Re: [Asrg] 5. Challenge/Response Internetworking - DNS wildcards (was 7.

When using CRI over SMTP, not CRI over MIME, this would equal to dealing 
with a non-compliant SMTP server. As long as dealing with abnormal SMTP 
servers is accounted in CRI, this would be fine. When dealing with CRI 
over MIME, this does not make a difference aside from regular problems 
with SMTP delivering messages over and over.
Yakov

Eric Dean wrote:

> I still don't see how CRI will break.  We send CRI headers...we don't
> get a response...how is that broken?
>
>
> > -----Original Message-----
> > From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On 
> > Behalf Of
> Yakov
>
> > Shafranovich
> > Sent: Tuesday, September 16, 2003 8:48 AM
> > To: ASRG list
> > Subject: [Asrg] 5. Challenge/Response Internetworking - DNS wildcards
> (was
>
> > 7. BCP - Verisign: All Your Misspelling Are Belong To Us)
> >
> > The message below has direct relevance to the CRI proposal,
> specifically
>
> > the part about verifying the sender via SMTP. With wildcards enabled,
> > CRI via SMTP will break.
> >
> > Yakov
> >
> > -------- Original Message --------
> > Subject: 7. BCP - Verisign: All Your Misspelling Are Belong To Us
> > Date: Tue, 16 Sep 2003 01:26:23 -0400
> > From: Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com>
> > To: Brad Knowles <brad(_dot_)knowles(_at_)skynet(_dot_)be>
> > CC: IRTF ASRG <asrg(_at_)ietf(_dot_)org>
> > References: <a06001a20bb8c10de2061(_at_)[10(_dot_)0(_dot_)1(_dot_)2]>
> >
> > PLEASE BE ADVISED THAT VERISIGN IS OPERATING AN SMTP SERVER AT THAT
> > ADDRESS. The SMTP server appears fake, take a look at the following
> > transaction:
> >
> > ----snip---
> > open 64.94.110.11 25
> > 220 snubby1-wceast Snubby Mail Rejector Daemon v1.3 ready
> > blahblahbla
> > 250 OK
> > blahblahbla
> > 250 OK
> > blahblabhjla
> > 550 User domain does not exist.
> > blahblbjhbj
> > 250 OK
> > blajbjbjb
> > 221 snubby1-wceast Snubby Mail Rejector Daemon v1.3 closing
> transmission
>
> > channel
> >
> > Connection to host lost.
> > ----snip---
> >
> > Brad Knowles wrote:
> >
> >
> > > Folks,
> > >
> > >    This was just posted to the NANOG mailing list.  There are
> already
>
> > > people who are working on hacking BIND to return NXDOMAIN for
> wildcard
>
> > > records in TLD zones, or perhaps for any reference to the specific
> IP
>
> > > address(es) they are using (so far, we only know about
> 64.94.110.11).
>
> > > Meanwhile, many are already null-routing this IP address.
> > >
> > >    This affects us, because now anyone can send spam with an
> address
>
> > > like 
> > > "i(_at_)spam(_dot_)from(_dot_)verisign(_dot_)becausethisdomaindoesntreallyexist(_dot_)net",
> and
>
> > > yet still have that pass standard anti-spam checks like "Does this
> > > domain really exist in the DNS"?
> > >
> > >
> > >    Another one for the service provider BCP, I think.
> > >
> > >
> > >    Anyway, the full message announcing this "enhancement" is:
> > >
> > >
> > > > Date: Mon, 15 Sep 2003 19:24:29 -0400
> > > > From: Matt Larson <mlarson(_at_)verisign(_dot_)com>
> > > > To: nanog(_at_)nanog(_dot_)org
> > > > Subject: Change to .com/.net behavior
> > > >
> > > >
> > > > Today VeriSign is adding a wildcard A record to the .com and .net
> > > > zones.  The wildcard record in the .net zone was activated from
> > > > 10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone
> is
>
> > > > being added now.  We have prepared a white paper describing
> VeriSign's
>
> > > > wildcard implementation, which is available here:
> > > >
> > > > http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
> > > >
> > > > By way of background, over the course of last year, VeriSign has
> been
>
> > > > engaged in various aspects of web navigation work and study.  These
> > > > activities were prompted by analysis of the IAB's recommendations
> > > > regarding IDN navigation and discussions within the Council of
> > > > European National Top-Level Domain Registries (CENTR) prompted by
> DNS
>
> > > > wildcard testing in the .biz and .us top-level domains.
> Understanding
>
> > > > that some registries have already implemented wildcards and that
> > > > others may in the future, we believe that it would be helpful to
> have
>
> > > > a set of guidelines for registries and would like to make them
> > > > publicly available for that purpose.  Accordingly, we drafted a
> white
>
> > > > paper describing guidelines for the use of DNS wildcards in
> top-level
>
> > > > domain zones.  This document, which may be of interest to the NANOG
> > > > community, is available here:
> > > >
> > > > http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
> > > >
> > > > Matt
> > > > --
> > > > Matt Larson <mlarson(_at_)verisign(_dot_)com>
> > > > VeriSign Naming and Directory Services
> >
> >
> >
> >
> >
> > _______________________________________________
> > Asrg mailing list
> > Asrg(_at_)ietf(_dot_)org
> > https://www1.ietf.org/mailman/listinfo/asrg


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg