Slashdot Log In
Paul Vixie And David Maher On VeriSign Wildcarding
Posted by
timothy
on Tue Sep 23, 2003 09:43 PM
from the ain't-fair-fellas dept.
from the ain't-fair-fellas dept.
chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.
This discussion has been archived.
No new comments can be posted.
Paul Vixie And David Maher On VeriSign Wildcarding
|
Log In/Create an Account
| Top
| 264 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Know what's great about these Verisign stories? (Score:5, Funny)
Re:Been there, done that (Score:5, Funny)
Re:Know what's great about these Verisign stories? (Score:5, Insightful)
(Last Journal: Wednesday December 05, @07:41PM)
That's one I won't be reading...
To be honest (Score:2, Flamebait)
(Last Journal: Friday December 24 2004, @08:49PM)
Re:To be honest (Score:5, Informative)
(http://slashdot.org/~gmack/journal)
You don't get to in this case.
Also all the world is not http... the protocol level is the worst possible place to do this.
Re:To be honest (Score:5, Insightful)
You're telling me that if you get a "server not found" page, you're too stupid to figure out you misspelled something?
This is an absolute abuse of Verisign's position. They are contracted to *maintain* the database, not warp it to their own *commercial* purposes. If this was actually a valid service, they would have had no trouble with proposing it to the Internet standards bodies before implementing it. Instead, they're defying those organizations. Worse yet, they've actually put me in the position of agreeing with ICANN.
Re:To be honest (Score:5, Informative)
(http://www.edespot.com/~amackenz/)
Verisign is being extremely short-sighted. This whole deal reeks of a moronic manager who thught this would be a 'wonderful' idea.
Re:To be honest (Score:4, Interesting)
(http://www.vems.co.nz/)
Re:The Executive Team (Score:5, Informative)
Re:To be honest (Score:4, Insightful)
(http://www.designby.com/ | Last Journal: Wednesday October 22 2003, @05:12AM)
With those words (an absolute abuse) you just described most of what Verisign has done.
Folks should remember, this is the company that was contracted to *maintain* the database until one day they decided that they *owned* the database... (errr... okay... if I get paid to clean all the cars at the dealership can I decide one day that I own them all and get away with it?)
And yet somehow years after that magical acquisition of property rights they've still got the contracts. They've gotten away with all kinds of stuff and like a spoiled child they'll keep taking more until (if ever) someone takes away their privileges and sends them to time out.
Gotta agree with you that there's no way that any benefits that stupid Sitefinder page provides make up for the abuse of position and random chaos it's caused.
Re:To be honest (Score:5, Insightful)
(Last Journal: Saturday November 29 2003, @03:51AM)
I think the main thing that has admins screaming, however, is that SiteFinder breaks so many other services just to provide a questionable service for web surfers. Sure, surfers may benefit, but email admins, DNS admins, and many others are banging their heads against the wall because of the problems Verisign's divergence from accepted protocol has caused them.
Just a thought.
Re:To be honest (Score:5, Interesting)
(Posted anonymously to avoid a rampaging mob outside my house)
I'm a professional spammer. Well, that's a harsh term. I run bulk-email servers. I trust my clients that their entire list has double opted-in when they say so. Most are quite legitimate mailing lists; some are probably not.
This new bug is a godsend, but not for the reason a lot of people are saying. I don't fake "from" addresses, so I don't get any added anonymity from a wildcard.
What I do get is the ability to send my emails that have bad domains in them to a nominally but not effectively existant box at Verisign. I no longer get bad domain bounces to worry about.
Re:To be honest (Score:5, Insightful)
legalities (Score:5, Insightful)
Re:legalities (Score:4, Informative)
when you buy a domain from rcom, your page automagically defaults to a page. This page is pretty much an advertisement for rcom and such. it drives revenue towards rcom.
many MANY people thought this was crooked, so there was a civil suit.. which rcom lost.
I couldn't see a case like this wouldn't run the same, since both the rcom parked-page service and this have search links and nifo that drive revnue to their respective companies...
Re:legalities (Score:4, Insightful)
This lawsuit was fairly frivolous if you ask me. It was covered on Slashdot a while back here [slashdot.org].
This is nothing like the Verisign case - what they are doing is abusing a monopoly position, and in doing so, causing havoc with a number of internet-based pieces of software, most notably spam filters.
