After the furor yesterday over Verisign's adding wildcard entries to the .com and .net namespaces, ISC, the people who bring you the BIND nameserver, have come out with a patch that lets you designate certain zones as "delegation only". This patch "fixes" what Verisign has done.
Some background, for those of you who are already lost. DNS works this way. To look up a name, say trilug.org, your nameserver first queries a root nameserver. The root nameserver is only supposed to tell you where you can find the information; in other words, it "delegates" that information to the true name server. (Actually, this is supposed to work recursively from the root domain "." down through each successive domain until you reach an authoritative source.) So a root server would say: that's a ".org", go ask x.x.x.x for .org domains. Your name server would then ask x.x.x.x, which would send it on to the name server for trilug.org, which could then answer the question. (Generally, though, the root nameservers and the generic top level domain servers are the same, so there would only be one step.)
What Verisign did was to place a wildcard record for *.com and *.net pointing to their own host. Now, if someone asks for something like SDLKFJSKDJF.COM, the .com servers find no delegation for that name and instead return the record that matches, *.com, which points to Verisign. This breaks several things, including anti-spam checks that verify a sender's domain exists before accepting mail from it.
What this patch from ISC does is let you specify that certain zones (portions of the namespace) must be "delegation only". If the name server receives any response for such a zone other than a delegation to another name server, it discards the response and returns an NXDOMAIN error (no such domain), which is how things used to be.
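As an added illustration (this is not ISC's patch code, just a small model of the rule described above), here is a Python sketch of what a resolver does with a response from the .com or .net servers once those zones are marked delegation only. The names, addresses and record data in it are constructed; the `Response`/`RR` structures and the function names are my own and only stand in for BIND's internals.

```python
"""Toy model of BIND's "delegation-only" check (added example, not ISC's code).

A recursive resolver asks the .com servers about a name.  With "com" marked
delegation-only, the only acceptable NOERROR reply from those servers is a
referral: NS records in the authority section for a zone below "com", and
nothing in the answer section.  A wildcard hit (an A record synthesized from
*.com) is therefore rewritten to NXDOMAIN, which is what the resolver
returned before the wildcard existed.  All names and addresses below are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Zones treated as delegation-only (mirrors the named.conf stanzas in the post).
DELEGATION_ONLY = {"com", "net"}


@dataclass
class RR:
    name: str    # owner name
    rtype: str   # "A", "NS", "SOA", ...
    rdata: str


@dataclass
class Response:
    qname: str
    qtype: str
    rcode: str                                  # "NOERROR" or "NXDOMAIN"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def _is_below(name: str, zone: str) -> bool:
    """True if name is strictly below zone (e.g. example.com is below com)."""
    n, z = _labels(name), _labels(zone)
    return len(n) > len(z) and n[-len(z):] == z


def enclosing_delegation_only_zone(qname: str) -> Optional[str]:
    """Return the delegation-only zone containing qname, or None."""
    labels = _labels(qname)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DELEGATION_ONLY:
            return candidate
    return None


def is_referral(resp: Response, zone: str) -> bool:
    """A referral has no answer records and only NS records in the authority
    section, all owned by a name below the delegation-only zone."""
    if resp.answer:
        return False
    ns = [rr for rr in resp.authority if rr.rtype == "NS"]
    return bool(ns) and all(_is_below(rr.name, zone) for rr in ns)


def apply_delegation_only(resp: Response) -> Response:
    """Filter a parent-server response the way the patched resolver would."""
    zone = enclosing_delegation_only_zone(resp.qname)
    if zone is None:
        return resp                 # not a delegation-only zone: pass through
    if _labels(resp.qname) == _labels(zone):
        return resp                 # the zone apex itself (SOA/NS of "com") is fine
    if resp.rcode == "NXDOMAIN" or is_referral(resp, zone):
        return resp                 # genuine negative answer or a real delegation
    # Anything else is data synthesized by the parent (the wildcard): drop it.
    return Response(resp.qname, resp.qtype, "NXDOMAIN")


# Constructed sample traffic: what the TLD servers might hand back.
WILDCARD_HIT = Response("sdlkfjskdjf.com", "A", "NOERROR",
                        answer=[RR("sdlkfjskdjf.com", "A", "192.0.2.1")])
REAL_DELEGATION = Response("example.com", "A", "NOERROR",
                           authority=[RR("example.com", "NS", "ns1.example.com.")])
OTHER_TLD = Response("trilug.org", "A", "NOERROR",
                     answer=[RR("trilug.org", "A", "192.0.2.2")])

if __name__ == "__main__":
    for r in (WILDCARD_HIT, REAL_DELEGATION, OTHER_TLD):
        out = apply_delegation_only(r)
        print(f"{r.qname:20} {r.rcode:8} -> {out.rcode}")
```

One consequence of the rule is worth keeping in mind before marking further zones: any zone whose servers legitimately hand out non-NS records below the apex would have those answers turned into NXDOMAIN by the same check, so only apply it to zones that really are nothing but delegations, like com and net.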
The patch can be found at ISC's website: http://www.isc.org/products/BIND/delegation-only.html
However, if you don't feel like downloading, patching and rebuilding, we've gone ahead and built some rpms for you for Red Hat Linux 7.3, 9, Aurora Linux, and Mandrake 9.1. They can be found here:
Red Hat 7.3, 9 and Aurora Linux:
ftp://ftp.trilug.org/pub/linux/contrib/trilug/
http://mirrors.trilug.org/linux/contrib/trilug/
(Note that TriLUG members must use the e-mail address they signed up with and their membership number for access. If you're not a TriLUG member, anonymous FTP will work, but it is bandwidth limited.)
Mandrake 9.1
http://rpms.wayfarer.org/
The Red Hat 7.3, 9 and Mandrake 9.1 rpms are signed with my gpg key and the Aurora ones should be signed with Jeremy Portzer's key.
If you use apt for rpm, you can find instructions for setting it up to access these rpms at http://members.trilug.org/services_faq/TriLUG-mail-faq-4.html#ss4.6
Currently there is no urpmi setup for Mandrake, sorry.
Just installing this patch, however, isn't all you need to do. You must also configure which zones are delegation only in /etc/named.conf. The following lines should fix what Verisign has done:
zone "com" {
        type delegation-only;
};

zone "net" {
        type delegation-only;
};

Note that you may or may not have to add "IN" (without quotes) between "com"/"net" and the "{". (I've seen both, and both seem to work.)
Add those to /etc/named.conf, restart named, and voila, unregistered domains return "no such domain" (NXDOMAIN) again, as they did before Verisign added the wildcard records.
If you have any questions, feel free to post them here.
Cheers,
Tanner Lovelace and Jeremy Portzer
--
Tanner Lovelace | lovelace(at)trilug.org | http://www.trilug.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
Create like it's 1790. -- Lawrence Lessig
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
