My view would concur with this, these are really old battles starting back in the
netsol days and now Verisign has taken the same short-sighted path.
It is time that a neutral party is in charge
-Henry R Linneweh
Paul Vixie <[EMAIL PROTECTED]> wrote:
> > ICANN can seek specific performance of t
On Sat, Sep 20, 2003 at 08:31:27PM -0400, Joe Provo wrote:
> > We are interested in feedback on the best way within the SMTP protocol
> > to definitively reject mail at these servers. One alternate option we
> [snip]
>
> Wrong protocol. There should be *NO* SMTP transactions for
> non-extistan
On Sat, Sep 20, 2003 at 06:06:06PM -0500, David A. Ulevitch wrote:
> There are plenty of hardworking people at good companies who get crap on
> NANOG all the time, why don't we save our relief for them. Tight job
> market or not, everyone has a choice of where they work. He's made a poor
> choic
On Sat, 20 Sep 2003, Dan Hollis wrote:
> On Sat, 20 Sep 2003, Sean Donelan wrote:
> > On Sat, 20 Sep 2003, Dan Hollis wrote:
> > > I'd like to see actual numbers
> > I'm willing to be proved wrong. Go ahead.
>
> you made the claim, let's see the data behind it
>
> it's up to the claimant to support
On Sat, 20 Sep 2003, Sean Donelan wrote:
> On Sat, 20 Sep 2003, Dan Hollis wrote:
> > I'd like to see actual numbers
> I'm willing to be proved wrong. Go ahead.
you made the claim, let's see the data behind it
it's up to the claimant to support it with data, not for others to
disprove it.
-Dan
Andrew Fried writes:
> Simply put, I would like to publicly express my appreciation to
> Mr. Vixie for taking the time to add the "root-delegation-only" patch
> for Bind.
You speak for many.
> Andrew Fried, Senior Special Agent
> United States Department of the Treasury
> Treasury Inspector Gen
On Sat, 20 Sep 2003, Dan Hollis wrote:
> I'd like to see actual numbers
I'm willing to be proved wrong. Go ahead.
On Sat, 20 Sep 2003, Justin Shore wrote:
> This veers off the original topic. Of course I don't think any of us
> recall what that was anyways... I remember back when I first started
> using the DUL. Of all the DNSBLs I used at the time it blocked the most
> spam of any of them. I mean that b
On Sat, 20 Sep 2003, Justin Shore wrote:
> Absolutely. At least if the customer wants technical support or plans on
> paying for their bandwidth. It costs *more* resources for an ISP to *not*
> filter ports and it costs them *less* resources to filter known ports that
> are rarely used by Joe B
On Sat, 20 Sep 2003, Sean Donelan wrote:
> It costs service providers more (cpu/ram/equipment) to filter a
> connection. And even more for every exception. Should service providers
> charge customers with filtering less (even though it costs more), and
> customers without filtering more (even tho
Is there any work being done on adding this support
to BIND 8 ??
On Sat, 20 Sep 2003, Margie wrote:
> Very little spam coming off dialups and other dynamically assigned,
> "residential" type connections has anything to do with open relays.
> The vast majority of it is related to open proxies (which the machine
> owners do not realize they are running) and mach
On Sat, Sep 20, 2003 at 02:01:39PM -0400, Matt Larson wrote:
[snip]
> We are interested in feedback on the best way within the SMTP protocol
> to definitively reject mail at these servers. One alternate option we
[snip]
Wrong protocol. There should be *NO* SMTP transactions for
non-existent d
On Sat, 20 Sep 2003, Andrew Fried wrote:
> I have been following the various threads relating to Verisign and
> wanted to make one comment that I feel has been missing. Simply put, I
> would like to publicly express my appreciation to Mr. Vixie for taking
> the time to add the "root-delegation-o
On Sat, 20 Sep 2003, Andrew Fried wrote:
> I have been following the various threads relating to Verisign and wanted
> to make one comment that I feel has been missing. Simply put, I would like
> to publicly express my appreciation to Mr. Vixie for taking the time to add
> the "root-delegation-o
> I have been following the various threads relating to Verisign and wanted
> to make one comment that I feel has been missing. Simply put, I would like
> to publicly express my appreciation to Mr. Vixie for taking the time to add
> the "root-delegation-only" patch for Bind. I'm fairly new to NA
On Sat, 20 Sep 2003, David B Harris wrote:
> Worth noting that they don't accept mail to [EMAIL PROTECTED]
>
> 250-SIZE 1024
> 250-ETRN
Those two capabilities are bogus as well.