Re:legalities (Score:4, Informative)
if i register abacadaba.com, and abacadaba.com becomes the biggest thing next to yahoo and slashdot combined with sex.com... everyone would want to go to abacadaba.com, or so i hope.
all mispellings on my idea, and my trademark if ihave it trademarked, will go to versign. they'd effectively be making money off of me via a transitive property.. sorta. people want to see my site which makes money, verisign takes all mispellings of my site.. people make verisign money!
whoa.. i think i just proved step 2
Re:legalities (Score:4, Funny)
(Last Journal: Sunday April 16 2006, @10:03PM)
Please, please, please never suggest slashdot combined with sex.com again.
The vision that flashed in my head when I read it made me what to flush my eyes with acid while destroying my occipital lobe with a baseball bat.
And I don't think I'll be able to keep down food for a week.
Re:legalities (Score:4, Informative)
(Last Journal: Monday April 07 2003, @07:39AM)
I believe that Verisign's use of a wildcard to map all DNS requests for *.com to their web site violates the relevant RFC's.
Going through all of the DNS RFC's, all of them assume or require that when a name is not found, the DNS server return an error.
Going through them in historical order: RFC 811 specifies that if the name is not found, a 'NAMNFD' code is returned. RFC 1034 also talks about sending "a name error indicating that the name does not exist" and "A name error (NE). This happens when the referenced name does not exist. For example, a user may have mistyped a host name." It also discusses caching name errors for efficiency, which of course only makes sense if the authoritative DNS servers actually issue name errors (which Verisign is now not doing). RFC 1035 specifies that if "the domain name referenced in the query does not exist" that a "Name Error" be returned.
There is a wildcard mechanism in RFC 1034, but it's defined to apply to '"*.<anydomain>", where <anydomain> is any domain name' which makes it pretty clear to me that it's not intended to apply to domains. To emphasise this, all of the examples of DNS wildcards are of the form *.X.COM or *.A.X.COM.
I think Christmas Islands needs to follow Verisign (Score:5, Funny)
Get your Patched BIND for Slackware (Score:5, Informative)
(http://www.cis.ksu.edu/~harmon/)
The more ISPs that use this, the more uncommon the SiteFinder 'service' becomes---the less users expect it.
Remember when popups where not expected? After using mozilla for a while I simply cannot stand them now!
---
Re:Get your Patched BIND for Slackware (Score:5, Informative)
(http://slashdot.org/~gmack/journal)
Re:Get your Patched BIND for Slackware (Score:4, Informative)
Or if you're running BIND 9.2.3rc3 just add: options { root-delegation-only exclude { "cc"; "de"; "lv"; "museum"; "org"; "us"; }; }; This SHOULD be the default behavior for TLDs IMHO and I'm glad they're introducing the exclude list behavior.
DNS tweaker for Windows (Score:4, Interesting)
(http://swapped.cc/)
Yours truly put together quick utility - dnsfix [cipherica.com], which monitors inbound DNS responses and tweaks result codes from 'success' to 'no-name' for those referencing specific IPs. In other words, it can be used to transparently negate the effect of VeriSign's SiteFinder "service" and restore DNS behaviour expected by (currently broken) spam filters and alike.
Now this is interesting (Score:5, Interesting)
(http://www.saintaardvarkthecarpeted.com/blog | Last Journal: Monday March 05 2007, @11:58PM)
Some people suggest that administration of the DNS is a public trust, and that VeriSign is merely the caretaker of this system, not its owner. And now VeriSign has abused that trust. That may be true. Before a few days ago it didn't matter whether VeriSign was the owner or a caretaker. Now it matters a lot. VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission?
If you think about this from a social point of view, not just technical, this is absolutely fascinating (rather than just irratating/punch-provoking): here's an ability, that was theoretically possible all along, to have this big effect on something lots and lots of people use. No one made use of it before. Now someone has, and it's
Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?
I know what I think is the right answer, and it's what (probably) the rest of you think. But the final answer isn't up to you and me, or at least not you and me alone. Watching that process of who-gets-to-decide is going to be at least as interesting and precedent-setting as what the final decision ends up being.
Re:Now this is interesting (Score:5, Insightful)
(Last Journal: Saturday June 30, @01:22AM)
There's a certain relationship between a consumer of infrastructure and a provider of it. The consumer must trust the infrastructure to do what it is supposed to do, and nothing more.
This is no different from ISPs randomly redirecting users to their own branded search engine when you type in "www.google.com", or an ISP's employee intercepting passwords and using them to steal money.
