Verisign Countermeasures

For information about what is wrong with Verisign's actions, see this page. For a list of technical problems that have been/could be caused by Verisign, see this

ICANN take (some sort of) action

new Official Postfix patches at http://www.postfix.org/download.html, filename postfix-2.0-ns-mx-acl-patch.gz
Yet more ISC BIND patches. The recommended config setting is now root-delegation-only exclude { "org"; "de"; "lv"; "museum"; };:
- 9.1.3-P3 tarball, announcement
- 9.2.2-P3 tarball, announcement
- 9.2.3rc4 tarball, announcement
ISC Bind patches (it's in Rawhide for RedHat users with version 9.2.2-23). Rob Brown has also made RPMS. Debian packages are here. More RPMS (for RedHat 7.3 and above) by Brian Bruns are here
Instructions for reconfiguring BIND 8.3.4 to ignore the bad gTLD server are here
And for BIND 8.4.1 there is a patch here and another one (more general) here

Note for BIND users: The /. patch is reported to make all lookups very slow. The phirate patch is reported to crash BIND in some cases and the ISC patch causes NS lookups for non-cached domains to fail with NXDOMAIN - expect another version soon.

updated And a djbdns patch here. And here is a Gentoo build for that.
A patch for the Mailtraq email server
A patch for PowerDNS
An LD_PRELOAD able library for Linux is here
A sendmail ruleset is here.
Another sendmail ruleset that doesn't hard code the IP addresses into the main config (from Philip Kizer. Add to the config with HACK(check_nxdomain)).
An Exim ACL condition here
And another change to the Exim 4 config
A new release of Simple DNS Plus now has the ability to translate given IP addresses to NXDOMAIN
DNSMasq 1.15 has added a --bogus-nxdomain option which will filter Verisign wildcards.

If anyone has any other URLs that should be in the list above, please email them to me.

The start of a list of wildcard ips:

gTLD	Wildcard IPs
`.AC`	194.205.62.122
`.BZ`	216.220.34.101 (listed as `*.bz` but doesn't actually do anything)
`.CC`	194.205.62.122 206.253.214.102
`.COM`	64.94.110.11
`.CN`	159.226.7.162 (listed as `*.cn` but doesn't actually do anything)
`.CX`	219.88.106.80
`.MP`	202.128.12.163
`.MUSEUM`	195.7.77.20
`.NU`	64.55.105.9 212.181.91.6
`.NET`	64.94.110.11
`.PH`	203.119.4.6
`.PW`	216.98.141.250 65.125.231.178
`.SH`	194.205.62.62
`.TD`	146.101.245.154
`.TK`	195.20.32.83 195.20.32.86
`.TM`	194.205.62.42 (194.205.62.62 also reported, but cannot confirm)
`.TW`	203.73.24.11
`.WS`	216.35.187.246

Here is a script to automatically generate a list like the table above

Aaron Swartz has written a more comprehensive find-all-wildcards script:

for dom in `curl -s ftp://ftp.internic.net/domain/root.zone.gz | gunzip -c | grep NS | awk '{print $1}' | uniq | egrep "^[^\.]*\.$"`; do
	Y=`dnsip "*.$dom"`
	if [ "$Y" ]; then echo $dom $Y; fi
done

An if you don't have dnsip (it's a part of djbdns) Rob Brown has rewritten the above to use dig

curl -s ftp://ftp.internic.net/domain/root.zone.gz | gunzip -c | grep NS | awk '{print $1}' | uniq | egrep '^[^\.]+\.' | xargs -i dig _.{} | perl -n -e 'print if s/^_\.(\w+)\..*\s([\d\.]+)$/$1 $2/;'

Another script to find wildcard domains

Marc Boucher has contributed a variation on the above scripts to get all information for the hostname: A, CNAME and MX records.

Site Map

/	Root
Alternate	The Weird and Wonderful
Backlinks	What are backlinks
John Gilmore	What's Wrong with Copy Protection
Archives	Blog Archives
One	Archive 1
Two	Archive 2
Three	Archive 3
Four	Archive 4
Five	Archive 5
Six	Archive 6
Seven	Archive 7
Eight	Archive 8
Nine	Archive 9
Ten	Archive 10
Eleven	Archive 11
Twelve	Archive 12
Thirteen	Archive 13
Fourteen	Archive 14
Fifteen	Archive 15
Sixteen	Archive 16
Seventeen	Archive 17
Eighteen	Archive 18
Nineteen	Archive 19
Twenty	Archive 20
Twenty One	Archive 21
Twenty Two	Archive 22
Twenty Three	Archive 23
Twenty Four	Archive 24
Twenty Five	Archive 25
Twenty Six	Archive 26
Twenty Seven	Archive 27
Twenty Eight	Archive 28
Twenty Nine	Archive 29
Thirty	Archive 30
Thirty One	Archive 31
Photos	Poor People Caught on Film
Jack and the Beanstalk	Jack and the Beanstalk
RIP Scan	Results of a Stage Scan Fire
Yosemite	Yosemite National Park
Projects	Incomplete things from the lab
Seagull's Bane	Linux Automounter
bttrackd	BitTorrent Tracker
CAPTCHA	CAPTCHA CGI script
Conserv	Console Serving
Deerpark	Using Tor with Firefox/1.1 (Deerpark)
DNSFix	Fixing DNS
Xovers	XTA Crossover Control
IAFS	Archive Org Storage
JBIG2	JBIG2 Encoder
Verify	PGP Key Verifier
MaxFlow	Maximal Flow in Python
PyBloom	Bloom Filters in Python
pyGnuTLS	Python wrapping of GnuTLS
Sxmap	Apache SuEXEC Map
Hellard	Union Server Notes
Recordings	Free recordings
ICSM Choir	St Paul's Church
School	Ancient School Stuff
Writings	Who knows
Cap Systems	Capability Systems
Intro	Introduction to me
Suprema	JMC2 Group Project
MP Letters	Letters I've written to my MP
Sound	Sound With Dramsoc
SyncThreading	The wonders of user-land threads