in reply to Re: Re: Verisign Hijack - Patches may be available
in thread Verisign Hijack all possible .com .net domains and destroy Email::Valid, Net::DNS, gethostbyname() etc

(if what is shown on the patch page seems a little obique :-)

The way this works is actually pretty simple. The DNS servers for .com and .net should only send to you NS records. NS records are like pointers to other DNS servers. This patch rejects everything except NS records when they come from the VeriSign servers. Now when they send to you an A record (which has the IP address inside it), it will ignore it and the patch will instead give you the "does not exist" response.

This is a good way to work around the problem, because it will still work correctly even if VeriSign changes the IP address that they use.

The Acme::DNS::Correct module does not work this way. It merely looks for the hardcoded IP address in the response and filters it out. It will not work if the IP address is ever changed. Well, it's only an Acme module, after all.

  • Comment on Re: Re: Re: Verisign Hijack - Patches may be available

Replies are listed 'Best First'.
Re: Re: Re: Re: Verisign Hijack - Patches may be available
by tachyon (Chancellor) on Oct 01, 2003 at 01:03 UTC

    Sadly it would be a trivial hack at Verisign to return NS records to their own NS servers at which point you simply could not tell if they were faking it. They have said they won't. I trust them ;-)

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

[reply]

In Section Meditations