[swinog] FYI [from nanog] use of DNS wildcards in TLD

2003-09-16 Thread netbsd
[...]
Today VeriSign is adding a wildcard A record to the .com and .net
zones.  The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is
being added now.  We have prepared a white paper describing VeriSign's
wildcard implementation, which is available here:

http://www.verisign.com/resources/gd/sitefinder/implementation.pdf

julien
[EMAIL PROTECTED]
--
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/


[swinog] For the ones not reading nanog (was Re: Change to .com/.net behavior)

2003-09-16 Thread Pascal Gloor
FYI

- Original Message - 
From: George William Herbert [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 10:21 AM
Subject: Re: Change to .com/.net behavior





> I would like to make a few evolving observations
> about the wildcard DNS entries which Verisign
> initiated in .net and .com earlier today.
>
> 1) By all reasonable interpretations, Verisign is now
> operating in violation of the .com and .net Registry
> Agreements.  Specifically, Sect 24 of the main agreement
> for .com and Sect 3.5.3, 3.5.5, and 3.6, 3.8 of the main
> agreement for .net, and the rather blank Appendix X.
> I believe it to be trivial to demonstrate that even
> if Verisign issued an amended Appendix X, such a wildcard
> entry will exceed the numerical limits specified of 5000
> domains, and that the anti-competitive and code of conduct
> sections will still apply and prohibit this behaviour.
> Explicitly.
>
> 2) By any reasonable interpretation this sort of change
> should have been clearly announced beforehand to technical
> communities that would be affected, including but not
> limited to NANOG, and was not.
>
> 3) By any reasonable interpretation this sort of change
> should have been clearly announced beforehand to policy
> communities that would be affected, and was not.
>
> 4) By any reasonable interpretation of safe and conservative
> operational procedure, when the various technical and policy
> issues which were raised over the course of today were
> made public, Verisign should have rolled the changes back
> out and announced so until such time as at least *proper*
> and extensive announcements were made, preferably until such
> time as Verisign obtained technical community and policy
> community approval.  Verisign has not done so as of when this
> email was being prepared, at least not querying A.GTLD...
>
> 5) An organization which displays this sort of behaviour
> is not a reasonable candidate from an operational standpoint
> to stand as the manager of any GTLD.
>
> 6) An organization which displays this sort of behaviour
> is not a reasonable candidate from a legal standpoint to
> stand as the manager of any GTLD.
>
> 7) An organization which displays this sort of behaviour
> is not a reasonable candidate from a technical standpoint
> to stand as technical manager of any GTLD or the registrar
> coordination processes.
>
> 8) An organization which displays these sorts of behaviours
> clearly calls into question the operating assumptions about
> fair registrar behaviour in the .com and .net registry
> agreements and thus the entire validity of allowing one
> company to both manage and act as a registrar for those
> domains.
>
> 9) The apparent complete lack of clue on Verisign's
> part as to the magnitude of the hornets' nest that
> this change would kick over, and its lack of any appropriate
> responses, even simply better and wider information releases,
> calls into question the suitability of Verisign's staff
> and management structure for operating the key central
> registry functions.
>
> 10) Given items 1-9, I call upon ICANN to immediately
> launch an investigation into the validity and legality
> of Verisign's wildcard DNS entries; into the operational
> procedures Verisign is using; into the apparent material breach
> of Verisign's .com and .net management contracts; and into
> the suitability of Verisign to remain the .com and .net
> manager in the future and in particular the suitability
> of the current Verisign management team for participation
> in that key neutral operational role.  I specifically
> request that ICANN initiate community policy discussions
> as to whether the GTLD management functions should be
> required to be spun off into a separate entity from
> Verisign and not sharing any ownership or management
> structure.
>
> 11) Given items 1-9, I call upon the Department of Commerce
> to immediately investigate whether Verisign is in material
> breach of its cooperative agreements and whether Verisign
> in its current form and with its current staff are suitable
> to remain manager of the .com and .net GTLDs, and the same
> set of questions I pose to ICANN, in such areas as DOC
> is engaged in policymaking regarding Internet Domain Names.
>
>
> -george william herbert
> [EMAIL PROTECTED]





[swinog] Colt Italien

2003-09-16 Thread alain.wyss
Hello

Colt Italy blocks us on the mail side. So far, our requests for more
information to Colt Italy's abuse and postmaster remained unanswered (or
returned as non-deliverable). Can someone point me to the right place
or forward it Colt-internally?

The message we get is:
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

And it happens on ns2.it.colt.net with bluewin.ch sender addresses...

Cheers,
Alain Wyss
Bluewin AG


RE: [swinog] Colt Italien

2003-09-16 Thread Steven Glogger
hi alain

i don't know anyone @ colt italy.
but you might ask

Ron Daniel
COLT Telecom
42 Adler Street
London E1 1EE
UK 
E-Mail: ron [at] colt [dot] net

he is the one who set up the peering with us in switzerland.

i also have (from the peering contract) this NOC information:

24x7 NOC phone: +44 207 390 7848
NOC Fax: +44 207 863 5876
NOC E-Mail: Ops [at] colt [dot] net

Technical Contact Name: Neil McRae
Technical Contact Title: IP Services Director
Technical Contact Tel: +44 207 390 78 48
Technical Contact Fax: +44 207 863 58 76



-steven






RE: [swinog] Colt Italien

2003-09-16 Thread Neil J. McRae
I'll ask someone to look into this.

--
Neil J. McRae - COLT 
[EMAIL PROTECTED] 



Re: [swinog] Colt Italien

2003-09-16 Thread Matthias Blaser
On Tuesday 16 September 2003 11:42, [EMAIL PROTECTED] wrote:
> The message we get is:
> 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Isn't that a general problem with their qmail installation? This error 
means that the server does not accept the recipient's domain, regardless of 
the sender's address.

Greetz,
Matthias 

-- 
Murphy's Law is recursive.  Washing your car to make it rain doesn't work.



Re: [swinog] FYI [from nanog] use of DNS wildcards in TLD

2003-09-16 Thread Fredy Kuenzler
[EMAIL PROTECTED] wrote:
> Today VeriSign is adding a wildcard A record to the .com and .net 
> zones.  The wildcard record in the .net zone was activated from 
> 10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is 
> being added now.  We have prepared a white paper describing
> VeriSign's wildcard implementation, which is available here:
>
> http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
Anyone mistyping is forwarded to http://sitefinder.verisign.com/index.jsp

I'm gonna register *.ch and *.li now. Some extra traffic is rather nice
(a lot of $$$banners and $$$popups), isn't it?
F.



RE: [swinog] Colt Italien

2003-09-16 Thread Neil J. McRae
looks like an MX pointing to our server without
the relevant qmail config. yes.

--
Neil J. McRae - COLT 
[EMAIL PROTECTED] 



Re: [swinog] FYI [from nanog] use of DNS wildcards in TLD

2003-09-16 Thread Nik Hug

- Original Message - 
From: Fredy Kuenzler [EMAIL PROTECTED]
[..]
> I'm gonna register *.ch and *.li now. Some extra traffic is rather nice
> (a lot of $$$banners and $$$popups), isn't it?

*.ch for Fredy is fine with me - and *.com and *.net for Verisign also. 
Because I will take .*  

nik






Re: [swinog] FYI [from nanog] use of DNS wildcards in TLD

2003-09-16 Thread Matthias Leisi

> *.ch for Fredy is fine with me - and *.com and *.net for Verisign also. 
> Because I will take .*  
Makes nice mail addresses: [EMAIL PROTECTED] ;-)

-- Matthias



Re: [swinog] FYI [from nanog] use of DNS wildcards in TLD

2003-09-16 Thread Pascal Gloor
> Makes nice mail addresses: [EMAIL PROTECTED] ;-)

r@@t is even better and is RFC compliant.. as t is the TLD and r@ the
alias (yes @ is allowed in the alias :-P)


Pascal



RE: [swinog] Colt Italien

2003-09-16 Thread alain.wyss
Hi

Thanks all, folks.

This one looks like a very valid point. I'll check back if there is
indeed a wrong MX defined...

Cheers,
Alain



Re: [swinog] FYI [from nanog] use of DNS wildcards in TLD

2003-09-16 Thread Fredy Kuenzler
Matthias Leisi wrote:
>> *.ch for Fredy is fine with me - and *.com and *.net for Verisign also. 
>> Because I will take .*  
> Makes nice mail addresses: [EMAIL PROTECTED] ;-)
No prob, we show a lot of valid mail addrs with the storage folder 
/dev/null %-]

F.



[swinog] Re: orbs.dorkslayer.com lists EVERYTHING

2003-09-16 Thread Fredy Kuenzler
Benoit Panizzon wrote:
> Looks like it has now knocked them out too...
>
> openrbl is down because of a DDoS...
>
> I haven't received any mail for several hours. Now the cause is
> clear: Dorkslayers lists everything and their website is dead.
>
> Does anyone know more?
No, only that we unsubscribe mailing list subscribers (e.g. on swinog) if 
they refuse to accept mail from us because of orbs.dorkslayers. Their own fault.

F.



Re: [swinog] Colt Italien

2003-09-16 Thread Benoit Panizzon
On Tue, 2003-09-16 at 11:42, [EMAIL PROTECTED] wrote:
> Hello
>
> Colt Italy blocks us on the mail side. So far, our requests for more
> information to Colt Italy's abuse and postmaster remained unanswered (or
> returned as non-deliverable). Can someone point me to the right place
> or forward it Colt-internally?

Maybe the problem of the orbs.dorkslayers.com RBL having disappeared
from DNS and now every address of the form 1.2.3.4.orbs.dorkslayers.com
resolving to Verisign's search engine and thus resulting in a positive
hit...

-Benoit-



Re: [swinog] Colt Italien

2003-09-16 Thread Pascal Gloor
> Maybe the problem of the orbs.dorkslayers.com RBL having disappeared
> from DNS and now every address of the form 1.2.3.4.orbs.dorkslayers.com
> resolving to Verisign's search engine and thus resulting in a positive
> hit...

Remove the maybe and you've got your answer...

Everyone running multiple RBL checks should^H^H^H^H^H^HMUST remove all
the non-working RBLs.

Pascal



[swinog] Fw: Verisign HOWTO

2003-09-16 Thread Pascal Gloor
nanog is slow... :-P

however, what do our swiss majors think about this?

Pascal

- Original Message - 
From: Pascal Gloor [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 1:22 PM
Subject: Re: Verisign HOWTO


>> http://www.hinterlands.org/ver/txt
>> It's a 'How to get your IP block removed from the list that Verisign
>> will reply with SiteFinder for'.
>
> And for each new IP block I'll have to call again? Who's gonna pay for my
> call? If this number is free in the USA, it isn't from foreign countries...
>
> By this, Verisign just added the world by default to a content
> distribution and the world has to unsubscribe??
>
> Perhaps some ISPs would be happy to use such a * domain if they would
> NOT be forced to, but this is more like we own the world, we redirect the
> world and if you're not happy, unsubscribe...
>
> I still think this is unacceptable and the community should NOW do
> something against such actions.
>
> If some majors would move forward and build up an
> alternative-non-commercial-non-whateverisbad ROOT network, I think the
> world could follow. ICANN and their roots are not a standard, they're just
> the most used DNS service on top of IP and nothing can stop the community
> from building up a widely used alternative ROOT service. However, a
> consensus of majors is needed to start a widely used alt-root.
>
> Now the question is, are the majors willing to do something or not...
>
> Just my 0.02 cents
>
> Pascal




Re: [swinog] FYI [from nanog] use of DNS wildcards in TLD

2003-09-16 Thread Thomas Hug
On Tue, 16 Sep 2003 14:33, Matthias Leisi wrote:

>> *.ch for Fredy is fine with me - and *.com and *.net for Verisign also.
>> Because I will take .*
>
> Makes nice mail addresses: [EMAIL PROTECTED] ;-)

another bad thing about this stupid idea is that the
reject_unknown_sender_domain rules in the mailserver won't work
anymore :(

-tom


[swinog] qmail dns fix for Versign Breakage

2003-09-16 Thread Andre Oppermann

I've written a patch to qmail's dns lookup routines to detect the
wildcard responses from Verisign and convert it internally back into
a NX_DOMAIN. I think the same dynamic strategy can also be used for
Postfix and Sendwhale.


-- read on here --

With Verisign's wildcard match for any unregistered domains they broke
the DNS in many ways. One is that return MX checks won't work anymore,
and if someone mistypes a mail recipient's domain the message will end
up on Verisign's dummy server. Today it is rejecting that stuff, but for
how long given their track record? I bet they'll use it soon to grab
mail froms for their spam list.

We've written a patch to detect a TLD wildcard match and convert
it into an NX_DOMAIN (domain not existent) as it should be.

You can find the patch here:

 http://www.nrg4u.com


How does it work?

 Since it is not possible to directly detect whether we get a faked
 wildcard response, we first do a *.tld lookup (tld is dynamic from
 the lookup domain). If we get a response for that, remember its IP
 address. Now we proceed to the true and full MX/IP lookup. Then we
 check if one of the IP addresses we get this time is the same as the
 one we remembered from the wildcard lookup. If yes, we have been
 tricked and skip over it. If it was the only one, well, then it's in
 reality a non-existent domain.

 The advantage of this way of doing it (instead of statically blocking
 Verisign's IP address) is of course that it adjusts itself dynamically
 when Verisign changes its setup. In one of their papers Verisign
 cites some other TLDs who do the same. We kill them too.

 The disadvantage is that we always do one more DNS lookup for *.tld.

-- 
Andre
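The three-step scheme Andre describes above, and the two things earlier in the thread that the wildcard breaks (Thomas Hug's reject_unknown_sender_domain check and the dead-RBL false positives Benoit mentions), as an added example that is not part of any post and is not the qmail patch itself. It assumes an injectable resolver callable, constructed zone data and 192.0.2.x placeholder addresses so it runs offline.

```python
# Added example, not Andre Oppermann's qmail patch and not from the list: the
# dynamic TLD-wildcard detection he describes, written over an injectable
# resolver so it runs offline against constructed zone data. The function
# names, the fake zone and the 192.0.2.x addresses are all assumptions.
from typing import Callable, Dict, List


class NxDomain(Exception):
    """Raised by the resolver when a name does not exist (DNS RCODE NXDOMAIN)."""


# A resolver maps a name to its A records, or raises NxDomain.
Resolver = Callable[[str], List[str]]


def tld_of(name: str) -> str:
    """Return the rightmost label, e.g. 'com' for 'exmaple.com'."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def wildcard_addresses(name: str, resolve: Resolver) -> List[str]:
    """Step 1: query *.<tld>. No registrant can own the literal label '*', so
    any answer is the registry's synthetic wildcard target. One extra query
    per lookup is the cost Andre mentions; cache it per TLD in production."""
    try:
        return resolve("*." + tld_of(name))
    except NxDomain:
        return []  # this TLD has no wildcard; nothing to filter


def lookup_without_wildcard(name: str, resolve: Resolver) -> List[str]:
    """Steps 2 and 3: do the real lookup, then drop every address equal to the
    remembered wildcard target. If nothing survives, the name only 'existed'
    because of the wildcard, so report NXDOMAIN as the DNS should have."""
    synthetic = set(wildcard_addresses(name, resolve))
    real = [a for a in resolve(name) if a not in synthetic]
    if not real:
        raise NxDomain(name)
    return real


def sender_domain_exists(domain: str, resolve: Resolver) -> bool:
    """reject_unknown_sender_domain-style check: True only if the domain has
    at least one address that is not the wildcard's."""
    try:
        lookup_without_wildcard(domain, resolve)
        return True
    except NxDomain:
        return False


def rbl_listed(ip: str, rbl_zone: str, resolve: Resolver) -> bool:
    """DNSBL query (octets reversed under the zone, the usual convention).
    A zone that has vanished under a wildcard TLD no longer yields a listing
    for every IP, which is the false positive Benoit describes."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    return sender_domain_exists(f"{reversed_ip}.{rbl_zone}", resolve)


# Constructed zone data standing in for what resolvers saw on 2003-09-16:
# .com has a wildcard, .ch does not, and orbs.dorkslayers.com has disappeared.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "*.com": ["192.0.2.10"],                        # registry wildcard target
    "example.com": ["192.0.2.80"],                  # a registered domain
    "dual.com": ["192.0.2.10", "192.0.2.81"],       # wildcard IP plus a real one
    "3.2.1.10.live-rbl.example.ch": ["127.0.0.2"],  # a working DNSBL listing
}


def fake_resolve(name: str) -> List[str]:
    """Offline resolver: exact names first, then the TLD wildcard (which, as
    in real DNS, only matches names that do not otherwise exist)."""
    name = name.lower().rstrip(".")
    if name in CONSTRUCTED_ZONE:
        return list(CONSTRUCTED_ZONE[name])
    wildcard = "*." + tld_of(name)
    if wildcard in CONSTRUCTED_ZONE:
        return list(CONSTRUCTED_ZONE[wildcard])
    raise NxDomain(name)


if __name__ == "__main__":
    for dom in ("example.com", "exmaple.com", "dual.com", "nothing.ch"):
        print(f"{dom:14} sender ok: {sender_domain_exists(dom, fake_resolve)}")
    print("dead RBL lists 10.1.2.3:", rbl_listed("10.1.2.3", "orbs.dorkslayers.com", fake_resolve))
    print("live RBL lists 10.1.2.3:", rbl_listed("10.1.2.3", "live-rbl.example.ch", fake_resolve))
```

Note that the scheme trusts the *.tld answer itself; a registry that synthesises different addresses for different names would need the comparison widened from equality to a set of known wildcard targets.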


Re: [swinog] qmail dns fix for Versign Breakage

2003-09-16 Thread Pascal Gloor
> I've written a patch to qmail's dns lookup routines to detect the
> wildcard responses from Verisign and convert it internally back into
> a NX_DOMAIN. I think the same dynamic strategy can also be used for
> Postfix and Sendwhale.

This is good Andre, but it looks more like a patch (in its 1st sense) to
glue a political stupidity. We should do something against the source of
the problem and not find workarounds. I'm pretty sure you think so too...

Pascal



Re: [swinog] qmail dns fix for Versign Breakage

2003-09-16 Thread Andre Oppermann
Pascal Gloor wrote:
 
>> I've written a patch to qmail's dns lookup routines to detect the
>> wildcard responses from Verisign and convert it internally back into
>> a NX_DOMAIN. I think the same dynamic strategy can also be used for
>> Postfix and Sendwhale.
>
> This is good Andre, but it looks more like a patch (in its 1st sense) to
> glue a political stupidity. We should do something against the source of
> the problem and not find workarounds. I'm pretty sure you think so too...

For sure I do. But when watching the behaviour of American corporations
in recent times (SCO, Enron, Worldcom, ...) I doubt that we will get a
quick political solution short of a UN intervention with soldiers from
Bangladesh raiding the Verisign headquarters in California...

However I don't like Verisign rejecting emails from my customers and
later going to step 2, collection of email addresses to spam them.

I guess there must be some mental 'connection' between Verisign and
SCO executives... Hmmm... Maybe they are brothers but have been
separated in their early childhood and suffer some psychological
disorder best cured with repeated hits on their greedy fingers...

-- 
Andre


Re: [swinog] qmail dns fix for Versign Breakage

2003-09-16 Thread netbsd
I agree,
I would say that we have to react first to avoid any behaviour
that can pollute the Net any more.

I will also think about some patches this weekend.

Then we can maybe find a more political solution.
However the consequences of the Verisign behaviour
won't be politically discussed before they happen..




-- 
Key fingerprint = C549 46E1 1B75 116E 3321  BC0A E502 9457 319E B340
RFC822: [EMAIL PROTECTED] || [EMAIL PROTECTED]  www.NetBSD.org


[swinog] Rate-Limiting ICMP

2003-09-16 Thread Fredy Kuenzler
We seem to experience quite a bit of ICMP DoS attacks. They come along in 
waves, which makes some devices within our backbone stumble and lose 
packets.

As ICMP should generally not be blocked, I'm thinking about rate 
limiting it on core routers. Any hints, links, suggestions?

Thanks
Fredy


Re: [swinog] Rate-Limiting ICMP

2003-09-16 Thread Lukas Beeler
* Fredy Kuenzler [EMAIL PROTECTED]:
> We seem to experience quite a bit of ICMP DoS attacks. They come along in 
> waves, which makes some devices within our backbone stumble and lose 
> packets.

DoS, or the well known Nachi worm? (Nachi uses 92-byte packets
exclusively, so it should be easy to sort that out.)

> As ICMP should generally not be blocked, I'm thinking about rate 
> limiting it on core routers. Any hints, links, suggestions?

There was a discussion about this topic just one or two weeks ago
on the nanog lists. 

I do consider rate limiting a very bad idea, because it produces
non-predictable behaviour. Sometimes ICMP works, sometimes it
doesn't.

Just think about all those poor people that have ADSL, and those
goddamn PMTUD problems (which can be worked around, but still).

Filtering bogons and proper abuse reports should be the way to go to
fight DoS attacks.

-- 
Today is the first day of the rest of our lives.
http://www.suug.ch


[swinog] our lovely dot com and dot net

2003-09-16 Thread Pascal Gloor
Some stuff I found around...

---

http://www.washingtonpost.com/wp-dyn/articles/A996-2003Sep12.html

...
The Internet Corporation for Assigned Names and Numbers (ICANN), which
manages the Internet's addressing system and oversees addressing companies
like VeriSign, had no comment on the VeriSign plan.
...

---
http://www.iab.org/Documents/icann-vgrs-response.html
IAB = A committee of the Internet Engineering Task Force (IETF).


...
The first response is a misuse of the 404 response code as described in RFC
2616, section 10.4.5; an application level error like 404 is not a
replacement for the DNS-level NXDOMAIN.
...
To restore the data integrity and predictability of the DNS infrastructure,
the IAB believes it would be best to return the .com and .net TLD servers to
the behavior specified by the DNS protocols.
...

---

PS: I've disabled resolution of names matching the .com and .net TLD
wildcards in our DNS caches. Will Swiss majors follow this too? (you should ;))


Pascal
