[Dshield] New Verisign Policy
security at admin.fulgan.com
Wed Sep 17 16:12:55 GMT 2003
BJ> <1. How does this affect a mis-type where you get the domain
BJ> correct, but the page doesn't exist? For instance
BJ> If one owns/registered a domain, but doesn't have a DNS for it
BJ> The Verisign DNS's resolve to their own page thus effectively
BJ> "Hijacking" your domain in a sense.

You are NOT allowed to own a domain and not have a valid DNS server
for it. The server might be unavailable, it might be outdated but it
MUST exist in the record for a domain being granted to you.

BJ> <2. How does this affect Email? I saw some talk a while back
BJ> about email and bouncing, but I didn't understand the effects
BJ> that this change will have on it.>
BJ> If a spammer sends me email and spoofs from say
BJ> "jack at unresolvabledomain.com"
BJ> my mail server firstly verifies that the domain sender exists, then
BJ> Verisign's DNSs reply "yeap" (breaking one of my checks for spam).
BJ> Not sure about the actual problems regarding bounces, other than
BJ> you won't get a response that the domain doesn't exist anymore which
BJ> is misleading.

Maybe that's one more reason why rejecting mail based on the sender's
domain existence is NOT a good idea (even if many people do it).
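
The sender-domain check discussed in this thread, as an added example that is not part of the original post: it shows the naive existence test passing for "unresolvabledomain.com" once the TLD answers with a wildcard, and a variant that probes random labels to subtract the wildcard address. The in-memory resolver, the zone contents, the documentation-range addresses and all function names are constructed assumptions, and only A-record answers are modelled.

```python
import secrets

# Constructed sample data: one registered domain and a TLD-wide wildcard answer.
ZONE = {"example.com": ["192.0.2.10"]}
WILDCARD = {"com": ["198.51.100.1"]}


def make_resolver(zone, wildcard_by_tld=None):
    """Stand-in for an A lookup. Returns a set of addresses; empty set = NXDOMAIN."""
    wildcard_by_tld = wildcard_by_tld or {}

    def resolve(name):
        name = name.lower().rstrip(".")
        if name in zone:
            return set(zone[name])
        tld = name.rsplit(".", 1)[-1]
        # Unregistered name: NXDOMAIN unless the TLD has a wildcard record.
        return set(wildcard_by_tld.get(tld, ()))

    return resolve


def naive_sender_domain_exists(resolve, domain):
    """The check described in the thread: any answer means the domain exists."""
    return bool(resolve(domain))


def wildcard_addresses(resolve, tld, probes=3):
    """Resolve random labels that are almost certainly unregistered.
    Any address returned for them is the TLD's wildcard answer."""
    found = set()
    for _ in range(probes):
        found |= resolve(f"{secrets.token_hex(16)}.{tld}")
    return found


def sender_domain_exists(resolve, domain):
    """Wildcard-aware check: ignore answers that match the TLD wildcard."""
    tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
    return bool(resolve(domain) - wildcard_addresses(resolve, tld))


if __name__ == "__main__":
    for label, r in (("no wildcard", make_resolver(ZONE)),
                     ("wildcard", make_resolver(ZONE, WILDCARD))):
        for d in ("example.com", "unresolvabledomain.com"):
            print(label, d, naive_sender_domain_exists(r, d),
                  sender_domain_exists(r, d))
```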