Neil Schemenauer's Web Log

According to the weather forecast, Hurricane Isabel will be here tomorrow afternoon. The eye of the storm will actually pass to the west of us as it heads north-west. I haven't yet found any estimates of the wind speeds for this area.

Hurricanes start losing their energy once they are over land but I haven't been able to find information on how fast that happens. Rainfall estimates also seem to vary. One report said between 2 and 5 inches while another said up to 12 inches.

My conservative estimates are 45 mph winds and 5 inches of rain. I've tied down anything in the yard with a relatively low density (e.g. our wooden picnic table). My fluid dynamics textbooks are at work so I used Bernoulli's equation to roughly estimate the wind pressure. If we get 60 mph winds, like they have predicted for southern Maryland, we are in for much more damage.

I'm probably overreacting but, given my limited hurricane experience, I feel it's better to error on the side of caution. I feel sorry for the people living nearer to the coast. Even though the storm has been downgraded to category 2 it's still going to cause a lot of damage.

I was going to start collecting DNS resolver patches that work around Verisign's stupidity but someone beat me to it.

A few more observations:

• Verisign is running a mail server on port 25 on 64.94.110.11. If you mistype an email address, Versign has the opportunity to log the message. That sounds like a lawsuite waiting to happen.
• The web page on that site has a cross-site scripting hole. I'm not sure what the security implications of that are. Perhaps it can be combined with other security flaws.
• Currently the HTTP server on 64.94.110.11 is not responding. I get a connection refused error if I try to connect to another port so I don't think the IP has been null-routed. My browser is still hanging. According to Verisign, this change was made to improve the user experience.
• Single letter .com and .net names reserved by IANA now resolve to Verisign.
• Verisign MTA is completely broken. It doesn't implement SMTP but instead just returns a fixed sequence of responses

   
  $ socket akdjflasdf.com 25
  220 snubby1-wcwest Snubby Mail Rejector Daemon v1.3 ready
  asdfsa
  250 OK
  asfdsda
  250 OK
  asdfs
  550 User domain does not exist.
  asdfsd
  250 OK
  asfdds
  221 snubby1-wcwest Snubby Mail Rejector Daemon v1.3 closing transmission channel
     

First against the wall when the revolution comes, right Andrew?

Verisign has added a wildcard A record to the .com and .net zones. Instead of returning NXDOMAIN, queries for non-existent .com and .net domains now return 64.94.110.11. I already knew Verisign was pure evil (they repeatedly lied to me, even when I confronted them with their lies), so this comes as no surprise.

People are already hacking around this brain damage; a patch exists for BIND and one is in the works for dnscache. The long term solution, I think, is to stop pointing resolvers at the Verisigns servers. ICANN is a joke. It's easy enough to setup alternative root servers. Longer term, we should look into getting rid of DNS in favour of a system based on a distributed hash table (e.g. Kademlia).