Re: What *are* they smoking?

2003-09-15 Thread Nathan J. Mehl

In the immortal words of Wayne E. Bouchard ([EMAIL PROTECTED]):
> So then now instead of mail to misspelled domains, instead of
> bouncing, now goes to /dev/null and you have no idea that your
> critically important piece of information didn't get through?

You _hope_ it goes to /dev/null.

It might be interesting to seed a few pieces of "accidentally" typo'ed
mail to .net domains and see how many of the "From" addresses get
sales email from Verisign in the coming year.

And I'm sure that the Department of Homeland Security would not be
even slightly interested in performing signal analysis on the vast
majority of mis-typed emails in this and most other countries.

Interesting times.

-n

---<[EMAIL PROTECTED]>
 "So perhaps the factor constraining the Internet's growth is "good taste."
   (--Paul Vixie)
---


Many single letter.com/net reserved by IANA now Verisign

2003-09-15 Thread michael

Hello,

IANA Whois Service
Domain: a.net
Name: IANA_RESERVED

Found a referral to whois.iana.org.

IANA Whois Service
Domain: a.net
Name: IANA_RESERVED

a.net has address 64.94.110.11

This goes for many of the single letter .com's and .net's

Michael...


Re: certified idiots

2003-09-15 Thread Petri Helenius


I wonder how many robots they get asking for their robots.txt since all
mistyped links will lead to the black hole.

Or maybe that was what they wanted?

BTW, traceroute to 64.94.110.11 goes through from here but port 80 is
very flaky.

Pete

 





Re: Patching BIND (Re: What *are* they smoking?)

2003-09-15 Thread E.B. Dreger

EBD> Date: Tue, 16 Sep 2003 05:32:50 + (GMT)
EBD> From: E.B. Dreger


EBD> I'd actually go for keeping the A RR for '*.net.' and
EBD> '*.com.' in an authoritative NS's cache.  If any other A RR

s,authoritative,resolver,


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: Patching BIND (Re: What *are* they smoking?)

2003-09-15 Thread John Brown

On Tue, Sep 16, 2003 at 05:32:50AM +, E.B. Dreger wrote:
> 
> Until then, I guess it's time to null route and check for
> circumvention.  Is AS30060 used for anything legitimate?

we've burned an AS for this, ICK

based on the ASNAME, it seems a nice little route-map to
/dev/null will be real easy.  As long as they keep the prefixes
used in this really dumb idea for this idea.



OrgName:VeriSign Infrastructure & Operations
OrgID:  VIO-2
Address:21345 Ridgetop Circle
City:   Dulles
StateProv:  VA
PostalCode: 20166
Country:US
 
ASNumber:   30060
ASName: WILDCARD-VERISIGN
ASHandle:   AS30060
Comment:
RegDate:2003-07-10
Updated:2003-07-10
 
TechHandle: AH678-ARIN
TechName:   Herrmann, Andrew
TechPhone:  +1-703-948-
TechEmail:  [EMAIL PROTECTED]
 
OrgTechHandle: AH678-ARIN
OrgTechName:   Herrmann, Andrew
OrgTechPhone:  +1-703-948-
OrgTechEmail:  [EMAIL PROTECTED]


Patching BIND (Re: What *are* they smoking?)

2003-09-15 Thread E.B. Dreger

PWG> Date: Mon, 15 Sep 2003 19:40:33 -0400
PWG> From: Patrick W. Gilmore


PWG> Anyone wanna patch BIND such that replies of that IP addy
PWG> are replaced with NXDOMAIN?  That solves the web site and
PWG> the spam problem, and all others, all at once.

I'd actually go for keeping the A RR for '*.net.' and '*.com.' in
an authoritative NS's cache.  If any other A RR matches the
cached IP address(es), nuke the RRSet and replace with NXDOMAIN.

Until then, I guess it's time to null route and check for
circumvention.  Is AS30060 used for anything legitimate?


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: Change to .com/.net behavior

2003-09-15 Thread Duane Wessels



On Mon, 15 Sep 2003, Matt Larson wrote:

>
> Today VeriSign is adding a wildcard A record to the .com and .net
> zones.

The Web Proxy Auto-discovery Protocol (WPAD) is another reason to
fear and loathe this change.  If your host has a bogus name and
makes a WPAD request, they can send your browser a proxy config
function and take full control of your browsing.

Not that they would ever stoop so low...  *cough*

Duane W.


Re: What *are* they smoking?

2003-09-15 Thread Valdis . Kletnieks
On Tue, 16 Sep 2003 14:31:53 +1000, Matthew Sullivan said:

> Worse than that - it's a fixed sequence of responses...
> 
> $ telnet akdjflasdf.com 25
> Trying 64.94.110.11...
> Connected to akdjflasdf.com.
> Escape character is '^]'.
> 220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready
> sdfg
> 250 OK

Well.. at least now we know how they *intended* to only affect HTTP traffic.




A quick examination of the VeriSign disaster

2003-09-15 Thread Jason Garman
Okay, it's late and I've only spent about an hour on this, but I've 
whipped up a quick piece examining this whole mess from VeriSign.  I've 
only *brushed* the surface of the issues that this presents and it's 
already a pretty long piece already.

Questions, comments to me.  Send your concerns to VeriSign :-)

http://www.haque.net/verisign_dns_rant.php

You are free to quote this as you see fit, just please don't copy it 
verbatim without attribution.

enjoy
--
Jason Garman / [EMAIL PROTECTED]


Verisign's New Change and Outdate RBL's

2003-09-15 Thread Patrick Muldoon
Was playing with a test box here at home. Installed SpamAssassin from a
newly cvsup'd ports tree on a FreeBSD box, and was surprised to see
messages getting marked as received in blacklists that no longer exist.
Most notably ORBS.  Since this was a fresh install I hadn't gone
through and removed the dead RBLs from 20_head_tests.cf yet.  Since
dorkslayers doesn't exist, any queries for it are returning that
infamous sitefinder address.

[EMAIL PROTECTED] doon]$ host  34.131.246.64.orbs.dorkslayers.com
34.131.246.64.orbs.dorkslayers.com has address 64.94.110.11

So anybody that hasn't updated their SpamAssassin config now has the
added benefit of all IPs being tagged as an open relay.

Just an FYI
-Patrick
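A DNSBL client that refuses to read a routable address as a listing, as an added example (not code from the post or from SpamAssassin). The resolver is a stub with constructed data: `bl.example.net` is an assumed live list, and anything under orbs.dorkslayers.com is answered with the wildcard address the post observed.

```python
"""DNSBL lookup that refuses to treat a non-127/8 answer as a listing.

Added example, not code from the post or from SpamAssassin.  Blocklists
encode their listing codes as addresses in 127.0.0.0/8; a dead list whose
names now fall under a TLD wildcard answers with a routable address
instead, which an unchecked client reads as "listed".  The resolver is
injected and stubbed with constructed data so the example runs offline.
"""
import ipaddress
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Addrs = FrozenSet[str]
Resolver = Callable[[str], Optional[Addrs]]   # None means NXDOMAIN
DNSBL_CODES = ipaddress.ip_network("127.0.0.0/8")
WILDCARD_IP = "64.94.110.11"   # the Site Finder address the thread observed

# Constructed answers for a live list (bl.example.net is an assumed name).
LIVE_LIST: Dict[str, Addrs] = {
    "2.0.0.127.bl.example.net.": frozenset({"127.0.0.2"}),   # RFC 5782 test entry
    "10.2.0.192.bl.example.net.": frozenset({"127.0.0.2", "127.0.0.4"}),
}


def stub_resolve(name: str) -> Optional[Addrs]:
    """Constructed resolver: the dead orbs.dorkslayers.com zone is answered
    by the .com wildcard, the live list by its table, everything else is
    NXDOMAIN."""
    if name.endswith(".orbs.dorkslayers.com."):
        return frozenset({WILDCARD_IP})
    return LIVE_LIST.get(name)


def reverse_octets(ip: str) -> str:
    """1.2.3.4 -> 4.3.2.1 (raises ValueError for anything but an IPv4 address)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def dnsbl_query(ip: str, zone: str,
                resolve: Resolver = stub_resolve) -> Tuple[str, Addrs]:
    """Look ip up in zone.  Returns ("listed", codes), ("not_listed", {})
    or ("invalid", addrs) when the answer is not a 127/8 listing code."""
    answer = resolve(f"{reverse_octets(ip)}.{zone.strip('.')}.")
    if not answer:
        return "not_listed", frozenset()
    codes = frozenset(a for a in answer if ipaddress.ip_address(a) in DNSBL_CODES)
    bogus = answer - codes
    if bogus:
        # A routable address means the list is dead, hijacked or wildcarded:
        # score nothing rather than mark every sender as an open relay.
        return "invalid", bogus
    return "listed", codes


def dnsbl_healthy(zone: str, resolve: Resolver = stub_resolve) -> bool:
    """RFC 5782 sanity test: 127.0.0.2 must be listed and 127.0.0.1 must
    not.  A wildcarded zone fails it, so run it before trusting a list."""
    pos, _ = dnsbl_query("127.0.0.2", zone, resolve)
    neg, _ = dnsbl_query("127.0.0.1", zone, resolve)
    return pos == "listed" and neg == "not_listed"
```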


Re: What *are* they smoking?

2003-09-15 Thread Matthew Sullivan
Patrick W. Gilmore wrote:

> -- On Tuesday, September 16, 2003 00:56 +0200
> -- Niels Bakker <[EMAIL PROTECTED]> supposedly wrote:
>
> > A wildcard A record in the net TLD.
> >
> > $ host does.really-not-exist.net
> > does.really-not-exist.net has address 64.94.110.11
> > $ host 64.94.110.11
> > 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
> >
> > It even responds on port 25 (says 550 on every RCPT TO).  Gah.
>
> No, it accepts if the from domain exists - but only if it *REALLY*
> exists.
>
> [...]
> rcpt to: [EMAIL PROTECTED]
> 250 OK
> mail from: [EMAIL PROTECTED]
> 550 User domain does not exist.
> mail from: [EMAIL PROTECTED]
> 250 OK
>
> Nice that their spam filters still work. :(
>
> And I love the 221 close message:
>
> data
> 221 snubby1-wcwest Snubby Mail Rejector Daemon v1.3 closing
> transmission channel
> Connection closed by foreign host.

Worse than that - it's a fixed sequence of responses...

$ telnet akdjflasdf.com 25
Trying 64.94.110.11...
Connected to akdjflasdf.com.
Escape character is '^]'.
220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready
sdfg
250 OK
sdfgsdfgsdfgsdf
250 OK
sdfgdfgaegqaergqaergvav
550 User domain does not exist.
asdfgasdfgasdf
250 OK
sdfasdfadsfasdf
221 snubby4-wceast Snubby Mail Rejector Daemon v1.3 closing transmission 
channel
Connection closed by foreign host.

/ Mat





Re: Change to .com/.net behavior

2003-09-15 Thread dani-nanog

A couple things come to mind --

1) Does this increase the RAM needed on a caching resolver? I.e. does it take
more RAM to cache the 15-minute positive reply, than an NXDOMAIN negative
reply?

2) In the "bestpractices.pdf" file, it states the following:
  "A response server should be configured to return an indication
   that the provided services were reached as a result of wildcard
   processing when the server returns a response to connection
   requests sent by end user applications."

Can Verisign explain how the following transaction is consistent with the
above guideline (where is the indication of wildcard processing):

$ telnet mx.no-suchdomain-yadda-yadda.com 25
Trying 64.94.110.11...
Connected to mx.no-suchdomain-yadda-yadda.com.
Escape character is '^]'.
220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready
helo example.com
250 OK
mail from: [EMAIL PROTECTED]
250 OK
rcpt to: [EMAIL PROTECTED]
550 User domain does not exist.

Oh well -- here's to looking out for the BIND patch...

- Dani


Re: What *are* they smoking?

2003-09-15 Thread David Lesher

Speaking on Deep Background, the Press Secretary whispered:
> 
> 
> 
> I abandoned them a long time ago, but the big question is, how
> can we get rid of them as root servers operators?  Sounds like
> time to push for more independent servers, and a truly separate
> company to handle the root server portion of .com/.net.  They
> could still exist as a registrar, but with these kind of business
> practices, how long?  Probably not very, so I'd expect them to
> fight it tooth and nail.

Point out to Herr Ashcroft that they are "supporting pron" by
selling domain names. 

Or have pictures of their lobbyist passing out money to
GOP HillCritters.

Failing that, rotsaruck. They have the money to spread around.

Hmm, here's an idea -- can we play them off against the $cientology
Cult somehow? That would be a good T-Rex vs Raptor fight to watch!



-- 
A host is a host from coast to               [EMAIL PROTECTED]
& no one will talk to a host that's close[v] (301) 56-LINUX
Unless the host (that isn't close)           pob 1433
is busy, hung or dead                        20915-1433


Re: Change to .com/.net behavior

2003-09-15 Thread wayne

In <[EMAIL PROTECTED]> Matt Larson <[EMAIL PROTECTED]> writes:

> Today VeriSign is adding a wildcard A record to the .com and .net
> zones.  The wildcard record in the .net zone was activated from
> 10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is
> being added now.

Well, I hope you have the world's most secure server running on this IP
address as it is going to be a prime target for crackers.

And, just to give you some idea how carefully VeriSlim considered this
aspect, I saw this link on /.

http://sitefinder.verisign.com/lpc?url='%3E%3Ch1%3Ehi%20mom%3C/h1%3E



-wayne



Re: What *are* they smoking?

2003-09-15 Thread Greg Maxwell

On Mon, 15 Sep 2003, George William Herbert wrote:

> This is sufficiently technically and business slimy that
> I would null-route that IP, personally.

Or direct it to a local server and collect the profit yourself.




Re: Change to .com/.net behavior

2003-09-15 Thread Dr. Jeffrey Race

On Mon, 15 Sep 2003 19:24:29 -0400, Matt Larson wrote:
>10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is
>being added now.  We have prepared a white paper describing VeriSign's
>wildcard implementation, which is available here:
>
>http://www.verisign.com/resources/gd/sitefinder/implementation.pdf 

The file is mutilated by the ColorSpace Error which will cause
difficulties for persons on some platforms in reading it.  You
may wish to recreate it without this error.  See 
.

Thanks for making this file available.

Jeffrey Race





Re: What *are* they smoking?

2003-09-15 Thread mike harrison

> Yep, and it'll be coming soon to .com.  All your typo domain are belong
> to Verisign.

Ever get tempted to have a 'wet ops' NANOG team?






RE: What *are* they smoking?

2003-09-15 Thread John Ferriby

There was an article, easily overlooked, in the NY Times this
morning.  Link below. (free, registration required.)

http://www.nytimes.com/2003/09/15/technology/15MISS.html

This action does call into question Verisign's ability
to operate with public, nee international, infrastructure
interests.   In my opinion Verisign has demonstrated that
they are no longer capable of maintaining their custody
of these TLDs.


Re: Change to .com/.net behavior

2003-09-15 Thread David B Harris
Sorry for the double-post folks, I got a bounce and didn't look closely
at it.

If somebody could check the subscriber list for an address that might
result in [EMAIL PROTECTED] filtering really innocent emails (I know
this has happened to others too), and contacting the owner, that would
be great.

Thanks.




Re: Change to .com/.net behavior

2003-09-15 Thread David B Harris

On Mon, 15 Sep 2003 17:29:43 -0700
Roy <[EMAIL PROTECTED]> wrote:
> 
> It looks like it broke.  Your web server (64.94.110.11) is inoperative. 
>   How about backing out the change

Chances are your ISP has null-routed that IP address. Two of the larger
ISPs in my area (Ontario, Canada) have, as well as the upstreams for a
number of incidental networks I have access to.



Re: Change to .com/.net behavior

2003-09-15 Thread Gregory (Grisha) Trubetskoy


On Mon, 15 Sep 2003, George William Herbert wrote:

> Did it occur to Verisign that perhaps this needed some external policy
> and technical review before you just went ahead and did this?

I wouldn't be surprised if the real motivation is to get the attention of
(at least the US) government and to set a precedent for regulating DNS,
which will probably be to Verisign's advantage.

Grisha


Re: What *are* they smoking?

2003-09-15 Thread Marc Slemko

On Mon, 15 Sep 2003, Alex Lambert wrote:

> "The information provided through the VeriSign Services is not
> necessarily complete and may be supplied by VeriSign's commercial
> licensors, advertisers or others."
>
> There's something immoral about *shoving it down our throats*, then,
> VeriSign.

Nice terms of service at http://sitefinder.verisign.com/terms.jsp :

The VeriSign Services are provided only for your personal and
non-commercial use. You are not authorized to modify, copy, display,
transmit, license, create derivative works from, transfer, distribute
or sell any information, software, products or services obtained
from the services VeriSign provides through this web site. You may
not "meta-search" the VeriSign Services. If you want to make
commercial use of the VeriSign Services, you must enter into an
agreement with us to do so in advance.

so... umh... I can't display any information from their website.

And can only use it for non-commercial use.

So... if I make a DNS query for some "commercial" purpose (whatever that
means), and get a response and then connect to that IP on port 80
and send a request, and get a redirect to this sitefinder.verisign.com
site, and follow it...  I'm violating their terms of use.

Does the contract under which NSI is operating .com and .net require that
people be able to use the results of their queries for non-personal and
commercial use?  It is a little fuzzy how directly you can relate the DNS
response to the terms of use on the website you get redirected to on the
legal level, but it seems that since Verisign is operating it with the
intent that people entering unknown domains into a webbrowser get
redirected there, then they are by implication stating that people doing
things for non-personal or commercial purposes must never enter such
names.

Sure, it is a ridiculous terms of use that wouldn't be likely to hold up
very well, but would the fact that they are making that claim have any
implication on if they are meeting the stated or implied terms of their
contract with ICANN?


Re: Change to .com/.net behavior

2003-09-15 Thread Mark Radabaugh


>
> In other news, Verisign has a press release on their website announcing
> something called "Next Registration Rights Service," where you can place
> an order to have somebody else's domain transferred to you if they ever
> don't pay their bill.  The press release goes on to say that this is a
> great way for holders of existing domain names to buy insurance to protect
> themselves from the loss of their domain names if their bill doesn't get
> paid, but apparently only if nobody beats them to it.
>
> -Steve

If you make the mistake of letting a domain reach the 'redemption' period
Verisign holds it hostage and dead for a couple of weeks unless you pay them
a $150 extortion fee to get it back.  Apparently ICANN approved the
redemption period and allows the registrar to set whatever fee they like.

I can not prove but I suspect that Verislime is now leaving expired domain
in the GTLD servers until they reach the redemption period in the hope that
people will not notice the domain not resolving until it reaches the
extortion period.

Why are we still putting up with this garbage from Verisign and ICANN?

Mark Radabaugh
Amplex
(419) 720-3635




Re: [Re: Change to .com/.net behavior]

2003-09-15 Thread Joshua Sahala

i'm not sure if it could be cached, but i still see verisign pretending
to 0wn the net...

as is usually suggested on this list, do your talking with your money,
pull your zones from verisign, and never do business with them again,
file complaints with all relevant state and federal authorities, and let
the l33t Kiddi35 and spammers have some fun ;)  of course, the dept of
greed^Wcommerce will likely give verisign an 'attaboy' for coming up 
with this stunt

while i am sure all of us (excepting the netsol/verisign lurkers) would
like to null route everything attached to them, it will do nothing but
make us look like the 'bad guys'.  this is not the time for knee-jerk
reactions...but damn it would be nice to descend upon verisign's 
corporate hq with clue-by-fours in hand ;)

/joshua


; <<>> DiG 9.2.1 <<>> jklkwekcie.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25772
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;jklkwekcie.com.IN  A

;; ANSWER SECTION:
jklkwekcie.com. 900 IN  A   64.94.110.11

; <<>> DiG 9.2.1 <<>> jklkwekcie.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11930
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;jklkwekcie.net.IN  A

;; ANSWER SECTION:
jklkwekcie.com. 900 IN  A   64.94.110.11

[cut]


"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
 - Stephen Hawking -




Re: Change to .com/.net behavior

2003-09-15 Thread Steve Gibbard

On Mon, 15 Sep 2003, Jared Mauch wrote:

>
>   I also typed a bit too quickly.
>
>   I'm guessing due to the uprising they've pulled this.
>
>   I was just going to call the dept of commerce tomorrow and
> file a complaint myself.  perhaps I still will.

It appears GTLD servers A-D are running a serial number of 2003091501 and
contain the wildcard record in .com.  The other GTLD servers are running
2003091500 and don't have the wildcard record.  So, unless there's a
2003091502 floating around out there somewhere that I haven't seen, it
doesn't look to me like they pulled it.

For .net, I'm now seeing 2003091501 everywhere, with the wildcard record.
It doesn't look like they pulled that either.

In other news, Verisign has a press release on their website announcing
something called "Next Registration Rights Service," where you can place
an order to have somebody else's domain transferred to you if they ever
don't pay their bill.  The press release goes on to say that this is a
great way for holders of existing domain names to buy insurance to protect
themselves from the loss of their domain names if their bill doesn't get
paid, but apparently only if nobody beats them to it.

-Steve


Steve Gibbard   [EMAIL PROTECTED]
+1 510 528-1035 http://www.gibbard.org/~scg


Re: What *are* they smoking?

2003-09-15 Thread Wayne E. Bouchard
So then now instead of mail to misspelled domains, instead of
bouncing, now goes to /dev/null and you have no idea that your
critically important piece of information didn't get through?

Neat.

On Mon, Sep 15, 2003 at 08:17:43PM -0500, netmask wrote:
> 
> > - Original Message -
> > From: "Patrick W. Gilmore" <[EMAIL PROTECTED]>
> > Date: Monday, September 15, 2003 7:34 pm
> > Subject: Re: What *are* they smoking?
> >
> > >
> > > No, it accepts if the from domain exists - but only if it *REALLY*
> > > exists.
> >
> > Anyone want to guess what happens to all those from addresses it captures?
> 
> No doubt.. It's unfortunate that they are running a daemon on port 25 on that
> box..  and that it actually lets you helo and mail from.. and not until you
> get to rcpt to  does it reject.. unless you use a domain its now got cached
> in which case it accepts the to: and closes at data. (So, if you rcpt twice,
> it'll accept it.. cuz like everyone else, its own dns server resolves
> everything)
> 
> [EMAIL PROTECTED] netmask]$ telnet www.oisdufoisdufoisuf.com 25
> Trying 64.94.110.11...
> Connected to www.oisdufoisdufoisuf.com.
> 
> 220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready
> 
> helo ishouldntresolvebutthankstoyouido.com
> 250 OK
> 
> mail from: <[EMAIL PROTECTED]>
> 250 OK
> 
> rcpt to: <[EMAIL PROTECTED]>
> 550 User domain does not exist.
> 
> rcpt to: <[EMAIL PROTECTED]>
> 250 OK
> 
> data
> 221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission
> channel
> 

---
Wayne Bouchard
[EMAIL PROTECTED]
Network Dude
http://www.typo.org/~web/




Re: What *are* they smoking?

2003-09-15 Thread Steven M. Bellovin

It's bad enough now; it could be even worse.  They could respond on 
port 443, too, with a legitimate-seeming certificate -- they're 
*Verisign*, the leading certificate authority.

In the security world, we call this a man- (or monkey-)in-the-middle
attack, for which the standard defense is crypto.  But that doesn't 
work well when your trusted third party is part of the threat model...


--Steve Bellovin, http://www.research.att.com/~smb




Re: What *are* they smoking?

2003-09-15 Thread Aaron Dewell


I abandoned them a long time ago, but the big question is, how
can we get rid of them as root servers operators?  Sounds like
time to push for more independent servers, and a truly separate
company to handle the root server portion of .com/.net.  They
could still exist as a registrar, but with these kind of business
practices, how long?  Probably not very, so I'd expect them to
fight it tooth and nail.

Or abandon .com/.net entirely, but that would take a long time
and a massive public-education campaign.  See what happens to
them when everyone refuses to use either .com or .net.  I still
use them, by way of OpenSRS, but that could be solved with some
new registrations with a non-hostile TLD operator.

Aaron

On Mon, 15 Sep 2003, Alex Lambert wrote:
 > http://www.verisign.com/corporate/about/contact/index.html
 >
 > Give 'em hell.
 >
 >
 >
 > apl



Re: What *are* they smoking?

2003-09-15 Thread David B Harris
On Mon, 15 Sep 2003 17:45:26 -0700
Fred Baker <[EMAIL PROTECTED]> wrote:
> At 04:18 PM 9/15/2003, Jeroen Massar wrote:
> >Even worse of this is that you can't verify domain names under .net
> >any more for 'existence' as every .net domain suddenly has an A record
> >and then can be used for spamming...
> 
> so, every spammer in the world spams Verisign. The down side of this is ... 
> what? I don't remember... 

The problem is the (common) method of invalidating spam mails by
checking that the originating domain exists. If said domain is .net (and
soon .com), that check will no longer be useful.





RE: What *are* they smoking?

2003-09-15 Thread Tomas Lund

On Tue, 16 Sep 2003, Johnny Eriksson wrote:

> idea for next virus: after reproducing itself, construct a random domain
> name ending in .net and ddos it at a low rate for a day or so.  if the
> faked up domain is someones real one, you get a small number of packets
> to that domain.  if a large number of domains resolve to the same ip,
> well, too bad for that ip...
>
> that might even be a virus a lot of people want to run.

while [ - ] ; do lynx -dump http://$RANDOM.THIS-QUERY-SHOULD-RETURN-NXDOMAIN.NET > 
/dev/null ; done

//tlund


Re: What *are* they smoking?

2003-09-15 Thread Alex Lambert
"The information provided through the VeriSign Services is not 
necessarily complete and may be supplied by VeriSign's commericial 
licensors, advertisers or others."

There's something immoral about *shoving it down our throats*, then, 
VeriSign.



apl

Adam 'Starblazer' Romberg wrote:

> Can they realistically enforce a TOS on a site like that, and how can they
> provide a remedy for it?
> I, for one, do not agree to their terms of service.
>
> Thanks
>
> -a-
>
> Adam 'Starblazer' Romberg Appleton: 920-738-9032
> System Administrator
> ExtremePC LLC-=-  http://www.extremepcgaming.net




Re: What *are* they smoking?

2003-09-15 Thread Tomas Lund

On Mon, 15 Sep 2003, Chris Adams wrote:

> It appears that the most reliable way to detect a wildcard response for
> 'somedomain.tld' is to query for '*.tld'; if the results match, then
> 'somedomain.tld' doesn't really exist.

Just make up a number of fake domains and resolve them. If they return the
same answer, that's the answer to change back into NXDOMAIN.

//tlund


Re: What *are* they smoking?

2003-09-15 Thread Kevin Loch



- Original Message -
From: "Patrick W. Gilmore" <[EMAIL PROTECTED]>
Date: Monday, September 15, 2003 7:34 pm
Subject: Re: What *are* they smoking?

> 
> No, it accepts if the from domain exists - but only if it *REALLY* 
> exists.

Anyone want to guess what happens to all those from addresses it captures?



Re[2]: What *are* they smoking?

2003-09-15 Thread Alex Lambert
I called VeriSign the registrar and got a supervisor, Forsyth. I spoke 
to him briefly about this filthy practice.

He said that VeriSign GRS deals *only* with registrars; customer support 
at NetSOL (great abbreviation) can't even get in contact with them. It 
doesn't seem like they have much communications or unification between 
the GRS (which handles the TLDs), the registrar (which does actual 
registrations), and their security arm.

He relayed me to the corporate office, and gave me this contact information:

487 East Middlefield Road
Mountain View, CA 94043
1 (650)-961-7500

Good luck! :)



apl

Alex Lambert wrote:

> http://www.verisign.com/corporate/about/contact/index.html
>
> Give 'em hell.
>
> apl
>
> Niels Bakker wrote:
>
> > A wildcard A record in the net TLD.
> >
> > $ host does.really-not-exist.net
> > does.really-not-exist.net has address 64.94.110.11
> > $ host 64.94.110.11
> > 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
> > It even responds on port 25 (says 550 on every RCPT TO).  Gah.
> >
> > -- Niels.






Re: Change to .com/.net behavior

2003-09-15 Thread Joe Maimon
I want my root servers back

Matt Larson wrote:

> Today VeriSign is adding a wildcard A record to the .com and .net
> zones.  The wildcard record in the .net zone was activated from
> 10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is
> being added now.  We have prepared a white paper describing VeriSign's
> wildcard implementation, which is available here:
> http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
>
> By way of background, over the course of last year, VeriSign has been
> engaged in various aspects of web navigation work and study.  These
> activities were prompted by analysis of the IAB's recommendations
> regarding IDN navigation and discussions within the Council of
> European National Top-Level Domain Registries (CENTR) prompted by DNS
> wildcard testing in the .biz and .us top-level domains.  Understanding
> that some registries have already implemented wildcards and that
> others may in the future, we believe that it would be helpful to have
> a set of guidelines for registries and would like to make them
> publicly available for that purpose.  Accordingly, we drafted a white
> paper describing guidelines for the use of DNS wildcards in top-level
> domain zones.  This document, which may be of interest to the NANOG
> community, is available here:
> http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
>
> Matt
> --
> Matt Larson <[EMAIL PROTECTED]>
> VeriSign Naming and Directory Services
 




RE: What *are* they smoking?

2003-09-15 Thread Fred Baker
At 04:18 PM 9/15/2003, Jeroen Massar wrote:

> Even worse of this is that you can't verify domain names under .net
> any more for 'existence' as every .net domain suddenly has an A record
> and then can be used for spamming...

so, every spammer in the world spams Verisign. The down side of this is ...
what? I don't remember...



Re: What *are* they smoking?

2003-09-15 Thread Chris Adams

FYI: A quick look shows 14 TLDs that appear to have wildcard records:

ac
cc
com
cx
mp
museum
net
nu
ph
pw
sh
tk
tm
ws

The following TLDs answer for '*.tld' but do not appear to have wildcard
records:

bz
cn
tw

It appears that the most reliable way to detect a wildcard response for
'somedomain.tld' is to query for '*.tld'; if the results match, then
'somedomain.tld' doesn't really exist.

-- 
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
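An added example (not code from any post in the thread) implementing the detection that the posts by E.B. Dreger, Tomas Lund and Chris Adams describe and the sender-domain check David B Harris mentions: compare an answer with what '*.tld' and a few random nonsense names return, and treat a name whose only address is the synthesized one as NXDOMAIN. The resolver is injected and stubbed with a constructed zone table; example.net, mail.example.com and the '*.bz' entry (a TLD that answers a literal '*.bz' query without wildcarding, modelling the bz/cn/tw case above) are assumptions.

```python
"""Wildcard-aware domain existence check (added example, not thread code).

Detection: a TLD's '*.tld' record and the answers for several random
labels reveal its synthesized address; any name whose only addresses are
those is treated as NXDOMAIN, which is what Dreger proposed doing in the
resolver cache and what a MAIL FROM domain check needs.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

Addrs = FrozenSet[str]
Resolver = Callable[[str], Optional[Addrs]]   # None means NXDOMAIN

# Constructed zone table standing in for the real DNS.  The address is the
# one the thread observed for the .com/.net wildcard; '*.bz.' models a TLD
# that answers a literal '*.bz' query but does not wildcard random names.
WILDCARD_IP = "64.94.110.11"
ZONE: Dict[str, Addrs] = {
    "example.net.": frozenset({"192.0.2.10"}),
    "mail.example.com.": frozenset({"192.0.2.25"}),
    "*.net.": frozenset({WILDCARD_IP}),
    "*.com.": frozenset({WILDCARD_IP}),
    "*.bz.": frozenset({"203.0.113.1"}),
}
SYNTHESIZING_TLDS = {"net", "com"}   # TLDs whose '*' is a real DNS wildcard


def stub_resolve(name: str) -> Optional[Addrs]:
    """Constructed resolver: exact match, else the TLD wildcard when the TLD
    synthesizes answers and no closer ancestor exists, else NXDOMAIN."""
    name = name.lower().rstrip(".") + "."
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")[:-1]        # drop the empty root label
    if len(labels) < 2:
        return None
    # A wildcard only covers names with no closer existing ancestor.
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) + "." in ZONE:
            return None
    tld = labels[-1]
    return ZONE.get(f"*.{tld}.") if tld in SYNTHESIZING_TLDS else None


@dataclass(frozen=True)
class TldProfile:
    star_answer: Addrs   # what '*.tld' itself returns (empty if NXDOMAIN)
    wildcard: Addrs      # addresses that every random probe returned


class WildcardAwareChecker:
    def __init__(self, resolve: Resolver = stub_resolve, probes: int = 3):
        if probes < 2:
            raise ValueError("need at least two probes to confirm a wildcard")
        self._resolve = resolve
        self._probes = probes
        self._profiles: Dict[str, TldProfile] = {}   # per-TLD cache

    def profile(self, tld: str) -> TldProfile:
        """Learn a TLD's wildcard behaviour once and cache it."""
        tld = tld.lower().strip(".")
        if tld not in self._profiles:
            star = self._resolve(f"*.{tld}.") or frozenset()
            # Random labels cannot plausibly collide with a registration, so
            # an address returned for every probe is synthesized by the TLD.
            consensus: Optional[set] = None
            for _ in range(self._probes):
                answer = self._resolve(f"wc-{secrets.token_hex(8)}.{tld}.")
                got = set(answer or ())
                consensus = got if consensus is None else consensus & got
            self._profiles[tld] = TldProfile(star, frozenset(consensus or ()))
        return self._profiles[tld]

    def lookup(self, name: str) -> Optional[Addrs]:
        """Resolve name, returning None (NXDOMAIN) when its only addresses
        are the TLD's synthesized ones.  A real name that deliberately
        points at the wildcard address is suppressed too; that is the
        trade-off Dreger's RRSet replacement accepts."""
        answer = self._resolve(name)
        if not answer:
            return None
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        real = answer - self.profile(tld).wildcard
        return real or None

    def sender_domain_exists(self, domain: str) -> bool:
        """Spam-filter style check: does the MAIL FROM domain really exist?"""
        return self.lookup(domain) is not None
```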


Re: Change to .com/.net behavior

2003-09-15 Thread Jared Mauch

On Mon, Sep 15, 2003 at 07:39:20PM -0500, Adam 'Starblazer' Romberg wrote:
> Yeah, speaking too quickly.
> 
> *hides*

I also typed a bit too quickly.

I'm guessing due to the uprising they've pulled this.

I was just going to call the dept of commerce tomorrow and
file a complaint myself.  perhaps I still will.

- jared

% dig any rarrarrarrarblah.com. @f.gtld-servers.net.

; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com. @f.gtld-servers.net. 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43204
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;  rarrarrarrarblah.com, type = ANY, class = IN

;; AUTHORITY SECTION:
com.2D IN SOA   a.gtld-servers.net. nstld.verisign-grs.com. (
2003091500  ; serial
30M ; refresh
15M ; retry
1W  ; expiry
1D ); minimum


;; Total query time: 213 msec
;; FROM: puck.nether.net to SERVER: 192.35.51.30
;; WHEN: Mon Sep 15 20:39:47 2003
;; MSG SIZE  sent: 38  rcvd: 111


> 
> Thanks
> 
> -a-
> 
> 
> 
> Adam 'Starblazer' Romberg Appleton: 920-738-9032
> System Administrator
> ExtremePC LLC-=-  http://www.extremepcgaming.net
> 
> On Mon, 15 Sep 2003, Jared Mauch wrote:
> 
> > On Mon, Sep 15, 2003 at 07:28:51PM -0500, Adam 'Starblazer' Romberg wrote:
> > >
> > > Looks like they pulled it now.
> > >
> > > [EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
> > > rarrarrarrarblah.com does not exist (Authoritative answer)
> >
> > ; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com.
> > ;; res options: init recurs defnam dnsrch
> > ;; got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58435
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
> > ;; QUERY SECTION:
> > ;;  rarrarrarrarblah.com, type = ANY, class = IN
> >
> > ;; ANSWER SECTION:
> > rarrarrarrarblah.com.   15M IN A    64.94.110.11
> >
> >
> > --
> > Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
> > clue++;  | http://puck.nether.net/~jared/  My statements are only mine.
> >

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: Change to .com/.net behavior

2003-09-15 Thread Michael Tokarev
Adam 'Starblazer' Romberg wrote:
> Looks like they pulled it now.
>
> [EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
> rarrarrarrarblah.com does not exist (Authoritative answer)

Nah, just zone propagation issues.  Some gtld servers still
have old zone data.

/mjt



Re: Change to .com/.net behavior

2003-09-15 Thread Jay Hennigan

On Mon, 15 Sep 2003, Adam 'Starblazer' Romberg wrote:

>
> Looks like they pulled it now.
>
> [EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
> rarrarrarrarblah.com does not exist (Authoritative answer)

They haven't implemented it on .com, only .net .

-- 
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet:  Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/


Re: Change to .com/.net behavior

2003-09-15 Thread Adam 'Starblazer' Romberg

Yeah, speaking too quickly.

*hides*

Thanks

-a-



Adam 'Starblazer' Romberg Appleton: 920-738-9032
System Administrator
ExtremePC LLC-=-  http://www.extremepcgaming.net

On Mon, 15 Sep 2003, Jared Mauch wrote:

> On Mon, Sep 15, 2003 at 07:28:51PM -0500, Adam 'Starblazer' Romberg wrote:
> >
> > Looks like they pulled it now.
> >
> > [EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
> > rarrarrarrarblah.com does not exist (Authoritative answer)
>
> ; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com.
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58435
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
> ;; QUERY SECTION:
> ;;  rarrarrarrarblah.com, type = ANY, class = IN
>
> ;; ANSWER SECTION:
> rarrarrarrarblah.com.   15M IN A    64.94.110.11
>
>
> --
> Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
> clue++;  | http://puck.nether.net/~jared/  My statements are only mine.
>



Re: Change to .com/.net behavior

2003-09-15 Thread Jared Mauch

On Mon, Sep 15, 2003 at 07:28:51PM -0500, Adam 'Starblazer' Romberg wrote:
> 
> Looks like they pulled it now.
> 
> [EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
> rarrarrarrarblah.com does not exist (Authoritative answer)

; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com. 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58435
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; QUERY SECTION:
;;  rarrarrarrarblah.com, type = ANY, class = IN

;; ANSWER SECTION:
rarrarrarrarblah.com.   15M IN A    64.94.110.11


-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: What *are* they smoking?

2003-09-15 Thread Alex Lambert
http://www.verisign.com/corporate/about/contact/index.html

Give 'em hell.



apl

Niels Bakker wrote:
> A wildcard A record in the net TLD.
>
> $ host does.really-not-exist.net
> does.really-not-exist.net has address 64.94.110.11
> $ host 64.94.110.11
> 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
>
> It even responds on port 25 (says 550 on every RCPT TO).  Gah.
>
> 	-- Niels.




Re: Change to .com/.net behavior

2003-09-15 Thread Simon Lyall

On Tue, 16 Sep 2003, Michael Tokarev wrote:
> Haesu wrote:
> > Before I figure out this BIND thing, for now..
> >
> > box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 di$
>
> Please do not do that.  You, or your users, will end up having
> TONS of undeliverable bounces for forged/bogus domains sitting
> in mail spools...

On the other hand, what happens to those people who have one of their MX
records pointing to a host at an invalid domain, e.g.

IN  MX  5 mail.example.com.
IN  MX  10 mail.iforgottodelete.net

Now the previously non-existent host will resolve and bounce your email
instead of being skipped.

-- 
Simon J. Lyall.  |   Very  Busy   |   Mail: [EMAIL PROTECTED]
"To stay awake all night adds a day to your life" - Stilgar | eMT.




Re: Change to .com/.net behavior

2003-09-15 Thread Adam 'Starblazer' Romberg

Looks like they pulled it now.

[EMAIL PROTECTED]:/var/log$ host rarrarrarrarblah.com
rarrarrarrarblah.com does not exist (Authoritative answer)


thanks,
-a-



Adam 'Starblazer' Romberg Appleton: 920-738-9032
System Administrator
ExtremePC LLC-=-  http://www.extremepcgaming.net

On Tue, 16 Sep 2003, Michael Tokarev wrote:

>
> Haesu wrote:
> []
> > Before I figure out this BIND thing, for now..
> >
> > box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 discard;
>
> Please do not do that.  You, or your users, will end up having
> TONS of undeliverable bounces for forged/bogus domains sitting
> in mail spools...
>
> /mjt
>
>



Re: Change to .com/.net behavior

2003-09-15 Thread Roy
It looks like it broke.  Your web server (64.94.110.11) is inoperative.
How about backing out the change?

Matt Larson wrote:
> Today VeriSign is adding a wildcard A record to the .com and .net
> zones.  The wildcard record in the .net zone was activated from
> 10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is
> being added now.  We have prepared a white paper describing VeriSign's
> wildcard implementation, which is available here:
> http://www.verisign.com/resources/gd/sitefinder/implementation.pdf



RE: What *are* they smoking?

2003-09-15 Thread Johnny Eriksson

"Jeroen Massar" <[EMAIL PROTECTED]> wrote:

> Any kiddie group already planning to "take down" the advert server ?
> It's just 1 IP to take out a *lot* of domains, anything you can mistype ;)
> "Look mommy we took down .net, now you see it now you..."

idea for next virus: after reproducing itself, construct a random domain
name ending in .net and ddos it at a low rate for a day or so.  if the
faked up domain is someone's real one, you get a small number of packets
to that domain.  if a large number of domains resolve to the same ip,
well, too bad for that ip...

that might even be a virus a lot of people want to run.

--Johnny


RE: What *are* they smoking?

2003-09-15 Thread Adam 'Starblazer' Romberg

Can they realistically enforce a TOS on a site like that, and how can they
provide a remedy for it?

I, for one, do not agree to their terms of service.

Thanks

-a-


Adam 'Starblazer' Romberg Appleton: 920-738-9032
System Administrator
ExtremePC LLC-=-  http://www.extremepcgaming.net



Re: Change to .com/.net behavior

2003-09-15 Thread Michael Tokarev
Haesu wrote:
> []
> Before I figure out this BIND thing, for now..
>
> box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 discard;

Please do not do that.  You, or your users, will end up having
TONS of undeliverable bounces for forged/bogus domains sitting
in mail spools...

/mjt



Re: Change to .com/.net behavior

2003-09-15 Thread Haesu

You mean you have been studying a way for more people to buy domain through you.

I also am modifying BIND to convert your wildcard #$%^^% to NXDOMAIN.

Between the domains that I have with you and all the problems we've had with it
each time you 'change' your web interface, I've already made my decision to
avoid VeriSign/NetworkSolutions for the rest of my life.

Before I figure out this BIND thing, for now..

box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 discard;

-hc

-- 
Sincerely,
  Haesu C.
  TowardEX Technologies, Inc.
  WWW: http://www.towardex.com
  E-mail: [EMAIL PROTECTED]
  Cell: (978) 394-2867

On Mon, Sep 15, 2003 at 07:24:29PM -0400, Matt Larson wrote:
> 
> Today VeriSign is adding a wildcard A record to the .com and .net
> zones.  The wildcard record in the .net zone was activated from
> 10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is
> being added now.  We have prepared a white paper describing VeriSign's
> wildcard implementation, which is available here:
> 
> http://www.verisign.com/resources/gd/sitefinder/implementation.pdf 
> 
> By way of background, over the course of last year, VeriSign has been
> engaged in various aspects of web navigation work and study.  These
> activities were prompted by analysis of the IAB's recommendations
> regarding IDN navigation and discussions within the Council of
> European National Top-Level Domain Registries (CENTR) prompted by DNS
> wildcard testing in the .biz and .us top-level domains.  Understanding
> that some registries have already implemented wildcards and that
> others may in the future, we believe that it would be helpful to have
> a set of guidelines for registries and would like to make them
> publicly available for that purpose.  Accordingly, we drafted a white
> paper describing guidelines for the use of DNS wildcards in top-level
> domain zones.  This document, which may be of interest to the NANOG
> community, is available here:
> 
> http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
> 
> Matt
> --
> Matt Larson <[EMAIL PROTECTED]>
> VeriSign Naming and Directory Services



RE: What *are* they smoking?

2003-09-15 Thread Jeroen Massar

-BEGIN PGP SIGNED MESSAGE-

Matthew S. Hallacy wrote:

> On Tue, Sep 16, 2003 at 01:18:26AM +0200, Jeroen Massar wrote:
> > 
> > Even worse of this is that you can't verify domain names under .net
> > any more for 'existence' as every .net domain suddenly has 
> a A record
> > and then can be used for spamming...
> > 
> > From: Spammer 
> <[EMAIL PROTECTED]>
> > To: You <[EMAIL PROTECTED]>
> > 
> > Thank you Verisign! Now we need to check for existence of an MX
> > and then just break a couple of RFC's in the process :(
> 
> Checking for NS or SOA record(s) is sufficient, neither are 
> being returned,
> only A records.
> 
> Of course, you could just block anything that resolves to netsol.

example.com.    NS  ns1.example.com
                A   10.100.13.42
blaat           A   10.100.13.42

It's completely legal, per RFC, to mail [EMAIL PROTECTED]
as it is a host, but blaat.example.com doesn't need an NS record.

Having an extra lookup checking with a NS if the first
level domain exists is an option though.

But the best option is just to let dns servers return NXDOMAIN
and let people use google or let them *type* correctly.

Or is Verisign suddenly also all knowledgeable about which
url's are going to be valid? "oops the user is going to make a typo,
lets point everything on our box and let that log and figure out
what the dumb user really meant"... go figure..

Btw it doesn't do IPv6 which is bad and doesn't scale into the future :)
And no HTTP SSL support either. No POP3/IMAP support telling people
they typed in the wrong hostname for their mailserver etc...

Any kiddie group already planning to "take down" the advert server ?
It's just 1 IP to take out a *lot* of domains, anything you can mistype ;)
"Look mommy we took down .net, now you see it now you..."

I also wonder what privacy implications this has, stupid example:
http://www.thawhaithouse.net/login/?user=president&password=cannedremember

There goes your privacy act (if you still thought there was any :)

Greets,
 Jeroen




Re: Change to .com/.net behavior

2003-09-15 Thread Christopher X. Candreva

On Mon, 15 Sep 2003, Vadim Antonov wrote:

> I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a
> matter of reducing the flood of advertising junk reaching my desktop.

Please share your hack !

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: What *are* they smoking?

2003-09-15 Thread Marc Slemko

On Tue, 16 Sep 2003, Daniel Roesen wrote:

> VeriSign: WHO DO YOU THINK YOU ARE?
>
> And don't try to tell us that you want to "help" users who mistype
> addresses. You want to make money with typos, that's all. Any "Site
> Finder" stuff is absurd by itself.

and their list of justifications for why what they are doing in
their whitepaper is just... completely laughable.

And so much for the claims their representatives made to the press
the other week that it would only impact "web browsing" (as if such
a thing were even possible).

They clearly are not thinking very well at all of anything beyond
HTTP requests made by humans sitting in front of a web browser.

Oh, I'm sure their technical people are very aware of all the stuff it
will break.  But the company doesn't care, why should they?

They know very well who they are and what they are breaking.


Re: Change to .com/.net behavior

2003-09-15 Thread George William Herbert


Did it occur to Verisign that perhaps this needed 
some external policy and technical review before
you just went ahead and did this?

Have you formally or informally asked ICANN, the US DOC,
etc. for policy approval?  If so, where and when?

Did you consider that nonexistent domains returning
an error was a feature in use by a wide number of security
authentication mechanisms in email and other applications?

Did you consider that major network operators might
want to know about things like this beforehand?
Have you notified any major network operators prior
to this email to NANOG?

Were the root servers apprised of this prior to it
being implemented? [Paul et al, any comments on this one?]

It is nice that Verisign at least documented what you
are doing and why, however, the documentation is not
ipso facto reasonable procedure and community approval.
From what I can see here and today, you don't have
community approval and don't appear to have followed
anything vaguely like reasonable procedure in getting here.

.com and .net are not your private playthings,
and to be frank Verisign's position in control
of the zones is dependent on it not being the
sort of company to pull stunts of this nature
without appropriate warning and discussion.


-george william herbert
[EMAIL PROTECTED]



Re: Change to .com/.net behavior

2003-09-15 Thread Vadim Antonov


I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a
matter of reducing the flood of advertising junk reaching my desktop.

I think BIND & resolver developers would do everyone a service by adding
an option having the same effect.

Thank you, VeriSign, I will never do business with you again. You are as
bad as any spammer lowlife simply because you leave everyone with no
choice to opt out of your advertising blitz.

--vadim

On Mon, 15 Sep 2003, Matt Larson wrote:

> 
> Today VeriSign is adding a wildcard A record to the .com and .net
> zones.  The wildcard record in the .net zone was activated from
> 10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is
> being added now.  We have prepared a white paper describing VeriSign's
> wildcard implementation, which is available here:
> 
> http://www.verisign.com/resources/gd/sitefinder/implementation.pdf 
> 
> By way of background, over the course of last year, VeriSign has been
> engaged in various aspects of web navigation work and study.  These
> activities were prompted by analysis of the IAB's recommendations
> regarding IDN navigation and discussions within the Council of
> European National Top-Level Domain Registries (CENTR) prompted by DNS
> wildcard testing in the .biz and .us top-level domains.  Understanding
> that some registries have already implemented wildcards and that
> others may in the future, we believe that it would be helpful to have
> a set of guidelines for registries and would like to make them
> publicly available for that purpose.  Accordingly, we drafted a white
> paper describing guidelines for the use of DNS wildcards in top-level
> domain zones.  This document, which may be of interest to the NANOG
> community, is available here:
> 
> http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
> 
> Matt
> --
> Matt Larson <[EMAIL PROTECTED]>
> VeriSign Naming and Directory Services
> 



RE: What *are* they smoking?

2003-09-15 Thread Jeff S Wheeler

On Mon, 2003-09-15 at 19:35, ken emery wrote:
> According to the article in the link posted from cbronline.com this has
> been done by NeuStar who runs the .biz and .us domain registries.  The
> company which runs this service for NeuStar claims to be able to
> differentiate between http and other requests.  I'm still waiting to
> see how they do this as you can't tell from a DNS request alone.

I'm waiting for Illuminet^HVeriSign to add this "feature" to their
global title translation database and redirect all non-existent 800
numbers to recorded advertisements.

--
Jeff S Wheeler




Re: What *are* they smoking?

2003-09-15 Thread Christopher X. Candreva

On Mon, 15 Sep 2003, Patrick W. Gilmore wrote:

> Anyone wanna patch BIND such that replies of that IP addy are replaced with
> NXDOMAIN?  That solves the web site and the spam problem, and all others,
> all at once.

I took a look at the Bind 8.3.4 code this afternoon, but couldn't readily
find where to do it. I'll take another look later.

(Last time I tried it Bind 9 sucked up twice as much server CPU as 8.x)

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: What *are* they smoking?

2003-09-15 Thread william

On Mon, 15 Sep 2003, Mark Vallar wrote:
> > This is sufficiently technically and business slimy that

I agree completely. Verisign's marketing practices are getting worse by the
day with the introduction of the redemption period, fees for non-working international
domains, prevention of domain transfers, emails to all their customers
(including ISP affiliates) advertising their webhosting services, etc.

> > I would null-route that IP, personally.
>
> The bigger issue is DNS troubleshooting. What a nightmare when a query of
> the *.gtld-servers.net servers does not return an error.  What happens when
> they change the IP because of null-route'ing of the current IP to a
> completely different /8 subnet.

You can potentially check what IP(s) are currently set by querying for
*.com and *.net (yes, "*" is a valid name for a DNS query that should provide
info on what is set as * in the zone file). One way to deal with it
automatically is to have the DNS server, at the time when it is started, check the
TLD zone files that it caches for '*' and, if the option is specified, then the
DNS server can return NXDOMAIN for those top-level domains where '*' is
present. ISC and other DNS software vendors should consider writing this
option for the next release and ISPs should then implement it.

Another way to fight this new scheme is to complain to ICANN and to the US
Department of Commerce regarding Verisign's semi-illegal marketing
practices. You might mention that if this continues root TLDs may soon
return 'A' records for non-existent top-level domains (www.verisign.die
for example :), after all half the root DNS servers are controlled by
Verisign as well...

> Who engineered this 
You can thank the ruthless capitalistic approach of the current Verisign
board of directors and their attempts to extract money in every possible
way related to .com/.net domains at the registry (verisign-grs) level because
they are losing so many domains at the registry level to their competitors.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: What *are* they smoking?

2003-09-15 Thread Chris Adams

Once upon a time, Christopher X. Candreva <[EMAIL PROTECTED]> said:
> This also blows away the whole idea of rejecting mail from non-existent
> domains -- never mind all the bounces to these non-existent domains when the
> spammers get ahold of them. Boy, I hope they have a good mail server
> responding with the 550 on that IP !
> 
> At the least we need a way for MTA's to reject mail from domains that
> resolve to this nonsense. Having bind put NXDOMAIN back would be a plus.

I see a few of ways to distinguish the responses at the moment (without
hard-coding the IP address or reverse DNS for that IP):

- the TTL on the bogusdomain.net responses is 15M instead of 2D

- on bogusdomain.net responses, the ADDITIONAL and AUTHORITY records all
  point to gtld-servers.net servers, while normal requests get records
  pointing somewhere else

- there are no NS records for bogusdomain.net

None of these help MTAs today.

For sendmail, you could do something with the dns map to look for NS
records for something.net when you get @blah.something.net.  However, it
means one more DNS lookup for everything ending in .com or .net.

-- 
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
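The three tells Chris Adams lists above, together with William Leibzon's "query for *.net at startup" idea and Patrick Gilmore's "replace that answer with NXDOMAIN" request, worked through in Python as an added example (not code from the thread or from BIND). The record layout is a simplified stand-in for real DNS messages, every reply is a constructed sample, and the 192.0.2.x addresses are documentation placeholders for glue.

```python
"""Recognising gTLD wildcard ("Site Finder"-style) answers at the resolver.
Added example, not code from the thread or from BIND: it models the tells
Chris Adams lists (15M TTL instead of 2D, AUTHORITY/ADDITIONAL naming only
gtld-servers.net hosts, no NS for the domain), the '*.net' startup lookup
William Leibzon suggests, and the NXDOMAIN rewrite Patrick Gilmore asks for.
The record layout is a simplified stand-in for DNS messages and every reply
here is a constructed sample; 64.94.110.11 and the 15M/2D TTLs are the
values quoted in the thread.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Iterable, List, Set

NOERROR = "NOERROR"
NXDOMAIN = "NXDOMAIN"
GTLD_SUFFIX = ".gtld-servers.net."
FIFTEEN_MIN = 15 * 60
TWO_DAYS = 2 * 86400


@dataclass(frozen=True)
class RR:
    name: str   # owner name, absolute (trailing dot)
    rtype: str  # "A", "NS", ...
    ttl: int    # seconds
    rdata: str  # address or target name


@dataclass
class Response:
    qname: str
    rcode: str = NOERROR
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def registrable(name: str) -> str:
    """'www.example.com.' -> 'example.com.' (second-level name under a gTLD)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def wildcard_indicators(resp: Response) -> List[str]:
    """The thread's three tells that fire on this reply; [] for a real one."""
    reasons: List[str] = []
    a_rrs = [rr for rr in resp.answer if rr.rtype == "A"]
    if resp.rcode != NOERROR or not a_rrs:
        return reasons
    # 1. The wildcard A carried a 15M TTL; gTLD delegation data carried 2D.
    if all(rr.ttl <= FIFTEEN_MIN for rr in a_rrs):
        reasons.append("short-ttl")
    # 2. Every AUTHORITY NS target and every ADDITIONAL owner is a gTLD
    #    server, i.e. the reply delegates to nobody else.
    ns_targets = [rr.rdata for rr in resp.authority if rr.rtype == "NS"]
    glue_owners = [rr.name for rr in resp.additional]
    if ns_targets and all(n.endswith(GTLD_SUFFIX) for n in ns_targets + glue_owners):
        reasons.append("gtld-only-authority")
    # 3. No NS record for the domain itself, only for the TLD.
    dom = registrable(resp.qname)
    if not any(rr.rtype == "NS" and rr.name == dom for rr in resp.authority):
        reasons.append("no-ns")
    return reasons


def learn_wildcard_targets(star_replies: Iterable[Response]) -> Set[str]:
    """Startup step: the A rdata that '*.com' / '*.net' queries return."""
    return {rr.rdata for r in star_replies for rr in r.answer if rr.rtype == "A"}


def rewrite_to_nxdomain(resp: Response, targets: Set[str]) -> Response:
    """Return NXDOMAIN when the A answer is a learned wildcard target *and*
    the reply looks like a TLD wildcard; matching on the address alone
    would also drop a real domain that happens to live on that IP."""
    hit = any(rr.rtype == "A" and rr.rdata in targets for rr in resp.answer)
    if not hit or "no-ns" not in wildcard_indicators(resp):
        return resp
    return replace(resp, rcode=NXDOMAIN, answer=[], additional=[])


def sender_domain_plausible(domain: str, lookup_ns: Callable[[str], List[str]]) -> bool:
    """MTA-side check in the spirit of the sendmail dns-map idea: require NS
    records for the registrable domain, not the host, since a host such as
    blaat.example.com legitimately has no NS of its own."""
    return bool(lookup_ns(registrable(domain)))


# Constructed samples (documentation addresses 192.0.2.x stand in for glue).
STAR_NET = Response("*.net.", answer=[RR("*.net.", "A", FIFTEEN_MIN, "64.94.110.11")],
                    authority=[RR("net.", "NS", TWO_DAYS, "a.gtld-servers.net.")])
TYPO_COM = Response("rarrarrarrarblah.com.",
                    answer=[RR("rarrarrarrarblah.com.", "A", FIFTEEN_MIN, "64.94.110.11")],
                    authority=[RR("com.", "NS", TWO_DAYS, "a.gtld-servers.net.")],
                    additional=[RR("a.gtld-servers.net.", "A", TWO_DAYS, "192.0.2.1")])
REAL_ANSWER = Response("www.example.com.",
                       answer=[RR("www.example.com.", "A", 3600, "192.0.2.80")],
                       authority=[RR("example.com.", "NS", TWO_DAYS, "ns1.example.com.")])
SAME_IP = Response("www.example.net.",  # a real domain parked on the wildcard address
                   answer=[RR("www.example.net.", "A", 3600, "64.94.110.11")],
                   authority=[RR("example.net.", "NS", TWO_DAYS, "ns1.example.net.")])
```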


Re: What *are* they smoking?

2003-09-15 Thread Daniel Roesen

On Mon, Sep 15, 2003 at 07:17:59PM -0400, Matthew Crocker wrote:
> > This is sufficiently technically and business slimy that
> > I would null-route that IP, personally.
> 
> Nah, just route it to a Linux box with transparent proxy and show your 
> own 'Websites-R-Us' page to your customers.

Or a "VeriSign's business practices" page.

Unbelievable where the Internet got over the last 10 years. Looks like the
last cluons at VeriSign were eaten up by their sales/marketing
departments (finally). Now they are "hijacking" two complete gTLD
namespaces...

VeriSign: WHO DO YOU THINK YOU ARE?

And don't try to tell us that you want to "help" users who mistype
addresses. You want to make money with typos, that's all. Any "Site
Finder" stuff is absurd by itself.


Shaking head,
Daniel


Re: What *are* they smoking?

2003-09-15 Thread Matthew S. Hallacy
On Tue, Sep 16, 2003 at 01:18:26AM +0200, Jeroen Massar wrote:
> 
> Even worse of this is that you can't verify domain names under .net
> any more for 'existence' as every .net domain suddenly has a A record
> and then can be used for spamming...
> 
> From: Spammer <[EMAIL PROTECTED]>
> To: You <[EMAIL PROTECTED]>
> 
> Thank you Verisign! Now we need to check for existence of an MX
> and then just break a couple of RFC's in the process :(

Checking for NS or SOA record(s) is sufficient, neither are being returned,
only A records.

Of course, you could just block anything that resolves to netsol.

-- 
Matthew S. Hallacy      FUBAR, LART, BOFH Certified
http://www.poptix.net   GPG public key 0x01938203




Re: What *are* they smoking?

2003-09-15 Thread Patrick W. Gilmore
-- On Monday, September 15, 2003 19:30 -0400
-- Mark Vallar <[EMAIL PROTECTED]> supposedly wrote:

> The bigger issue is DNS troubleshooting. What a nightmare when a query
> of the *.gtld-servers.net servers does not return an error.  What happens
> when they change the IP because of null-route'ing of the current IP to a
> completely different /8 subnet.

Anyone wanna patch BIND such that replies of that IP addy are replaced with
NXDOMAIN?  That solves the web site and the spam problem, and all others,
all at once.

--
TTFN,
patrick


Re: What *are* they smoking?

2003-09-15 Thread Christopher X. Candreva

On Mon, 15 Sep 2003, Chris Adams wrote:

> Someone has already brought up the idea on the BIND list of modifying
> BIND to recognize this response and converting it back to NXDOMAIN.

That would be me -- I posted to comp.protocols.dns.bind, not realizing it
was a mailing list gateway.

This also blows away the whole idea of rejecting mail from non-existent
domains -- never mind all the bounces to these non-existent domains when the
spammers get ahold of them. Boy, I hope they have a good mail server
responding with the 550 on that IP !

At the least we need a way for MTA's to reject mail from domains that
resolve to this nonsense. Having bind put NXDOMAIN back would be a plus.

-Chris

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


RE: What *are* they smoking?

2003-09-15 Thread ken emery

On Tue, 16 Sep 2003, Jeroen Massar wrote:


> -BEGIN PGP SIGNED MESSAGE-
>
> Tim Wilde wrote:
>
> > On Tue, 16 Sep 2003, Niels Bakker wrote:
> >
> > >
> > > A wildcard A record in the net TLD.
> > >
> > > $ host does.really-not-exist.net
> > > does.really-not-exist.net has address 64.94.110.11
> > >
> > > $ host 64.94.110.11
> > > 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
> > >
> > > It even responds on port 25 (says 550 on every RCPT TO).  Gah.
>
> Even worse of this is that you can't verify domain names under .net
> any more for 'existence' as every .net domain suddenly has a A record
> and then can be used for spamming...
>
> From: Spammer <[EMAIL PROTECTED]>
> To: You <[EMAIL PROTECTED]>
>
> Thank you Verisign! Now we need to check for existence of an MX
> and then just break a couple of RFC's in the process :(

What about if the IP address returned by the DNS query is the same one as
does.really-not-exist.net then the spam is returned to the owner of
the IP address?  In this case VeriSign.  I think this is already done
by some automated spam reporting tools.  If AOL does it Verisign will
probably get crushed by the load (if one is having a spam war with AOL's
mail servers AOL will always win).

> > It's Verisign's return shot at the web browser "couldn't find this page"
> > searches.  Doesn't seem to have much by way of advertising yet, but I'm
> > sure that'll change.  I heard about this coming from somewhere last week,
> > though I don't recall where.  Probably Wired or the WSJ.
> > Verisign wants the revenue that all those typos are generating.  It's just
> > the next shot in the eyeball war.
>
> Who said the internet wasn't commercial again ?
> Thank you government of the United States of America for
> allowing such money hungry organisations to abuse one
> of the original tld's.
>
> Wasn't .net meant for *networks* ? aka ISP backbone infrastructure
> and not for commercials?

That has been going on for several years now (unfortunately).

> (And I thought that domain reselling was a yucky business)

Yep, but it can be profitable.  I'm just waiting for someone to put out
a typo in a large press release and then sue Verisign for stealing all
the traffic.

According to the article in the link posted from cbronline.com this has
been done by NeuStar who runs the .biz and .us domain registries.  The
company which runs this service for NeuStar claims to be able to
differentiate between http and other requests.  I'm still waiting to
see how they do this as you can't tell from a DNS request alone.

bye,
ken emery



Re: What *are* they smoking?

2003-09-15 Thread Patrick W. Gilmore
-- On Tuesday, September 16, 2003 00:56 +0200
-- Niels Bakker <[EMAIL PROTECTED]> supposedly wrote:

> A wildcard A record in the net TLD.
>
> $ host does.really-not-exist.net
> does.really-not-exist.net has address 64.94.110.11
> $ host 64.94.110.11
> 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
>
> It even responds on port 25 (says 550 on every RCPT TO).  Gah.

No, it accepts if the from domain exists - but only if it *REALLY* exists.

[...]
rcpt to: [EMAIL PROTECTED]
250 OK
mail from: [EMAIL PROTECTED]
550 User domain does not exist.
mail from: [EMAIL PROTECTED]
250 OK
Nice that their spam filters still work. :(

And I love the 221 close message:

data
221 snubby1-wcwest Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host.

--
TTFN,
patrick


Re: What *are* they smoking?

2003-09-15 Thread Mark Vallar

> >> A wildcard A record in the net TLD.
> >
> >It's Verisign's return shot at the web browser "couldn't find this page"
> >searches.  Doesn't seem to have much by way of advertising yet, but I'm
> >sure that'll change.  I heard about this coming from somewhere last week,
> >though I don't recall where.  Probably Wired or the WSJ.  Verisign wants
> >the revenue that all those typos are generating.  It's just the next shot
> >in the eyeball war.
>
> This is sufficiently technically and business slimy that
> I would null-route that IP, personally.
>

The bigger issue is DNS troubleshooting. What a nightmare when a query of
the *.gtld-servers.net servers does not return an error.  What happens when
they change the IP because of null-route'ing of the current IP to a
completely different /8 subnet.


Who engineered this!  Or better yet, who allowed this blatant commercial
use of the TLD servers?



Mark Vallar



RE: What *are* they smoking?

2003-09-15 Thread Deepak Jain

> It's Verisign's return shot at the web browser "couldn't find this page"
> searches.  Doesn't seem to have much by way of advertising yet, but I'm
> sure that'll change.  I heard about this coming from somewhere last week,
> though I don't recall where.  Probably Wired or the WSJ.  Verisign wants
> the revenue that all those typos are generating.  It's just the next shot
> in the eyeball war.
>

I am guessing that given the relatively light penalty Register.com got for
its "Coming Soon" web pages, Verisign was encouraged to try the same thing
and will probably be glad to take the same penalty.

Deepak Jain
AiNET



Change to .com/.net behavior

2003-09-15 Thread Matt Larson

Today VeriSign is adding a wildcard A record to the .com and .net
zones.  The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is
being added now.  We have prepared a white paper describing VeriSign's
wildcard implementation, which is available here:

http://www.verisign.com/resources/gd/sitefinder/implementation.pdf 

By way of background, over the course of last year, VeriSign has been
engaged in various aspects of web navigation work and study.  These
activities were prompted by analysis of the IAB's recommendations
regarding IDN navigation and discussions within the Council of
European National Top-Level Domain Registries (CENTR) prompted by DNS
wildcard testing in the .biz and .us top-level domains.  Understanding
that some registries have already implemented wildcards and that
others may in the future, we believe that it would be helpful to have
a set of guidelines for registries and would like to make them
publicly available for that purpose.  Accordingly, we drafted a white
paper describing guidelines for the use of DNS wildcards in top-level
domain zones.  This document, which may be of interest to the NANOG
community, is available here:

http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf

Matt
--
Matt Larson <[EMAIL PROTECTED]>
VeriSign Naming and Directory Services


Re: What *are* they smoking?

2003-09-15 Thread Chris Adams

Once upon a time, Richard A Steenbergen <[EMAIL PROTECTED]> said:
> On Tue, Sep 16, 2003 at 12:56:57AM +0200, Niels Bakker wrote:
> > $ host does.really-not-exist.net
> > does.really-not-exist.net has address 64.94.110.11
> 
> I would say time to null route this horribly inappropriate scam, but it 
> looks like a few cable modem providers have already done so, and I am no 
> longer seeing it in the .com zone (but I still see it under .net).

Someone has already brought up the idea on the BIND list of modifying
BIND to recognize this response and converting it back to NXDOMAIN.
Blackholing the IP means that your customers will get an error that the
site is unreachable, not that it does not exist.

BTW: I got a "content filter" message bounce in response to my other
post on this topic - anyone else get that?  I didn't see anything in my
message that looked filter-worthy to me.
-- 
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


RE: What *are* they smoking?

2003-09-15 Thread Jeroen Massar

Tim Wilde wrote:

> On Tue, 16 Sep 2003, Niels Bakker wrote:
> 
> >
> > A wildcard A record in the net TLD.
> >
> > $ host does.really-not-exist.net
> > does.really-not-exist.net has address 64.94.110.11
> >
> > $ host 64.94.110.11
> > 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
> >
> > It even responds on port 25 (says 550 on every RCPT TO).  Gah.

Even worse is that you can't verify domain names under .net any more
for 'existence', as every .net domain suddenly has an A record and can
then be used for spamming...

From: Spammer <[EMAIL PROTECTED]>
To: You <[EMAIL PROTECTED]>

Thank you Verisign! Now we need to check for existence of an MX
and then just break a couple of RFC's in the process :(

> It's Verisign's return shot at the web browser "couldn't find this page"
> searches.  Doesn't seem to have much by way of advertising yet, but I'm
> sure that'll change.  I heard about this coming from somewhere last week,
> though I don't recall where.  Probably Wired or the WSJ.  
> Verisign wants the revenue that all those typos are generating.  It's just 
> the next shot in the eyeball war.

Who said the internet wasn't commercial again ?
Thank you government of the United States of America for
allowing such money hungry organisations to abuse one
of the original tld's.

Wasn't .net meant for *networks* ? aka ISP backbone infrastructure
and not for commercials?

(And I thought that domain reselling was a yucky business)

Greets,
 Jeroen




Re: What *are* they smoking?

2003-09-15 Thread Matthew Crocker


On Monday, September 15, 2003, at 07:11 PM, George William Herbert wrote:

>>> A wildcard A record in the net TLD.
>>
>> It's Verisign's return shot at the web browser "couldn't find this page"
>> searches.  Doesn't seem to have much by way of advertising yet, but I'm
>> sure that'll change.  I heard about this coming from somewhere last week,
>> though I don't recall where.  Probably Wired or the WSJ.  Verisign wants
>> the revenue that all those typos are generating.  It's just the next shot
>> in the eyeball war.
>
> This is sufficiently technically and business slimy that
> I would null-route that IP, personally.

Nah, just route it to a Linux box with transparent proxy and show your
own 'Websites-R-Us' page to your customers.



Re: What *are* they smoking?

2003-09-15 Thread Michael K. Smith

On 9/15/03 3:56 PM, "Niels Bakker" <[EMAIL PROTECTED]> wrote:

> 
> A wildcard A record in the net TLD.
> 
> $ host does.really-not-exist.net
> does.really-not-exist.net has address 64.94.110.11
> 
> $ host 64.94.110.11
> 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
> 
> It even responds on port 25 (says 550 on every RCPT TO).  Gah.
> 
> 
> -- Niels.
> 

http://www.cbronline.com/latestnews/d04afc52ae9da2ee80256d9c0018be8b

Mike
-- 
Michael K. Smith        NoaNet
206.219.7116 (work)     206.579.8360 (cell)
[EMAIL PROTECTED]       http://www.noanet.net




Re: What *are* they smoking?

2003-09-15 Thread Richard A Steenbergen

On Tue, Sep 16, 2003 at 12:56:57AM +0200, Niels Bakker wrote:
> 
> A wildcard A record in the net TLD.
> 
> $ host does.really-not-exist.net
> does.really-not-exist.net has address 64.94.110.11
> 
> $ host 64.94.110.11
> 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
> 
> It even responds on port 25 (says 550 on every RCPT TO).  Gah.

I would say time to null route this horribly inappropriate scam, but it 
looks like a few cable modem providers have already done so, and I am no 
longer seeing it in the .com zone (but I still see it under .net).

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: What *are* they smoking?

2003-09-15 Thread Chris Adams

Once upon a time, Niels Bakker <[EMAIL PROTECTED]> said:
> A wildcard A record in the net TLD.
> 
> $ host does.really-not-exist.net
> does.really-not-exist.net has address 64.94.110.11
> 
> $ host 64.94.110.11
> 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
> 
> It even responds on port 25 (says 550 on every RCPT TO).  Gah.

Yep, and it'll be coming soon to .com.  All your typo domain are belong
to Verisign.
-- 
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


Re: What *are* they smoking?

2003-09-15 Thread George William Herbert


>> A wildcard A record in the net TLD.
>
>It's Verisign's return shot at the web browser "couldn't find this page"
>searches.  Doesn't seem to have much by way of advertising yet, but I'm
>sure that'll change.  I heard about this coming from somewhere last week,
>though I don't recall where.  Probably Wired or the WSJ.  Verisign wants
>the revenue that all those typos are generating.  It's just the next shot
>in the eyeball war.

This is sufficiently technically and business slimy that
I would null-route that IP, personally.


-george william herbert
[EMAIL PROTECTED]



Re: What *are* they smoking?

2003-09-15 Thread Tim Wilde

On Tue, 16 Sep 2003, Niels Bakker wrote:

>
> A wildcard A record in the net TLD.
>
> $ host does.really-not-exist.net
> does.really-not-exist.net has address 64.94.110.11
>
> $ host 64.94.110.11
> 11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com
>
> It even responds on port 25 (says 550 on every RCPT TO).  Gah.

It's Verisign's return shot at the web browser "couldn't find this page"
searches.  Doesn't seem to have much by way of advertising yet, but I'm
sure that'll change.  I heard about this coming from somewhere last week,
though I don't recall where.  Probably Wired or the WSJ.  Verisign wants
the revenue that all those typos are generating.  It's just the next shot
in the eyeball war.

Tim Wilde

-- 
Tim Wilde
[EMAIL PROTECTED]
Systems Administrator
Dynamic DNS Network Services
http://www.dyndns.org/


What *are* they smoking?

2003-09-15 Thread Niels Bakker

A wildcard A record in the net TLD.

$ host does.really-not-exist.net
does.really-not-exist.net has address 64.94.110.11

$ host 64.94.110.11
11.110.94.64.IN-ADDR.ARPA domain name pointer sitefinder-idn.verisign.com

It even responds on port 25 (says 550 on every RCPT TO).  Gah.


-- Niels.


Earthlink Connectivity?

2003-09-15 Thread Brian Boles

Anyone experiencing problems connecting to Earthlink through WilTel ?

Tracing the route to 207.217.121.218

  1 elpstx1wce2-pos3-1.wcg.net (64.200.226.225) [AS 7911] 12 msec 12 msec 16 msec
  2 dllstx1wcx2-oc48.wcg.net (64.200.210.209) [AS 7911] 96 msec 224 msec 40 msec
  3 dllstx9lce1-oc48.wcg.net (64.200.110.82) [AS 7911] !H  *  !H




Internetwork smarTest

2003-09-15 Thread Dean Bogdanovic

Hi
I am looking if somebody has some experience with Internetwork smarTest. 
Any feedback (preferably off list) would be greatly appreciated.

Dean




Re: list thoughts on "unsupported" hardware?

2003-09-15 Thread Ray



Ah, quite right.  It's the RSP2 that EOLd, but of course the RSP4/8/16 can
be used in the 7500, so the chassis continues to be supported.  Good
news in this customer's case, though actually, they do have an RSP2, so
are still somewhat affected.  RSP2 went away as of 16 Feb 2003, as per
http://www.cisco.com/warp/public/cc/pd/rt/7500/prodlit/1866_pp.htm.


Ray


On Mon, Sep 15, 2003 at 02:33:28PM -0500, Austad, Jay wrote:
> I couldn't find anything that said the 7500 is end-of-life/support/etc...
> 
> -jay
> 
> > -Original Message-
> > From: Ray Wong [mailto:[EMAIL PROTECTED]
> > Sent: Monday, September 15, 2003 2:07 PM
> > To: [EMAIL PROTECTED]
> > Subject: list thoughts on "unsupported" hardware?
> > 
> > I realize this isn't arguing about Windows patch mechanisms, but recently
> > realized I've never answered this issue to my own satisfaction... How long
> > do we keep upgrading and using network hardware once it's fallen off the
> > support lists?  The Cisco 7500 finally went off back in Feb of this year,
> > as I recall.  3rd party upgrades, and used parts, are still readily available.
> > 
> > (Actually, does anyone have suggestions on vendors for said upgrades and
> > parts?  I've noticed a lot more discounting than in the past, but usually
> > from vendors I have no experience with).
> > 
> > A client I've recently taken on happens to be relying on a 7500 for their
> > border.  In reality, their current use could fit on a 2621/2650, though they
> > have been much larger in the past (there's a small pile of DS3 cards sitting
> > on the shelf).  They're still relying on a single provider for connectivity,
> > etc.
> > 
> > So, does anyone have any thoughts on how long we should be letting our
> > poorer customers/employers live with products that are officially off the
> > support lists?  Clearly there will be (i.e. IOS) image support for quite some
> > time.  Is keeping (tested) spares around sufficient to justify actually
> > spending some money to fit the newer/larger images?  Newer/still current
> > hardware seems much more a no-brainer, but advocating spending a thousand
> > bucks to avoid spending 5x that on a more current fire-sale item is a little
> > less clear, to me.
> > 
> > 
> > -- 
> > 
> > Ray Wong
> > [EMAIL PROTECTED]
> > 
> > 

-- 

Ray Wong
[EMAIL PROTECTED]



RE: Cisco IOS Failure due to Virus

2003-09-15 Thread Mark Segal

Gotta love nanog..

A nice man from cisco called me, it looked like a lot of packets on my
router were being process switched (sh ip cache - displayed A LOT of
entries).  Anyway, it turns out some of my atm sub-ints inherited a "no ip
route-cache cef" from a parent int and well you can see what happens when
the packet volume increases.

Richard, I would check that..

So now to lift the rate-limit and see what happens..

Regards,
Mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-Original Message-
From: Mark Segal [mailto:[EMAIL PROTECTED] 
Sent: September 15, 2003 1:50 PM
To: 'Richard J.Sears'; 'Robert Blayzor'
Cc: 'Nanog'; Mihai Iancu
Subject: RE: Cisco IOS Failure due to Virus




We are seeing the same problem on all of the 6400-nrp aggregation boxes we
have in the network.  Here is the IOS bug ID - CSCec12495.. Actually by rate
limiting icmp on our network the problems have stopped/slowed down a lot.

Sorry for the delay.. Was out of the country for a while..
Mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-Original Message-
From: Richard J.Sears [mailto:[EMAIL PROTECTED] 
Sent: September 11, 2003 12:26 AM
To: Robert Blayzor
Cc: Nanog
Subject: Re: Cisco IOS Failure due to Virus



Hi Robert,

Thanks for the info. We are running dCEF...routers show about 4% CPU load
and the following memory:


BR02#sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   613AE340   247798976   106515996   141282980   140653360   134546752
     Fast   6138E340      131080       37240       93840       93840       93788


Also, we are not blocking 92 byte ICMP due to the traceroute problems on
customers networks...

Thanks

On Wed, 10 Sep 2003 23:17:01 -0400
Robert Blayzor <[EMAIL PROTECTED]> wrote:

> 
> On 9/10/03 10:58 PM, "Richard J.Sears" <[EMAIL PROTECTED]> wrote:
> 
> > %SYS-2-MALLOCFAIL: Memory allocation of 704 bytes failed from
> > 0x60329F00, alignment 0
> > Pool: Processor  Free: 92744  Cause: Memory fragmentation Alternate 
> > Pool: None  Free: 0  Cause: No Alternate pool -Process= "Pool 
> > Manager", ipl= 0, pid= 6 -Traceback= 6038049C 60382200 60329F08 
> > 6038DEDC
> > 
> > %TCP-6-NOBUFF: TTY0, no buffer available
> > -Process= "BGP Router", ipl= 0, pid= 132
> > 
> > %% Low on memory; try again later
> 
> Did you enable CEF?
> Are you dropping 92 byte ICMP packets where needed?
> 
> --
> Robert Blayzor, BOFH
> INOC, LLC
> [EMAIL PROTECTED]
> PGP: http://www.inoc.net/~dev/
> Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9
> 
> "I don't need parents. All I need is a recording that says, 'Go play
> outside!" - Calvin and Hobbes
> 


**
Richard J. Sears
Vice President 
American Digital Network  

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax


I fly because it releases my mind 
from the tyranny of petty things . . 


"Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's
watching."


RE: list thoughts on "unsupported" hardware?

2003-09-15 Thread Austad, Jay

I couldn't find anything that said the 7500 is end-of-life/support/etc...
This is all I found on their site regarding the 7500:
End-of-Sale/End-of-Life: FEIP2-DSW-2TX & FEIP2-DSW-2FX 
09/Jul/2003 

End of Sale/End of Life: SA-ENCRYPT Services Adapter 
31/Mar/2003 

End of Sales - VIP2-50, No. 1868 
20/Aug/2002 

End of Sales: Route Switch Processor 2, No. 1866 
20/Aug/2002 

End of Sales: SRPIP-OC12, No. 1867 
20/Aug/2002 

I know it doesn't answer your question, but it appears that the 7500 is
still on the list.

-jay

> -Original Message-
> From: Ray Wong [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 15, 2003 2:07 PM
> To: [EMAIL PROTECTED]
> Subject: list thoughts on "unsupported" hardware?
> 
> I realize this isn't arguing about Windows patch mechanisms, but recently
> realized I've never answered this issue to my own satisfaction... How long
> do we keep upgrading and using network hardware once it's fallen off the
> support lists?  The Cisco 7500 finally went off back in Feb of this year,
> as I recall.  3rd party upgrades, and used parts, are still readily available.
> 
> (Actually, does anyone have suggestions on vendors for said upgrades and
> parts?  I've noticed a lot more discounting than in the past, but usually
> from vendors I have no experience with).
> 
> A client I've recently taken on happens to be relying on a 7500 for their
> border.  In reality, their current use could fit on a 2621/2650, though they
> have been much larger in the past (there's a small pile of DS3 cards sitting
> on the shelf).  They're still relying on a single provider for connectivity,
> etc.
> 
> So, does anyone have any thoughts on how long we should be letting our
> poorer customers/employers live with products that are officially off the
> support lists?  Clearly there will be (i.e. IOS) image support for quite some
> time.  Is keeping (tested) spares around sufficient to justify actually
> spending some money to fit the newer/larger images?  Newer/still current
> hardware seems much more a no-brainer, but advocating spending a thousand
> bucks to avoid spending 5x that on a more current fire-sale item is a little
> less clear, to me.
> 
> 
> -- 
> 
> Ray Wong
> [EMAIL PROTECTED]
> 
> 


list thoughts on "unsupported" hardware?

2003-09-15 Thread Ray Wong



I realize this isn't arguing about Windows patch mechanisms, but recently
realized I've never answered this issue to my own satisfaction... How long
do we keep upgrading and using network hardware once it's fallen off the
support lists?  The Cisco 7500 finally went off back in Feb of this year,
as I recall.  3rd party upgrades, and used parts, are still readily available.

(Actually, does anyone have suggestions on vendors for said upgrades and
parts?  I've noticed a lot more discounting than in the past, but usually
from vendors I have no experience with).

A client I've recently taken on happens to be relying on a 7500 for their
border.  In reality, their current use could fit on a 2621/2650, though they
have been much larger in the past (there's a small pile of DS3 cards sitting
on the shelf).  They're still relying on a single provider for connectivity,
etc.

So, does anyone have any thoughts on how long we should be letting our
poorer customers/employers live with products that are officially off the
support lists?  Clearly there will be (i.e. IOS) image support for quite some
time.  Is keeping (tested) spares around sufficient to justify actually
spending some money to fit the newer/larger images?  Newer/still current
hardware seems much more a no-brainer, but advocating spending a thousand
bucks to avoid spending 5x that on a more current fire-sale item is a little
less clear, to me.


-- 

Ray Wong
[EMAIL PROTECTED]



RE: 92 Byte ICMP Blocking Problem

2003-09-15 Thread Mark Segal

When I checked last week 1 in 4 packets was an ICMP message, so we rate
limited ICMP ECHO and ICMP ECHO-REPLY messages.. And it only bugged PING'ers
and windows traceroute users..  All those low memory alarms are now no
longer plaguing our NMS.

Mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-Original Message-
From: John Souvestre [mailto:[EMAIL PROTECTED] 
Sent: September 13, 2003 11:53 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: 92 Byte ICMP Blocking Problem



Hi.

I've been running with the service policy version and haven't seen any
problem either.  I did notice that it seems to block DOS traceroutes,
however.

John

John Souvestre - Southern Star - (504) 888-3348 - www.sstar.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, September 13, 2003 10:18 PM
To: William Devine, II
Cc: Nanog
Subject: Re: 92 Byte ICMP Blocking Problem
Importance: High


That's really weird.  I've been running with 

route-map nachiworm permit 10
 match ip address nachilist
 match length 92 92
 set interface Null0

ip access-list extended nachilist
 permit icmp any any echo
 permit icmp any any echo-reply

ip policy route-map nachiworm

on transit interfaces and the virtual-templates of all our access servers 
that can do it properly (just blocking echo/echo-reply on the older ones 
that can't do the policy) and haven't heard about any customer complaints 
other than "I can't ping" in the places where we've blocked all 
echo/echo-reply.  The routers doing this (7200/7500s) are all running
12.2(1-3)S.  Access servers are running mostly 12.1M or 12.2XB code. 
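The quoted route-map's two conditions (ICMP echo or echo-reply in the ACL, and `match length 92 92` on the IP total length) applied to raw packets, as an added example that is not code from the thread or from Cisco. The packet builder and the traffic sample are constructed (documentation addresses); the 64-byte 0xAA payload on the probe is my assumption about the worm's pattern, not something the thread states.

```python
import struct
from typing import Dict, List

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
NACHI_TOTAL_LENGTH = 92   # 20-byte IP header + 8-byte ICMP header + 64 data bytes


def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet with a minimal 20-byte header; the checksum is left
    zero because the policy only reads Total Length and Protocol."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0, _ip4(src), _ip4(dst))
    return header + payload


def build_icmp(src: str, dst: str, icmp_type: int, data: bytes) -> bytes:
    """IPv4 + ICMP header (type, code, checksum, id, seq) + data."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + data
    return build_ipv4(src, dst, IPPROTO_ICMP, icmp)


def classify(packet: bytes) -> str:
    """Mirror the route-map: both the ACL (ICMP echo / echo-reply) and the
    length match (IP Total Length == 92) must hit before 'set interface Null0'."""
    if len(packet) < 20:
        return "forward"
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        return "forward"
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_ICMP or len(packet) < ihl + 8:
        return "forward"                  # nachilist only permits ICMP
    icmp_type = packet[ihl]
    in_acl = icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
    if in_acl and total_len == NACHI_TOTAL_LENGTH:
        return "Null0"
    return "forward"


def summarize(packets: List[bytes]) -> Dict[str, int]:
    """Count ICMP share and policy drops over a batch, the kind of ratio the
    thread quotes ('1 in 4 packets was an ICMP message')."""
    counts = {"total": 0, "icmp": 0, "Null0": 0}
    for p in packets:
        counts["total"] += 1
        if len(p) >= 10 and p[9] == IPPROTO_ICMP:
            counts["icmp"] += 1
        if classify(p) == "Null0":
            counts["Null0"] += 1
    return counts


# Constructed sample, not captured traffic.
SAMPLE = [
    build_icmp("192.0.2.10", "198.51.100.20", ICMP_ECHO_REQUEST, b"\xaa" * 64),    # 92-byte probe
    build_icmp("198.51.100.20", "192.0.2.10", ICMP_ECHO_REPLY, b"\xaa" * 64),      # its 92-byte reply
    build_icmp("192.0.2.11", "198.51.100.20", ICMP_ECHO_REQUEST, b"abcdefgh" * 4), # 60-byte ping
    build_icmp("203.0.113.1", "192.0.2.11", ICMP_TIME_EXCEEDED, b"\x00" * 64),     # 92 bytes, not in ACL
    build_ipv4("192.0.2.12", "198.51.100.20", IPPROTO_TCP, b"\x00" * 20),          # TCP, untouched
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(len(p), classify(p))
    print(summarize(SAMPLE))
```

Only the echo probes and replies at exactly 92 bytes are sent to Null0; the time-exceeded replies that traceroute relies on pass, which matches the thread's observation that the collateral damage is limited to pingers and Windows traceroute.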




RE: Cisco IOS Failure due to Virus

2003-09-15 Thread Mark Segal


We are seeing the same problem on all of the 6400-nrp aggregation boxes we
have in the network.  Here is the IOS bug ID - CSCec12495.. Actually by rate
limiting icmp on our network the problems have stopped/slowed down a lot.

Sorry for the delay.. Was out of the country for a while..
Mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-Original Message-
From: Richard J.Sears [mailto:[EMAIL PROTECTED] 
Sent: September 11, 2003 12:26 AM
To: Robert Blayzor
Cc: Nanog
Subject: Re: Cisco IOS Failure due to Virus



Hi Robert,

Thanks for the info. We are running dCEF...routers show about 4% CPU load
and the following memory:


BR02#sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   613AE340   247798976   106515996   141282980   140653360   134546752
     Fast   6138E340      131080       37240       93840       93840       93788


Also, we are not blocking 92 byte ICMP due to the traceroute problems on
customers networks...

Thanks

On Wed, 10 Sep 2003 23:17:01 -0400
Robert Blayzor <[EMAIL PROTECTED]> wrote:

> 
> On 9/10/03 10:58 PM, "Richard J.Sears" <[EMAIL PROTECTED]> wrote:
> 
> > %SYS-2-MALLOCFAIL: Memory allocation of 704 bytes failed from 
> > 0x60329F00, alignment 0
> > Pool: Processor  Free: 92744  Cause: Memory fragmentation Alternate 
> > Pool: None  Free: 0  Cause: No Alternate pool -Process= "Pool 
> > Manager", ipl= 0, pid= 6 -Traceback= 6038049C 60382200 60329F08 
> > 6038DEDC
> > 
> > %TCP-6-NOBUFF: TTY0, no buffer available
> > -Process= "BGP Router", ipl= 0, pid= 132
> > 
> > %% Low on memory; try again later
> 
> Did you enable CEF?
> Are you dropping 92 byte ICMP packets where needed?
> 
> --
> Robert Blayzor, BOFH
> INOC, LLC
> [EMAIL PROTECTED]
> PGP: http://www.inoc.net/~dev/
> Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9
> 
> "I don't need parents. All I need is a recording that says, 'Go play 
> outside!" - Calvin and Hobbes
> 


**
Richard J. Sears
Vice President 
American Digital Network  

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax


I fly because it releases my mind 
from the tyranny of petty things . . 


"Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's
watching."


pathchar servers

2003-09-15 Thread Chistos Xenofontas Dimitropoulos
Hallo nanogers,
would anyone know of any pathchar servers
(similarly to traceroute servers)?
Fontas
PS: clink or pchar would be fine too



Detroit Area

2003-09-15 Thread frank

Hallo nanogers,

someone out there in the Detroit Area ? Need some information about T1
connection and Watchguard reseller/partner.
Please contact me off list
  

-- 
Best regards,
Frank Kuempel        mailto:[EMAIL PROTECTED]


If it's there and you can see it   -  it's REAL
If it's there and you can't see it -  it's TRANSPARENT
If it's not there and you can see it   -  it's VIRTUAL
If it's not there and you can't see it -  it's GONE



Need help with Ex-Pat project

2003-09-15 Thread Douglas S. Peeples





I am helping on several areas for the design, testing, and deployment of a
Metro Ethernet network (based on MPLS) in the Pacific rim.  If you or if you
know anyone interested in working over seas for a year or so drop me an
email with contact information.


Cheers,

Doug Peeples







Re: Microsoft announces new ways to bypass security controls

2003-09-15 Thread David Lesher

Speaking on Deep Background, the Press Secretary whispered:
> 
> 
> 
> We see that even when we offer POP with SSL and SMTP AUTH with SSL, few 
> customers wind up using it. That there are continuing problems with the 
> commercial certificate infrastructure doesn't help matters.
> 
> Examples of the problems:
> 
> 1. Eudora contains root certificates only for Verisign and Thawte, and uses 
> its own root certificate store, whereas Microsoft client tools (for all 
> their other weaknesses) include a much broader array of root certificates. 
> If you want to buy certs from someone other than Verisign (since they own 
> Thawte) you have to talk users through integrating other root certs (or 
> your cert) into their copies of Eudora. Or just use a private CA and talk 
> your customers through importing the root cert from your private CA.

While the approval process for other certs in Eudora is obscure,
it at least works. I ran into a brick wall trying to get Infernal
Exploder for the Mac to accept same; the Windows version was not
a problem.

> 2. SSL incompatibilities: Eudora changed their method of negotiation with 
> Eudora 5.2 and later. The result is an inability to negotiate TLS with 
> Sendmail/Openssl. A configuration parameter in Eudora gets it to go back to 
> the "old way" in their code, which works fine. But now we're talking about 
> another case of talking an end user through a configuration. Might be OK 
> for a corporate setting, but it gets pretty problematic for the ISP.


Note Eudora 6.0 has a public configuration setting for the flavor
of SSL.[1] Yes, it should be automagic but "the nice thing about
standards in this industry..." applies lots of places...




> We've clearly got the mechanisms to allow encryption on the most important 
> of the protocols. However the infrastructure and compatibility issues make 
> them more difficult to employ than should be the case.
> 
> That these problems show up at networking conferences (IETF, NANOG, etc.), 
> though, really points to a larger problem. If network research, engineering 
> and operations folks can't manage to get encryption deployed for 
> themselves, how likely is it that end customers will use them?


WhatHeSaid. 

We really need to do a better job of begging/cajoling/requiring encryption. I
know one ISP that requires POP/SMTP be on SSL unless you're on their dialup,
and I've heard Worldnet does too. [true?] The rest?



[1] At least in the Mac version I can lay hands on..

-- 
A host is a host from coast to coast.............[EMAIL PROTECTED]
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close)...............pob 1433
is busy, hung or dead............................20915-1433


Re: Microsoft announces new ways to bypass security controls

2003-09-15 Thread Daniel Senie
At 03:22 AM 9/15/2003, Mans Nilsson wrote:

> Subject: Microsoft announces new ways to bypass security controls Date:
> Sun, Sep 14, 2003 at 10:03:32PM -0400 Quoting Sean Donelan ([EMAIL PROTECTED]):
> > Of course, Microsoft isn't the only one with mail protocol security
> > weaknesses.
> >
> > POP3 is probably responsible for more cleartext passwords being
> > transmitted over the Internet than any other network protocol.
>
> That statement is nicely supported by my dsniff logs from various
> networking conferences -- the top three have always been:
> POP
> webmail without SSL
> other http apps without SSL.

We see that even when we offer POP with SSL and SMTP AUTH with SSL, few 
customers wind up using it. That there are continuing problems with the 
commercial certificate infrastructure doesn't help matters.

Examples of the problems:

1. Eudora contains root certificates only for Verisign and Thawte, and uses 
its own root certificate store, whereas Microsoft client tools (for all 
their other weaknesses) include a much broader array of root certificates. 
If you want to buy certs from someone other than Verisign (since they own 
Thawte) you have to talk users through integrating other root certs (or 
your cert) into their copies of Eudora. Or just use a private CA and talk 
your customers through importing the root cert from your private CA.

2. SSL incompatibilities: Eudora changed their method of negotiation with 
Eudora 5.2 and later. The result is an inability to negotiate TLS with 
Sendmail/Openssl. A configuration parameter in Eudora gets it to go back to 
the "old way" in their code, which works fine. But now we're talking about 
another case of talking an end user through a configuration. Might be OK 
for a corporate setting, but it gets pretty problematic for the ISP.

We've clearly got the mechanisms to allow encryption on the most important 
of the protocols. However the infrastructure and compatibility issues make 
them more difficult to employ than should be the case.

That these problems show up at networking conferences (IETF, NANOG, etc.), 
though, really points to a larger problem. If network research, engineering 
and operations folks can't manage to get encryption deployed for 
themselves, how likely is it that end customers will use them?



Weekly lamer report

2003-09-15 Thread Rob Thomas

Hi, NANOGers.

While noshing on your morning bagel don't forget to check for lame
DNS delegations.  There are 21771 entries in the lamer report for
the week ending 14 SEP 2003.  These entries are often indicators
of greater problems with name server configurations.

   

This report does not include last week's filename typo.  :)

Thanks!
Rob, for Team Cymru.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);



Re: Microsoft announces new ways to bypass security controls

2003-09-15 Thread Mans Nilsson
Subject: Microsoft announces new ways to bypass security controls Date: Sun, Sep 14, 
2003 at 10:03:32PM -0400 Quoting Sean Donelan ([EMAIL PROTECTED]):
> Of course, Microsoft isn't the only one with mail protocol security
> weaknesses.
> 
> POP3 is probably responsible for more cleartext passwords being
> transmitted over the Internet than any other network protocol.

That statement is nicely supported by my dsniff logs from various 
networking conferences -- the top three have always been:

POP
webmail without SSL
other http apps without SSL. 

Below this we see IMAP, IM, telnet (rare) and a storm of snmp from
windows machines trying to manage HP printers.

-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE

Send your questions to ``ASK ZIPPY'', Box 40474, San Francisco, CA
94140, USA

