[plug] verisign DNS breakage - bind patch FYI

[Craig Ringer]

Hi folks

If it's of any use for customers severely affected by the verisign DNS 
breakage (the new .net/.com wildcard A record), I've found a preliminary 
patch to BIND.

http://achurch.org/bind-verisign-patch.html

As the author notes, this is not production quality, and only applies to 
bind8. It may be worth informing your tech support staff of, however, in 
case you have customers using BIND8 locally who are severly affected and 
need to try any available fix.

I hope that later iiNet will be able to patch their nameservers to 
correctly return NXDOMAIN to any DNS reply with an A record of 
64.94.110.11 .

I'm going to be porting this patch to BIND9 and applying it here. We get 
a lot of amateur spam 'press releases' etc, which spoof a non-existant 
domain instead of the traditional webmail address. As such, they're easy 
to reject or tarpit at the MAIL FROM: stage of the SMTP transaction, 
avoiding wasting our bandwidth and staff time. They're the vast majority 
of our incoming spam. SpamAssassin is not good at catching this kind of 
spam, as it looks a lot like a legit press release and it's only really 
a major problem for organisations on the "newspaper" email address lists 
floating around the 'net. The Verisign changes have totally broken this, 
and I'm already seeing our mail volumes increasing sharply.
Even accepting these messages at all also increases our bandwidth costs 
and mail server load (especially with SpamAssassin).

I'll be delighted to hear if iiNet patches it's nameservers to restore 
the proper behaviour of the DNS, in the process rejecting Verisign's 
money-grubbing move and saving yourselves and your customers time, 
aggrivation, and wasted bandwidth.

Craig Ringer
IT Manager
POST Newspapers


_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug