Message-ID: <6FB083FB72EFD21181D30004AC4CA18A02B53483@srv002>
From: sam.pointer at hpdsoftware.com (Sam Pointer)
Subject: Verisign abusing .COM/.NET monopoly, BIND releases new

Thor Larholm wrote:
>For now, it is returning the same IP address, but I have no trouble
>imagining Verisign evading DNS filters by changing the A records every
>now and then. Any solution to prevent Verisign's greed should keep this
>in mind.

AFAIK the BIND patch (when set up) accepts delegation RRs *only* from
configured domains (i.e. SOA and NS records) and forces any in-zone replies
(i.e. A records such as the one used by Verisign in this instance) in these
domains to be interpreted as NXDOMAIN responses (paraphrase of the ISC's
text at http://www.isc.org/products/BIND/delegation-only.html), giving
normal DNS behaviour.

In short: it doesn't matter what the A record changed to, if you apply and
configure the patch and you get an A record back from a delegation only
domain then it's discarded. What IP address is returned is immaterial, so
moving it about is a no-go.

This is much better than any hard-coded constant or updated list of IP
address options I've seen on various lists.

IMHO I think that this system will die a death as soon as the major BIND
shops have time to test and implement this patch. Most do not run their own
nameservers and when the major ISPs completely bypass this 'feature'
Verisign will give it up as a hopeless task. That combined with the fact
that they seem to have trouble merely keeping the boxes at the other end of
'sitefinder' alive.


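The delegation-only filtering described in the reply above, as an added example that is not code from the post or from ISC's BIND: a small resolver-side model in Python that accepts only referrals and apex SOA/NS data from a configured parent zone and rewrites any other in-zone answer to NXDOMAIN, whatever address it carries. The zone set, record classes and sample responses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List

# Parent zones the resolver operator treats as delegation-only
# (constructed stand-in for the named.conf setting).
DELEGATION_ONLY_ZONES = {"com", "net"}

@dataclass
class RR:
    name: str
    rtype: str
    rdata: str

@dataclass
class Response:
    qname: str
    rcode: str                              # "NOERROR" or "NXDOMAIN"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)

def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)

def is_referral(resp: Response, zone: str) -> bool:
    # A referral has no answer RRs, only NS records for a child of the zone
    return not resp.answer and any(
        rr.rtype == "NS" and rr.name != zone and in_zone(rr.name, zone)
        for rr in resp.authority)

def enforce_delegation_only(resp: Response, answering_zone: str) -> Response:
    """Filter a response returned by the authoritative servers of
    `answering_zone`. For a delegation-only zone, only referrals and the
    zone's own apex SOA/NS records pass; any other in-zone answer (such as
    a wildcard A record) becomes NXDOMAIN regardless of the rdata."""
    if answering_zone not in DELEGATION_ONLY_ZONES:
        return resp                         # child zones answer normally
    if is_referral(resp, answering_zone):
        return resp
    apex_only = bool(resp.answer) and all(
        rr.name == answering_zone and rr.rtype in {"SOA", "NS"}
        for rr in resp.answer)
    if apex_only:
        return resp
    return Response(resp.qname, "NXDOMAIN")

# Constructed sample responses from the .com servers
referral = Response("www.example.com", "NOERROR",
                    authority=[RR("example.com", "NS", "ns1.example.com")])
wildcard = Response("www.mistyped-name.com", "NOERROR",
                    answer=[RR("www.mistyped-name.com", "A", "192.0.2.1")])
```

Changing the address in `wildcard` leaves the outcome unchanged, which is the point made in the reply: the filter keys on where the answer came from, not on what it contains.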


