[Dshield] New Verisign Policy

Stephane Grobety security at admin.fulgan.com
Wed Sep 17 16:12:55 GMT 2003

BJ> <1. How does this affect a mis-type where you get the domain
BJ> correct, but the page doesn't exist? For instance 

BJ> If one owns/registered a domain, but doesn't have a DNS for it,
BJ> the Verisign DNSs resolve to their own page, thus effectively
BJ> "hijacking" your domain in a sense.

You are NOT allowed to own a domain and not have a valid DNS server
for it. The server might be unavailable, it might be outdated, but it
MUST exist in the record for a domain to be granted to you.

BJ> <2. How does this affect Email? I saw some talk a while back 
BJ> about email and bouncing, but I didn't understand the effects 
BJ> that this change will have on it.>

BJ> If a spammer sends me email and spoofs from say
BJ> "jack at unresolvabledomain.com"
BJ> my mail server first verifies that the sender's domain exists, then
BJ> Verisign's DNSs reply "yeap" (breaking one of my checks for spam).
BJ> Not sure about the actual problems regarding bounces, other than 
BJ> you won't get a response that the domain doesn't exist anymore which
BJ> is misleading.

Maybe that's one more reason why rejecting mail based on the sender's
domain existence is NOT a good idea (even if many people do it).

Good luck,


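As an added illustration (not part of the list post), here is a Python sketch of the sender-domain existence check BJ describes, run against a constructed resolver that behaves like a wildcarded .com/.net registry, beside a hardened variant that first probes a random label in the same TLD and distrusts any answer matching the wildcard. The zone contents, the wildcard address and the resolver are all constructed for the example.

```python
import secrets
from typing import Callable, Optional

# Constructed stand-in for a DNS A lookup: returns an address, or None for
# NXDOMAIN. A real mail filter would issue a DNS query here instead.
Resolver = Callable[[str], Optional[str]]

WILDCARD_IP = "192.0.2.1"  # constructed placeholder for the registry's wildcard address
SIMULATED_ZONE = {         # constructed "registered" names
    "example.com": "192.0.2.10",
    "legit-sender.net": "192.0.2.20",
}


def simulated_wildcard_resolver(name: str) -> Optional[str]:
    """Mimics a .com/.net registry that answers for every unregistered name."""
    if name in SIMULATED_ZONE:
        return SIMULATED_ZONE[name]
    if name.endswith((".com", ".net")):
        return WILDCARD_IP  # NXDOMAIN never appears under the wildcard
    return None


def naive_domain_exists(domain: str, resolve: Resolver) -> bool:
    """The check the thread describes: 'does the sender domain resolve at all?'"""
    return resolve(domain) is not None


def domain_exists(domain: str, resolve: Resolver) -> bool:
    """Hardened check: learn what the TLD returns for a name that cannot be
    registered, then refuse to treat an identical answer as evidence of existence."""
    answer = resolve(domain)
    if answer is None:
        return False  # a real NXDOMAIN is still conclusive
    tld = domain.rsplit(".", 1)[-1]
    probe = f"probe-{secrets.token_hex(8)}.{tld}"  # random, certainly unregistered
    wildcard_answer = resolve(probe)
    # Same address for a random label means the TLD is wildcarded and the
    # answer for `domain` carries no information about whether it exists.
    return not (wildcard_answer is not None and wildcard_answer == answer)
```

The naive check accepts the spoofed "unresolvabledomain.com" sender from the thread; the probe-based check rejects it while still accepting genuinely registered names.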