Cheers - L~R

Thanks for the link. For anyone who is patching their BIND servers details are here. You add this to named.conf (if what is shown on the patch page seems a little obique :-)

zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
[download]

Happiness, all is back to normal :-)

[root@devel3 root]# dig @localhost verisign-are-pirates.com

; <<>> DiG 9.2.3rc4 <<>> @localhost verisign-are-pirates.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12600
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;verisign-are-pirates.com.      IN      A

;; Query time: 116 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Tue Sep 30 07:26:26 2003
;; MSG SIZE  rcvd: 42

[root@devel3 root]#
[download]

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

(if what is shown on the patch page seems a little obique :-)

The way this works is actually pretty simple. The DNS servers for .com and .net should only send to you NS records. NS records are like pointers to other DNS servers. This patch rejects everything except NS records when they come from the VeriSign servers. Now when they send to you an A record (which has the IP address inside it), it will ignore it and the patch will instead give you the "does not exist" response.

This is a good way to work around the problem, because it will still work correctly even if VeriSign changes the IP address that they use.

The Acme::DNS::Correct module does not work this way. It merely looks for the hardcoded IP address in the response and filters it out. It will not work if the IP address is ever changed. Well, it's only an Acme module, after all.

Pressure your DNS provider to apply a patch and enable a feature if possible.

That's a start, but it definately isn't a solution. Verisign does not own the .com and .net domains. Verisign needs to be reminded of its responsibilities and how easily they could be taken away. They should also have realized the plethora of legal problems this will create for them (think trademarks amoung others).

Common sense would dictate that Verisign will remember (or be forcefully reminded of) its responsibilities and put this silly action behind them. Unfortunately common sense is in short supply these days.

If you're truly interested in preventing these type of abuses in the future (and fixing this situation) I'd suggest getting involved immediately. Write your representatives (standard rules apply: be nice, coherent, and know what you're talking about) and take further steps as necessary.

If you're truly interested in preventing these type of abuses in the future (and fixing this situation) I'd suggest getting involved immediately. Write your representatives (standard rules apply: be nice, coherent, and know what you're talking about) and take further steps as necessary.

For the people who don't live in the States, do as I did, and sign the online petition.

"Stop Verisign DNS Abuse"
http://www.whois.sc/verisign-dns/

Well, Verisign DOES manage .tv! Which IS a country based domain. But I figure that the government concerned did not want to play, or was a t least waiting to see what the reaction was.

There were one or two other TLD's doing this earlier, but I noticed when the Verisign do-do hit the fan the others stopped pretty suddenly!

jdtoronto

To be fair, Tuvalu (the .tv country,) is leasing their ccTLD. I remembered reading about it when it happened.
The good old CIA World Factbook mentions this item here.

Might I suggest Acme::DNS::Correct?

What's the world coming to, broken DNS and a useful Acme:: module! Whatever next ;-) I've patched all of our (6) DNS servers at the source but thanks for the link.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

cLive ;-)