doc_strange (doc_strange) wrote 2004-10-12 12:34 pm
VeriSign... UGH.
You may recall with some degree of clarity VeriSign's attempt to (in effect) take over all unallocated .com/.net space with their SiteFinder thing.
The IP used by VeriSign for SiteFinder was 64.94.110.11.
SiteFinder caused typoed email addresses to delay and (later) bounce with "user doesn't exist" errors, causing information to wind up in inappropriate places, and much confusion. It had a wide range of other side effects on software that was intelligently looking for NXDOMAIN (no such domain) responses.
In order to get around this potential mess, many NSPs adapted their nameservice software such that -any- forward DNS lookup responding with the IP address above was changed into an NXDOMAIN response. Problem solved. Eventually, VeriSign turned down the service, but since they keep threatening to turn it back up, NSPs leave the software adaptation in place.
Now VeriSign has reused this IP address... as one of the redundant addresses for their Certificate Revocation List (CRL) host crl.verisign.net (and apparently they CNAME crl.thawte.com, crl.verisign.com, and -perhaps- more to it).
```
prompt> host crl.verisign.net
crl.verisign.net has address 64.94.110.11
crl.verisign.net has address 64.94.110.12
crl.verisign.net has address 12.158.80.10
prompt> host 64.94.110.11
11.110.94.64.in-addr.arpa domain name pointer crl.verisign.com.
```
Yes.
Nice job guys.
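For anyone running a resolver that still carries the SiteFinder workaround, here is a small offline check of what that filter does to the answer shown above. It is an added example, not part of the original post and not any vendor's code: the function names, the two extra hostnames and the assumption that one matching A record turns the whole answer into NXDOMAIN are mine.

```python
import ipaddress

# Address the post says resolvers rewrite to NXDOMAIN (the old SiteFinder IP).
FILTERED = {ipaddress.ip_address("64.94.110.11")}

# crl.verisign.net records are copied from the `host` output in the post.
# The other two names are constructed sample data.
ANSWERS = {
    "crl.verisign.net": ["64.94.110.11", "64.94.110.12", "12.158.80.10"],
    "typo-example.com": ["64.94.110.11"],   # constructed: wildcard-style answer
    "www.example.org": ["192.0.2.10"],      # constructed: unaffected name
}


def apply_filter(addresses, filtered=FILTERED):
    """Emulate the resolver policy described in the post.

    Assumption: if ANY A record in the answer matches a filtered
    address, the whole answer is replaced by NXDOMAIN.
    """
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if any(a in filtered for a in addrs):
        return ("NXDOMAIN", [])
    return ("NOERROR", [str(a) for a in addrs])


def collateral(answers, filtered=FILTERED):
    """Names the filter blackholes although they also have unfiltered
    addresses. Heuristic: a wildcard answer has only the filtered IP,
    so extra addresses suggest a real service caught by the rule."""
    hit = {}
    for name, addrs in answers.items():
        status, _ = apply_filter(addrs, filtered)
        healthy = [a for a in addrs if ipaddress.ip_address(a) not in filtered]
        if status == "NXDOMAIN" and healthy:
            hit[name] = healthy
    return hit


if __name__ == "__main__":
    for name, addrs in ANSWERS.items():
        print(name, apply_filter(addrs)[0])
    print("collateral:", collateral(ANSWERS))
```

Clients behind such a resolver cannot fetch the CRL at all, so how revocation checking behaves depends on whether the client fails open or fails closed when the CRL host does not resolve.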