Mailing List Message #13648
From: Bill Cole <>
Subject: Re: Verisign's new wildcard records and "Verify Return Paths"
Date: Tue, 16 Sep 2003 14:35:15 -0400
To: SIMS Discussions <>
At 2:18 PM -0400 9/16/03, Neil Herber imposed structure on a stream of electrons, yielding:
> It is rumored that on or about 9/16/03 12:51 PM -0500, Michael Croft wrote as follows:
>> My wife just asked me if this was going to kill backup MX servers, because
>> all .com and .net domains will resolve. While this won't be a problem for
>> us, since we're a .org, I couldn't answer one way or the other.
>>
>> So, if an MX points to a domain that resolves, but (hopefully!) doesn't respond
>> to SMTP queries, do MTAs correctly fall back to the next higher MX record?
>
> Surely if a domain doesn't exist, it won't HAVE an MX record or backup. Even if it did it would be pointing to non-existent servers. Unless VeriSign is very stupid or malicious ...

Verisign has a wildcard A record at the tail of the com and net master zones. This means that any unregistered domain name under com or net resolves to the same single IP address at Verisign. Any correct mail server will fall back to using an A record if a domain lacks an MX. Verisign also has a dummy SMTP daemon on that address that ignores what it is told and simply gives the same 250, 250, 550 series of responses to all attempted mail submissions.

I am unaware of anyone who does not represent Verisign who thinks this is a good idea. I believe it borders on criminal behavior and that it should be the last straw to get ICANN to yank the Verisign contract to run the com and net registries.

As far as SIMS goes, I really wish it had Verify Return Paths treat DNS results that resolve to locally blacklisted addresses as bogus. This is more than just a problem with the latest Verislime trick, since some spammers have taken to making their domains resolve to addresses in various bogus ranges.

Bill Cole
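The check Bill wishes Verify Return Paths performed, shown as an added Python example that is not SIMS code and not from anyone in this thread: resolve the sender domain's MX, fall back to its A record when there is no MX (as a correct MTA does), and then treat any result that lands only in a locally blacklisted range as bogus. The DNS table, the host names and the wildcard address 192.0.2.10 are constructed stand-ins, not the real registry address.

```python
import ipaddress

# Constructed stand-in for the registry's wildcard A record (not the real address).
WILDCARD_ADDR = "192.0.2.10"
# Locally blacklisted ranges: the wildcard address plus ranges that can never
# host a real mail server (spammer domains have been seen resolving there too).
BLACKLIST = [
    ipaddress.ip_network("192.0.2.0/24"),   # constructed wildcard range
    ipaddress.ip_network("127.0.0.0/8"),    # loopback
    ipaddress.ip_network("0.0.0.0/8"),      # "this" network
    ipaddress.ip_network("10.0.0.0/8"),     # private space
]
# Constructed DNS table: name -> {"MX": [(preference, host)], "A": [address]}
FAKE_DNS = {
    "example.com":      {"MX": [(10, "mail.example.com")]},
    "mail.example.com": {"A": ["198.51.100.25"]},
    "nomx.example.net": {"A": ["198.51.100.30"]},        # no MX, A fallback applies
    "deadmx.com":       {"MX": [(10, "gone.example-mx.com")]},  # MX target never registered
    "fakeloop.net":     {"A": ["127.0.0.1"]},             # spammer-style bogus A record
}

def lookup(name, rtype):
    """Simulated resolver: unregistered com/net names answer with the wildcard A."""
    rec = FAKE_DNS.get(name)
    if rec is None:
        if rtype == "A" and name.endswith((".com", ".net")):
            return [WILDCARD_ADDR]
        return []
    return rec.get(rtype, [])

def mail_hosts(domain):
    """Hosts an MTA would try: MX targets by preference, else the domain itself."""
    mx = sorted(lookup(domain, "MX"))
    return [host for _, host in mx] if mx else [domain]

def is_blacklisted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLACKLIST)

def verify_return_path(domain):
    """Return (ok, reason); ok is False when nothing resolves or when every
    resolved address falls inside a locally blacklisted range."""
    addrs = [a for host in mail_hosts(domain) for a in lookup(host, "A")]
    if not addrs:
        return False, "no MX or A record"
    usable = [a for a in addrs if not is_blacklisted(a)]
    if not usable:
        return False, "resolves only to blacklisted addresses: " + ", ".join(addrs)
    return True, "deliverable via " + ", ".join(usable)
```

With this rule a never-registered .com sender such as an unregistered .com name, or deadmx.com whose MX target only resolves because of the wildcard, is rejected the same way an unresolvable .org name is.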
