RE: [squid-users] Verisign puts wildcard in .com and .net TLDs

From: Sam Pointer <[email protected]>
Date: Tue, 16 Sep 2003 17:05:49 +0100

Henrik Nordstrom wrote:

>As someone else in the Slashdot thread said Internet is not only the web.

It's also worth bearing in mind that Squid will no longer display your
nicely customised "dnsserver can't find this site" pages;
"verisignsucks.com" will resolve to their new "sales" page. In short,
everything now resolves ;)

I've said it on a few lists, but this breaks DNS so badly I can't even
comprehend who let this go ahead. I think we'll see a fair few things
breaking and this being revoked. Even if that doesn't happen I'm sure
Microsoft will have something to say about the reams of people who will no
longer be visiting their MSN search pages which are the default in IE for
non-resolution errors. Imagine that! Microsoft complaining about
anti-competitive measures! LOL.

To add to Henrik's list this also breaks:

* Negative caching of NXDOMAIN instances; everything resolves and is cached
for 15mins with Verisign's default TTL

* Forces more positive caching; great - more DNS traffic, as most DNS servers
are set up to negatively cache for quite a long time to save having to keep
looking up downed sites

More on-topic, how will Squid handle this? Say I visit `Verisignsucks.com`
and get their sitesearch page. Squid caches it. Now I go to
`zzzxfeuoiwqueoiwqe.com` and get the exact same content. Does Squid cache
another whole instance or recognise that it already has the correct files,
albeit from the wrong domain? I'll wager that it stores another instance.
Therefore, every time a user does a typo on a URL we'll have another load of
redundant stuff hitting our caches rather than the normal sane behaviour of
a failure in DNS resolution. Great.

All ways, this is a very bad thing - something that I don't think most
people will realise for some time to come.

Received on Tue Sep 16 2003 - 10:07:09 MDT
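The two problems raised in the message above (every name under a wildcarded TLD now resolves, and the resolver therefore positively caches junk answers instead of holding a negative NXDOMAIN entry) can be checked for from the resolver side. The following is an added example, not code from the original post or from Squid: it probes a TLD with random labels, and if every probe comes back with the same single address it reports that address as the wildcard sink. A wrapper then turns answers that consist only of the sink address back into NXDOMAIN (an empty answer) so that downstream caches keep their negative-caching behaviour. The resolver here is a constructed stub (`fake_wildcard_resolver`), and `WILDCARD_SINK_IP` is a documentation-range placeholder, not the real address Verisign used.

```python
import random
import string
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], List[str]]

# Placeholder (assumption): the address the TLD wildcard hands back for
# any nonexistent name. The real sink address is not given in the post.
WILDCARD_SINK_IP = "192.0.2.10"

# Constructed answers for a couple of "real" names, so the stub below can
# behave like a resolver whose upstream .com/.net zones carry a wildcard.
KNOWN_HOSTS: Dict[str, List[str]] = {
    "www.squid-cache.org": ["192.0.2.50"],
    "example.net": ["192.0.2.60"],
}


def fake_wildcard_resolver(name: str) -> List[str]:
    """Stand-in resolver: known names get their answers, any other name
    under .com or .net gets the sink address instead of NXDOMAIN, and
    everything else gets an honest NXDOMAIN (empty list)."""
    if name in KNOWN_HOSTS:
        return KNOWN_HOSTS[name]
    if name.endswith((".com", ".net")):
        return [WILDCARD_SINK_IP]
    return []


def random_label(rng: random.Random, length: int = 20) -> str:
    """A label no one would have registered, used as a probe name."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def detect_wildcard(resolve: Resolver, tld: str, probes: int = 3,
                    seed: Optional[int] = None) -> Optional[str]:
    """Resolve several random labels under `tld`. If any probe returns
    NXDOMAIN there is no wildcard. If all probes return the same single
    address, the TLD is wildcarded and that address is returned."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(probes):
        answer = resolve(f"{random_label(rng)}.{tld}")
        if not answer:
            return None  # at least one honest NXDOMAIN
        seen.add(tuple(sorted(answer)))
    if len(seen) == 1:
        (addrs,) = seen
        if len(addrs) == 1:
            return addrs[0]
    return None  # probes disagreed or returned multiple addresses


def filtering_resolver(resolve: Resolver, sink_ips: Set[str]) -> Resolver:
    """Wrap a resolver so that answers made up entirely of known sink
    addresses are reported as NXDOMAIN again. Anything else passes through
    untouched, so genuine records are not affected."""
    def wrapped(name: str) -> List[str]:
        answer = resolve(name)
        if answer and all(addr in sink_ips for addr in answer):
            return []
        return answer
    return wrapped


if __name__ == "__main__":
    for tld in ("com", "net", "org"):
        sink = detect_wildcard(fake_wildcard_resolver, tld, seed=1)
        print(f".{tld}: {'wildcard -> ' + sink if sink else 'no wildcard'}")
    clean = filtering_resolver(fake_wildcard_resolver, {WILDCARD_SINK_IP})
    print("verisignsucks.com ->", clean("verisignsucks.com") or "NXDOMAIN")
    print("www.squid-cache.org ->", clean("www.squid-cache.org"))
```

Two caveats apply when using a check like this against a live resolver: probe labels must be long and random so they cannot collide with a real registration, and the sink-address filter only restores NXDOMAIN for the addresses you list, so the detection step should be rerun whenever the sink address changes. The filter also cannot help Squid with the duplicate-object problem the post describes, since Squid keys cached objects by full URL and two different hostnames remain two different objects however they resolve.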