Infrastructure providers inherently have a lot of control over the services they provide. There is a duty there to provide the service as expected, without changing the content that is carried.
Verisign's position as a chartered monopoly makes this duty even more important, because consumers have no choice to use an alternative.
I'm not sure what you mean by "No one's made use of it before"... No one else could make use of it (in
Other CCTLDs have used wildcards before, but no one much cares about some island that is abusing the CC system to make extra money.
Re:Now this is interesting (Score:5, Interesting)
(http://www.saintaardvarkthecarpeted.com/blog | Last Journal: Monday March 05 2007, @11:58PM)
Bad choice of words: As you mentioned, I understand that other TLD registrars have made use of this before. Amended sentence: no one in this position of power (.com and .net being what they are) has made use of this before.
This:
This is no different from ISPs randomly redirecting users to their own branded search engine when you type in "www.google.com", or an ISP's employee intercepting passwords and using them to steal money.
and this from the comment below:
I do....I, and all the other sysadmins out there, decide whether SiteFinder works or not.
are exactly what I'm talking about when I say that this debate is fascinating. In all honesty, I'd give a lot to sit down w/whoever at Verisign and ask them these same questions -- not necessarily to provoke the answer that I feel is right, but just to see how separate groups of intelligent people come to utterly different answers about these questions.
Re:Now this is interesting (Score:5, Insightful)
I do. I run the DNS servers at an ISP, and I am planning to apply the ISC patch that restricts delegation from root servers (as soon as the bugs are shaken out of it -- give it a week or two.) I, and all the other sysadmins out there, decide whether SiteFinder works or not.
Re:Now this is interesting (Score:4, Interesting)
(Last Journal: Saturday January 06 2007, @01:13AM)
How about we give verisign what it wants - traffic to nonexistent domains.
People with webpages should start having 1x1 img links to nonexistent domains. Should be one pixel by one pixel, in case the image from verisign is not desirable.
e.g. img src=http://www.asdasdnrerwtc.com/ height=1 width=1
That way verisign gets traffic for every page.
You can even make a "broken ribbon" logo with a fancy table and lots of 1x1 images and coloured 1x1 image. There's a small chance it could get subverted and show the wrong image.
Entirely a nitpick, but... (Score:3, Informative)
(Last Journal: Saturday November 29 2003, @03:51AM)
Though I agree with everything he said (and thought he did so quite eloquently), it's a bit disheartening to see the chairman of the ISC refer to NXDOMAIN as a 404.
Anybody know Verisign's CEO's home address? (Score:5, Funny)
(http://rustyp.freeshell.org/ | Last Journal: Tuesday April 29 2003, @09:22AM)
We can say that we were all on our way to the grocery, made a wrong turn, and ended up at his house.
Then we can demand to buy groceries.
I'm sure he won't mind. Everyones ends up at his site for that reason, right?
Re:Anybody know Verisign's CEO's home address? (Score:5, Funny)
(http://rustyp.freeshell.org/ | Last Journal: Tuesday April 29 2003, @09:22AM)
Try some of these:
Clean, to the point. [idontappre...search.com]
A little better [verisignsc...monkey.net]
the best I've got. [mayverisig...allrot.com]
Can't do that here... (Score:4, Funny)
.ORG Letter in plain text for MS Haters (Score:5, Informative)
President & CEO
ICANN
4676 Admiralty Way
Suite 330
Marina del Rey, CA 90292
September 22, 2003
Dear Paul,
Public Interest Registry (PIR), the operator of the registry of the
PIR also supports the Internet Architecture Board (IAB) statement on the same subject as set forth at:
http://www.iab.org/documents/docs/2003-09-20- dns-w ildcards.html
DNS is a critical piece of Internet infrastructure. Internet services such as the WWW and Email rely on DNS to function, and there should be no interference with the established protocols until there is complete assurance of no negative impact on the DNS.
In another context, the Internet Architecture Board (IAB) has commented:
"At the core of all of the IAB's concerns is the architectural principle that the DNS is a lookup service which must behave in an interoperable, predictable way at all levels of the DNS hierarchy. Furthermore, as a lookup service it is such a fundamental part of the Internet's infrastructure that converting it to an application-based search service
Page 2
appropriate even in the case where the query presented would not normally map to a registered domain."
