Kudos Tanner (and all the good folks at ISC). Now, what is there to stop Verisign from further modifying the root servers so that they return a delegate that simply points to one of their name servers?
I guess nothing. I wonder if Verisign will bother though, after the fury this last move engendered. Still, their track record for saying "screw you" to the rest of the world is fairly high: http://www.aetherlumina.com/verisignsucks.html

On Wed, 2003-09-17 at 15:45, Tanner Lovelace wrote:
> Hi folks,
>
> After the furor yesterday over Verisign's adding wildcard entries
> to the .com and .net namespaces, ISC, the people who brought you
> the nameserver BIND, have come out with a patch to designate that
> certain zones should be "delegation only". This patch "fixes"
> what Verisign has done.
>
> Some background, for those of you that are already lost.
> DNS works this way. To find the hostname of a domain, say
> trilug.org, your nameserver first queries a root nameserver.
> The root nameserver is only supposed to tell you where you
> can find the information. Or, in other words, it is supposed
> to "delegate" that information to the true name server.
> (Actually, this is supposed to work recursively from the
> root domain "." through each successive domain until you
> come to an authoritative source.) So, a root server would
> say, hmm.. a ".org", go ask over at x.x.x.x for .org domains.
> The name server would then go ask x.x.x.x and it would send
> it to the name server for trilug.org which could then answer
> the question. (Generally, though, the root nameservers and
> the generic top level domain servers are the same, so there
> would only be one step.) What Verisign did was to place a wildcard
> record for *.com and *.net pointing to their host. This way, if
> someone asked for something like SDLKFJSKDJF.COM it would see
> that there was no delegation for that domain and instead return
> the record that matched: *.com which points to Verisign.
> This breaks several things, including spam checking by
> verifying that a domain exists before accepting it.
>
> What this patch from ISC does is that you can now specify
> certain zones (portions of a domain name) must be "delegation only".
> So, if the name server receives any responses other than another
> name server for specified domains it will discard them and
> return an NXDOMAIN error (no such domain), which is how things
> used to be.
>
> The patch can be found at ISC's website:
> http://www.isc.org/products/BIND/delegation-only.html
>
> However, if you don't feel like downloading, patching and
> rebuilding, we've gone ahead and built some rpms for you
> for Red Hat Linux 7.3, 9, Aurora Linux, and Mandrake 9.1.
> They can be found here:
>
> Red Hat 7.3, 9 and Aurora Linux:
>
> ftp://ftp.trilug.org/pub/linux/contrib/trilug/
> http://mirrors.trilug.org/linux/contrib/trilug/
>
> (Note that TriLUG members must use the e-mail
> address they signed up with and their membership
> number for access. If you're not a TriLUG member,
> anonymous ftp will work, but is bandwidth limited.)
>
> Mandrake 9.1
>
> http://rpms.wayfarer.org/
>
> The Red Hat 7.3, 9 and Mandrake 9.1 rpms are signed with
> my gpg key and the Aurora ones should be signed with Jeremy
> Portzer's key.
>
> If you use apt for rpm, you can find instructions for
> setting it up to access these rpms at
> http://members.trilug.org/services_faq/TriLUG-mail-faq-4.html#ss4.6
>
> Currently there is no urpmi setup for Mandrake, sorry.
>
> Just installing this patch, however, isn't all you need to do.
> You must also configure which zones are delegation only
> in /etc/named.conf. The following lines should fix what
> Verisign has done:
>
> zone "com" {
>     type delegation-only;
> };
>
> zone "net" {
>     type delegation-only;
> };
>
> Note that you may or may not have to add "IN" (without quotes) between
> "com"/"net" and the "{". (I've seen both, and both seem to work.)
>
> Add those to /etc/named.conf, restart named, and voila, unregistered
> domains now return no such domain (NXDOMAIN) again like they did
> before Verisign added the wildcard domains.
>
> If you have any questions, feel free to post them here.
>
> Cheers,
> Tanner Lovelace and Jeremy Portzer

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
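As an added illustration of the rule the quoted post describes (this is not ISC's patch, nor code from TriLUG or the poster), the following Python model applies a "delegation-only" check to replies for names under `com.` and `net.`: a referral (NS records delegating a child zone) or a reply about the zone apex itself passes through, while any other data returned for a name under the zone, such as an A record synthesised from a `*.com` wildcard, is discarded and replaced with NXDOMAIN. The record owner names, name server names and the 192.0.2.x address are constructed sample values, and the dataclasses are a deliberate simplification of a DNS message.

```python
"""Toy model of BIND's "delegation-only" zone check (added example, not
ISC's code).  A reply for a name under a zone marked delegation-only is
kept only if it is a referral or is about the zone apex; anything else
is dropped and the client sees NXDOMAIN, as it did before the wildcard."""

from dataclasses import dataclass, field


@dataclass
class RR:
    """One resource record: owner name, type and rdata, all as strings."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """Minimal DNS reply: question name, rcode, answer and authority sections."""
    qname: str
    rcode: str                              # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


# Same two zones the named.conf stanzas in the post mark delegation-only.
DELEGATION_ONLY_ZONES = ("com.", "net.")


def _norm(name):
    """Lower-case, fully qualified form with one trailing dot."""
    return name.lower().rstrip(".") + "."


def _in_zone(name, zone):
    """True if name is the zone itself or any subdomain of it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def delegation_only_zone(qname):
    """Return the delegation-only zone qname falls under, or None."""
    for zone in DELEGATION_ONLY_ZONES:
        if _in_zone(qname, zone):
            return zone
    return None


def is_referral(resp, zone):
    """A referral carries no answer records, only NS records in the
    authority section owned by a proper child of the delegation-only zone."""
    if resp.answer:
        return False
    ns = [rr for rr in resp.authority if rr.rtype == "NS"]
    if not ns:
        return False
    return all(_in_zone(rr.name, zone) and _norm(rr.name) != _norm(zone)
               for rr in ns)


def filter_response(resp):
    """Apply the delegation-only rule and return the reply the client gets."""
    zone = delegation_only_zone(resp.qname)
    if zone is None:
        return resp                 # zone not marked: pass through untouched
    if resp.rcode == "NXDOMAIN":
        return resp                 # already the honest answer
    if _norm(resp.qname) == zone:
        return resp                 # data about the apex (com. NS/SOA) is fine
    if is_referral(resp, zone):
        return resp                 # a real delegation: keep it
    # Anything else, e.g. an A record matched by *.com, is discarded.
    return Response(qname=resp.qname, rcode="NXDOMAIN")


# Constructed sample replies; names and the 192.0.2.1 address are made up.
REFERRAL = Response(
    qname="www.example.com.", rcode="NOERROR",
    authority=[RR("example.com.", "NS", "ns1.example.com.")])

WILDCARD_HIT = Response(
    qname="sdlkfjskdjf.com.", rcode="NOERROR",
    answer=[RR("sdlkfjskdjf.com.", "A", "192.0.2.1")])

APEX = Response(
    qname="com.", rcode="NOERROR",
    answer=[RR("com.", "NS", "tld-ns.example.net.")])

if __name__ == "__main__":
    for r in (REFERRAL, WILDCARD_HIT, APEX):
        print(f"{r.qname:20} -> {filter_response(r).rcode}")
```

Running it shows the referral and the apex query unchanged and the wildcard-matched name turned back into NXDOMAIN; a name outside the listed zones (anything under `.org`, for instance) is never touched, which is why the post has you list `com` and `net` explicitly rather than applying the rule everywhere.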
