more stuff regarding verisign
Jose Nazario writes:
a number of options exist to help you remedy this issue:
- bind 9.2.3rc2 supports "delegation-only", stopping some
wildcard implementations from making any difference
if you simply want to stop traffic getting there (they are running a
website and a partially functional MTA on that IP):
- you can BGP null route this
http://www.merit.edu/mail.archives/nanog/msg13715.html
- cisco's NBAR functionality may be used to detect and block those
reply packets from coming in by looking for the response from
the nameservers.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e2/nbar2e.htm
note that this won't stop the query from reaching verisign, it will just
stop you from going to that IP. however, for some enforcing network
privacy concerns, that may be worthwhile.
hope this helps,
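For the first option above, the named.conf fragment below shows how the "delegation-only" zone type is actually configured. This is an added example, not part of Jose's post and not taken from ISC's own documentation; the TLD exclude list in the second form is an assumption to illustrate the syntax, not a recommendation.

```conf
// Added example (not from the original post): BIND 9.2.3rc2+ named.conf fragment.
// Marking a TLD as delegation-only makes the resolver discard any answer from
// that TLD's servers that is not a referral (NS records plus glue) to a
// delegated child zone, so the wildcard A/MX records for non-existent names
// are dropped and the client gets NXDOMAIN instead.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

// Alternative form: treat every TLD as delegation-only, with an exclude list
// for TLDs that legitimately answer with non-referral data from their own
// servers. Which TLDs belong on this list is an assumption for your site;
// verify each one, because a wrongly listed (or omitted) TLD silently breaks
// resolution beneath it.
options {
    root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
```

After `rndc reload`, check the effect the same way you would check the wildcard itself: ask the resolver for a random, clearly non-existent label under .com and expect NXDOMAIN rather than an A record. Keep the per-zone form unless you have audited the exclude list; delegation-only only filters answers, it does not change where the query goes, so the caveat Jose gives for the blocking options applies here too.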
Damaged Industries writes:
> > This is simply amazing, Verisign has just turned the .COM and .NET TLD
> > DNS servers up-side-down for their own economical gain and, in doing so,
> > disrupted network traffic for most of the Internet. Mail administrators
> > who use any non-existent DNSBL to mark email as spam suddenly have all
> > their mails deleted, people using localhost.localdomain.com on their
> > servers for administrative purposes are scrambling to find out the cause
> > of their problems and DNS problems arise everywhere as neg caching is
> > essentially disabled and all DNS caches have to cache each and every
> > randomly typed DNS query.
> >
> > The BIND patch that prevents this should be released Wednesday.
>
> djbdns already has a patch (make that two patches).
>
> They are available from djbdns.org
>
Several patches have been out:
Bind9 patch:
http://www.isc.org/products/BIND/delegation-only.html
Bind8 patch:
http://achurch.org/bind-verisign-patch.html
Djbdns patch:
http://tinydns.org/djbdns-1.05-ignoreip.patch
PowerDNS patch:
http://www.imperialviolet.org/binary/powerdns.patch
Userfriendly :)
http://ars.userfriendly.org/cartoons/?id=20030917&mode=classic
