[TriLUG] Delegation Only patch for Bind

Tanner Lovelace lovelace at trilug.org
Wed Sep 17 15:45:09 EDT 2003


Hi folks,

After the furor yesterday over Verisign's adding wildcard entries
to the .com and .net namespaces, ISC, the people who brought you
the nameserver BIND, have come out with a patch to designate that
certain zones should be "delegation only".  This patch "fixes"
what Verisign has done.

Some background, for those of you who are already lost.
DNS works this way.  To look up a name in a domain, say
trilug.org, your nameserver first queries a root nameserver.
The root nameserver is only supposed to tell you where you
can find the information. Or, in other words, it is supposed
to "delegate" that information to the true name server.
(Actually, this is supposed to work recursively from the
root domain "." through each successive domain until you
come to an authoritative source.)  So, a root server would
say, hmm.. a ".org", go ask over at x.x.x.x for .org domains.
Your name server would then go ask x.x.x.x, and it would send
it to the name server for trilug.org, which could then answer
the question.  (Generally, though, the root nameservers and
the generic top level domain servers are the same, so there
would only be one step.)  What Verisign did was to place a wildcard
record for *.com and *.net pointing to their host.  This way, if
someone asked for something like SDLKFJSKDJF.COM, the server would see
that there was no delegation for that domain and instead return
the record that matched: *.com, which points to Verisign.
This breaks several things, including spam checks that
verify a domain exists before accepting mail from it.

What this patch from ISC does is let you specify that
certain zones (portions of a domain name) must be "delegation only".
So, if the name server receives any response other than a referral
to another name server for the specified domains, it will discard
it and return an NXDOMAIN error (no such domain), which is how things
used to be.

The patch can be found at ISC's website:
http://www.isc.org/products/BIND/delegation-only.html

However, if you don't feel like downloading, patching and
rebuilding, we've gone ahead and built some rpms for you
for Red Hat Linux 7.3, 9, Aurora Linux, and Mandrake 9.1.
They can be found here:

Red Hat 7.3, 9 and Aurora Linux:

ftp://ftp.trilug.org/pub/linux/contrib/trilug/
http://mirrors.trilug.org/linux/contrib/trilug/

(note that trilug members must use the e-mail
address they signed up with and their membership
number for access.  If you're not a trilug member,
anonymous ftp will work, but is bandwidth limited.)

Mandrake 9.1

http://rpms.wayfarer.org/

The Red Hat 7.3, 9 and Mandrake 9.1 rpms are signed with
my gpg key and the Aurora ones should be signed with Jeremy
Portzer's key.

If you use apt for rpm, you can find instructions for
setting it up to access these rpms at
http://members.trilug.org/services_faq/TriLUG-mail-faq-4.html#ss4.6

Currently there is no urpmi setup for Mandrake, sorry.

Just installing this patch, however, isn't all you need to do.
You must also configure which zones are delegation only
in /etc/named.conf.  The following lines should fix what
Verisign has done:

zone "com" {
         type delegation-only;
};

zone "net" {
         type delegation-only;
};

Note that you may or may not have to add "IN" (without quotes) between
"com"/"net" and the "{". (I've seen both, and both seem to work.)

Add those to /etc/named.conf, restart named, and voila, unregistered
domains now return no such domain (NXDOMAIN) again, like they did
before Verisign added the wildcard records.
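As an added illustration (not part of the original post or of ISC's patch), here is a small Python model of the decision the delegation-only rule makes on a reply from a configured zone; the record classes, zone list and sample replies are constructed for the example, and it assumes the reply came from the zone's own servers.

```python
from dataclasses import dataclass, field

# Zones marked "type delegation-only" in named.conf (from the post's config).
DELEGATION_ONLY = ("com", "net")

@dataclass
class RR:               # one resource record, simplified
    name: str
    rtype: str
    rdata: str

@dataclass
class Response:         # the parts of a DNS reply the check looks at
    qname: str
    rcode: str                                  # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def _norm(name):
    return name.lower().rstrip(".")

def enclosing_zone(qname, zones=DELEGATION_ONLY):
    """Return the configured delegation-only zone the name falls under, if any."""
    n = _norm(qname)
    return next((z for z in zones if n == z or n.endswith("." + z)), None)

def effective_rcode(resp, zones=DELEGATION_ONLY):
    """Model of the rule: a reply from a delegation-only zone may only be a
    referral (NS records in the authority section, empty answer section) or
    NXDOMAIN.  Anything else, such as a synthesized A record for *.com, is
    turned into NXDOMAIN.  Assumes the reply came from the zone's servers."""
    zone = enclosing_zone(resp.qname, zones)
    if zone is None or resp.rcode != "NOERROR":
        return resp.rcode            # not a configured zone, or already NXDOMAIN
    # Data at the zone apex itself ("com" NS/SOA) is legitimate, not a wildcard hit.
    offending = [rr for rr in resp.answer
                 if _norm(rr.name) != zone and rr.rtype != "NS"]
    return "NXDOMAIN" if offending else resp.rcode

# Constructed sample replies (192.0.2.x are documentation addresses).
REFERRAL = Response("www.example.com", "NOERROR",
                    authority=[RR("example.com", "NS", "ns1.example.com")])
WILDCARD_HIT = Response("SDLKFJSKDJF.COM", "NOERROR",
                        answer=[RR("SDLKFJSKDJF.COM", "A", "192.0.2.1")])
APEX = Response("com", "NOERROR", answer=[RR("com", "NS", "a.gtld-servers.net")])
OTHER_TLD = Response("nosuchname.org", "NOERROR",
                     answer=[RR("nosuchname.org", "A", "192.0.2.2")])
```

Only the wildcard hit is rewritten; the referral, the apex data, and replies for zones not listed pass through unchanged.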

If you have any questions, feel free to post them here.

Cheers,
Tanner Lovelace and Jeremy Portzer
-- 
Tanner Lovelace |  lovelace(at)trilug.org  | http://www.trilug.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
Create like it's 1790. -- Lawrence Lessig