VeriSign has setup a wildcard DNS on the .net TLD, no doubt .com will follow. The Internet is defined by software. We write the software. It's up to us to fix this.
[ Home | Articles | Account | People | Projects | FAQ ] 
VeriSign has setup a wildcard DNS on the .net TLD, no doubt .com will follow. The Internet is defined by software. We write the software. It's up to us to fix this.
Possesion is nine-tenths of the law, and Verisign are taking upon themselves possesion not only in theory but in practice of the whole DNS namespace. It is not common property, it is Verisign's, and they condescend to allow us to buy them.
Switch all your domains and SSL certificates from Network Solutions, VeriSign and Thawte (all the same company).
Are you the maintainer of a DNS server? Fix it so it does the right thing for invalid domains, rather than forwarding to to Verisign's server. (And yes, the trivial hard-coded implementation would be broken -- figure out the right way to do it.)
Do you run an ISP? Block the Verisign catchall domain.
Are you the author of a browser? Likewise.
Choose your side.
Actually blocking this domain is censorship :)
Other possible negative things:
- AntiSpam based on DNS resolving no longer works
- All mail to mistyped domain will be forwarded (and posibbly saved) by VS
In .UA some of ISPs are already blocking sitefinder's host/ip. Other in process of desiding. If they will not - they loose money on channel traffic payment.
Someone here says: "We are not going to support biggest cybersquatter of the world" :)
What should happen is the old behaviour - "no such host".
I haven't used opennic but it was suggested on a local email list discussing this same topic. opennic
I haven't used opennic but it was suggested on a local email list discussing this same topic. opennic
Did you say no?
Do you still have VeriSign's certs in your browser? How can you answer no to the above if you haven't done this. Certificates are based upon us trusting VeriSign to do their jobs properly. How can we trust them to properly verify people's and company's identies if we don't trust their stewardship of the domains. I would recommend that everyone remove VeriSign's certificates and ask any secure site to obtain another signed certificate that isn't signed by VeriSign.
Luckily, Paul Vixie has said that he plans on releasing a patch today that will remove the reply of the wild card domain from bind. Hopefully it will be like someone suggested, and query the *.{com,net} record, and return NXDOMAIN on any domain that matches the wildcard record. I believe that FreeBSD will add such a patch (at least under a knob), and I think I have also convinced my place of work to apply the patch. Currently, I'm using other people's dns servers, but once I get my dsl line attached, I'll be appling that patch myself.
The fun of internet trust.
If there's no MX record, then mail delivery reverts to the A record. And VeriSign is running a broken mail server on port 25.
I misread the bounce...
It is very strange that this happened. It is stranger still that there is any discussion about it. Those guys should have been slapped down ages ago for their terrible manners.
It is MOST ironic that they are trusted to issue certificates when they are not trustworthy themselves. The Internet is indeed a strange and wonderful place where almost anything can happen and eventually does.
I fear that power in cyberspace is aligning with power in meatspace. I am hopeful that the Internet will route around this, but I have my doubtful moments.
New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.
Keep up with the latest Advogato features by reading the Advogato status blog.
If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!
del.icio.us
Digg
Google bookmark
reddit
Simpy
StumbleUpon
Furl
Newsvine
Technorati
Tailrank