[TriLUG] Delegation Only patch for Bind
Jon Carnes
jonc at nc.rr.com
Wed Sep 17 20:34:00 EDT 2003
Kudos Tanner (and all the good folks at ISC).
Now, what is there to stop Verisign from further modifying the root
servers so that they return a delegate that simply points to one of their
name servers?
I guess nothing. I wonder if Verisign will bother though, after the
fury this last move engendered. Still, their track record for saying
"screw you" to the rest of the world is fairly high:
http://www.aetherlumina.com/verisignsucks.html
On Wed, 2003-09-17 at 15:45, Tanner Lovelace wrote:
> Hi folks,
>
> After the furor yesterday over Verisign's adding wildcard entries
> to the .com and .net namespaces, ISC, the people who brought you
> the nameserver BIND, have come out with a patch to designate that
> certain zones should be "delegation only". This patch "fixes"
> what Verisign has done.
>
> Some background, for those of you that are already lost.
> DNS works this way. To find the hostname of a domain, say
> trilug.org, your nameserver first queries a root nameserver.
> The root nameserver is only supposed to tell you where you
> can find the information. Or, in other words, it is supposed
> to "delegate" that information to the true name server.
> (Actually, this is supposed to work recursively from the
> root domain "." through each successive domain until you
> come to an authoritative source). So, a root server would
> say, hmm.. a ".org", go ask over at x.x.x.x for .org domains.
> The name server would then go ask x.x.x.x and it would send
> it to the name server for trilug.org which could then answer
> the question. (Generally, though, the root nameservers and
> the generic top level domain servers are the same, so there
> would only be one step.) What Verisign did was to place a wildcard
> record for *.com and *.net pointing to their host. This way, if
> someone asked for something like SDLKFJSKDJF.COM it would see
> that there was no delegation for that domain and instead return
> the record that matched: *.com, which points to Verisign.
> This breaks several things, including spam checking by
> verifying that a domain exists before accepting it.
>
> What this patch from ISC does is let you specify that
> certain zones (portions of a domain name) must be "delegation only".
> So, if the name server receives any responses other than another
> name server for the specified domains, it will discard them and
> return an NXDOMAIN error (no such domain), which is how things
> used to be.
>
> The patch can be found at ISC's website:
> http://www.isc.org/products/BIND/delegation-only.html
>
> However, if you don't feel like downloading, patching and
> rebuilding, we've gone ahead and built some rpms for you
> for Red Hat Linux 7.3, 9, Aurora Linux, and Mandrake 9.1.
> They can be found here:
>
> Red Hat 7.3, 9 and Aurora Linux:
>
> ftp://ftp.trilug.org/pub/linux/contrib/trilug/
> http://mirrors.trilug.org/linux/contrib/trilug/
>
> (note that trilug members must use the e-mail
> address they signed up with and their membership
> number for access. If you're not a trilug member,
> anonymous ftp will work, but is bandwidth limited.)
>
> Mandrake 9.1
>
> http://rpms.wayfarer.org/
>
> The Red Hat 7.3, 9 and Mandrake 9.1 rpms are signed with
> my gpg key and the Aurora ones should be signed with Jeremy
> Portzer's key.
>
> If you use apt for rpm, you can find instructions for
> setting it up to access these rpms at
> http://members.trilug.org/services_faq/TriLUG-mail-faq-4.html#ss4.6
>
> Currently there is no urpmi setup for Mandrake, sorry.
>
> Just installing this patch, however, isn't all you need to do.
> You must also configure which zones are delegation only
> in /etc/named.conf. The following lines should fix what
> Verisign has done:
>
> zone "com" {
> type delegation-only;
> };
>
> zone "net" {
> type delegation-only;
> };
>
> Note that you may or may not have to add "IN" (without quotes) between
> "com"/"net" and the "{". (I've seen both, and both seem to work.)
>
> Add those to /etc/named.conf, restart named, and voila, unregistered
> domains now return no such domain (NXDOMAIN) again like they did
> before Verisign added the wildcard domains.
>
> If you have any questions, feel free to post them here.
>
> Cheers,
> Tanner Lovelace and Jeremy Portzer