Change to .com/.net behavior

Today VeriSign is adding a wildcard A record to the .com and .net
zones. The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
being added now. We have prepared a white paper describing VeriSign's
wildcard implementation, which is available here:

http://www.verisign.com/resources/gd/sitefinder/implementation.pdf

By way of background, over the course of last year, VeriSign has been
engaged in various aspects of web navigation work and study. These
activities were prompted by analysis of the IAB's recommendations
regarding IDN navigation and discussions within the Council of
European National Top-Level Domain Registries (CENTR) prompted by DNS
wildcard testing in the .biz and .us top-level domains. Understanding
that some registries have already implemented wildcards and that
others may in the future, we believe that it would be helpful to have
a set of guidelines for registries and would like to make them
publicly available for that purpose. Accordingly, we drafted a white
paper describing guidelines for the use of DNS wildcards in top-level
domain zones. This document, which may be of interest to the NANOG
community, is available here:

http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf

Matt

I'm going to hack my BIND so it'll discard wildcard RRs in TLDs, as a
matter of reducing the flood of advertising junk reaching my desktop.

I think BIND & resolver developers would do everyone a service by adding
an option having the same effect.

Thank you, VeriSign, I will never do business with you again. You are as
bad as any spammer lowlife simply because you leave everyone with no
choice to opt out of your advertising blitz.

--vadim

Please share your hack!

You mean you have been studying a way for more people to buy domains through you.

I also am modifying BIND to convert your wildcard #$%^^% to NXDOMAIN.

Between the domains that I have with you and all the problems we've had with it
each time you 'change' your web interface, I've already made my decision to
avoid VeriSign/NetworkSolutions for the rest of my life.

Before I figure out this BIND thing, for now..

box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 discard;

-hc

Haesu wrote:

Before I figure out this BIND thing, for now..

box02jp5-cr01.twdx.net# set routing-options static route 64.94.110.11/32 discard;

Please do not do that. You, or your users, will end up having
TONS of undeliverable bounces for forged/bogus domains sitting
in mail spools...

/mjt

Looks like they pulled it now.

star@extremepcgaming:/var/log$ host rarrarrarrarblah.com
rarrarrarrarblah.com does not exist (Authoritative answer)

thanks,
-a-

It looks like it broke. Your web server (64.94.110.11) is inoperative. How about backing out the change!!!!

Matt Larson wrote:

Today VeriSign is adding a wildcard A record to the .com and .net
zones. The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
being added now. We have prepared a white paper describing VeriSign's
wildcard implementation, which is available here:

http://www.verisign.com/resources/gd/sitefinder/implementation.pdf

.....

; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com.
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58435
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; QUERY SECTION:
;; rarrarrarrarblah.com, type = ANY, class = IN

;; ANSWER SECTION:
rarrarrarrarblah.com. 15M IN A 64.94.110.11

They haven't implemented it on .com, only .net.

Yeah, speaking too quickly.

*hides*

Thanks

-a-

Adam 'Starblazer' Romberg wrote:

Looks like they pulled it now.

star@extremepcgaming:/var/log$ host rarrarrarrarblah.com
rarrarrarrarblah.com does not exist (Authoritative answer)

Nah, just zone propagation issues. Some gtld servers still
have old zone data.

/mjt

Yeah, speaking too quickly.

*hides*

I also typed a bit too quickly.

I'm guessing due to the uprising they've pulled this.

I was just going to call the dept of commerce tomorrow and
file a complaint myself. Perhaps I still will.

- jared

% dig any rarrarrarrarblah.com. @f.gtld-servers.net.

; <<>> DiG 8.4 <<>> any rarrarrarrarblah.com. @f.gtld-servers.net.
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43204
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; rarrarrarrarblah.com, type = ANY, class = IN

;; AUTHORITY SECTION:
com. 2D IN SOA a.gtld-servers.net. nstld.verisign-grs.com. (
                                        2003091500 ; serial
                                        30M ; refresh
                                        15M ; retry
                                        1W ; expiry
                                        1D ) ; minimum

;; Total query time: 213 msec
;; FROM: puck.nether.net to SERVER: 192.35.51.30
;; WHEN: Mon Sep 15 20:39:47 2003
;; MSG SIZE sent: 38 rcvd: 111

I want my root servers back

Matt Larson wrote:

% dig any rarrarrarrarblah.com. @f.gtld-servers.net.

;; AUTHORITY SECTION:
com. 2D IN SOA a.gtld-servers.net. nstld.verisign-grs.com. (
                                        2003091500 ; serial
                                        30M ; refresh
                                        15M ; retry
                                        1W ; expiry
                                        1D ) ; minimum

Unless I'm missing something here.. Why not just block root servers or
nstld.verisign-grs.com being listed as an authority?

I cannot find any instance where a root server should be listed as an
authority.. I've been seeing varying results between .com and .net today.

.net *always* has the root servers listed as its authoritative servers

.com sometimes does.. but often it's just listing:

;; AUTHORITY SECTION:
com. 172800 IN SOA a.gtld-servers.net.
nstld.verisign-grs.com. 2003091500 1800 900 604800 86400

Blocking the Answer response isn't going to work, as you know they'll change
the IP.. However, one crappy thing for them.. When kids start DoS'ing the
verisign IP, they can just pick any domain they feel like that doesn't exist,
and hard code it.

From the news, Microsoft and AOL are both fairly upset about this.. I imagine
Google probably will be too, since Verisign is teaming with Yahoo on this one,
and Yahoo is trying to revive their own engine and stop using google.

Anyhow.. What am I missing about this fix.. why won't this work?
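An added example (not code from the thread, from BIND or from VeriSign) of the resolver-side filter vadim and Haesu describe and of the "block on who is listed as authority" idea above, done the way BIND later did with its delegation-only zone type: a reply from a .com/.net server is rewritten to NXDOMAIN when that server answers authoritatively with non-delegation data for a name below the TLD, which catches the synthesized A record whatever address it points to. Replies are plain dicts constructed from the dig output quoted in the thread, and the caller is assumed to know which zone's nameserver it queried; example.com and 192.0.2.10 are placeholders.

```python
# Added example, not code from the thread, from BIND or from VeriSign.
# Zones that should hold nothing but delegations (NS/DS) below the apex.
DELEGATION_ONLY = {"com.", "net."}


def is_below(name, zone):
    """True if absolute 'name' is strictly below absolute 'zone'."""
    return name != zone and name.endswith("." + zone)


def is_synthesized_wildcard(resp, served_zone, zones=DELEGATION_ONLY):
    """resp is the reply from a nameserver of 'served_zone' (an iterative
    resolver knows which NS set it asked). A delegation-only zone may answer
    with a referral (aa clear) or NXDOMAIN; if it instead claims authority
    for a name below its apex and returns anything but NS/DS, the data can
    only have come from a wildcard, whatever address it happens to carry."""
    if served_zone not in zones or not is_below(resp["qname"], served_zone):
        return False
    if resp["rcode"] != "NOERROR" or not resp["aa"]:
        return False
    return any(rr["type"] not in ("NS", "DS") for rr in resp["answer"])


def filter_response(resp, served_zone, zones=DELEGATION_ONLY):
    """Return the reply the resolver should hand on: NXDOMAIN in place of a
    synthesized wildcard answer, the original reply otherwise."""
    if is_synthesized_wildcard(resp, served_zone, zones):
        return {**resp, "rcode": "NXDOMAIN", "answer": []}
    return resp


# Constructed replies mirroring the dig output quoted in the thread.
SITEFINDER_COM = {"qname": "rarrarrarrarblah.com.", "rcode": "NOERROR", "aa": True,
                  "answer": [{"type": "A", "data": "64.94.110.11"}]}
NXDOMAIN_COM = {"qname": "rarrarrarrarblah.com.", "rcode": "NXDOMAIN", "aa": True,
                "answer": []}
REFERRAL_COM = {"qname": "www.example.com.", "rcode": "NOERROR", "aa": False,
                "answer": []}
# Same shape as the Site Finder reply, but from the child zone's own servers,
# where authoritative A records are legitimate (placeholder name and address).
CHILD_ANSWER = {"qname": "www.example.com.", "rcode": "NOERROR", "aa": True,
                "answer": [{"type": "A", "data": "192.0.2.10"}]}

if __name__ == "__main__":
    for label, resp, zone in [("sitefinder", SITEFINDER_COM, "com."),
                              ("nxdomain", NXDOMAIN_COM, "com."),
                              ("referral", REFERRAL_COM, "com."),
                              ("child", CHILD_ANSWER, "example.com.")]:
        print(label, filter_response(resp, zone)["rcode"])
```

Unlike a null route on 64.94.110.11, this keeps mail to bogus domains failing fast with a real NXDOMAIN instead of leaving it queued against an unreachable host, the problem mjt raises above.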

Chances are your ISP has null-routed that IP address. Two of the larger
ISPs in my area (Ontario, Canada) have, as well as the upstreams for a
number of incidental networks I have access to.

It appears GTLD servers A-D are running a serial number of 2003091501 and
contain the wildcard record in .com. The other GTLD servers are running
2003091500 and don't have the wildcard record. So, unless there's a
2003091502 floating around out there somewhere that I haven't seen, it
doesn't look to me like they pulled it.

For .net, I'm now seeing 2003091501 everywhere, with the wildcard record.
It doesn't look like they pulled that either.

In other news, Verisign has a press release on their website announcing
something called "Next Registration Rights Service," where you can place
an order to have somebody else's domain transferred to you if they ever
don't pay their bill. The press release goes on to say that this is a
great way for holders of existing domain names to buy insurance to protect
themselves from the loss of their domain names if their bill doesn't get
paid, but apparently only if nobody beats them to it.

-Steve

In other news, Verisign has a press release on their website announcing
something called "Next Registration Rights Service," where you can place
an order to have somebody else's domain transferred to you if they ever
don't pay their bill. The press release goes on to say that this is a
great way for holders of existing domain names to buy insurance to protect
themselves from the loss of their domain names if their bill doesn't get
paid, but apparently only if nobody beats them to it.

-Steve

If you make the mistake of letting a domain reach the 'redemption' period
Verisign holds it hostage and dead for a couple of weeks unless you pay them
a $150 extortion fee to get it back. Apparently ICANN approved the
redemption period and allows the registrar to set whatever fee they like.

I can not prove but I suspect that Verislime is now leaving expired domain
in the GTLD servers until they reach the redemption period in the hope that
people will not notice the domain not resolving until it reaches the
extortion period.

Why are we still putting up with this garbage from Verisign and ICANN?

Mark Radabaugh
Amplex
(419) 720-3635

Chances are your ISP has null-routed that IP address. Two of the larger
ISPs in my area (Ontario, Canada) have, as well as the upstreams for a
number of incidental networks I have access to.

Sorry for the double-post folks, I got a bounce and didn't look closely
at it.

If somebody could check the subscriber list for an address that might
result in postmaster@ldmi.com filtering really innocent emails (I know
this has happened to others too), and contacting the owner, that would
be great.

Thanks.

In <20030915232429.GA15402@chinook.rgy.netsol.com> Matt Larson <mlarson@verisign.com> writes:

Today VeriSign is adding a wildcard A record to the .com and .net
zones. The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
being added now.

Well, I hope you have the world's most secure server running on this IP
address as it is going to be a prime target for crackers.

And, just to give you some idea how carefully VeriSlim considered this
aspect, I saw this link on /.

http://sitefinder.verisign.com/lpc?url='%3E%3Ch1%3Ehi%20mom%3C/h1%3E

-wayne