "hitting it from all sides" if its outcome will be
the same as that of other actions. Your suggestion doesn't do anything
towards the goal of having Verisign remove the wildcards. The lawsuits,
however, do. That is even their explicit goal.

BSB> I'm also considering all spam coming from domains that were
BSB> previously dropped because of no MX or A records to
BSB> (e-mail address removed), an RFC required e-mail address.

What are you considering about that spam ?
 
Jonathan de Boyne Pollard
BSB> I'm also considering all spam coming from domains that were
BSB> previously dropped because of no MX or A records to
BSB> (e-mail address removed), an RFC required e-mail address.

What are you considering about that spam ?
Click to expand...

When some (e-mail address removed) sends spam to us and it
reverses to 64.94.110.11 why shouldn't we bounce it to them? It's
their IP. Their responsibility. I see no reason why I should have to
process e-mail from a domain that they have now forced us to receive
that we would have dumped 10 days ago at the From clause because it
had no MX or A record. Now that it has an A record it's accepted and
I'm not sure I should have to accept it. The script is easy. I've
tested it a bit with a friend receiving the bounced mail and CPU load
on the mail server is less processing that script that continuing the
remaining anti-spam filters so it would actually save us CPU time.
Perhaps if they got a few million bounced spams they'd understand what
they've done to many UBE filters, as your own page points out.

My only hold back is an unfortunate morality streak. I'm not sure
that doing this doesn't reduce me to their level. So far I've had
some chime in with 'oh yea, do that' and others with 'na, don't stoop
to their level'. Hard call. Haven't made it yet.

Anyone else care to share an opinion?

Sincerely,
Brian S. Bergin
Terabyte Computers, Inc.
 
When some (e-mail address removed) sends spam to us and it
reverses to 64.94.110.11 why shouldn't we bounce it to them? It's
their IP. Their responsibility. I see no reason why I should have to
Click to expand...

I tend to think you should let the server do what it normally does in
regards to mail. One of their claims is that they think this did not effect
anything, this can "help" show them that it does effect things.
 
Yeh. By my read they have violated their contract in at least two spots.
ICANN needs to grow a spine...
 
William Stacey said:
Yeh. By my read they have violated their contract in at least two spots.
ICANN needs to grow a spine...
Click to expand...

verisign apparently own networksolutions...interesting what they did..
http://computerworld.com/developmenttopics/websitemgmt/story/0,10801,85305,00.html

another really odd way to market domain names from europe side
http://www.vnunet.com/News/1143835

so my point is...it's their aggressive marketing and expansion policy?

--
'Seek and ye shall find'
NT Canuck
http://ntcanuck.com BIND-PE & DNS
http://ntcanuck.com/tq/ Tips & Tweaks
http://ntcanuck.com/net/board/index.php
news://news.grc.com/grc.techtalk.dns.bind_pe_beta
 
Back
Top