FlyerTalk Forums - View Single Post - Verizon is blocking all incoming e-mail from outside the USA!!!
Old Jan 27, 2005, 5:22 pm
  #77  
SarahWest
 
Join Date: Dec 2001
Posts: 1,034
Originally Posted by stimpy
No, I never said that. I said that Verizon doesn't block email from respectable sites. Yours doesn't fall into that category for reasons you have made clear in this thread.
Stimpy,

The basis for your entire argument that my nameservers are insecure (and therefore not respectable) is that they don't run DNSSEC and as such are open to spoofing. Well, your arguments about DNS being insecure do have some merit and I decided to do something about it.

I have been playing with DNSSEC today for the first time (it's pretty neat) as I've been able to get BIND 9.3.0 to compile. It's been a very interesting experience, thank you very much for making me get round to it at last.

To check that my installation was working (I'm not running signed zones yet btw so am still insecure by your standards) I was able to query the SOA for a zone I know to be secured with DNSSEC, nlnetlabs.nl

I get the following results:
Code:
espresso:~$ dig @open.nlnetlabs.nl +dnssec +multiline nlnetlabs.nl soa

; <<>> DiG 9.3.0 <<>> @open.nlnetlabs.nl +dnssec +multiline nlnetlabs.nl soa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 12

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nlnetlabs.nl.          IN SOA

;; ANSWER SECTION:
nlnetlabs.nl.           86400 IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. (
                                2005012601 ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                18000      ; minimum (5 hours)
                                )
nlnetlabs.nl.           86400 IN RRSIG SOA 5 2 86400 20050225122215 (
                                20050126122215 43791 nlnetlabs.nl.
                                efYLLxlIX7vQXb8RpTv1MG4flMbQpJ0K8u+rrm2mwp8V
                                H00EbrCEundqZQs8KgZO6+fYNyU7OdX7ta+D9pW4ObZ+
                                Mgh4ofsixCFFX0RhH7TG+/UqOxWnh8s8t2VHqdgJdfmB
                                mZCBj1SHFtAafARpKjALmymD1W3XX5u80f8UdX8= )

;; AUTHORITY SECTION:
nlnetlabs.nl.           86400 IN NS open.nlnetlabs.nl.
nlnetlabs.nl.           86400 IN NS omval.tednet.nl.
nlnetlabs.nl.           86400 IN NS bureau.sidn.nl.
nlnetlabs.nl.           86400 IN RRSIG NS 5 2 86400 20050225122215 (
                                20050126122215 43791 nlnetlabs.nl.
                                D7Xa/CGAhecaqJA032bydh0fjIk//4esQIA10RtVSZQC
                                wGdm0xw48qXyk9obOc+y05stDgHWC6WjawqH7J64clh5
                                /jzFyOSS1u6k1fftiaEHgW/tPmKclkqKofoH0FjWYxCQ
                                zWgoYqePcOdqBZjDJQN04t8V6CKUwRxOT4Ajn8Q= )

;; ADDITIONAL SECTION:
open.nlnetlabs.nl.      86400 IN A 213.154.224.1
open.nlnetlabs.nl.      86400 IN AAAA 2001:7b8:206:1:211:2fff:fed7:7378
open.nlnetlabs.nl.      86400 IN AAAA 2001:7b8:206:1::53
omval.tednet.nl.        28800 IN A 213.154.224.17
bureau.sidn.nl.         86400 IN A 193.176.144.162
bureau.sidn.nl.         86400 IN AAAA 2001:610:ff:1::2
bureau.sidn.nl.         86400 IN AAAA 2001:610:118:0:290:27ff:fe9c:2386
nlnetlabs.nl.           86400 IN DNSKEY 257 3 5 (
                                AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7Fh
                                LSnm26n6iG9NLby97Ji453aWZY3M5/xJBSOS2vWtco2t
                                8C0+xeO1bc/d6ZTy32DHchpW6rDH1vp86Ll+ha0tmwyy
                                9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1UBYtEIQ==
                                ) ; key id = 43791
nlnetlabs.nl.           86400 IN RRSIG DNSKEY 5 2 86400 20050225122215 (
                                20050126122215 43791 nlnetlabs.nl.
                                Kf5yARNNgqEpAd4y8X79J+hTankG3bvhT+IRUxqUuzbL
                                kREVEeg6c24hHFRLPxVHDlP+MNWOL1r+aUuHWEvG94Bb
                                0pu3D0eOKh/zN3V4eLzUlHyuBiHR5IDLg3sfh0Y17+0E
                                +eD+LFtE4+UZJ1yrS2JpmKTgIF5yasVxd9hKAbA= )
open.nlnetlabs.nl.      86400 IN RRSIG A 5 3 86400 20050225122215 (
                                20050126122215 43791 nlnetlabs.nl.
                                jxCGi6r1jsDqbE1MhMpmec8E8CsUA+P1NN94UqPUZBIT
                                TT+w8MTP+4Z88aEVjPi5Zig127uRi0owKqDYJGcTKUbo
                                U/jboYWM3qwI7JuOxgy+uxK8JhnQxBRFDjWk388rUKNd
                                1IYNvncwoovfuH5fVSDoT0fYRFxN3fiBGCx9xzs= )
open.nlnetlabs.nl.      86400 IN RRSIG AAAA 5 3 86400 20050225122215 (
                                20050126122215 43791 nlnetlabs.nl.
                                qqH3KwOyPY7iPv7621NaoiK4gkYjzgeOOwzKMzN0t6TY
                                kYdF8hixkQXSxqPXrDP/akIXVw4/5l2TAlSU5rLK1rsP
                                J0iyZMP2cE3VsVmJbobAE/eAx5lDID7Q41eUyw9lNzoY
                                W+D26vspwj2n5FSo+zUxHn/8XNVbLcutXB1ZwVQ= )

;; Query time: 332 msec
;; SERVER: 213.154.224.1#53(open.nlnetlabs.nl)
;; WHEN: Thu Jan 27 23:56:06 2005
;; MSG SIZE  rcvd: 1326
This correctly returns the digital signatures which reassures me that my ability to check whether a server is running DNSSEC might be OK.

I then went on a rambling and meandering tour of the internet looking at some other nameservers which run primary DNS for the following zones. Here are the abridged results (please feel free to verify these results for accuracy):
  • microsoft.com - does not run DNSSEC - INSECURE
  • decus.org - does not run DNSSEC - INSECURE
  • isc.org - does not run DNSSEC - INSECURE
  • ascend.com - does not run DNSSEC - INSECURE
  • checkpoint.com - does not run DNSSEC - INSECURE
  • ipverse.com - does not run DNSSEC - INSECURE
  • cisco.com - does not run DNSSEC - INSECURE
  • navy.mil - does not run DNSSEC - INSECURE
  • gte.net - does not run DNSSEC - INSECURE
  • whitehouse.gov - does not run DNSSEC - INSECURE
  • sun.com - does not run DNSSEC - INSECURE
  • tsa.gov - does not run DNSSEC - INSECURE
  • ual.com - does not run DNSSEC - INSECURE
  • dhs.gov - does not run DNSSEC - INSECURE
  • strixsystems.com - does not run DNSSEC - INSECURE
  • verizon.net - does not run DNSSEC - INSECURE

It's possible that Verizon.net may still be letting through some email from these rogue DNS operators so perhaps as one of their customers you could contact them and ask them to block all email from these domains as it's almost certainly spam. Until such time as all these sources are blocked it might be a good idea to set your email client to delete all email from these domains automatically and certainly don't believe anything you might happen to read in email from these sources.

I'd love to contact them myself but as you know I'm already considered to be subhuman and therefore blocked. Things were so much easier when I only had an ARPAnet email address to worry about!

Sarah

Last edited by SarahWest; Jan 27, 2005 at 5:33 pm
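The check described in the post above (query a zone's SOA with `dig +dnssec` and look for an RRSIG covering it) can be scripted; this is an added example, not part of the original post. The function name and the sample outputs are constructed for illustration, and the code only reports whether a signature over the SOA is present and inside its validity window; it does not verify the signature cryptographically.

```python
import re
from datetime import datetime, timezone

# Constructed samples shaped like `dig +dnssec +multiline <zone> soa` output.
# Zone names and the signature text are placeholders, not real data.
SIGNED = """\
;; ANSWER SECTION:
example.org.  86400 IN SOA ns.example.org. hostmaster.example.org. (
                        2005012601 ; serial
                        )
example.org.  86400 IN RRSIG SOA 5 2 86400 20050225122215 (
                        20050126122215 43791 example.org.
                        PLACEHOLDERSIGNATURE= )

;; AUTHORITY SECTION:
example.org.  86400 IN RRSIG NS 5 2 86400 20050225122215 (
                        20050126122215 43791 example.org.
                        PLACEHOLDERSIGNATURE= )
"""
UNSIGNED = """\
;; ANSWER SECTION:
example.com.  3600 IN SOA ns.example.com. hostmaster.example.com. (
                        2005012701 ; serial
                        )
"""

# owner ttl IN RRSIG covered alg labels origttl expiration [(] inception keytag signer
RRSIG = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+(\d{14})\s+\(?\s*"
    r"(\d{14})\s+(\d+)\s+(\S+)", re.M)

def _ts(stamp):
    # RRSIG times are printed as YYYYMMDDHHMMSS in UTC.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def soa_signature_status(dig_output, now):
    """Classify the SOA answer: unsigned, not-yet-valid, expired, signature-present."""
    m = re.search(r"^;; ANSWER SECTION:\n(.*?)(?=^;; |\Z)", dig_output, re.M | re.S)
    answer = m.group(1) if m else ""
    # Only a signature covering SOA in the ANSWER section counts for this check.
    sigs = [s.groups() for s in RRSIG.finditer(answer) if s.group(1) == "SOA"]
    if not sigs:
        return "unsigned", None
    _, alg, expire, incept, keytag, signer = sigs[0]
    info = {"algorithm": int(alg), "key_tag": int(keytag), "signer": signer}
    if now < _ts(incept):
        return "not-yet-valid", info
    if now > _ts(expire):
        return "expired", info
    return "signature-present", info
```

To use it against a live zone, pass the captured text of `dig +dnssec +multiline <zone> soa` as `dig_output` and the current UTC time as `now`.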