The architectural principle referred to by the IAB is clearly violated by the changes proposed for the
On Monday, September 15, VeriSign changed the behavior of the
Because the VeriSign Site Finder server makes it appear that a non-existent domain exists, the service introduces significant problems to critical Internet infrastructure. Many other important Internet protocols rely heavily on proper DNS behavior. The impact of VeriSign's Site Finder is unclear with respect to security of the DNS. Site Finder unilaterally precludes the use of a prevalent type of anti-spam mail filter that uses DNS to validate the domain of legitimate eMails.
Because VeriSign's servers are authoritative for the
We are informed that other domain registries may be exploring services similar to the VeriSign Site Finder. (As noted above, PIR will
Page 3
not be one of them.) If this is the case, our comments concerning Site Finder apply with equal force to those other services. We believe that any such efforts to alter the TLD DNS systems, of which the VeriSign Site Finder appears to be the most prominent example, adversely affect the Internet infrastructure and the entire Internet community.
Therefore,
Oh, and for those of you who like plain text: (Score:3, Informative)
(http://www.saintaardvarkthecarpeted.com/blog | Last Journal: Monday March 05 2007, @11:58PM)
Word (Score:1, Funny)
Yep, it's obvious that this is slashdot.
First they came for .cx (Score:5, Funny)
(http://domain.broken...registrar.joker.com/)
Then they came for
but I didn't care because I haven't been in one in ages.
Then they came for
But I didn't care because I've never heard of them.
Then they came for
and nobody cared because it's common business practice.
Note: according to a posting I just looked up, at least 11 TLDs (.cc,
Re:First they came for .cx (Score:4, Informative)
(http://www.zocalo.uk.com/)
Why? Well firstly, .musuem is a highly restricted domain, and secondly it's all to do with how museums operate. If I go to the London Science Museum and start asking for paleontology information, they will redirect me across to the National History Museum. The wildcarding is just a virtual way of helping people find what they are looking for, which makes sense.
".com" on the otherhand, is a largely unregulated free for all of firstcome first served registrations and lawsuits, trying to apply a structure to that is insane. A good analogy I saw from another poster here on Slashdot was the difference between the alt.* and comp.sci.* heirarchies on Usenet. Do *you* want to try being a moderator on .alt?
.org, .us, .do .it (Score:5, Interesting)
For those in the
The only thing Verisign will understand is people speaking with their dollars. And yes, I personally have switched my domains over to
Sure, business cards and letter head still say
Did anybody have any luck (Score:5, Interesting)
(http://domain.broken...registrar.joker.com/)
I'd appreciate any suggestions.
The root of the problem (Score:4, Insightful)
(http://adavid.com.au/ | Last Journal: Tuesday July 10, @10:09PM)
Verisign Troubles? Contact these people: (Score:5, Informative)
(http://jargon-file.org/)
By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.
Stop Verisign DNS Abuse Petition (Score:5, Informative)
(http://www.kirikos.com/)
It's now here [whois.sc] having been Slashdotted last time....on a better server this time, though (we hope!), so be gentle....
It's good to see that PIR is taking the high road. If .com/net are ever redelegated, I'd much rather they run it, than someone who would be looking for every opportunity to squeeze out nickels and dimes ($100 million/yr!) from the internet community, via abuse of their monopoly. Or, perhaps a corporation with a solid reputation (maybe IBM?) would step up, to replace Verisign.
bootleg patches? (Score:3, Interesting)
(http://www.crocodile.org/)
As I said on IRC... (Score:1)
One day back in junior high, I was in a lab full of old Macs. Netscape suffered a lag attack and decided I wanted to go to 'hoo.com', not 'yahoo.com'. Hilarity ensued.
I think that particular site is defunct, though.
Take back the roots (Score:5, Interesting)
(http://linuxhomepage.com/)
Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have our own name servers) do.
It's a little harder, but not a lot harder, to just run your own root zone. The biggest thing is to gather up all the NS records and associated A records for each TLD. That's a small list (relatively speaking), so it could be done via a few hundred dig commands to the root servers. Or it can be downloaded. Now once you have that data, you replace the .com and .net zones with your own. Of course that begs the question, replace it with what?
If enough people with enough server/network power get together, they can make their own independent "realm" of domain name space, starting with a replacement root zone (as has been done in the past to add new TLDs), and a replacement for both .com and .net.
