RE: [Asrg] 5. Challenge/Response Internetworking - DNS wildcards (was 7. BCP - Verisign: All Your Misspelling Are Belong To Us)
Wouldn't the entire world, minus the few of us that use CR, be
non-compliant with CRI? As per the issues with SMTP, the entire world
including CR, will have some concerns with wildcarding.
> -----Original Message-----
> From: yshafranovich02@sprintpcs.com [mailto:yshafranovich02@sprintpcs.com]
> On Behalf Of Yakov Shafranovich
> Sent: Thursday, September 18, 2003 8:51 PM
> To: Eric Dean
> Cc: 'ASRG list'
> Subject: Re: [Asrg] 5. Challenge/Response Internetworking - DNS wildcards
> (was 7. BCP - Verisign: All Your Misspelling Are Belong To Us)
>
> When using CRI over SMTP, not CRI over MIME, this would equal to dealing
> with a non-compliant SMTP server. As long as dealing with abnormal SMTP
> servers is accounted in CRI, this would be fine. When dealing with CRI
> over MIME, this does not make a difference aside from regular problems
> with SMTP delivering messages over and over.
>
> Yakov
>
> Eric Dean wrote:
>
> > I still don't see how CRI will break. We send CRI headers...we don't
> > get a response...how is that broken?
> >
> >
> >>-----Original Message-----
> >>From: asrg-admin@ietf.org [mailto:asrg-admin@ietf.org] On Behalf Of Yakov Shafranovich
> >>Sent: Tuesday, September 16, 2003 8:48 AM
> >>To: ASRG list
> >>Subject: [Asrg] 5. Challenge/Response Internetworking - DNS wildcards (was
> >>7. BCP - Verisign: All Your Misspelling Are Belong To Us)
> >>
> >>The message below has direct relevance to the CRI proposal, specifically
> >>the part about verifying the sender via SMTP. With wildcards enabled,
> >>CRI via SMTP will break.
> >>
> >>Yakov
> >>
> >>-------- Original Message --------
> >>Subject: 7. BCP - Verisign: All Your Misspelling Are Belong To Us
> >>Date: Tue, 16 Sep 2003 01:26:23 -0400
> >>From: Yakov Shafranovich <research@solidmatrix.com>
> >>To: Brad Knowles <brad.knowles@skynet.be>
> >>CC: IRTF ASRG <asrg@ietf.org>
> >>References: <a06001a20bb8c10de2061@[10.0.1.2]>
> >>
> >>PLEASE BE ADVISED THAT VERISIGN IS OPERATING AN SMTP SERVER AT THAT
> >>ADDRESS. The SMTP server appears fake, take a look at the following
> >>transaction:
> >>
> >>----snip---
> >>open 64.94.110.11 25
> >>220 snubby1-wceast Snubby Mail Rejector Daemon v1.3 ready
> >>blahblahbla
> >>250 OK
> >>blahblahbla
> >>250 OK
> >>blahblabhjla
> >>550 User domain does not exist.
> >>blahblbjhbj
> >>250 OK
> >>blajbjbjb
> >>221 snubby1-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
> >>
> >>Connection to host lost.
> >>----snip---
> >>
> >>Brad Knowles wrote:
> >>
> >>
> >>>Folks,
> >>>
> >>> This was just posted to the NANOG mailing list. There are already
> >>>people who are working on hacking BIND to return NXDOMAIN for wildcard
> >>>records in TLD zones, or perhaps for any reference to the specific IP
> >>>address(es) they are using (so far, we only know about 64.94.110.11).
> >>>Meanwhile, many are already null-routing this IP address.
> >>>
> >>> This affects us, because now anyone can send spam with an address
> >>>like "i@spam.from.verisign.becausethisdomaindoesntreallyexist.net", and
> >>>yet still have that pass standard anti-spam checks like "Does this
> >>>domain really exist in the DNS"?
> >>>
> >>>
> >>> Another one for the service provider BCP, I think.
> >>>
> >>>
> >>> Anyway, the full message announcing this "enhancement" is:
> >>>
> >>>
> >>>>Date: Mon, 15 Sep 2003 19:24:29 -0400
> >>>>From: Matt Larson <mlarson@verisign.com>
> >>>>To: nanog@nanog.org
> >>>>Subject: Change to .com/.net behavior
> >>>>
> >>>>
> >>>>Today VeriSign is adding a wildcard A record to the .com and .net
> >>>>zones. The wildcard record in the .net zone was activated from
> >>>>10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
> >>>>being added now. We have prepared a white paper describing VeriSign's
> >>>>wildcard implementation, which is available here:
> >>>>
> >>>>http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
> >>>>
> >>>>By way of background, over the course of last year, VeriSign has been
> >>>>engaged in various aspects of web navigation work and study. These
> >>>>activities were prompted by analysis of the IAB's recommendations
> >>>>regarding IDN navigation and discussions within the Council of
> >>>>European National Top-Level Domain Registries (CENTR) prompted by DNS
> >>>>wildcard testing in the .biz and .us top-level domains. Understanding
> >>>>that some registries have already implemented wildcards and that
> >>>>others may in the future, we believe that it would be helpful to have
> >>>>a set of guidelines for registries and would like to make them
> >>>>publicly available for that purpose. Accordingly, we drafted a white
> >>>>paper describing guidelines for the use of DNS wildcards in top-level
> >>>>domain zones. This document, which may be of interest to the NANOG
> >>>>community, is available here:
> >>>>
> >>>>http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
> >>>>
> >>>>Matt
> >>>>--
> >>>>Matt Larson <mlarson@verisign.com>
> >>>>VeriSign Naming and Directory Services
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
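
Added example, not part of any message in this thread: a sketch of the "does this domain really exist in the DNS" check made wildcard-aware by probing random labels under the TLD, the same idea as the BIND changes mentioned above. The resolver is a constructed offline stand-in and all function names are assumptions; only 64.94.110.11 and the sample sender domain come from the thread.

```python
import secrets

WILDCARD_IP = "64.94.110.11"  # address reported in the thread


def make_constructed_resolver(registered, wildcard_tlds, wildcard_ip):
    """Constructed stand-in for DNS A lookups so the example runs offline.

    Returns a function name -> set of addresses; an empty set means NXDOMAIN.
    """
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in registered:
            return set(registered[name])
        if name.rsplit(".", 1)[-1] in wildcard_tlds:
            return {wildcard_ip}  # synthesized answer from the TLD wildcard
        return set()
    return resolve


def wildcard_addresses(tld, resolve, probes=3):
    """Addresses returned for every random (almost certainly unregistered) label."""
    results = [resolve(f"{secrets.token_hex(16)}.{tld}") for _ in range(probes)]
    return set.intersection(*results)


def sender_domain_exists(domain, resolve):
    """True only if the domain has an address that the TLD wildcard does not explain.

    Simplification (assumption): a real mail check would look at MX records first.
    """
    domain = domain.lower().rstrip(".")
    answers = resolve(domain)
    if not answers:
        return False  # plain NXDOMAIN
    synthetic = wildcard_addresses(domain.rsplit(".", 1)[-1], resolve)
    return bool(answers - synthetic)


if __name__ == "__main__":
    resolve = make_constructed_resolver(
        {"example.com": ["192.0.2.10"]}, {"com", "net"}, WILDCARD_IP)
    for d in ("example.com",
              "spam.from.verisign.becausethisdomaindoesntreallyexist.net"):
        print(d, "exists" if sender_domain_exists(d, resolve) else "does not exist")
```

A domain whose only address is the wildcard target is treated as nonexistent, which is the behaviour the NXDOMAIN patches aim for.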