From owner-freebsd-stable@FreeBSD.ORG Wed Sep 17 09:38:01 2003
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 88CF316A4B3; Wed, 17 Sep 2003 09:38:01 -0700 (PDT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 716BF43F75; Wed, 17 Sep 2003 09:38:00 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA20211; Wed, 17 Sep 2003 10:37:47 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20030917103213.02926750@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 17 Sep 2003 10:37:41 -0600
To: stable@freebsd.org
From: Brett Glass
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Request for FreeBSD 4.9-RELEASE: PLEASE include this patch to BIND and turn it on by default
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Wed, 17 Sep 2003 16:38:01 -0000

All:

As many of you may know, Verisign/Network Solutions has recently added wildcard records to the .com and .net TLDs. All typographical errors that result in failed resolution of a host name now cause the user's browser to be bounced to a search engine page maintained by Verisign. A nasty side effect of this attempt at "universal typosquatting" is that mail transfer agents such as Sendmail can no longer reduce spam by rejecting mail that claims to come from an unresolvable host name.

The message below describes an emergency patch, made by ISC to BIND, which defeats Verisign's TLD wildcards.
Please incorporate this patch into the version of BIND that ships with FreeBSD 4.9-RELEASE. It will save many of us a lot of tedious manual patching!

--Brett Glass

-------------------

Date: Wed, 17 Sep 2003 15:58:01 +0200
From: "Remco B. Brink"
Subject: Evil VeriSign, patch included
To: dave@farber.net

Hello Dave,

this might be of interest for IP.

VeriSign's controversial "typo-squatting" Site Finder service is about to be bypassed [1] by an emergency software patch to many of the Internet's backbone computers. The Internet Software Consortium, a nonprofit that publishes BIND, the software that runs many of the Net's domain name servers, has just released an emergency patch [2] to block VeriSign's new Site Finder service.

After patching BIND, the magic named.conf incantation to counter the VeriSign braindamage is as easy as:

    zone "com" { type delegation-only; };
    zone "net" { type delegation-only; };

Jason Garman wrote a nice little rant explaining why this typo-squatting is so totally evil [3].

Another thing to consider is that ISPs' mail queues will get much larger, as mail delivery failures etc. will now queue for retry rather than being failed as a permanent error. That makes you just really pray the next spamming worm is going to be a long time away...

regards,
Remco

[1] http://www.wired.com/news/technology/0,1282,60473,00.html
[2] http://www.isc.org/products/BIND/delegation-only.html
[3] http://www.haque.net/verisign_dns_rant.php

--
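A practitioner who has applied the delegation-only zones above will want a way to confirm that the resolver in front of their MTA now returns NXDOMAIN for bogus .com/.net names instead of a synthesized A record. The script below is an added example written for this page; it is not part of either mail or of the ISC patch. It parses the header lines of ordinary dig output (the "status:" and "ANSWER:" fields), so it can be unit-checked offline against the two constructed dig transcripts embedded in the file, and then pointed at a live resolver with tld_wildcard_check. The address 192.0.2.1 in the constructed sample is a documentation address, not the real wildcard target; the function names, the "nx-" label prefix and the use of dig are my choices.

```shell
#!/bin/sh
# Added example (not from the original mails): does a resolver still hand
# back a synthesized answer for a name that does not exist under a TLD?

# Constructed dig transcript of a resolver that still follows the TLD
# wildcard: NOERROR with one A record (192.0.2.1 is a documentation address).
SYNTHESIZED_SAMPLE='; <<>> DiG 9.2.2 <<>> nx-deadbeef.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
nx-deadbeef.com.  900  IN  A  192.0.2.1'

# Constructed dig transcript of a resolver running with the delegation-only
# zones: the name is reported as non-existent and no answer records follow.
NXDOMAIN_SAMPLE='; <<>> DiG 9.2.2 <<>> nx-deadbeef.com A
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

# Reads dig output on stdin. Returns 0 (true) when the response is a
# synthesized positive answer (status NOERROR with at least one answer
# record), 1 when it is NXDOMAIN or carries no answer records.
has_synthesized_answer() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\).*/\1/p' | head -n 1)
    if [ "$status" = "NOERROR" ] && [ "${answers:-0}" -gt 0 ]; then
        return 0
    fi
    return 1
}

# Live check (needs dig and network access): query a random, almost
# certainly unregistered label under the given TLD, optionally through a
# specific resolver, and report whether the answer was synthesized.
#   tld_wildcard_check com            # use the system resolver
#   tld_wildcard_check net 127.0.0.1  # use the local BIND
tld_wildcard_check() {
    tld=$1
    resolver=${2:-}
    label="nx-$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
    if [ -n "$resolver" ]; then
        dig @"$resolver" "$label.$tld" A | has_synthesized_answer
    else
        dig "$label.$tld" A | has_synthesized_answer
    fi
}
```

Run it against the resolver your MTA actually uses, not just localhost: Sendmail's unresolvable-sender rejection only comes back once every resolver in that path returns NXDOMAIN. Keep the delegation-only type limited to the two TLDs named in the mail above; the ISC page cited as [2] is the reference for which zones the type is safe to apply to.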