I can just hear the complaints now (and I've heard them before): "But this will fragment the internet". My answer is: Yes!!!! yes it will! all the better. Imagine being in a whole different name space realm away from spammers and evil corporations. And maybe you can meet me in the .mp3 TLD.
how come i get this? (Score:1)
Host not found.
$ host www.slshdt.org
Host not found.
I thought i should get verizon's ip? Anybody explain this? Or is there some way to get around this thing.
Verisign can break Vixie's patch - here's how (Score:4, Informative)
(http://linuxhomepage.com/)
Verisign can break Vixie's patch. All they have to do is set up a separate name server which pretends to be a .com and .net server, with the very same wildcarded A-record. Now just put in wildcarded NS-records in the actual .com and .net zones in the real GTLD servers (in place of the existing wildcarded A-record). There, now it really looks like a real delegation to a different name server, just like real domains have. The new delegated wildcard server gets the query next, due to the delegation (that looks like a delegation, hence fools the patch), and due to its wildcard (and it doesn't need any other data from the .com or .net zones, since it doesn't get delegated to for real domains), it will answer with an A record of Verisign's choosing. If Verisign wants to keep doing what they are doing, they can defeat this patch by that method.
Then we'll have to make DNS servers filter out specific delegations (as opposed to filtering out non-delegation records where there should be only delegations). Verisign could rotate those delegations daily and fool efforts to block it.
Question about spam filtering problems (Score:2)
(Last Journal: Wednesday October 22 2003, @03:09AM)
Why can't we work around this by instead of checking if the address is valid, check if the address comes back to Verisign's server???
What if it was Google rather than sitefinder? (Score:2)
What if rather than sitefinder, it redirected you to google? The "feature" they are trying to convince us they provide is basically spell checking the URL you type. "salshdot.org? Oh... you meant slashdot, here let me take you there."
What if this had been done in a more acceptable way, where profit leeching wasn't a suspected motive? Would we still complain?
And btw, the only downside I can personally think of with the concept in general is that you can no longer tell a site is down or exists just by pinging it, because you get the "spell checker" site's reply rather than nothing.
Feedback?
It's the same issue (Score:5, Insightful)
(http://achurch.org/index-e.html)
Whether it's SiteFinder, Google, or even Slashdot, the issue is not so much (or at least not only) the fact that a website comes up instead of a 404. It's the fact that practically everything automated breaks because this "service" is oriented toward humans. Consider:
I'm sure there are others, but the point is that what's good for human users is not good for computers, and it should be the client, i.e. the thing interacting directly with the human user, that interprets the computer responses and makes them easier to use for humans. (There wouldn't be nearly as much uproar over this if Verisign had, say, made a deal with Microsoft to redirect all NXDOMAIN queries to SiteFinder; in that case it would be an Internet Explorer, i.e. client issue, and DNS itself would be unharmed.)
Kerosene (Score:2)
(http://www.wdogsystems.com/ | Last Journal: Thursday October 06 2005, @10:10AM)
#!/usr/bin/perl
srand();
my @alpha = (a..z);
my @prefix= qw( www web1 web2 ftp mail dns ns1 ns2 ns3 dns1 dns2 dns3 );
my @suffix = qw ( com net );
$|=1;
while(1) {
my $length = int(rand(16)+1);
my $n = "";
for (0..$length) {
$n.=$alpha[int(rand(26))];
}
my $p = $prefix[int(rand($#prefix))];
my $s = $suffix[int(rand($#suffix))];
$l = `nslookup $p.$n.$s`;
print $l;
sleep int(rand(5))+1;
}
enough crap in their database, it won't be good for marketing data anymore.
Query the Verisign roots for bogus .COM names (Score:4, Informative)
(http://nonesuch-security.blogspot.com/ | Last Journal: Friday September 14 2001, @12:46PM)
Any host can make non-recursive requests to the root servers.
Technically, if a query for whatever.com arrives at a root server, it should only return the list of NS records for .COM, and if a query for whatever.com arrives at an authoritative server for .COM (many roots are also .COM servers), it should only return the registered NS records for whatever.com.
In fact, that is exactly the problem -- the Verisign roots should return only NS or NXDOMAIN records, but for names in .COM .or .NET, they instead "synthesize" an A record, pointing to sitefinder, with a 15 minute TTL (cache lifetime).
The various hacks either ignore the specific A record, or ignore records from root servers other than NS. The latter is a cleaner approach, IMHO.
Trademark Infringement (Score:4, Interesting)
(http://www.traxel.com/)
If your ISP hasn't fixed this yet, go to http://ibm-asdf-hardware.com [ibm-asdf-hardware.com]
Do you think IBM might be a little bit pissed off about their trademark being used to point to someone else's computer hardware site? Do you think they might, I dunno, sue?
How about all these other blatant trademark infringements:
http://ibm-asda-hardware.com
htt
http://ibm-asdc-hardwar
http://ibm-asdd-hardware.com
http://ibm-as
http://ibm-asdg-hardware.com
htt
http://ibm-asdi-hardwar
http://ibm-asdj-hardware.com
As I see it, Verisign is facing a not-quite-infinite number of trademark infringement lawsuits. And, of course, if Verisign switches to point to IBM, I'm sure hardware.com would be delighted to fire their own volley of lawyers.
A 404 error message? (Score:3, Redundant)
(http://linuxhomepage.com/)
What? How the hell do you get an HTTP 404 error message if there's no server to even connect to?
Mr. Vixie is surprisingly neutral (Score:3, Insightful)
He seemed reserved, while calmly pointing out, part by part, what is wrong with Verisign's actions. More of this is called for from the important people in the Internet technical and business community - the way community coverage has been heading, and the way comments are worded on Slashdot and other sites, is leading to resentment, anger, name-calling, and joking about Verisign and their policies, creating a situation in which the community is less likely to be taken seriously by Verisign, Microsoft, AOL, etc. Mr. Vixie also mentions that there are smart people at Verisign, reminding us that the Sitefinder "service" is the brainchild of but a handful of people, maybe even just one or two. It reminds me that as engineers, we still have to work with the other guy at a certain level.. becoming enemies doesn't help anything.
Mr. Vixie is saying that perhaps ICANN should "do something about it". This whole situation should be approached by attorneys general, from the both the branding/business practices angle mentioned by Mr. Vixie, and also from the consumer rights angle (much like telemarketers). Right now the average consumer can get effectively get rid of telemarketers, thanks to recent laws, with a single verbal or written request, but the Sitefinder service can only be circumvented using DNS tools by an engineer or technician "in charge" of the DNS servers. The web-browsing consumer has no way around this by themselves.
Doublespeak? (Score:2, Insightful)
(http://dsv.su.se/~oscar-ja/)
What the flip is ICANN doing? (Score:2, Insightful)
(Last Journal: Saturday August 28 2004, @12:14AM)
In the past, ICANN has always made a song and dance about the crucial need for DNS stability, yet now, in the face of a unilateral move that causes great instability, they meekly ask Verisign to please stop. If ICANN are too spineless to act, then the Department of Commerce needs to step in. Despite the contractual complexities (see Karl Auerbach's blog [cavebear.com]), Verisign have committed a fundamental breach of trust, and the DoC should reallocate responsibility for .net and .com as soon as practically possible.
Terms of Use (Score:2, Interesting)
Couldn't they be sued for not providing some way for users to discontinue use of their service? It's like the shrink wrapped EULA, except on a way more annoying scale.
We're all going to have to call their tech support to ask them how to discontinue use of the service because we do not agree with their terms of use.
It appears site finder has already been suspended. (Score:2)
(http://slashdot.org/)
Host www..com not found.
www..net
Host www..net not found.
www..org
Host www..org not found.
Did we win?
Other ISP.. What are you doing? (Score:1)
(http://coherentnetworksolutions.com/)
As a member of the BOD of a non-profit ISP Ive called on our board to send Verisign a letter requesting the suspension of the service and to star talking to the main stream press. What is everyone else doing?
If they want to wildcard their names... (Score:3, Funny)
(http://sharpy.xox.pl/ | Last Journal: Wednesday September 14 2005, @02:12PM)
Domain squatting during registration hiatus (Score:2, Interesting)
(http://geeklondon.com/)
After reading this story [theregister.co.uk] about Russell Lewis's (Verisign GM) memo to staff, I registered "bookstre.com" and pointed it to Google via the Easily.co.uk redirector.
Now, until the DNS entry propagated, and in the 15 minute window before the non-existant domain timed out, I was still seeing the SiteFinder "domain". Obviously it's a contrived example, but I think it illustrates an important point:
I paid good money for this domain
Who said Verisign could use it ?
Legitimate domain registrations are still going to suffer from this decision, so I suspect this would be a legitimate set of grounds for a class action against Verisign.
