paul_venezia
Senior Contributing Editor

Veresigned

analysis
Sep 16, 2003
2 mins

Maybe, just maybe, they underestimated the scope of this change. As of this writing, all the .com/.net roots have a wildcard:

[pvenezia@t800 pvenezia]$ dnstracer -s . -o www.notarealdomain.com
Tracing to www.notarealdomain.com via A.ROOT-SERVERS.NET, timeout 15 seconds
A.ROOT-SERVERS.NET [.] (198.41.0.4)
|___ M.GTLD-SERVERS.NET [com] (192.55.83.30) Got authoritative answer
|___ E.GTLD-SERVERS.NET [com] (192.12.94.30) Got authoritative answer
|___ K.GTLD-SERVERS.NET [com] (192.52.178.30) Got authoritative answer
|___ J.GTLD-SERVERS.NET [com] (192.48.79.30) Got authoritative answer
|___ F.GTLD-SERVERS.NET [com] (192.35.51.30) Got authoritative answer
|___ L.GTLD-SERVERS.NET [com] (192.41.162.30) Got authoritative answer
|___ D.GTLD-SERVERS.NET [com] (192.31.80.30) Got authoritative answer
|___ B.GTLD-SERVERS.NET [com] (192.33.14.30) Got authoritative answer
|___ I.GTLD-SERVERS.NET [com] (192.43.172.30) Got authoritative answer
|___ C.GTLD-SERVERS.NET [com] (192.26.92.30) Got authoritative answer
|___ H.GTLD-SERVERS.NET [com] (192.54.112.30) Got authoritative answer
|___ G.GTLD-SERVERS.NET [com] (192.42.93.30) Got authoritative answer
___ A.GTLD-SERVERS.NET [com] (192.5.6.30) Got authoritative answer

A.GTLD-SERVERS.NET (192.5.6.30) www.notarealdomain.com -> 64.94.110.11
G.GTLD-SERVERS.NET (192.42.93.30) www.notarealdomain.com -> 64.94.110.11
H.GTLD-SERVERS.NET (192.54.112.30) www.notarealdomain.com -> 64.94.110.11
C.GTLD-SERVERS.NET (192.26.92.30) www.notarealdomain.com -> 64.94.110.11
I.GTLD-SERVERS.NET (192.43.172.30) www.notarealdomain.com -> 64.94.110.11
B.GTLD-SERVERS.NET (192.33.14.30) www.notarealdomain.com -> 64.94.110.11
D.GTLD-SERVERS.NET (192.31.80.30) www.notarealdomain.com -> 64.94.110.11
L.GTLD-SERVERS.NET (192.41.162.30) www.notarealdomain.com -> 64.94.110.11
F.GTLD-SERVERS.NET (192.35.51.30) www.notarealdomain.com -> 64.94.110.11
J.GTLD-SERVERS.NET (192.48.79.30) www.notarealdomain.com -> 64.94.110.11
K.GTLD-SERVERS.NET (192.52.178.30) www.notarealdomain.com -> 64.94.110.11
E.GTLD-SERVERS.NET (192.12.94.30) www.notarealdomain.com -> 64.94.110.11
M.GTLD-SERVERS.NET (192.55.83.30) www.notarealdomain.com -> 64.94.110.11

But nothing at 64.94.110.11 answers except the mail rejector:

[root@blues root]# nmap -P0 -sS 64.94.110.11

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on sitefinder-idn.verisign.com (64.94.110.11):
(The 1593 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     filtered    telnet
25/tcp     open        smtp
79/tcp     filtered    finger
80/tcp     filtered    http
135/tcp    filtered    loc-srv
161/tcp    filtered    snmp
162/tcp    filtered    snmptrap
514/tcp    filtered    shell

Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
[root@blues root]# telnet 64.94.110.11 25
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready

I’ve heard tell that ISPs are filtering this IP, although I haven’t seen that yet… besides, that would result in timeouts, rather than a nearly immediate reject.

I give them another couple of days, and we will be rid of this. Even more, I hope this provokes an investigation into VeriSign’s business practices.
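The check behind the dnstracer run above can be automated on the resolver side. The following is an added example, not code from the original article: it probes random names under a TLD and, if every probe returns the same address, treats answers made up only of that address as non-existent. The function names, the injected `resolve` callable and the `sample_resolver` data (including `www.example.com` and `192.0.2.10`) are assumptions constructed for illustration; only 64.94.110.11 comes from the article.

```python
import secrets
import socket
from collections import Counter

def random_label(nbytes=12):
    # 24 hex characters: effectively impossible to be a registered name
    return secrets.token_hex(nbytes)

def system_resolve(name):
    """A records via the OS stub resolver; empty set on any lookup failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def detect_wildcard(tld, resolve=system_resolve, probes=5):
    """Return the addresses a wildcard under `tld` answers with, or an empty set.

    An address counts as a wildcard sink only if every random probe returned
    it, so a single accidental hit cannot produce a finding.
    """
    seen = Counter()
    for _ in range(probes):
        for addr in resolve(f"www.{random_label()}.{tld}"):
            seen[addr] += 1
    return {addr for addr, n in seen.items() if n == probes}

def effective_answer(name, resolve, sinks):
    """Treat an answer consisting only of wildcard sink addresses as NXDOMAIN."""
    addrs = resolve(name)
    return set() if addrs and addrs <= sinks else addrs

def sample_resolver(name):
    # Constructed stand-in for the behaviour in the article: unregistered
    # .com/.net names resolve to 64.94.110.11 instead of failing.
    registered = {"www.example.com": {"192.0.2.10"}}  # constructed record
    if name in registered:
        return registered[name]
    if name.endswith((".com", ".net")):
        return {"64.94.110.11"}
    return set()

if __name__ == "__main__":
    sinks = detect_wildcard("com", sample_resolver)
    print("wildcard sinks for com:", sinks)
    print("www.notarealdomain.com ->",
          effective_answer("www.notarealdomain.com", sample_resolver, sinks))
```

Passing `system_resolve` instead of `sample_resolver` runs the same probe against the live resolver configured on the host.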