It's Verisign's return shot at the web browser "couldn't find this page"
searches. Doesn't seem to have much by way of advertising yet, but I'm
sure that'll change. I heard about this coming from somewhere last week,
though I don't recall where. Probably Wired or the WSJ. Verisign wants
the revenue that all those typos are generating. It's just the next shot
in the eyeball war.
This is sufficiently technically and business slimy that
I would null-route that IP, personally.
>> A wildcard A record in the net TLD.
>
>It's Verisign's return shot at the web browser "couldn't find this page"
>searches. Doesn't seem to have much by way of advertising yet, but I'm
>sure that'll change. I heard about this coming from somewhere last week,
>though I don't recall where. Probably Wired or the WSJ. Verisign wants
>the revenue that all those typos are generating. It's just the next shot
>in the eyeball war.
This is sufficiently technically and business slimy that
I would null-route that IP, personally.
The bigger issue is DNS troubleshooting.....what a nightmare when a query of
the *.gtld-servers.net servers does not return an error. What happens when
they change the IP because of null-route'ing of the current IP to a
completely different /8 subnet.
Who engineered this!!!!! Or better yet, who allowed this blatant commercial
use of the TLD servers.
> This is sufficiently technically and business slimy that
I agree completely. Verisign marketing practices are getting worse by the
day with introduction of redeption period, fees for non-working international
domains, prevention of domain transferes, emails to all their customers
(including isp affiliates) advertising their webhosting services, etc.
> I would null-route that IP, personally.
The bigger issue is DNS troubleshooting.....what a nightmare when a query of
the *.gtld-servers.net servers does not return an error. What happens when
they change the IP because of null-route'ing of the current IP to a
completely different /8 subnet.
You can potentionally check on what ip(s) are currently set by querying for
*.com and *.net (yes "*" is valid name for dns query that should provide
info on what is set for as * in zone file). One way to deal with it
automnaticly is to have dns server at the time when it started, check the
tld zone files that it cashes for '*' and if option is specified, then
dns server can return nxdomain for those top-level domains where '*' is
present. ISC and other software dns vendors should consider writing thise
option for next release and ISP should then implement it.
Another way to fight this new scheme is to complain to ICANN and to US
Department of Commerce regarding Verisign semi-illegal marketing
practices. You might mention that if this continies root tlds may soon
return 'A' record for non-existant top level domains (www.verisign.die
for example :), after all half the root dns servers are controlled by
verisign as well...
Who engineered this!!!!
You can thank the ruthless capitalistic approach of the current Verisign
board of directors and their attempts to extract money in every possible
way related to .com/.net domains at the registry (verisign-grs) level because
they are loosing so many domain at the registry level to their competitors.
Anyone wanna patch BIND such that replies of that IP addy are replaced with NXDOMAIN? That solves the web site and the spam problem, and all others, all at once.
Unbelievable where Internet got over the last 10 years. Looks like the
last cluons at VeriSign were eaten up by their sales/marketing
departments (finally). Now they are "hijacking" two complete gTLD
namespaces...
VeriSign: WHO DO YOU THINK YOU ARE?
And don't try to tell us that you want to "help" users who mistype
addresses. You want to make money with typos, that's all. Any "Site
Finder" stuff is absurd by itself.
and their list of justifications for why what they are doing in
their whitepaper is just... completely laughable.
And so much for the claims their representatives made to the press
the other week that it would only impact "web browsing" (as if such
a thing were even possible.
They clearly are not thinking very well at all of anything beyond
HTTP requests made by humans sitting in front of a web browser.
Oh, I'm sure their technical people are very aware of all the stuff it
will break. But the company doesn't care, why should they?
They know very well who they are and what they are breaking.
Date: Mon, 15 Sep 2003 19:40:33 -0400
From: Patrick W. Gilmore
Anyone wanna patch BIND such that replies of that IP addy
are replaced with NXDOMAIN? That solves the web site and
the spam problem, and all others, all at once.
I'd actually go for keeping the A RR for '*.net.' and '*.com.' in
an authoritative NS's cache. If any other A RR matches the
cached IP address(es), nuke the RRSet and replace with NXDOMAIN.
Until then, I guess it's time to null route and check for
circumvention. Is AS30060 used for anything legitimate?
based on the ASNAME, its seems a nice little route-map
/dev/null will be real easy. As long as they keep prefixs
used in this really dumb idea for this idea.
OrgName: VeriSign Infrastructure & Operations
OrgID: VIO-2
Address: 21345 Ridgetop Circle
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US
I took a look at the Bind 8.3.4 code this afternoon, but couldn't readily
find where to do it. I'll take another look later.
isc's patch is running internally. if anyone wants to try out our public
recursive server, it's name is F.6TO4-SERVERS.NET, and it's running the patch.
(we'll release it as soon as we get done with some release engineering goo.)
((no fair declaring a forward zone for com/net pointing at us, by the way.))
(Last time I tried it Bind 9 sucked up twice as much server CPU as 8.x)
we run bind9 on f-root, and it's fine. you should give it another try,
since it has gotten faster of late, and so have cpus/memory/motherboards.
But I think your patch is working a little too well:
sequoia# host nanog.org.
nanog.org has address 198.108.1.50
nanog.org mail is handled (pri=0) by mail.merit.edu
sequoia# host nanog.org. F.6TO4-SERVERS.NET
Using domain server:
Name: F.6TO4-SERVERS.NET
Addresses: 2001:4f8:0:2::14 204.152.184.76
Host not found, try again.
that's certainly not from the patch, since "org" isn't delegation-only there.
Just when I thought I had a DNS server I could point my IPv6-only hosts
to...
that's the purpose of the f.6to4-servers.net server, and if it's not working
for you then please send "dig" results and we'll check it out. (not "host",
and probably not to "nanog".)