[Pdns-users] Verisign bullshit

Ben Merrills ben at griffin.net.uk
Tue Sep 16 14:11:58 UTC 2003


I've never done any DNS server programming but have been having a think
on a few ways round the VeriSign madness. I've come up with a few
suggestions, I'm not sure how realistic they would be...

a) Random Lookup

If you do a random lookup on a domain, say 3 times, generating a random
domain name each time, and resolving it, you'd get the IP that verisign
were using as the pagefinder site. You would need to check that each of
the lookups returned the same IP.

b) Same as above, but with RIPE (American equivalent) lookup

Lookup the IPs from the above method then check the IP assignment window
and ensure they belong to VeriSign.

c)

Dig returns the authority section of the non-existent domains as the
tld. Do any others? The non-existent ones seem to return quite a few of
the root .COM servers (or .NET) as the Authority!

The first two would need some kind of process to run periodically and
they're not a great solution. However, if this helps in anyway, then
that's good :)

Thanks,

Ben Merrills

Internet Applications Developer
Griffin Internet

> -----Original Message-----
> From: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-
> bounces at mailman.powerdns.com] On Behalf Of Damian Gerow
> Sent: 16 September 2003 15:00
> To: pdns-users
> Subject: Re: [Pdns-users] Verisign bullshit
> 
> Thus spake bert hubert (ahu at ds9a.nl) [16/09/03 02:30]:
> > It's not that simple. The only way so far to recognize their bogus answers
> > is by IP address. They control the GTLD servers and all GTLD servers now
> > show this behaviour. You can't easily do without, except by downloading the
> > .COM and .NET source yourself.
> >
> > I'll add a feature to pdns to ignore answers containing a specified IP
> > address, which will effectively make this go away.
> 
> NANOG has posted some good ideas about this.  Instead of hardcoding the IP
> address, why not maintain a cache of '*.tld'?  i.e. when a request comes in
> for www.domain.nu, do a lookup on '*.nu', and if the IP addresses match,
> return NXDOMAIN.  That way, you don't need to maintain a hard-coded list of
> IP addresses, and the cache should be relatively up-to-date.  This also
> catches all the other domains (.nu is one) that are pulling the same shit.
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
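The two detection ideas in this thread, Ben's random-label probe (a) and Damian's cached '*.tld' lookup, both reduce to the same resolver-side rule: learn what the registry answers for names that cannot exist, then turn any identical answer for a real query back into NXDOMAIN. The following is an added example written for this archive page; it is not code from either poster and not part of PowerDNS. The resolver it uses is a constructed fake (the "page finder" address 192.0.2.1, the zones, and the record set are all invented stand-ins from the TEST-NET ranges) so the block runs offline; to use it against live DNS you would replace `fake_lookup` with a function that performs real A queries and returns `None` on NXDOMAIN.

```python
"""Detect and suppress registry wildcard ("page finder") answers at the resolver.

Constructed example: `fake_lookup` simulates a TLD whose registry answers
every non-existent name with one fixed address. Nothing here is real data.
"""
import random
import string
from typing import Callable, Dict, Optional, Set

# A lookup returns the A-record address set for a name, or None for NXDOMAIN.
Lookup = Callable[[str], Optional[Set[str]]]

# --- Constructed stand-in data (placeholder addresses, not real registry data) ---
WILDCARD_IP = "192.0.2.1"          # stands in for the registry's wildcard target
WILDCARD_TLDS = {"com", "net"}     # TLDs that synthesize answers in this simulation
FAKE_RECORDS: Dict[str, Set[str]] = {
    "www.example.com": {"198.51.100.10"},
    "mail.example.net": {"198.51.100.20"},
    "www.example.org": {"203.0.113.5"},
}


def fake_lookup(name: str) -> Optional[Set[str]]:
    """Simulated resolver: real records win, wildcard TLDs synthesize, else NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in FAKE_RECORDS:
        return set(FAKE_RECORDS[name])
    tld = name.rsplit(".", 1)[-1]
    if tld in WILDCARD_TLDS:
        return {WILDCARD_IP}
    return None


def random_label(rng: random.Random, length: int = 16) -> str:
    """A random DNS label that will not exist under any sane TLD."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def probe_wildcard(tld: str, lookup: Lookup, probes: int = 3,
                   rng: Optional[random.Random] = None) -> Optional[Set[str]]:
    """Approach (a): resolve several random names directly under the TLD.

    Returns the shared answer set if every probe resolved to the same
    non-empty addresses (the TLD is synthesizing), otherwise None.
    """
    rng = rng or random.Random()
    answers = [lookup(f"{random_label(rng)}.{tld}") for _ in range(probes)]
    first = answers[0]
    if first and all(a == first for a in answers):
        return first
    return None


def star_lookup(tld: str, lookup: Lookup) -> Optional[Set[str]]:
    """Damian's variant: ask for the literal '*.tld' once instead of random names."""
    return lookup(f"*.{tld}")


def resolve_filtered(name: str, lookup: Lookup,
                     cache: Dict[str, Optional[Set[str]]],
                     rng: Optional[random.Random] = None) -> Optional[Set[str]]:
    """Answer a query, mapping registry-synthesized answers back to NXDOMAIN.

    `cache` maps tld -> learned wildcard answer set (or None). It must be
    refreshed periodically, since the registry can move the target address.
    """
    name = name.lower().rstrip(".")
    tld = name.rsplit(".", 1)[-1]
    if tld not in cache:
        cache[tld] = probe_wildcard(tld, lookup, rng=rng)
    answer = lookup(name)
    if answer is None:
        return None
    wildcard = cache[tld]
    # Caveat from the thread: a real zone deliberately hosted on the wildcard
    # address is suppressed too; matching by IP cannot tell the two apart.
    if wildcard is not None and answer == wildcard:
        return None
    return answer


if __name__ == "__main__":
    cache: Dict[str, Optional[Set[str]]] = {}
    for q in ["www.example.com", "no-such-host-xyz.com",
              "www.example.org", "no-such-host-xyz.org"]:
        print(f"{q} -> {resolve_filtered(q, fake_lookup, cache)}")
```

The probe count of three mirrors the "say 3 times" in Ben's note; with a real resolver behind `lookup`, the cache refresh interval is the periodic process he mentions, and the IP-ownership check (b) would be a separate step run against whatever address set the probe returns.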