Bind 8.x backport of ISC patch? (Score:2)
(http://www.chathamhouse.org)
So far, all I've got is unofficial patches, which will not be run on production systems.
random junk (Score:2)
(Last Journal: Thursday December 08 2005, @04:33PM)
the sitefinder-type thing...
http://RandomJunk8347458475.cc
Also, as Verisign so helpfully pointed out in their
letter the other day many TLDs wildcard. ICANN should *ask* them to stop too.
Bind has their option to prevent wildcarding from certain domains. Maybe they
could ship it pre configured block all wildcarding domains. Or can you simply
say block all wildcarding no matter what the TLD.
Since BIND is prevalent it could take an end run around the existing
Block it yourself if your ISP won't (Score:1)
On a Linksys BEFSX41, for example, just put "sitefinder.verisign.com" in the "Blocked URL Contents" section of the router's "Firewall" configuration page.
If you mistype a URL (I use the term loosly) Mozilla will put up an alert box: "The document contains no data". Internet Explorer brings up a "The page cannot be displayed" page.
Caveats: (1) many routers don't have this "firewall" feature; (2) this works only for clients downstream from the router. It won't help your ISP bounce spam from "loser@verisignisdoingbadthingstotheinternet.com"
Design flaw with DNS (Score:2)
(http://slashdot.org/~wowbagger/journal/87552 | Last Journal: Monday September 03, @08:07PM)
For any given suffix
So if you are looking up bar.com, there is only one dataset that contains information on
Now, what if a server for a given domain, in addition to having a parent had siblings? For example, if you were looking up narf.com, then the queries might look like this:
my machine - Hey root, where's narf.com?
Root - I don't know, but verisign.com should - ask him.
My machine - Hey verisign.com, where's narf.com?
Verisign.com - I don't know, maybe alternic.com does.
My machine - Hey alternic.com, where's narf.com?
alternic.com - narf.com is at 192.168.0.1
In other words, for every zone record there would be a new configuration possible - a list of zero or more siblings. On a negative result, the sibling records would be returned, and the quering name server would consult them. As a result, you could allow joker.com, register.com, verisign.com et. al. to have just their records on their servers, with cross links to the other servers.
Yes, this would increase the number of queries a name server might have to do to resolve a domain, especially in the negative case (domain does not exist). However, just as a name server can and will cache the servers for
Under this system, a failure of verisign's server would not black out
Extending this to the root servers would allow for things like Alternic to be added - the root servers could say "I don't recognize
Yes, it would be possible for Joker.com and Register.com to create records for VerisignEngineersAreWeenies.com, and for those records to disagree. Yes, the set of owners of servers for the
But were this idea implemented, it would prevent anybody from pulling the kind of unilateral crap that Verisign has.
Hold the phone... (Score:2)
COST OF THE VERISIGN SERVICES.
The Verisign Service(s) are provided to you free of charge.
Hey folks, we're getting this service for free. Looks like we don't have a leg to stand on.
The more I look at this.. (Score:1)
I think, though of course the devil is in the details, it's time that Verisign learned that it's power comes from us, only because we allow it.
How we do that is another story.
Network Solutions' latest response... (Score:2)
Yet still my emails to VeriSign somehow end up at Network Solution's feet. At this point their responses aren't nearly so "helpful" [slashdot.org] with regard to volunteering opinions about the permissibility of VeriSign's decision to .com and .net into upheaval.
Verisign is doing a phone survey right now (Score:2, Interesting)
(http://www.nocturnal.org/)
Problem's to deal with. (Score:1)
Perhaps Microsoft and others will get mad (Score:2)
In addition ISPs in non-English countries sometimes catch requests for unknown domains and put up a web page in the appropriate language - this is now also broken.
ISC BIND 8 hack opens door to OpenNIC (Score:2)
(http://slashdot.org/~nutznboltz/journal/ | Last Journal: Monday September 26 2005, @08:31PM)
zone "com" { type forward; forward first; forwarders { 204.152.184.76; }; };
to make a BIND 8 server use the ISC public recursive servers for
zone "geek" { type forward; forward first; forwarders { 208.181.60.45; }; };
to add the
http://www.opennic.geek/ [opennic.geek] now works for me while I'm using normal DNS for other TLDs.
Re:Year 2039: Grandpa, what's a 404 error? (Score:3, Informative)
(Last Journal: Thursday December 08 2005, @04:33PM)