Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
Eric Germann wrote:

> And what's to say they don't get around our methods of blacklisting it by
> changing the IP around every zone update?

    result = query domain.tld
    wild = query *.tld
    if result = wild & dontwantwild then result = NXDOMAIN

-Jack
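The query/compare approach in the message above, written out as an added example (not code from the thread or from any resolver). The zone data is constructed, using RFC 5737 documentation addresses, and lookup() is an in-memory stand-in for the two DNS queries the pseudocode makes; the names dontwantwild, SAMPLE_ZONE and query_without_wildcard are this example's own.

```python
"""Resolver-side suppression of a TLD wildcard, after the query/compare
approach in the thread.  All zone data below is constructed sample data using
RFC 5737 documentation addresses; lookup() is an in-memory stand-in for the
two DNS queries the pseudocode makes."""

NXDOMAIN = "NXDOMAIN"

# Constructed sample TLD zone: one wildcard plus a few registered names.
SAMPLE_ZONE = {
    "*.example": ["192.0.2.1"],          # the wildcard being objected to
    "real.example": ["198.51.100.5"],    # an ordinary registered name
    "same-ip.example": ["192.0.2.1"],    # registered, but hosted on the wildcard's IP
}


def lookup(zone, name):
    """Wildcard-aware lookup: exact match first, then the nearest wildcard
    walking up the labels (the way a wildcard synthesizes answers for names
    that do not exist).  Returns a sorted address list or NXDOMAIN."""
    if name in zone:
        return sorted(zone[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return sorted(zone[wild])
    return NXDOMAIN


def query_without_wildcard(zone, name, dontwantwild=True):
    """The pseudocode from the message: query the name, query *.tld, and if
    the answer is exactly the wildcard's answer, hand back NXDOMAIN instead.

    Because the wildcard is re-queried on every lookup rather than read from
    a static blacklist, a zone update that moves the wildcard to a new IP is
    picked up automatically, which answers the objection quoted above."""
    result = lookup(zone, name)
    tld = name.rsplit(".", 1)[-1]
    wild = lookup(zone, "*." + tld)
    if dontwantwild and result != NXDOMAIN and result == wild:
        return NXDOMAIN
    return result


if __name__ == "__main__":
    for qname in ("nonexistent.example", "real.example", "same-ip.example"):
        print(qname, "->", query_without_wildcard(SAMPLE_ZONE, qname))
```

The same-ip.example entry shows the check's limitation: a registered name that happens to be hosted on the wildcard's address is indistinguishable, by answer comparison alone, from a synthesized one and gets suppressed too. The check tells you only that the answer equals the wildcard's answer, not whether the name exists in the zone.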
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
On Tue, 16 Sep 2003 [EMAIL PROTECTED] wrote:

> How frikking many hacks will we need to BIND9 to work around this braindamage?
> One to stuff back in the NXDomain if the A record points there, another to
> do something with make-believe DNSsec from them. What's next?

Well, you can always vote...

http://www.forbes.com/2003/05/01/cx_ceointernetpoll.html

Link courtesy of inet-access.

--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet: Connecting you to the planet.  805 884-6323  WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/
RE: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
And what's to say they don't get around our methods of blacklisting it by
changing the IP around every zone update?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 2:18 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Verisign brain damage and DNSSec.Was:Re: What *are* they smoking?

On Tue, 16 Sep 2003 11:08:11 PDT, [EMAIL PROTECTED] said:
> > On Tue, 16 Sep 2003 09:59:40 PDT, [EMAIL PROTECTED] said:
> that's one aspect yes. the validation chain should tell
> you who signed the delegations. It won't lie.
> you will know that V'sign put that data there.

How frikking many hacks will we need to BIND9 to work around this braindamage?
One to stuff back in the NXDomain if the A record points there, another to
do something with make-believe DNSsec from them. What's next?
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
On Tue, 16 Sep 2003 11:27:08 PDT, [EMAIL PROTECTED] said:

> if vt.edu wants to place a:
>
>     * in a 198.82.247.53
>
> in the vt.edu zone, why should anyone complain that now vt.edu
> doesn't return NXDOMAIN for all un-delegated entries? You want
> that everyone should hack the DNS to force NXDOMAINS for your
> wildcard? Feh.

So you're saying it's OK when Verisign does the same exact thing one level up?
Or are you surprised that people are coding it for the Verisign case?

The difference is when we urinate in our zone of the DNS, it's OUR zone. When
Verisign does it, they're not urinating in *THEIR* .COM, they're urinating in
a .COM they were holding in the public trust. If in fact .COM is now Verisign's
playground rather than a public trust, then that's a different matter.

> DNSSEC will tell a validating resolver the signature of each
> party that signed part of the chain. If Verisign wishes to
> sign bits of data that might exist under the delegation point
> they have responsibility for, I'm in favor. It's not "make-believe"
> ... or perhaps I don't understand your angst.

The point is they're not signing data that might exist, they're signing data
that doesn't exist. If a query comes in for www.never-existed.com, what exactly
is getting signed? (Yes, if it's a synthesized reply based on a wildcard, you
can count the NXT's and stuff to determine that - but I quite frankly don't
trust the Verisign people to not intentionally obfuscate the replies to make
this impossible.)
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
[EMAIL PROTECTED] wrote:

> How frikking many hacks will we need to BIND9 to work around this braindamage?
> One to stuff back in the NXDomain if the A record points there, another to
> do something with make-believe DNSsec from them. What's next?

You mean that you don't like it when the Authority the community places its
trust in abuses that power? heh. Go figure. I hope they are sued out of
existence. At the least, ICANN needs to do its job. I have a severe issue with
changes being made that cause a lot of damage.

-Jack
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
> > that's one aspect yes. the validation chain should tell
> > you who signed the delegations. It won't lie.
> > you will know that V'sign put that data there.
>
> How frikking many hacks will we need to BIND9 to work around this braindamage?
> One to stuff back in the NXDomain if the A record points there, another to
> do something with make-believe DNSsec from them. What's next?

'splain "braindamage" in this context please.

DNSSEC - signed data in the zone.
wildcards - part of the spec.

if vt.edu wants to place a:

    * in a 198.82.247.53

in the vt.edu zone, why should anyone complain that now vt.edu
doesn't return NXDOMAIN for all un-delegated entries? You want
that everyone should hack the DNS to force NXDOMAINS for your
wildcard? Feh.

DNSSEC will tell a validating resolver the signature of each
party that signed part of the chain. If Verisign wishes to
sign bits of data that might exist under the delegation point
they have responsibility for, I'm in favor. It's not "make-believe"
... or perhaps I don't understand your angst.
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
On Tue, 16 Sep 2003 11:08:11 PDT, [EMAIL PROTECTED] said:

> > On Tue, 16 Sep 2003 09:59:40 PDT, [EMAIL PROTECTED] said:
> that's one aspect yes. the validation chain should tell
> you who signed the delegations. It won't lie.
> you will know that V'sign put that data there.

How frikking many hacks will we need to BIND9 to work around this braindamage?
One to stuff back in the NXDomain if the A record points there, another to
do something with make-believe DNSsec from them. What's next?
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
> On Tue, 16 Sep 2003 09:59:40 PDT, [EMAIL PROTECTED] said:
> > DNSsec will work properly with wildcards, regardless of where they are
> > in the DNS.
>
> Which means that a rogue DNS can lead you down the garden path and
> DNSsec won't give you a clue that you're being lied to. It's the same
> question as the "what happens to SSL to a phantom site?" - Verisign can
> provide an A record for the server and an SSL cert that will work.

that's one aspect yes. the validation chain should tell
you who signed the delegations. It won't lie.
you will know that V'sign put that data there.

--bill
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
On Tue, 16 Sep 2003 09:59:40 PDT, [EMAIL PROTECTED] said:

> DNSsec will work properly with wildcards, regardless of where they are
> in the DNS.

Which means that a rogue DNS can lead you down the garden path and
DNSsec won't give you a clue that you're being lied to. It's the same
question as the "what happens to SSL to a phantom site?" - Verisign can
provide an A record for the server and an SSL cert that will work.
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
[EMAIL PROTECTED] wrote:
>
> yes. you might want to view/review
> http://www.ietf.org/internet-drafts/draft-ietf-dnsext-wcard-clarify-01.txt
>

Wow. That's supposed to clarify? Needs serious editing! (heck, there are
typos in the first sentence of the first paragraph of the introduction, and
it gets worse from there.)

> DNSsec will work properly with wildcards, regardless of where they are
> in the DNS.

Well, maybe. Only when the world changes to follow this internet-draft.

But at least it's good that somebody is thinking about it

--
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
yes. you might want to view/review
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-wcard-clarify-01.txt

DNSsec will work properly with wildcards, regardless of where they are
in the DNS.

> Has anyone thought through the DNSsec implications of this?
>
> (spool up the black helicopters)
>
> Greg Maxwell wrote:
> > On Tue, 16 Sep 2003, Haesu wrote:
> >
> > > I must ask the subject again. What in the name of < censored > *are* they smoking?
> > > Who exclusively gave them the right to own the 'net and decide which domain points
> > > to where?
> > > Completely unacceptable.
> >
> > It's very amusing to see people on *this* list asking *who* gave control
> > to them. Who else configures your customers' DNS settings?
Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
Has anyone thought through the DNSsec implications of this?

(spool up the black helicopters)

Greg Maxwell wrote:
> On Tue, 16 Sep 2003, Haesu wrote:
>
> > I must ask the subject again. What in the name of < censored > *are* they smoking?
> > Who exclusively gave them the right to own the 'net and decide which domain points
> > to where?
> > Completely unacceptable.
>
> It's very amusing to see people on *this* list asking *who* gave control
> to them. Who else configures your customers' DNS settings?