Brett Glass
2003-Sep-17 09:38 UTC
Request for FreeBSD 4.9-RELEASE: PLEASE include this patch to BIND and turn it on by default
All:

As many of you may know, Verisign/Network Solutions has recently added wildcard records to the .com and .net TLDs. All typographical errors that result in failed resolution of a host name now cause the user's browser to be bounced to a search engine page maintained by Verisign.

A nasty side effect of this attempt at "universal typosquatting" is that mail transfer agents such as Sendmail can no longer block or reduce spam by rejecting mail that claims to come from an unresolvable host name.

The message below describes an emergency patch, made by ISC to BIND, which defeats Verisign's TLD wildcards. Please incorporate this patch into the version of BIND that ships with FreeBSD 4.9-RELEASE. It will save many of us a lot of tedious manual patching!

--Brett Glass

-------------------

Date: Wed, 17 Sep 2003 15:58:01 +0200
From: "Remco B. Brink" <remco@rc6.org>
Subject: Evil VeriSign, patch included
To: dave@farber.net

Hello Dave, this might be of interest for IP.

VeriSign's controversial "typo-squatting" Site Finder service is about to be bypassed [1] by an emergency software patch to many of the Internet's backbone computers. The Internet Software Consortium, a nonprofit that publishes BIND, the software that runs many of the Net's domain name servers, has just released an emergency patch [2] to block VeriSign's new Site Finder service.

After patching Bind, the magic named.conf incantation to counter the VeriSign braindamage is as easy as:

    zone "com" { type delegation-only; };
    zone "net" { type delegation-only; };

Jason Garman wrote a nice little rant explaining why this typo-squatting is so totally evil [3].

Another thing to consider is that ISPs' mail queues will get much larger as mail delivery failures etc. will now queue for retry rather than being failed as a permanent error. That makes you just really pray the next spamming worm is going to be a long time away...

regards,
Remco

[1] http://www.wired.com/news/technology/0,1282,60473,00.html
[2] http://www.isc.org/products/BIND/delegation-only.html
[3] http://www.haque.net/verisign_dns_rant.php
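The delegation-only behaviour that Remco's named.conf lines switch on, and the Sendmail side effect Brett describes, modelled as an added example (not code from the page, from ISC or from BIND). It assumes the response being filtered came from the TLD's own servers; the record layout, the sample responses and the 192.0.2.1 stand-in for the Site Finder address are all constructed here.

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str    # owner name, e.g. "example.com."
    rtype: str   # "A", "NS", "SOA", ...
    rdata: str

@dataclass
class Response:
    qname: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    rcode: str = "NOERROR"

# The two zones the named.conf lines in Remco's message mark delegation-only.
DELEGATION_ONLY = ("com.", "net.")

def apply_delegation_only(resp):
    """Filter a response that came from a delegation-only zone's own servers.
    Anything that is not the zone apex and not a referral (NS records for a
    child zone in the authority section) becomes NXDOMAIN, so an A record the
    TLD synthesised from its wildcard never reaches the client. The referral
    test is the delicate part: Brandon's message reports that the first patch
    mishandled NS entries for domains with no cached data.
    """
    zone = next((z for z in DELEGATION_ONLY
                 if resp.qname == z or resp.qname.endswith("." + z)), None)
    if zone is None or resp.qname == zone:
        return resp                       # not our zone, or the apex itself
    referral = not resp.answer and any(
        rr.rtype == "NS" and rr.name != zone and rr.name.endswith("." + zone)
        for rr in resp.authority)
    if referral:
        return resp                       # genuine delegation: pass through
    return Response(resp.qname, rcode="NXDOMAIN")

def sender_host_resolves(resp, delegation_only=True):
    """The Sendmail-style check from Brett's mail: does the sender host resolve?"""
    final = apply_delegation_only(resp) if delegation_only else resp
    return final.rcode == "NOERROR" and any(rr.rtype == "A" for rr in final.answer)

# Constructed sample responses. 192.0.2.1 is a documentation-range placeholder
# standing in for the Site Finder address, which the mail does not give.
WILDCARD_HIT = Response("nosuchhost-typo.com.",
                        answer=[RR("nosuchhost-typo.com.", "A", "192.0.2.1")])
REFERRAL = Response("www.example.com.",
                    authority=[RR("example.com.", "NS", "ns1.example.com.")])
APEX = Response("com.", answer=[RR("com.", "SOA", "constructed-soa-rdata")])
```

Without the filter the typo'd host "resolves" to the wildcard address and the MTA check passes; with it the resolver hands back NXDOMAIN and the rejection works again.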
Brandon S. Allbery KF8NH
2003-Sep-17 09:44 UTC
Request for FreeBSD 4.9-RELEASE: PLEASE include this patch to BIND and turn it on by default
On Wed, 2003-09-17 at 12:37, Brett Glass wrote:

> The message below describes an emergency patch, made by ISC to BIND, which
> defeats Verisign's TLD wildcards. Please incorporate this patch into the
> version of BIND that ships with FreeBSD 4.9-RELEASE. It will save many of
> us a lot of tedious manual patching!

Please do NOT incorporate it. Discussion on the SAGE list indicates that there is a bug which prevents NS entries for domains with no cached data from being recognized. A corrected patch is expected "soon".

-- 
brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
system administrator [WAY too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ. KF8NH
URGENT! E-xpedient nuked APK subdomains; kf8nh.apk.net is DEAD. Sorry.
Brett Glass
2003-Sep-17 09:48 UTC
Request for FreeBSD 4.9-RELEASE: PLEASE include this patch to BIND and turn it on by default
At 10:43 AM 9/17/2003, Brandon S. Allbery KF8NH wrote:

>Discussion on the SAGE list indicates
>that there is a bug which prevents NS entries for domains with no cached
>data from being recognized. A corrected patch is expected "soon".

Obviously, if there's a bug, we should incorporate the corrected patch.

--Brett Glass
Scot W. Hetzel
2003-Sep-17 13:00 UTC
Request for FreeBSD 4.9-RELEASE: PLEASE include this patch to BIND and turn it on by default
From: "Brett Glass" <brett@lariat.org>

> As many of you may know, Verisign/Network Solutions has recently added
> wildcard records to the .com and .net TLDs. All typographical errors that
> result in failed resolution of a host name now cause the user's browser to
> be bounced to a search engine page maintained by Verisign.
>
> A nasty side effect of this attempt at "universal typosquatting" is that
> mail transfer agents such as Sendmail can no longer block or reduce spam by
> rejecting mail that claims to come from an unresolvable host name.
>
> The message below describes an emergency patch, made by ISC to BIND, which
> defeats Verisign's TLD wildcards. Please incorporate this patch into the
> version of BIND that ships with FreeBSD 4.9-RELEASE. It will save many of
> us a lot of tedious manual patching!
>
> [2] http://www.isc.org/products/BIND/delegation-only.html

Currently, there is no delegation-only patch available from isc.org for Bind 8. According to Paul Vixie [1], Bind 8 is not a priority as they would rather put it into feature freeze, but they are considering it.

Several administrators [2,3] have created a patch for bind8, but it hard-codes the IP address being used by Verisign into the named daemon.

Scot

[1] NANOG Mail List - http://www.merit.edu/mail.archives/nanog/msg13868.html
[2] NANOG Mail List - http://www.merit.edu/mail.archives/nanog/msg13704.html
[3] BIND Users List - http://marc.theaimsgroup.com/?l=bind-users&m=106381817926374&w=2
Brett Glass
2003-Sep-17 13:12 UTC
Request for FreeBSD 4.9-RELEASE: PLEASE include this patch to BIND and turn it on by default
At 01:50 PM 9/17/2003, Scot W. Hetzel wrote:

>Several administrators [2,3] have created a patch for bind8, but it hard
>codes the IP address being used by Verisign into the named daemon.

Perhaps it could be made to look at an environment variable?

--Brett
Doug Barton
2003-Sep-18 02:15 UTC
Request for FreeBSD 4.9-RELEASE: PLEASE include this patch to BIND and turn it on by default
I've commented on this a couple of times already, but it's probably worth stating again.

If a proper patch is available for bind 9, from the ISC, it'll be included in the port. If a proper patch is available for bind 8, from the ISC, it'll be included in HEAD, the ports, and MFC'ed asap.

Whether any of the above happens before 4.9-RELEASE or not is partly up to the timing of said patches, and partly up to the judgement of the re and portmgr teams as to whether or not the patches have had sufficient time to mature.

Under no circumstances will any of the available options be enabled by default. FreeBSD's philosophy has always been "Tools, not policy," and I can't think of a better example of when this is a good idea.

Doug (BIND maintainer)

-- 
This .signature sanitized for your protection