Re: How can I block Verisign?

Dave Lugo <dlugo@etherboy.com> wrote in message news:<bkcuch$13vi$1@sf1.isc.org>...
> Joseph S D Yao wrote:
> > On Thu, Sep 18, 2003 at 02:08:26PM +0000, Mark wrote:
> >
> >>Ever since Verisign horribly abused its root server privileges (which should
> >>be revoked) and usurped all previously invalid "com" and "net" domains, I
> >>have been looking for a reliable way to block the
> >>"sitefinder-idn.verisign.com" (64.94.110.11) reply.
> >
> > ...
> >
> > Try using the new versions of BIND just announced.
> >
>
>
> Joseph,
>
> Can you comment at all on the "9.2.3rc2 NS lookups failing" issue I
> raised previously? I'm somewhat concerned that the fix may have broken
> something else.
>
> See:
>
> <http://groups.google.com/groups?selm=bkb1uq%2426tl%241%40sf1.isc.org&oe=UTF-8&output=gplain>
>
> Best regards,
>
> Dave

I can attest that the patch I provided in a recent thread (Bind 8.4.1
patch for blocking Verisign's new wildcar...) has held up for us for
about 24 hours now. We have about 15,000 - 17,000 users, so those
systems see a fair amount of activity.

The patch is still just a bandaid. If Verisign changes that IP
address then it ceases to work. Anyone know if there is a
delegation-only update in the works for BIND 8? If not, I'll need to
fortify that patch a bit.

Clay