[IP] VeriSign prepares to relaunch "Site Finder" -- calls
Michael Loftis
mloftis at wgops.com
Tue Feb 10 05:28:36 UTC 2004
--On Tuesday, February 10, 2004 10:21 +0530 Suresh Ramasubramanian
<suresh at outblaze.com> wrote:
> You are of course right. The problem posed by sitefinder in its previous
> form has been discussed already, and our bind / djbdns resolvers have
> been patched appropriately to ignore the aberrant behavior introduced by
> verisign.
>
> There ends the operational impact of verisign's decision, till such time
> as they revive sitefinder, and till such time as resolver patches in
> existence are modified if necessary to cope with the new edition of
> sitefinder.

But that's a HUGE operational impact. Now we're all expected to go around
and run patched versions of our resolvers or nameservers to get around a
company using shady tactics to just increase its bottom line! Let's say it
takes on average about 10 minutes per machine to do the necessary changes,
I'll have to spend several hours installing patched software for something
that is harmful. They remove the ONLY method for testing if a domain
exists or not, and certainly the only 'lightweight' method.

Not to mention there is no guarantee the patch will continue to work. We
already know of a few ways in which it can break, and anything we do to get
around those surely introduces maintenance or other headaches. Who's going
to pay me to maintain these parts of systems that until now just worked?
Who's going to pay any of us? Not VeriSign. But they'll be making quite
likely millions off of the hijacked hits.

So I ask again, who's going to pay for my time to do that? Last time they
turned this thing on globally I also spent at least two hours on the phone
trying to explain it to various users. And what about the systems or
platforms that *CAN'T* be patched? What about systems that have long
depended on the way things are supposed to work?

--
Michael Loftis