--lyndon
Always carry a short length of fibre-optic cable. If you get lost
then you can drop it on the ground,
> I would suggest instead that you have mandatory
> sending via your relays, and allow inbound
> connections to port 25.
We're a fairly big provider on the GRIC (global roaming) network.
That means that it's not feasible for us to prevent many of our POPs' users
from contacting off-net SMTP serv
--On Saturday, September 20, 2003 6:36 PM -0500 Andy Walden
<[EMAIL PROTECTED]> wrote:
>
> Would this be a reference to the qmail-smtp-auth patch that
> recently was discovered, that if misconfigured, could allow
> incorrect relays?
No, that was the tip of the iceberg.
> If so, I would say th
I have been following the various threads relating to Verisign and wanted
to make one comment that I feel has been missing. Simply put, I would like
to publicly express my appreciation to Mr. Vixie for taking the time to add
the "root-delegation-only" patch for Bind. I'm fairly new to NANOG, b
On Sat, 20 Sep 2003 09:39:34 + (GMT)
"Stephen J. Wilcox" <[EMAIL PROTECTED]> wrote:
> Ooh, when did Verisign get rid of their Snubby program and put in something that
> actually behaves like an SMTP server? Seems verisign are watching the community
> reaction and acting to rectify their error
I'm fairly certain the previous poster is talking not-in-service numbers, not
busy numbers. Busy number redial is available here in the states, but most
places you have to bang a *XX code when you get the busy signal, you don't
tend to get any recording for it. Not in service numbers may get the
> Declan McCullagh wrote:
>
> >On Sat, Sep 20, 2003 at 11:34:17AM -0700, ken emery wrote:
> >
> >
> >>I think you haven't "gotten it". I'm getting the message from you that
> >>the changes made to the com and net gTLD's are fait accompli. From the
> >>
> >>
> >
> >That's the exact message
On Sat, 20 Sep 2003, Margie wrote:
> If the person running the system in question wants to run server
> class services, such as ftp, smtp, etc, then they need to get a
> compatible connection to the internet. There are residential service
> providers that allow static IP addressing, will provide r
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Sean Donelan
> Sent: September 20, 2003 6:29 PM
> To: Lyndon Nerenberg
> Cc: [EMAIL PROTECTED]
> Subject: Re: If Verisign *really* wants to help ...
>
>
>
> On Sat, 20 Sep 2003, Lyndon Nerenberg wro
> Verisign has become the single point of failure for almost all of the
> USA's public networks (voice, data, Internet, etc).
I seriously don't like this situation, especially considering latest
marketing twists with verisign's new "services". What we have however are
number of people working th
* [EMAIL PROTECTED] (Ray Bellis) [Sun 21 Sep 2003, 00:25 CEST]:
> What we do have though are (optional) *inbound* filters that make sure
> no-one can connect to their privileged ports over TCP/IP, and a mandatory
> filter that says only our network can deliver to their SMTP service.
There's an IS
On Sat, 20 Sep 2003 23:22:34 +0100
"Ray Bellis" <[EMAIL PROTECTED]> wrote:
> What we do have though are (optional) *inbound* filters that make sure
> no-one can connect to their privileged ports over TCP/IP, and a mandatory
> filter that says only our network can deliver to their SMTP service.
>
>
On Sat, 20 Sep 2003 15:05:08 -0700
Owen DeLong <[EMAIL PROTECTED]> wrote:
| I'm not convinced blocking port 25 on dialups helps much with that.
| What it does help with is preventing them from connecting to open
| relays.
There are so few open relays now that spammers have moved on. They
now us
On Sat, 20 Sep 2003, Margie wrote:
> My guess is that you haven't heard of the current issue with various
> servers running SMTP AUTH. These MTAs are secure by normal
> mechanisms, but are being made to relay spam anyway.
Would this be a reference to the qmail-smtp-auth patch that recently was
Declan McCullagh wrote:
On Sat, Sep 20, 2003 at 11:34:17AM -0700, ken emery wrote:
I think you haven't "gotten it". I'm getting the message from you that
the changes made to the com and net gTLD's are fait accompli. From the
That's the exact message I got from Verisign on Thursday. See:
--On Saturday, September 20, 2003 2:46 PM -0700 Owen DeLong
<[EMAIL PROTECTED]> wrote:
> I still disagree with this. To prevent SPAM, people shouldn't run
> open relays and the open relay problem should be solved. Breaking
> legitimate port 25 traffic is a temporary hack.
Very little spam comi
On Sat, 20 Sep 2003, Lyndon Nerenberg wrote:
> The logical follow-on to IP-based Sitefinder is SS7-based Phonefinder. I
> propose we redirect all "not in service" telephone numbers to Verisign's
> CEO's direct telephone number.
Actually, AT&T already tried that once upon a time.
If you dialed a n
On 9/20/03 6:09 PM, "Brian Bruns" <[EMAIL PROTECTED]> wrote:
> * Root servers or any critical DNS servers should not be in the control of
> companies. It should be handed over to Non-profit/not-for-profit orgs who
> will not be tempted to do the things Verisign has done. We feel
> completely
> However, I'm not convinced blocking port 25 on
> dialups helps much with that. What it does
> help with is preventing them from connecting to
> open relays.
We don't stop our dial customers from getting *to* anything.
What we do have though are (optional) *inbound* filters that make sure
no-o
The logical follow-on to IP-based Sitefinder is SS7-based Phonefinder. I
propose we redirect all "not in service" telephone numbers to Verisign's
CEO's direct telephone number.
--lyndon
NT as a file server is faster than a dead bat carrying Post-It notes
underwater. But not by much.
KH> Date: Sat, 20 Sep 2003 17:03:04 -0400
KH> From: Kee Hinckley
KH> The whois database is not a replacement for a DNS query.
Especially considering how Verisign whois info often lags waaay
behind what is correct. Outdated NS info, anyone?
Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet
- Original Message -
From: "Robert Blayzor" <[EMAIL PROTECTED]>
To: "Sean Donelan" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, September 20, 2003 5:01 PM
Subject: Re: When is Verisign's registry contract up for renewal
> Quite honestly I'd like to see all of the GTLD serv
However, I'm not convinced blocking port 25 on dialups helps much with that.
What it does help with is preventing them from connecting to open relays.
The real solution in the long run will be two-fold:
1. Internet hosts need to become less penetrable. (or at least
one
Correction:
They need to pull themselves out of the loop on this and allow DNS
to work as intended.
Owen
--On Saturday, September 20, 2003 3:06 PM -0500 "Eric A. Hall"
<[EMAIL PROTECTED]> wrote:
on 9/20/2003 1:01 PM Matt Larson wrote:
We are interested in feedback on the best way wit
Hi, NANOGers.
] I still disagree with this. To prevent SPAM, people shouldn't run open
] relays and the open relay problem should be solved. Breaking legitimate
] port 25 traffic is a temporary hack.
I suspect that most spam avoids open relays. The abuse of
proxies, routers, and bots for this
--On Saturday, September 20, 2003 3:36 PM -0400 Sean Donelan
<[EMAIL PROTECTED]> wrote:
Has anyone else noticed the flip-flops?
To prevent spam providers should block port 25.
I still disagree with this. To prevent SPAM, people shouldn't run open
relays and the open relay problem should be so
> > ICANN can seek specific performance of the agreement by Verisign, or
> > seek to terminate Verisign's contract as the .COM/.NET registry operator
> > and transfer the operation to a successor registry.
>
> Quite honestly I'd like to see all of the GTLD servers given to neutral
> companies, on
At 8:37 PM +0100 9/20/03, Simon Lockhart wrote:
Okay, to Internet "Experts", things are broken - their domain checking scripts
no longer return "domain available" (why not just check whois.internic.net?).
To quote Verisign, although this is true of all other whois providers:
TERMS OF USE: You are n
On 9/20/03 4:45 PM, "Sean Donelan" <[EMAIL PROTECTED]> wrote:
> ICANN can seek specific performance of the agreement by Verisign, or
> seek to terminate Verisign's contract as the .COM/.NET registry operator
> and transfer the operation to a successor registry.
