Veresigned

Maybe, just maybe, they underestimated the scope of this change. As of this writing, all the .com/.net roots have a wildcard: [pvenezia@t800 pvenezia]$ dnstracer -s . -o www.notarealdomain.com Tracing to www.notarealdomain.com via A.ROOT-SERVERS.NET, timeout 15 seconds A.ROOT-SERVERS.NET [.] (198.41.0.4) |\___ M.GTLD-SERVERS.NET [com] (192.55.83.30) Got authoritative answer |\___ E.GTLD-SERVERS.NET [com] (192.12

Maybe, just maybe, they underestimated the scope of this change. As of this writing, all the .com/.net roots have a wildcard:

[pvenezia@t800 pvenezia]$ dnstracer -s . -o www.notarealdomain.com
Tracing to www.notarealdomain.com via A.ROOT-SERVERS.NET, timeout 15 seconds
A.ROOT-SERVERS.NET [.] (198.41.0.4)
|\___ M.GTLD-SERVERS.NET [com] (192.55.83.30) Got authoritative answer
|\___ E.GTLD-SERVERS.NET [com] (192.12.94.30) Got authoritative answer
|\___ K.GTLD-SERVERS.NET [com] (192.52.178.30) Got authoritative answer
|\___ J.GTLD-SERVERS.NET [com] (192.48.79.30) Got authoritative answer
|\___ F.GTLD-SERVERS.NET [com] (192.35.51.30) Got authoritative answer
|\___ L.GTLD-SERVERS.NET [com] (192.41.162.30) Got authoritative answer
|\___ D.GTLD-SERVERS.NET [com] (192.31.80.30) Got authoritative answer
|\___ B.GTLD-SERVERS.NET [com] (192.33.14.30) Got authoritative answer
|\___ I.GTLD-SERVERS.NET [com] (192.43.172.30) Got authoritative answer
|\___ C.GTLD-SERVERS.NET [com] (192.26.92.30) Got authoritative answer
|\___ H.GTLD-SERVERS.NET [com] (192.54.112.30) Got authoritative answer
|\___ G.GTLD-SERVERS.NET [com] (192.42.93.30) Got authoritative answer
\___ A.GTLD-SERVERS.NET [com] (192.5.6.30) Got authoritative answer

A.GTLD-SERVERS.NET (192.5.6.30) www.notarealdomain.com -> 64.94.110.11
G.GTLD-SERVERS.NET (192.42.93.30) www.notarealdomain.com -> 64.94.110.11
H.GTLD-SERVERS.NET (192.54.112.30) www.notarealdomain.com -> 64.94.110.11
C.GTLD-SERVERS.NET (192.26.92.30) www.notarealdomain.com -> 64.94.110.11
I.GTLD-SERVERS.NET (192.43.172.30) www.notarealdomain.com -> 64.94.110.11
B.GTLD-SERVERS.NET (192.33.14.30) www.notarealdomain.com -> 64.94.110.11
D.GTLD-SERVERS.NET (192.31.80.30) www.notarealdomain.com -> 64.94.110.11
L.GTLD-SERVERS.NET (192.41.162.30) www.notarealdomain.com -> 64.94.110.11
F.GTLD-SERVERS.NET (192.35.51.30) www.notarealdomain.com -> 64.94.110.11
J.GTLD-SERVERS.NET (192.48.79.30) www.notarealdomain.com -> 64.94.110.11
K.GTLD-SERVERS.NET (192.52.178.30) www.notarealdomain.com -> 64.94.110.11
E.GTLD-SERVERS.NET (192.12.94.30) www.notarealdomain.com -> 64.94.110.11
M.GTLD-SERVERS.NET (192.55.83.30) www.notarealdomain.com -> 64.94.110.11


But nothing at 64.94.110.11 answers except the mail rejector:


[root@blues root]# nmap -P0 -sS 64.94.110.11

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on sitefinder-idn.verisign.com (64.94.110.11):
(The 1593 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp filtered telnet
25/tcp open smtp
79/tcp filtered finger
80/tcp filtered http
135/tcp filtered loc-srv
161/tcp filtered snmp
162/tcp filtered snmptrap
514/tcp filtered shell

Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
[root@blues root]# telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready

I've heard tell that ISPs are filtering this IP, although I haven't seen that yet... besides, that would result in timeouts, rather than a nearly immediate reject.

I give them another couple of days, and we will be rid of this. Even more, I hope this provokes an investigation into VeriSign's business practices.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies