Re: Re: Verisign Hijack - Patches may be available

Thanks for the link. For anyone who is patching their BIND servers details are here. You add this to named.conf (if what is shown on the patch page seems a little obique :-)

zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
[download]

Happiness, all is back to normal :-)

[root@devel3 root]# dig @localhost verisign-are-pirates.com

; <<>> DiG 9.2.3rc4 <<>> @localhost verisign-are-pirates.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12600
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;verisign-are-pirates.com.      IN      A

;; Query time: 116 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Tue Sep 30 07:26:26 2003
;; MSG SIZE  rcvd: 42

[root@devel3 root]#
[download]

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Comment on Re: Re: Verisign Hijack - Patches may be available Select or Download Code

Replies are listed 'Best First'.
Re: Re: Re: Verisign Hijack - Patches may be available by bunnyman (Hermit) on Sep 30, 2003 at 15:59 UTC
(if what is shown on the patch page seems a little obique :-) The way this works is actually pretty simple. The DNS servers for .com and .net should only send to you NS records. NS records are like pointers to other DNS servers. This patch rejects everything except NS records when they come from the VeriSign servers. Now when they send to you an A record (which has the IP address inside it), it will ignore it and the patch will instead give you the "does not exist" response. This is a good way to work around the problem, because it will still work correctly even if VeriSign changes the IP address that they use. The Acme::DNS::Correct module does not work this way. It merely looks for the hardcoded IP address in the response and filters it out. It will not work if the IP address is ever changed. Well, it's only an Acme module, after all.	[reply]
Re: Re: Re: Re: Verisign Hijack - Patches may be available by tachyon (Chancellor) on Oct 01, 2003 at 01:03 UTC
Sadly it would be a trivial hack at Verisign to return NS records to their own NS servers at which point you simply could not tell if they were faking it. They have said they won't. I trust them ;-) cheers tachyon s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print	[reply]