Nameserver madness

Mailman List Mirror (Read Only)
1

Ok folks, this has gone way too far.

First and foremost, let me clear a few points up.

1) I never supported Eugene's antics or his piracy (nor cache
  poisoning) which he engaged in.

2) We updated our BIND versions on ALL our nameservers, including the
  two listed below, within a few hours of his games beginning, so that
  we would NOT distribute or load bad data.

3) We *DO* run a completely separate faction of enhanced DNS, known as
  eDNS. This has NOTHING to do with Mr. Kaspuereff or his antics.

4) Our nameservers were not "polluted", nor will they be in the future.
  We are running BIND 8.1.1 which prevents this from happening.

5) We do not, never did, and won't support the kinds of games which
  Eugene pulled. I disagree *vehemently* with the IAHC and iPOC, and
  believe their process is both improper and possibly illegal.
  Nonetheless, that you believe someone is breaking the law and
  all boundaries of ethics does *NOT* entitle you to go and do the
  same in "retaliation". Two wrongs do NOT make a right.

6) Your blocking of the IP addresses is *NOT* effective. Eugene's
  stunt was not quite as simple as you might think; he was
  deliberately hitting nameservers with recursive requests to force
  them to load his data. You would have to isolate yourself ENTIRELY
  to be completely free of the problem through your method. The
  PROPER fix is to load the newer BIND code which doesn't suffer from
  the weakness which was being exploited.

MCSNet will take immediate and strong retaliatory action against *ANY*
ISP which blockades our network in this fashion. It is one thing to
block packets from our network for something which we have in fact done.
It is quite another to do so based on "guilt by association" and flat-out
untruths.

It is my hope that you will reconsider this insanity, and drop the filters
in 192.160.127.x. We are *NOT* your enemies, but we can become them if you
insist on it.

A prompt response is appreciated and expected.

Sincerely,

2

Ok folks, this has gone way too far.

First and foremost, let me clear a few points up.

1) I never supported Eugene's antics or his piracy (nor cache
  poisoning) which he engaged in.

2) We updated our BIND versions on ALL our nameservers, including the
  two listed below, within a few hours of his games beginning, so that
  we would NOT distribute or load bad data.

3) We *DO* run a completely separate faction of enhanced DNS, known as
  eDNS. This has NOTHING to do with Mr. Kaspuereff or his antics.

4) Our nameservers were not "polluted", nor will they be in the future.
  We are running BIND 8.1.1 which prevents this from happening.

5) We do not, never did, and won't support the kinds of games which
  Eugene pulled. I disagree *vehemently* with the IAHC and iPOC, and
  believe their process is both improper and possibly illegal.
  Nonetheless, that you believe someone is breaking the law and
  all boundaries of ethics does *NOT* entitle you to go and do the
  same in "retaliation". Two wrongs do NOT make a right.

6) Your blocking of the IP addresses is *NOT* effective. Eugene's
  stunt was not quite as simple as you might think; he was
  deliberately hitting nameservers with recursive requests to force
  them to load his data. You would have to isolate yourself ENTIRELY
  to be completely free of the problem through your method. The
  PROPER fix is to load the newer BIND code which doesn't suffer from
  the weakness which was being exploited.

MCSNet will take immediate and strong retaliatory action against *ANY*
ISP which blockades our network in this fashion. It is one thing to
block packets from our network for something which we have in fact done.
It is quite another to do so based on "guilt by association" and flat-out
untruths.

It is my hope that you will reconsider this insanity, and drop the filters
in 192.160.127.x. We are *NOT* your enemies, but we can become them if you
insist on it.

A prompt response is appreciated and expected.

Karl,

I never said anything about your politics or association with
Kashpureff. But it also isn't as simple as you and Paul seem to
think (i.e. upgrade to a new bind).

The fact remains that one or more of your nameservers are being
pointed to by the alternic root. I know that talking with Kashpureff's
nameservers may pollute my nameservers or one of my customers
nameservers. If his nameservers are pointing to your nameservers
then there is a high likelihood that his nameservers have been talking
to your nameservers. I have no control over your nameservers and
have no way of being absolutely sure they are not polluted. At the
moment I do not have time to build and install N binds on N machines
and even if I did, it would not help my customers who may not even
know *how* to upgrade to a new bind. So if keeping my net from
speaking to Kashpureff's nameservers and the known quantity that his
nameservers talk to reduces the risk to my and my customer's nameservers,
then so be it.

This seems like a logical and reasonable approach to me and is the
quickest thing I could think of to limit our risk. If you have a
better solution, then I'm all ears.

We are not your enemy either, but it is not our fault you picked
Kashpureff to do business with previously. Maybe you should get him
to quit pointing to your IPs? You never know when he'll uncover the
next bug that effects the latest bind releases. Who knows - maybe
it will only effect the latest bind and everyone with a supposedly
"fixed" nameserver will be dead in the water.

As for blocking your net: I'm blocking the specific IPs - not your
whole net. I'm not impressed by your threats either. We have the
right to allow or disallow whatever we want within our net.

Cheers,
Ray