News from PANUG/BizNix - September 17, 2003
http://panug.org - http://biznix.org

This broadcast focuses entirely on the DNS issues that arose on Monday when Verisign/NSI added wildcard records to the root (GTLD) DNS servers for the .COM and .NET domains. The first two articles bring you up to speed on the problem and the last article tells you about a solution.

VERISIGN PULLS A MICROSOFT
by Russ Washington

For those who haven't heard already, this week Verisign threw a wildcard DNS record into the .COM and .NET TLDs. In effect, that means that you will never get told by DNS that a domain ending in .COM or .NET doesn't exist. They all exist.

Those who manage mail servers will very quickly understand the impact of this. One of the first anti-spam defenses of a good mail server is to toss anything from a sender whose domain doesn't exist. It's crude, but effective, and for anyone who doubted its effectiveness, we are now learning about the impact of no longer being able to do that check in the form of increased counts of spam that gets through. One client of mine described their get-through spam volume as having "simply gone crazy."

I would like to know how other members are dealing with this issue. Have you figured out how to get your DNS server to translate the Verisign-visit-our-ad-page DNS response to an NXDOMAIN? Are you blackholing? Would love to know.

For those who haven't heard the details yet, here are some URLs for reference:

http://panug.org/39 - Slashdot
http://panug.org/40 - News.com
http://panug.org/41 - Verisign's white paper

WHEN DNS LIES
by Ed Sawicki - Accelerated Learning Center / Tailored Computers

In the past, DNS has had problems but at least you could rely on the root servers to tell you the truth. No longer. Now they lie. The downside is that this breaks some software and systems. The most obvious breakage was immediately noticed by the e-mail/anti-spam community. You may have noticed an increase in spam mail this week.
When root servers lie, we can no longer reject mail based on invalid domain names. Thousands of people are now trying to figure out how to fix their mail servers. Other things have likely been broken as well, though we may not discover them right away. Our ability to troubleshoot DNS-related problems has certainly been made a bit more complex. For most IT people, DNS is complicated enough. Servers that lie add to the complexity, time, and expense of maintaining your IP-based systems.

The bad guy in all this is Verisign/NSI. I don't know whether they saw this as an opportunity for cheap advertising at our expense or whether they wanted to provide a helpful service as their white paper suggests. I do know that it's a mistake to have our critical DNS infrastructure in their hands. Control of DNS should be in the hands of those that prioritize their public trust over their lust for profits and have the needed technical competence to understand the impact of their actions. Verisign seems to fail on both counts.

FIXING DNS
by Ed Sawicki - Accelerated Learning Center / Tailored Computers

The Verisign/DNS root server problem can be solved with smart DNS software that eliminates the wildcard records sent by the root servers. Numerous people are working on such solutions. My company has already implemented a solution.

By fixing the DNS wildcard problem, you eliminate the need to find a fix for your e-mail server. You also eliminate other potential problems with other protocols that may occur as a result of the wildcard problem. In addition to solving the root server wildcard problem, our DNS solutions also provide other value-added features such as resolving all the Top Level Domains - not just those approved by ICANN.

There are two ways you can take advantage of this:

1. You can point your DNS resolvers or servers to our DNS servers instead of pointing them to the ICANN root servers. It will then behave as it did before Verisign made the change on Monday. There's a charge for the service.

2. We can supply you with the smart DNS software that you install on one of your computers. It's supplied as a sealed system on a CD-ROM. We configure it for your environment in advance so you just boot from the CD-ROM. The system starts up and you've done no installation or configuration. It just works - similar to using a Nintendo or PlayStation video game system.

Give me a call at 503-635-6370 for more information.

DISCLAIMER

PANUG and BizNix welcome contributions from all members. Member contributions do not necessarily represent the official positions of PANUG or BizNix. The views of members that contribute frequently may appear to be the official position of the group(s). If you contribute, you'll be adding vital diversity of opinion and outlook to these broadcasts.
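As an added illustration of the two mechanisms discussed in this broadcast (the mail server's sender-domain check from Russ Washington's article, and a resolver that turns the wildcard answer back into NXDOMAIN, which is what Ed Sawicki's "smart DNS software" does), here is example code written for this newsletter; it is not the software either contributor uses. The zone data, the lying resolver and the wildcard address 192.0.2.1 (a documentation address) are constructed stand-ins; the detection technique, resolving a label that cannot exist and treating any answer equal to that probe's answer as NXDOMAIN, generalizes to any TLD that adds a wildcard.

```python
import secrets
from typing import Callable, Dict, Optional, Set

Answer = Optional[Set[str]]  # set of A records, or None for NXDOMAIN

# Constructed stand-ins: a tiny zone, the wildcarded TLDs, and a wildcard target.
WILDCARD_IP = "192.0.2.1"
WILDCARD_TLDS = ("com", "net")
ZONE: Dict[str, Set[str]] = {"example.com": {"198.51.100.10"}, "panug.org": {"198.51.100.20"}}


def lying_resolver(name: str) -> Answer:
    """Behaves like the root servers after Monday: any otherwise nonexistent
    .com/.net name gets the wildcard address instead of NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in ZONE:
        return set(ZONE[name])
    return {WILDCARD_IP} if name.rsplit(".", 1)[-1] in WILDCARD_TLDS else None


class WildcardFilter:
    """Wraps a resolver and turns wildcard-synthesised answers back into NXDOMAIN.
    Per TLD it resolves a random label that cannot exist; whatever that probe
    returns is the wildcard's fingerprint (None means the TLD has no wildcard)."""

    def __init__(self, resolve: Callable[[str], Answer]) -> None:
        self._resolve = resolve
        self._fingerprint: Dict[str, Answer] = {}

    def _wildcard_answer(self, tld: str) -> Answer:
        if tld not in self._fingerprint:
            self._fingerprint[tld] = self._resolve(f"nx-{secrets.token_hex(8)}.{tld}")
        return self._fingerprint[tld]

    def lookup(self, name: str) -> Answer:
        name = name.lower().rstrip(".")
        answer = self._resolve(name)
        if answer is None:
            return None
        wildcard = self._wildcard_answer(name.rsplit(".", 1)[-1])
        # A real host parked on the wildcard address is hidden as well;
        # that is the accepted cost of fingerprinting by answer.
        if wildcard is not None and answer <= wildcard:
            return None
        return answer


def sender_domain_exists(address: str, resolver: WildcardFilter) -> bool:
    """The crude-but-effective mail check: reject senders whose domain does not
    exist. Simplified to an A lookup; real MTAs consult MX records first."""
    domain = address.rpartition("@")[2]
    return bool(domain) and resolver.lookup(domain) is not None
```

Because the fingerprint is learned per TLD rather than hard-coded, the same filter keeps working if the wildcard's target address changes or another registry adds one.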