Crossing the line

Posted 16 Sep 2003 at 02:12 UTC by itamar

VeriSign has set up a wildcard DNS on the .net TLD, no doubt .com will follow. The Internet is defined by software. We write the software. It's up to us to fix this.

Possession is nine-tenths of the law, and Verisign are taking upon themselves possession not only in theory but in practice of the whole DNS namespace. It is not common property, it is Verisign's, and they condescend to allow us to buy them.

Switch all your domains and SSL certificates from Network Solutions, VeriSign and Thawte (all the same company).

Are you the maintainer of a DNS server? Fix it so it does the right thing for invalid domains, rather than forwarding to Verisign's server. (And yes, the trivial hard-coded implementation would be broken -- figure out the right way to do it.)

Do you run an ISP? Block the Verisign catchall domain.

Are you the author of a browser? Likewise.

Choose your side.

UA, posted 16 Sep 2003 at 14:43 UTC by Malx » (Journeyer)

Actually blocking this domain is censorship :)

Other possible negative things:

- Anti-spam based on DNS resolving no longer works
- All mail to mistyped domains will be forwarded (and possibly saved) by VS

In .UA some ISPs are already blocking Site Finder's host/IP. Others are in the process of deciding. If they don't, they lose money on channel traffic payments.

Someone here says: "We are not going to support biggest cybersquatter of the world" :)

I didn't mean block the domain, posted 16 Sep 2003 at 16:00 UTC by itamar » (Master)

What should happen is the old behaviour - "no such host".

opennic, posted 16 Sep 2003 at 20:05 UTC by brondsem » (Journeyer)

I haven't used opennic but it was suggested on a local email list discussing this same topic. opennic

Can you trust VeriSign?, posted 17 Sep 2003 at 07:18 UTC by jmg » (Master)

Did you say no?

Do you still have VeriSign's certs in your browser? How can you answer no to the above if you haven't done this? Certificates are based upon us trusting VeriSign to do their jobs properly. How can we trust them to properly verify people's and companies' identities if we don't trust their stewardship of the domains? I would recommend that everyone remove VeriSign's certificates and ask any secure site to obtain another signed certificate that isn't signed by VeriSign.

Luckily, Paul Vixie has said that he plans on releasing a patch today that will remove the reply of the wildcard domain from BIND. Hopefully it will be like someone suggested, and query the *.{com,net} record, and return NXDOMAIN on any domain that matches the wildcard record. I believe that FreeBSD will add such a patch (at least under a knob), and I think I have also convinced my place of work to apply the patch. Currently, I'm using other people's DNS servers, but once I get my DSL line attached, I'll be applying that patch myself.

The fun of internet trust.
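The approach itamar asks for in the opening post ("figure out the right way to do it", not a hard-coded address) and the one jmg describes above (look up the wildcard record itself and answer NXDOMAIN for anything that matches it) can be shown in a few lines. The following is an added example, not code from the thread, from BIND, or from the patch being discussed. Everything in it is simulated offline: `TOY_ZONES` is a constructed stand-in for a TLD zone, the addresses are made-up documentation addresses, and `zone_lookup` plays the part of the upstream query.

```python
"""Added example: strip wildcard-synthesised answers from a TLD lookup.

A resolver that forwards into a zone holding a wildcard record never sees
NXDOMAIN for a mistyped name; it gets the wildcard's address instead.  The
fix sketched in the thread is to ask the zone what its wildcard answers with
(by looking up the literal '*.<tld>' owner name) and to treat any later
answer that is identical as 'no such host'.  Hard-coding the wildcard's
address would break the moment the registry changed it, so it is learned
per lookup here.
"""

import random
import string

NXDOMAIN = "NXDOMAIN"

# Constructed example zones (not real DNS data).  The '*' key stands in for a
# wildcard record; the addresses are RFC 5737 documentation addresses.
TOY_ZONES = {
    "net": {
        "*": ["192.0.2.10"],         # wildcard: every nonexistent name maps here
        "example": ["198.51.100.1"],  # a genuinely registered name
    },
    "org": {
        "example": ["198.51.100.2"],  # this zone has no wildcard
    },
}


def zone_lookup(name):
    """Simulated upstream lookup: address list, or NXDOMAIN.

    Mirrors the DNS wildcard rule: a name that does not exist in a zone that
    holds a wildcard is answered with the wildcard's data.
    """
    label, _, tld = name.rpartition(".")
    zone = TOY_ZONES.get(tld)
    if zone is None:
        return NXDOMAIN
    if label in zone:
        return zone[label]
    if "*" in zone:
        return zone["*"]
    return NXDOMAIN


def learn_wildcard(tld, lookup=zone_lookup):
    """Find out what the TLD's wildcard answers with, or None if it has none.

    Querying the literal owner name '*.<tld>' returns the wildcard record
    itself.  As a fallback for a zone that refuses that query, probe a random
    label that cannot exist; an answer for it can only come from a wildcard.
    """
    probe = lookup("*." + tld)
    if probe == NXDOMAIN:
        rand = "".join(random.choices(string.ascii_lowercase, k=24))
        probe = lookup(rand + "." + tld)
    return None if probe == NXDOMAIN else sorted(probe)


def resolve(name, lookup=zone_lookup):
    """Resolve a name, turning wildcard-synthesised answers back into NXDOMAIN."""
    tld = name.rpartition(".")[2]
    answer = lookup(name)
    if answer == NXDOMAIN:
        return NXDOMAIN
    wildcard = learn_wildcard(tld, lookup)
    if wildcard is not None and sorted(answer) == wildcard:
        return NXDOMAIN          # matches the wildcard: the old "no such host"
    return answer


if __name__ == "__main__":
    for n in ("example.net", "nosuchhost.net", "example.org", "nosuchhost.org"):
        print(n, "->", resolve(n))
```

One caveat a practitioner would want stated: the match is on answer data, so a real name that legitimately points at the same address as the wildcard would also be reported as nonexistent. That limitation is inherent in the "compare with the wildcard record" approach and is the reason the opening post warns that the naive version needs thought rather than a hard-coded address.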

Don't forget Thawte, posted 17 Sep 2003 at 12:42 UTC by trs80 » (Apprentice)

Thawte are owned by Verisign, so don't forget to remove their certificates as well.

Not wildcarding mx (yet...), posted 17 Sep 2003 at 17:43 UTC by mwh » (Master)

Malx: email to mistyped domains will still bounce (unless you've done funny things to your mail setup).

MX wildcarding doesn't matter, posted 17 Sep 2003 at 19:16 UTC by trs80 » (Apprentice)

If there's no MX record, then mail delivery reverts to the A record. And VeriSign is running a broken mail server on port 25.

oops, posted 18 Sep 2003 at 10:39 UTC by mwh » (Master)

I misread the bounce...

Very strange..., posted 21 Sep 2003 at 20:21 UTC by DeepNorth » (Journeyer)

It is very strange that this happened. It is stranger still that there is any discussion about it. Those guys should have been slapped down ages ago for their terrible manners.

It is MOST ironic that they are trusted to issue certificates when they are not trustworthy themselves. The Internet is indeed a strange and wonderful place where almost anything can happen and eventually does.

I fear that power in cyberspace is aligning with power in meatspace. I am hopeful that the Internet will route around this, but I have my doubtful moments.
