Re: When is Verisign's registry contract up for renewal
On Sat, Sep 20, 2003 at 11:23:04PM -0700, Henry Linneweh wrote: My view would concur with this, these are really old battles starting back in the netsol days and now the verisign has taken the same short sighted path. It is time that neutral party is in charge -Henry R Linneweh I was thinking this earlier this week. This is a public-trust that should be operated by people whose sole job is to keep it up and working, not by a dual-role entity as it is today. Perhaps we can get someone to make a not-for-profit for this sole role. - Jared Paul Vixie [EMAIL PROTECTED] wrote: ICANN can seek specific performance of the agreement by Verisign, or seek to terminate Verisign's contract as the .COM/.NET registry operator and transfer the operation to a successor registry. Quite honestly I'd like to see all of the GTLD servers given to neutral companies, ones that ARE not registrars. [...] frankly i am mystified as to why icann awards registry contracts to for-profit entities. registrars can be for-profit, but registries should be non-profit or public-trust or whatever that specific nation's laws allow for in terms of requirements for open accounting, uniform dealing, and nonconflict with the public's interest. -- Paul Vixie -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Verisign vs ICANN
Kee Hinckley wrote: Never mind that there isn't a standard format for the returned information between providers. The whois database is not a replacement for a DNS query. I'm sure Verisign will come up with an XML Schema for whois information soon. Pete
Re: Providers removing blocks on port 135?
In article [EMAIL PROTECTED], Justin Shore [EMAIL PROTECTED] wrote: Now I'm going to get even more off-topic. It occurs to me that major changes to a protocol such as SMTP getting auth should justify utilizing a different tcp/ip port. Think about it like this. If authenticated forms of SMTP used a different TCP/IP port we netadms could justify leaving that port open on these same dynamically assigned netblocks in the theory that they are only able to connect to other authenticated SMTP services. Doesn't that seem logical? That's not exactly a new idea. http://www.faqs.org/rfcs/rfc2476.html (december 1998). Mike.
Re: VeriSign SMTP reject server updated
On Sun, Sep 21, 2003 at 10:08:27AM +, Stephen J. Wilcox wrote: What if you change the behaviour of the GTLD named daemons to return an NXDOMAIN response to any MX queries on non-existent domains, you will then take this whole debate on SMTP out of the equation ... MTAs fall back to the A RR if there are no MX RRs for a given recipient domain. Regards, Daniel
Re: Providers removing blocks on port 135?
On zaterdag, sep 20, 2003, at 21:36 Europe/Amsterdam, Sean Donelan wrote: Should any dialup, dsl, cable, wi-fi, dhcp host be able to use any service at any time? For example run an SMTP mailer, or leave Network Neighborhood open for others to browse or install software on their computers? As someone who has been using IP for a while now, I would very much like to be able to use any service at any time. Or should ISPs have a default deny on all services, and subscribers need to call for permission if they want to use some new service? Should new services like Voice over IP, or even the World Wide Web be blocked by default by service providers? Obviously not. Blocking services that are known to be bad or vulnerable wouldn't be entirely unreasonable, though. But who gets to decide which services should be blocked? Some services are very dangerous and not very useful, so blocking is a no brainer. Other services are only slightly risky and very useful. Where do we draw the line? Who draws the line? As a HOST requirement, I think all hosts should be client-only by default. That includes things when acting as like hosts such as routers, switches, print servers, file servers, UPSes. If a HOST uses a network protocol for local host processes (e.g. X-Windows, BIFF, Syslog, DCE, RPC) by default it should not accept network connections. It should require some action, e.g. the user enabling the service, DHCP-client enabling it in a profile, clicking things on the LCD display on the front of the printer, etc. Get yourself a Mac. :-) I think it would be useful to set aside a block of port numbers for local use. These would be easy to filter at the edges of networks but plug and play would still be possible. SERVICE PROVIDERS do not enforce host requirements. But someone has to. The trouble is that access to the network has never been considered a liability, except for local ports under 1024. (Have a look at java, for example.)
I believe that the only way to solve all this nonsense is to have a mechanism that is preferably outside the host, or at least deep enough inside the system to be protected against application holes and user stupidity, which controls application's access to the network. This must not only be based on application type and user rights (user www gets to run a web server that listens on port 80) but also on application version. So when a vulnerability is found the vulnerable version of the application is automatically blocked. I don't see something like this popping up over night, though.
Re: Providers removing blocks on port 135?
Iljitsch van Beijnum wrote: But someone has to. The trouble is that access to the network has never been considered a liability, except for local ports under 1024. (Have a look at java, for example.) I believe that the only way to solve all this nonsense is to have a mechanism that is preferably outside the host, or at least deep enough inside the system to be protected against application holes and user stupidity, which controls application's access to the network. This must not only be based on application type and user rights (user www gets to run a web server that listens on port 80) but also on application version. So when a vulnerability is found the vulnerable version of the application is automatically blocked. Go and count the Pinto's on US101 or I-880. :-) I don't see something like this popping up over night, though. For this to be really effective, there needs to be an unbroken chain of authentication for code from the author to your PC and additionally the operating system needs to change to get rid of the notion of superuser. As has been said multiple times on this and other lists, most consumer users expect their stuff just work and unfortunately Microsoft translated this requirement to Always Local Administrator which has catastrophic security consequences. The chain above does not have to mean that there is central authority enabling the code to run on your box, it can as well give the right to you or some place in the organization where it makes sense. Pete
Re: VeriSign SMTP reject server updated
neal rauhauser wrote: Rather than bashing someone who is doing something positive we should see if we can paypal him $$$ for a box of tacks so he can mine the chairs of the tack head marketing weasels who decided this would be a good idea ... Could we convince Washington that this is an operation of the axis of evil and they should send appropriate forces to remove the dictator(s) and liberate the .com and .net domain spaces to the people with freely elected governing body looking after them in the future? Pete
Re: Worst design decisions?
The off-topic nanog thread that won't die (where are the topic police?...never around when you need one)...and then just when you think it has died, some member's virus infected Microsoft Windows PC (hey is that redundant?) replies to you with the thread's subject and no body other than a virus attachment, even though you never replied (on-list) to the thread. Whoever you are, do everyone a favor and turn off your PC. Received: from speedbd.speedbd.net (212-165-128-186.reverse.newskies.net [212.165.128.186] (may be forged)) by sloth.lewis.org (8.11.6/8.11.6) with SMTP id h8L7A4P09167 for [EMAIL PROTECTED]; Sun, 21 Sep 2003 03:10:19 -0400 My vote for worst design decision? Easy. Lookout Virus Express. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Verisign's Threat to Infrastructure Stability
FWIW: To: The Department of Homeland Security Sent (via dhs.gov site form) Dated: 21 Sep 2003 14:24:37 - Category: Security Threats Message: Threat to the stability and predictability of the Internet infrastructure: Verisign is solely and exclusively responsible for the maintenance (and therefore stability) of the root GTLD domain name servers for .com and .net top level domains. Verisign has recently wildcarded address records in such a way that attempts to access nonexistent (ie unregistered or mistyped) domain names results in a redirection to a Verisign site at sitefinder.verisign.com. This obviously profit-motive-driven act is not only in violation of certain terms of its contract with ICANN, but has had a destabilizing effect on the network operators community who expect the Internet name service to operate in a designed and predictable way. DHS would be well advised to consider the potential threat that Internet unpredictability has on this country's cyber infrastructure and to seriously consider the relocation of root server responsibility to non-profit-motive-driven organizations. We are all too busy maintaining stable environments to have to consider reactions and countermeasures to Verisign's autonomous and arrogant behavior.
Re: ICANN - Formal Complaint re Verisign
Geotrust is not Verislime, but they *are* Choicepoint. If you don't know who Choicepoint is; well, they vacuum up your personal data and resell it to all comers. Google on Choicepoint FTC for a rundown. Sort of John Poindexter's version of Halliburton..a private sector Big Brother. I regard Verislime vs Choicepoint as like Joey (The gang that couldn't shoot straight..) Leonand's outfit vs. the Colombian mobs. Sigh, I'll be sticking with Verislime for buying certs, I guess. -- A host is a host from coast to [EMAIL PROTECTED] no one will talk to a host that's close[v].(301) 56-LINUX Unless the host (that isn't close).pob 1433 is busy, hung or dead20915-1433
Re: Providers removing blocks on port 135?
Yes, this is all too familiar. Luckily it was not so acute for us. The porn company in question was using legit credit cards and we knew where they were located. We too got to the point where I had to contemplate blocking dialups with no ANI as I had already blocked all access from their phone numbers. However, once they started doing that I called up their office yelling and screaming law suits and I guess they figured there were other ISPs that didn't care as much and moved on to them. ---Mike At 10:39 PM 20/09/2003, [EMAIL PROTECTED] wrote: At one time, signing up for throwaway dial-up accounts was a common spammer MO. We got hit a couple times, and they were like a plague of vermin [the spammers]. They'd sign up giving us bogus contact info and a freshly stolen (active) credit card. When the account was activated, they'd dial in using half a dozen or so lines and pump out as much spam (direct-to-MX) as they could. The really annoying bit is, we'd terminate them, they'd call right back, and sign up again, giving different bogus info and card numbers. We'd block them by ANI, and they'd block caller-ID when calling us. I ended up being forced to block access to some of our dial-up numbers both by ANI, and if there was no ANI, and then had to setup exceptions for a few customers in those areas who we never got ANI for. When I tried getting police in their areacode to investigate, they had no interest/were too busy...even though I could give them phone numbers the accounts were used from and stolen credit cards. To put a little operational spin in here...how many of you run dial-up networks where you refuse logins unless you get ANI?...and if you do this, do you also maintain an ANI blacklist? Anyway...they moved on to proxy abuse, then outright theft by creating their own proxies on compromised MS Windows boxes. Both methods have the advantage of totally hiding the spammer from the recipients and bandwidth amplification.
I imagine you could utilize multiple spam proxies on broadband connections pumping out your spam while connected via dial-up yourself. If you look at the numbers at http://njabl.org/stats, about 5% of the hosts that have ever been checked are currently open relays (or nobody's bothered to remove them). IIRC, at one point, this was nearly 20%. 13.6% are open proxies...and the disparity is definitely still growing, with about 10x as many open proxies as relays being detected daily. Unfortunately, the new breed of purpose-built spam proxies are generally not remotely detectable, so the proxy percentage would be even higher if it included the newer spam proxies. -- Jon Lewis [EMAIL PROTECTED]| I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
RE: When is Verisign's registry contract up for renewal
This sort of not-for-profit is exactly what I proposed when the VeriSign discussion started. A non-technical response to a non-technical problem. Since my initial email, I've recruited a few other NANOG folks and put up a website: www.alt-servers.org. -Mike (Please excuse any formatting oddities, sent via OWA) -Original Message- From: Jared Mauch To: Henry Linneweh Cc: Paul Vixie; [EMAIL PROTECTED] Sent: 9/21/2003 12:28 AM Subject: Re: When is Verisign's registry contract up for renewal On Sat, Sep 20, 2003 at 11:23:04PM -0700, Henry Linneweh wrote: My view would concur with this, these are really old battles starting back in the netsol days and now the verisign has taken the same short sighted path. It is time that neutral party is in charge -Henry R Linneweh I was thinking this earlier this week. This is a public-trust that should be operated by people whose sole job is to keep it up and working, not by a dual-role entity as it is today. Perhaps we can get someone to make a not-for-profit for this sole role. - Jared Paul Vixie [EMAIL PROTECTED] wrote: ICANN can seek specific performance of the agreement by Verisign, or seek to terminate Verisign's contract as the .COM/.NET registry operator and transfer the operation to a successor registry. Quite honestly I'd like to see all of the GTLD servers given to neutral companies, ones that ARE not registrars. [...] frankly i am mystified as to why icann awards registry contracts to for-profit entities. registrars can be for-profit, but registries should be non-profit or public-trust or whatever that specific nation's laws allow for in terms of requirements for open accounting, uniform dealing, and nonconflict with the public's interest. -- Paul Vixie -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: VeriSign SMTP reject server updated
On Sun, 21 Sep 2003, Daniel Roesen wrote: On Sun, Sep 21, 2003 at 10:08:27AM +, Stephen J. Wilcox wrote: What if you change the behaviour of the GTLD named daemons to return an NXDOMAIN response to any MX queries on non-existent domains, you will then take this whole debate on SMTP out of the equation ... MTAs fall back to the A RR if there are no MX RRs for a given recipient domain. That was my understanding but on checking with Paul he said that NXDOMAIN means don't do further checks so don't look for A... Steve
Re: VeriSign SMTP reject server updated
SJW Date: Sun, 21 Sep 2003 15:17:34 + (GMT) SJW From: Stephen J. Wilcox SJW That was my understanding but on checking with Paul he said SJW that NXDOMAIN means don't do further checks so don't look for SJW A... Return NOERROR for one type of RR, but NXDOMAIN for another? Is that valid?! Hit me with a clue-by-four if appropriate, but I thought NOERROR/NXDOMAIN was returned per-host, regardless of RRTYPE requested. Giving NXDOMAIN for MX yet returning NOERROR for A RRs doesn't sound kosher. Time for me to dig through a few RFCs. Eddy -- Brotsman Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: VeriSign SMTP reject server updated
on 9/21/2003 11:19 AM E.B. Dreger wrote: Return NOERROR for one type of RR, but NXDOMAIN for another? Is that valid?! Hit me with a clue-by-four if appropriate, but I thought NOERROR/NXDOMAIN was returned per-host, regardless of RRTYPE requested. Giving NXDOMAIN for MX yet returning NOERROR for A RRs doesn't sound kosher. It's not valid and it won't work very well if it works at all. Your local cache will use whatever it learned on the last query. This is the seed for another problem set with the various workarounds as well, although I'm still thinking these through. Different servers that provide different kinds of glue could theoretically trip your cache. At this point, I think we're on the verge of having multiple (different) namespaces, which is extremely dangerous. At the same time, the arguments against multiple roots are pretty much going out the window. To be clear, however, I don't think the workarounds are the problem. I think VeriSign has broken DNS by conflating error codes. -- Eric A. Hallhttp://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
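Added example, not part of any poster's message: a small Python model of two points from the messages above, that an MTA falls back to the A RR when a name has no MX, and that a cache storing NXDOMAIN per name makes a split MX/A answer depend on query order. The server functions, the cache class, the name and the 192.0.2.1 address are constructed for illustration, and the per-name NXDOMAIN keying is an assumption that follows RFC 2308.

```python
"""Toy model of the proposal discussed above: a .com server that answers
NXDOMAIN for MX but still serves the wildcard A record for the same name."""

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"
WILDCARD_A = "192.0.2.1"  # constructed (documentation range); stands in for the wildcard target


def wildcard_server(qname, qtype):
    """Wildcard A only: every unregistered name exists, so MX gets NOERROR with no data."""
    return (NOERROR, [WILDCARD_A]) if qtype == "A" else (NOERROR, [])


def split_rcode_server(qname, qtype):
    """Hypothetical server for the proposal: NXDOMAIN for MX, wildcard answer for A."""
    if qtype == "MX":
        return NXDOMAIN, []
    return wildcard_server(qname, qtype)


class CachingResolver:
    """Minimal cache. Assumption: NXDOMAIN is stored per name and covers all types;
    positive and no-data answers are stored per (name, type). TTLs are ignored."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.nxdomain_names = set()
        self.answers = {}
        self.upstream_queries = 0

    def query(self, qname, qtype):
        qname = qname.lower().rstrip(".")
        if qname in self.nxdomain_names:      # name already cached as non-existent
            return NXDOMAIN, []
        if (qname, qtype) in self.answers:
            return NOERROR, self.answers[(qname, qtype)]
        self.upstream_queries += 1
        rcode, rdata = self.upstream(qname, qtype)
        if rcode == NXDOMAIN:
            self.nxdomain_names.add(qname)    # from now on this hides the A record too
            return NXDOMAIN, []
        self.answers[(qname, qtype)] = rdata
        return NOERROR, rdata


def mail_route(resolver, domain):
    """MTA next-hop choice: MX first, then the A record as an implicit MX."""
    rcode, mx = resolver.query(domain, "MX")
    if rcode == NXDOMAIN:
        return "bounce", None                 # domain does not exist, no further lookups
    if mx:
        return "deliver", mx[0]
    rcode, addrs = resolver.query(domain, "A")
    if rcode == NOERROR and addrs:
        return "deliver", addrs[0]            # fallback to the A RR
    return "bounce", None


def a_lookup_history(server, name):
    """Ask for A, then MX, then A again through one cache; return the three rcodes."""
    resolver = CachingResolver(server)
    return [resolver.query(name, qtype)[0] for qtype in ("A", "MX", "A")]


if __name__ == "__main__":
    name = "unregistered.example"             # constructed name
    print(mail_route(CachingResolver(wildcard_server), name))
    print(mail_route(CachingResolver(split_rcode_server), name))
    print(a_lookup_history(split_rcode_server, name))
```

With the wildcard alone, mail for the unregistered name is routed to the wildcard address; with the split answer it bounces, but the same cache then stops returning the A record once any MX query has been made.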
More .com/.net issues
I'm seeing bulk access to .com and .net blocked at the moment. Other zones are available from Verisign's ftp server as usual, but .net and .com are empty (and the signature files are listing them as empty too). Anyone heard anything from Verisign about this? Cheers, Steve -- -- Steve Atkins -- [EMAIL PROTECTED]
Re: If Verisign *really* wants to help ...
Of course, folks realize that Verisign is now one of the largest SS7 network operators in the world. Almost all CLECs in the USA use Verisign's SS7 network. Verisign has become the single point of failure for almost all of the USA's public networks (voice, data, Internet, etc). That gets even more frightening when you look at the background of Verisign's management team. I'm not usually one to buy into conspiracy theories, and, I'm not suggesting any evidence supports one here. However, these guys are from the government, and, it's obvious they're not here to help. If you look at the Verisign/NetSol management team, you'll see that it has a large contingent of ex-CIA/NSA/etc. I don't know this is bad, but, I know it can't be good. (Think Carnivore) Owen
Re: VeriSign SMTP reject server updated
On Sun, 21 Sep 2003, Eric A. Hall wrote: on 9/21/2003 11:19 AM E.B. Dreger wrote: Return NOERROR for one type of RR, but NXDOMAIN for another? Is that valid?! Hit me with a clue-by-four if appropriate, but I thought NOERROR/NXDOMAIN was returned per-host, regardless of RRTYPE requested. Giving NXDOMAIN for MX yet returning NOERROR for A RRs doesn't sound kosher. It's not valid and it won't work very well if it works at all. Your local cache will use whatever it learned on the last query. I didn't say it was valid :) just that if Verisign can't be stopped with their A record we might be able to mitigate on some of the things they broke (of course for a gtld to respond this way implies verisign actually implement this broken idea) This is the seed for another problem set with the various workarounds as well, although I'm still thinking these through. Different servers that provide different kinds of glue could theoretically trip your cache. Maybe, needs more thought for sure.. At this point, I think we're on the verge of having multiple (different) namespaces, which is extremely dangerous. At the same time, the arguments against multiple roots are pretty much going out the window. Not at all, the problem is with .com and .net ... you aren't seriously going to use an alternative root using someone else's .com/.net zones surely.. To be clear, however, I don't think the workarounds are the problem. I think VeriSign has broken DNS by conflating error codes. Yup, it perhaps needs a couple more weeks for the dust to settle but early indications are that they do not intend to give this up without a fight and thus far no one has engaged them properly Steve
Re: Providers removing blocks on port 135?
My guess is that you haven't heard of the current issue with various servers running SMTP AUTH. These MTAs are secure by normal mechanisms, but are being made to relay spam anyway. You're right. It's been a while since I was last on the front lines of this issue. It's hard enough to get mailservers secured when they are maintained by real sysadmins on static IPs with proper and informative PTR records. When the IP addresses sourcing the spam are moving targets, with generic PTR records, and the machines are being operated by end users with no knowledge that their computer is even capable of sending direct to MX mail, the situation is impossible to solve without ISP intervention via Port filtering, etc. So, what you're saying is that a large number of easily compromised hosts are the Root Cause. While blocking port 25 traffic from these systems is a convenient patch, it's not a solution to the root cause. The solution is to make the hosts less vulnerable. One step towards doing that will be to put real product liability on the vendor of the software and the corporations running fleets of compromised systems. Right now, Windows owns the world and the hackers own Windows. The only corporate wake-up call that seems to get understood is one that comes from the legal department. If the person running the system in question chooses to do so, yes, they should be able to do so. If the person running the system in question wants to run server class services, such as ftp, smtp, etc, then they need to get a compatible connection to the internet. There are residential service providers that allow static IP addressing, will provide rDNS, and allow all the servers you care to run. They generally cost more than dial-ups or typical dynamic residential broadband connections. As a rule, you tend to get what you pay for. There are lots of different scenarios available. 
The bottom line is still that, while an effective workaround, blocking internet ports is not a solution to the root cause of the problem. When we decide that workarounds are solutions, we only invite an arms race of escalating denial of services. My concern is that we seem to have reached a place where we take for granted the immutable vulnerability of systems and, therefore, don't seek to solve the problem, but, instead decide to move from one workaround to the next. I agree the workarounds are necessary for now, but, that doesn't mean we should accept them as permanent solutions. We should work to solve the root cause of the problem as well. Owen -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Margie Arbon Mail Abuse Prevention System, LLC [EMAIL PROTECTED] http://mail-abuse.org
Are Wildcards another Y2K?
One thing that Y2K taught us was that programmers do some really stupid things with hard coded "this should never occur naturally" values. The year '99' was used to trigger all kinds of interesting things like erasing backup tapes, destroying inventory and worse. It is not implausible that someone has hard coded an asdfjlkl.com type domain somewhere important. The effects of such errors are not always immediately visible as they were with the spam filters. The problem is that the COM zone is part of the largest legacy software system the world has ever seen. Configuration changes to it affect virtually every application that uses DNS. How many lines of code is that? Hundreds of millions? Billions? Any configuration change to the legacy zones should be made only after careful consideration, with a strong prejudice to do nothing. Because V$ is downplaying the seriousness of this problem, many (most) won't audit their systems to see how it might be affected by this. I hope V$ is prepared to take responsibility for whatever breaks. I hope DOD/FBI/DHS aren't expecting a stable COM zone. I guess we'll find out the next time a terrorist buys a plane ticket or 1000 lbs of fertilizer using a bogus email address. KL
Re: Providers removing blocks on port 135?
On Sun, 21 Sep 2003, Mike Tancsa wrote: Yes, this is all too familiar. Luckily it was not so acute for us. The porn company in question was using legit credit cards and we knew where they were located. We too got to the point where I had to contemplate blocking dialups with no ANI as I had already blocked all access from their phone numbers. However, once they started doing that I called up their office yelling and screaming law suits and I guess they figured there were other ISPs that didn't care as much and moved on to them. I don't know if you did this but if it were me I'd have contacted two other places. The first would have been the credit card companies with the stolen credit cards. They are usually fairly responsive when it comes to them losing money. Secondly after I contacted the local police, state BI, and perhaps the FBI (assuming no luck could be had with any of them) I would have given the story to the local media. There's nothing like a little bad PR to give law enforcement a little kick in the butt. If your newspapers where you're at are anything like ours, they love to print a good scandal involving the local government. Justin
Re: VeriSign SMTP reject server updated
On Sat, Sep 20, 2003 at 08:31:27PM -0400, Joe Provo wrote: Wrong protocol. There should be *NO* SMTP transactions for non-existent domains. After being bit by this over the weekend I would have to agree, due to a screwup at netSOL a company's domain I manage was resolving to their sitefinder service, and all mail just went *poof*. -- Matthew S. HallacyFUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203
Re: When is Verisign's registry contract up for renewal
This sort of not-for-profit is exactly what I proposed when the VeriSign discussion started. A non-technical response to a non-technical problem. Since my initial email, I've recruited a few other NANOG folks and put up a website: www.alt-servers.org. what a BAD idea. worse than anything else on the table or in existence today. -- Paul Vixie
Re: When is Verisign's registry contract up for renewal
On Sun, 21 Sep 2003, Paul Vixie wrote: This sort of not-for-profit is exactly what I proposed when the VeriSign discussion started. A non-technical response to a non-technical problem. Since my initial email, I've recruited a few other NANOG folks and put up a website: www.alt-servers.org. what a BAD idea. worse than anything else on the table or in existence today. Splitting the root you mean? I'm not sure there was enough info on that site to come to any other conclusion, but I wanted to make sure. andy -- PGP Key Available at http://www.tigerteam.net/andy/pgp
Re: When is Verisign's registry contract up for renewal
website: www.alt-servers.org. what a BAD idea. worse than anything else on the table or in existence today. Splitting the root you mean? I'm not sure there was enough info on that site to come to any other conclusion, but I wanted to make sure. this is just dns piracy, dressed up in a morality play. it won't hold.
Re: If Verisign *really* wants to help ...
On Sun, 21 Sep 2003, Owen DeLong wrote: That gets even more frightening when you look at the background of Verisign's management team. I'm not usually one to buy into conspiracy theories, and, I'm not suggesting any evidence supports one here. However, these guys are from the government, and, it's obvious they're not here to help. Wow, and here comes the Tri-Lateral Commission :( So what if they were former Gov't employees? They were likely culled from the copious numbers of ex-gov't folks in the Washington, DC area. That and they opening some doors via networking and contacts in the DC area for Verisign. I'm not sure that their background has really any bearing in this case. A case where it DID would be them directing ALL domains through a central location for monitoring, which clearly isn't happening here.
Re: Windows updates and dial up users
On Sun, 21 Sep 2003 18:25:50 EDT, Sean Donelan [EMAIL PROTECTED] said: I recently put this suggestion to Microsoft and their response basically avoided the whole issue. Why wouldn't the company want to offer such a CD, assuming that's the motivation behind their stonewalling? It would cost money to produce and ship a new CD on a frequent enough basis for it to do any good. Consider that we're seeing worms within 4 weeks of the patch coming out. How many CD duplicating places are willing to take on a multi-million run with a 1-2 week turn-around, once a month, every month? And how much of a market would there really be? Are there enough people that would apply patches if they got a monthly CD that it would actually make a measurable difference? What price point are they willing to pay for the CD, and what does it mean for Microsoft? I mean... look at it from Microsoft's point of view - why should they *CARE* if 65% or 85% of the hosts on the Infobahn are exploding Pintos, when unlike a Pinto exploding on the Washington Beltway, a Pinto exploding on the Infobahn doesn't affect their bottom line any?
RE: VeriSign SMTP reject server updated
Just wait until they start accepting the mail, logging it, and then returning it to sender. Make one hell of an interesting way to monitor what's going on out there Nahh, wouldn't happen, would it Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew S. Hallacy Sent: Sunday, September 21, 2003 2:02 PM To: [EMAIL PROTECTED] Subject: Re: VeriSign SMTP reject server updated On Sat, Sep 20, 2003 at 08:31:27PM -0400, Joe Provo wrote: Wrong protocol. There should be *NO* SMTP transactions for non-existent domains. After being bit by this over the weekend I would have to agree, due to a screwup at netSOL a company's domain I manage was resolving to their sitefinder service, and all mail just went *poof*. -- Matthew S. HallacyFUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203
ICANN asks VeriSign to pull redirect service
http://msnbc-cnet.com.com/2100-1024_3-5079768.html?part=msnbc-cnettag=alert form=feedsubj=cnetnews The agency that oversees Internet domain names has asked VeriSign to voluntarily suspend a new service that redirects Web surfers to its own site when they seek to access unassigned Web addresses, rather than return an error message. == Eric GermannCCTec [EMAIL PROTECTED] Van Wert OH 45891 http://www.cctec.comPh: 419 968 2640 Fax: 603 825 5893 The fact that there are actually ways of knowing and characterizing the extent of one's ignorance, while still remaining ignorant, may ultimately be more interesting and useful to people than Yarkovsky -- Jon Giorgini of NASA's Jet Propulsion Laboratory
Re: ICANN asks VeriSign to pull redirect service
It's been about 2 days since ICANN requested Verisign to stop breaking. http://www.icann.org/announcements/advisory-19sep03.htm Recognizing the concerns about the wildcard service, ICANN has called upon VeriSign to voluntarily suspend the service until the various reviews now underway are completed. -hc -- Haesu C. TowardEX Technologies, Inc. Consulting, colocation, web hosting, network design and implementation http://www.towardex.com | [EMAIL PROTECTED] Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174 Fax: (978)263-0033 | POC: HAESU-ARIN On Sun, Sep 21, 2003 at 10:42:37PM -0400, Eric Germann wrote: http://msnbc-cnet.com.com/2100-1024_3-5079768.html?part=msnbc-cnettag=alert form=feedsubj=cnetnews The agency that oversees Internet domain names has asked VeriSign to voluntarily suspend a new service that redirects Web surfers to its own site when they seek to access unassigned Web addresses, rather than return an error message. == Eric GermannCCTec [EMAIL PROTECTED] Van Wert OH 45891 http://www.cctec.comPh: 419 968 2640 Fax: 603 825 5893 The fact that there are actually ways of knowing and characterizing the extent of one's ignorance, while still remaining ignorant, may ultimately be more interesting and useful to people than Yarkovsky -- Jon Giorgini of NASA's Jet Propulsion Laboratory