Quite honestly I'd like to see all
What happens when Verisign's monopoly registry agreement for .COM and .NET
expires on November 10 2007?
http://www.icann.org/tlds/agreements/verisign/com-index.htm
According to the contract signed between ICANN and Verisign, Zone File
Data is defined as
13. "Zone File Data" means all data con
On 9/20/03 3:39 PM, "Roy" <[EMAIL PROTECTED]> wrote:
> While 550 may be the proper answer for a domain that does not exist, it
> is an improper answer for a domain that does exist but that is not
> included in the zone for some reason. Verisign is not the owner of the
> domain and, as such, has
on 9/20/2003 3:01 PM Sean Donelan wrote:
> Is it possible for the client resolver code to distinguish between a
> wildcard answer and an explicit answer? Or would that require another
> flag passed between the client and a recursive name server?
>
> If this was available, it would mail client
on 9/20/2003 1:01 PM Matt Larson wrote:
> We are interested in feedback on the best way within the SMTP protocol
> to definitively reject mail at these servers.
You need to:
1) fatally reject mail for domains that are not delegated with 5xx
-and-
2) softly reject mail for domains that are
> Is it possible for the client resolver code to distinguish between a
> wildcard answer and an explicit answer?
no.
> If this was available, it would mail clients and other things
> interested in the specific domain name could get the answers they
> want. While other stuff would get the wildca
Is it possible for the client resolver code to distinguish between a
wildcard answer and an explicit answer? Or would that require another
flag passed between the client and a recursive name server?
If this was available, it would mail clients and other things interested
in the specific domain n
On Sat, Sep 20, 2003 at 11:34:17AM -0700, ken emery wrote:
> I think you haven't "gotten it". I'm getting the message from you that
> the changes made to the com and net gTLD's are fait accompli. From the
That's the exact message I got from Verisign on Thursday. See:
http://news.com.com/2100-10
I have lots of dns-related activity on both systems and
within applications that are broken now because I am no
longer able to differentiate between a bad domain name and
a working domain.
It's not at all minor. You underestimate what this has done,
I think.
A major change in key functionali
[EMAIL PROTECTED] (Matt Larson) writes:
> We are interested in feedback on the best way within the SMTP protocol
> to definitively reject mail at these servers. One alternate option we
> are considering is rejecting the SMTP transaction by returning a 554
> response code as described in Section
While 550 may be the proper answer for a domain that does not exist, it
is an improper answer for a domain that does exist but that is not
included in the zone for some reason. Verisign is not the owner of the
domain and, as such, has no right to discard mail destined for that
domain. Mail
On Sat Sep 20, 2003 at 03:28:59PM -0400, Len Rose wrote:
> Verisign has broken everything and unlike the success
> of their grandfathered monopoly on registrations this
> might spell the end of their reign over these zones.
>
> This has broken the net, an intense attack on the
> domain name sys
Has anyone else noticed the flip-flops?
To prevent spam providers should block port 25.
If providers block ports, e.g. port 135, they aren't providing access to
the "full" Internet.
Should any dialup, dsl, cable, wi-fi, dhcp host be able to use any service
at any time? For example run an SMT
this feature is only in the latest release candidate, which is 9.2.3rc3.
our patches to 9.2.2 and 9.1 only support "delegation-only" zones.
to get the "root-delegation-only" option you need 9.2.3rc3.
see www.isc.org/products/BIND/delegation-only.html for details.
re:
> Date: Sat, 20 Sep 2003 14:22:57
I don't think anyone holds Matt personally responsible
for what has happened so please remember that when
responding.
Verisign has broken everything and unlike the success
of their grandfathered monopoly on registrations this
might spell the end of their reign over these zones.
This has broke
On Sat, 20 Sep 2003, neal rauhauser wrote:
> Oh come on people, this guy *implements* stuff. Here he is on the list
> describing how he has implemented something to alleviate the problems
> caused by PHBs at Verisign.
He is a representative of Verisign and asked for feedback. He
has gotten som
> On Sat, 20 Sep 2003, Matt Larson wrote:
>> One piece of feedback we received multiple times after the addition of
>> the wildcard A record to the .com/.net zones concerned snubby, our
[..]
