Request for FreeBSD 4.9-RELEASE: PLEASE include this patch to BIND and turn it on by default

Brett Glass brett at lariat.org
Wed Sep 17 09:38:01 PDT 2003


All:

As many of you may know, Verisign/Network Solutions has recently added wildcard
records to the .com and .net TLDs. All typographical errors that result in failed
resolution of a host name now cause the user's browser to be bounced to a
search engine page maintained by Verisign.

A nasty side effect of this attempt at "universal typosquatting" is that mail
transfer agents such as Sendmail can no longer reduce spam by rejecting
mail that claims to come from an unresolvable host name.

The message below describes an emergency patch, made by ISC to BIND, which
defeats Verisign's TLD wildcards. Please incorporate this patch into the
version of BIND that ships with FreeBSD 4.9-RELEASE. It will save many of
us a lot of tedious manual patching!

--Brett Glass

-------------------

Date: Wed, 17 Sep 2003 15:58:01 +0200
From: "Remco B. Brink" <remco at rc6.org>
Subject: Evil VeriSign, patch included
To: dave at farber.net

Hello Dave,

this might be of interest for IP.

VeriSign's controversial "typo-squatting" Site Finder service is about to be
bypassed [1] by an emergency software patch to many of the Internet's backbone
computers.

The Internet Software Consortium, a nonprofit that publishes BIND, the software
that runs many of the Net's domain name servers, has just released an emergency
patch [2] to block VeriSign's new Site Finder service.

After patching BIND, the magic named.conf incantation to counter the VeriSign
braindamage is as easy as:

 zone "com" { type delegation-only; };
 zone "net" { type delegation-only; };

Jason Garman wrote a nice little rant explaining why this typo-squatting is
so totally evil [3].

Another thing to consider is that ISPs' mail queues will get much larger, as mail
delivery failures etc. will now be queued for retry rather than being failed as a
permanent error.

That makes you just really pray the next spamming worm is going to be a long
time away...

regards,
Remco

[1] http://www.wired.com/news/technology/0,1282,60473,00.html
[2] http://www.isc.org/products/BIND/delegation-only.html
[3] http://www.haque.net/verisign_dns_rant.php

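The following is an added illustration, not code from either message above, from ISC or from the BIND patch itself. It models in Python what a `type delegation-only;` zone does to answers a resolver receives from a TLD's servers, and then applies the Sendmail-style "does the sender's domain resolve?" check that both messages say the wildcards defeat. The RR/Response data model, the delegation test (an NS record owned by a name between the zone apex and the queried name), the sample responses and the 192.0.2.x addresses are all constructed for the example; real BIND operates on wire-format messages and has more cases than shown here.

```python
"""Model of a BIND delegation-only zone applied to constructed DNS responses.

Added example; not the BIND implementation. Sample responses are constructed
and use documentation addresses (192.0.2.0/24) rather than real ones.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class RR:
    owner: str   # owner name, e.g. "example.com."
    rtype: str   # "NS", "A", "MX", "SOA", ...
    rdata: str


@dataclass
class Response:
    qname: str
    rcode: str                                  # "NOERROR" or "NXDOMAIN"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def _is_below(name: str, zone: str) -> bool:
    """True if name is strictly below zone (more labels, same suffix)."""
    n, z = _labels(name), _labels(zone)
    return len(n) > len(z) and n[len(n) - len(z):] == z


def find_delegation(resp: Response, zone: str) -> List[RR]:
    """NS records that delegate a name between the zone apex and the qname."""
    found = []
    for rr in resp.answer + resp.authority:
        if rr.rtype != "NS" or not _is_below(rr.owner, zone):
            continue
        if _labels(rr.owner) == _labels(resp.qname) or _is_below(resp.qname, rr.owner):
            found.append(rr)
    return found


def apply_delegation_only(resp: Response, zones: Set[str]) -> Response:
    """Return the response as a resolver with delegation-only zones would use it.

    If the queried name sits under a delegation-only zone and the answer carries
    no delegation, the zone's server answered with data of its own (such as a
    wildcard-synthesised A record); that answer is replaced by NXDOMAIN.
    Responses for other zones, and NXDOMAIN responses, pass through unchanged.
    """
    zone: Optional[str] = next((z for z in zones if _is_below(resp.qname, z)), None)
    if zone is None or resp.rcode == "NXDOMAIN" or find_delegation(resp, zone):
        return resp
    return Response(qname=resp.qname, rcode="NXDOMAIN")


def mta_accepts_sender(resp: Response) -> bool:
    """Sendmail-style check: accept MAIL FROM only if the domain has an A or MX."""
    return resp.rcode == "NOERROR" and any(rr.rtype in ("A", "MX") for rr in resp.answer)


DELEGATION_ONLY = {"com", "net"}

# Constructed sample responses as a resolver would see them from a TLD server.
REFERRAL = Response("www.example.com.", "NOERROR",
                    authority=[RR("example.com.", "NS", "ns1.example.com."),
                               RR("example.com.", "NS", "ns2.example.com.")])
# Wildcard-style answer: the TLD server itself returns an A record for a
# typo'd name that has no delegation.
WILDCARD = Response("exmaple.com.", "NOERROR",
                    answer=[RR("exmaple.com.", "A", "192.0.2.1")])
# The pre-wildcard behaviour for the same typo.
NXDOMAIN = Response("exmaple.com.", "NXDOMAIN",
                    authority=[RR("com.", "SOA",
                                  "ns.example. hostmaster.example. 1 1800 900 604800 86400")])
# A zone not configured delegation-only is left alone.
ORG_DIRECT = Response("foo.org.", "NOERROR",
                      answer=[RR("foo.org.", "A", "192.0.2.2")])


def run_demo() -> dict:
    """For each sample: (rcode after filtering, MTA verdict before, MTA verdict after)."""
    results = {}
    for label, resp in [("referral", REFERRAL), ("wildcard", WILDCARD),
                        ("nxdomain", NXDOMAIN), ("org", ORG_DIRECT)]:
        filtered = apply_delegation_only(resp, DELEGATION_ONLY)
        results[label] = (filtered.rcode, mta_accepts_sender(resp), mta_accepts_sender(filtered))
    return results


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:9s} rcode={verdict[0]:9s} mta_before={verdict[1]} mta_after={verdict[2]}")
```

The "wildcard" row is the point of the two messages: without the patch the typo'd sender domain resolves and the MTA accepts the mail; with `com` and `net` declared delegation-only the synthesised A record is discarded and the MTA rejects it as before. One caveat a practitioner should keep in mind: the ISC page linked above notes that not every TLD is purely a delegation zone (several ccTLDs legitimately serve records below the apex), so the option should be enabled per zone rather than for every TLD, and later BIND releases added `root-delegation-only` with an `exclude` list for exactly that reason.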