* [EMAIL PROTECTED] (ken emery) [Sat 20 Sep 2003, 20:35 CEST]:
> I think you haven't "gotten it". I'm get
> We are interested in feedback on the best way within the SMTP protocol
> to definitively reject mail at these servers. One alternate option we
> I would welcome feedback on these options sent to me privately or the
> list; I will summarize the former.
OK feedback, I suggest you withdraw
Oh come on people, this guy *implements* stuff. Here he is on the list
describing how he has implemented something to alleviate the problems
caused by PHBs at Verisign.
ISC bind mods, ICANN displeasure, and other sources of pressure will
either remove this issue or make it irrelevant.
Rath
On Sat, 20 Sep 2003, Matt Larson wrote:
>
> Folks,
>
> One piece of feedback we received multiple times after the addition of
> the wildcard A record to the .com/.net zones concerned snubby, our
> SMTP mail rejection server. This server was designed to be the most
> modest of SMTP implementation
On Sat, Sep 20, 2003 at 02:16:34PM -0400, Dave Stewart wrote:
> >implementation using Postfix that should address many of the concerns
> >we've heard. Like snubby, this server rejects any mail sent to it (by
> >returning 550 in response to any number of RCPT TO commands).
>
> ICANN has requeste
> One piece of feedback we received multiple times after the
> addition of the wildcard A record to the .com/.net zones
> concerned snubby, our SMTP mail rejection server.
Did you miss the other pieces of feedback about how wildcard records in .com
and .net are simply a bad idea for numerous r
Hello Paul , Am I correct in the understanding that the below
tells me that 9.2.2p2 does NOT contain the ability to do
root-delegation-only ? Tia , JimL
On Sat, 20 Sep 2003, Paul Vixie wrote:
> if you installed the first isc wildcard patch you probably want the second.
At 02:01 PM 9/20/2003, Matt Larson wrote:
In response to this feedback, we have deployed an alternate SMTP
implementation using Postfix that should address many of the concerns
we've heard. Like snubby, this server rejects any mail sent to it (by
returning 550 in response to any number of RCPT TO
Folks,
One piece of feedback we received multiple times after the addition of
the wildcard A record to the .com/.net zones concerned snubby, our
SMTP mail rejection server. This server was designed to be the most
modest of SMTP implementations and supported only the most common
sequence of SMTP
if you installed the first isc wildcard patch you probably want the second.
see www.isc.org/products/BIND/delegation-only.html for details. the first
patch didn't handle NS lookups (which don't occur in nature but it's sort of
unnerving when they don't work in "dig").
in addition to the "type de
On Sat, 2003-09-20 at 06:29, Robert Blayzor wrote:
> On 9/20/03 6:33 AM, "Matthew S. Hallacy" <[EMAIL PROTECTED]> wrote:
>
> > Is there anyone with a clue at verisign who's able to actually repair
> > a broken entry in their database? I've got a company's domain name that
> > seems to be stuck wi
On 9/20/03 6:33 AM, "Matthew S. Hallacy" <[EMAIL PROTECTED]> wrote:
> Is there anyone with a clue at verisign who's able to actually repair
> a broken entry in their database? I've got a company's domain name that
> seems to be stuck with nameservers listed in whois, but none in the .com
> zone.
It's even funnier what happens when a customer confuses a Netopia console
connector with that of the power connector from the next revision :)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 10:57 AM
To
I think it was the new MG F, where if you had the top down
on the car and there was moisture on the boot [trunk] when
you opened the boot [trunk] people in the car would get showered!
They fixed it by adding a tighter spring so that the boot [trunk]
opened slowly and the water dripped down the sid
Is there anyone with a clue at verisign who's able to actually repair
a broken entry in their database? I've got a company's domain name that
seems to be stuck with nameservers listed in whois, but none in the .com
zone.
This means that everything for this company's domain is hitting the sitefind
Ooh, when did Verisign get rid of their Snubby program and put in something that
actually behaves like an SMTP server? Seems verisign are watching the community
reaction and acting to rectify their errors.. well some of them
$ telnet sdfjsdfjsdjflsd.com 25
Trying 64.94.110.11...
Connected