
ICANN Asks VeriSign To Stop DNS Wildcarding

MrClever writes "In this article over at the Sydney Morning Herald (AU), it looks as though ICANN may actually be doing something about the VeriSign changes to .com and .net TLDs. Apparently, while they have been noticeably quiet, they have been reviewing community reaction and analysed data from a technical perspective. Here's hoping ICANN pull the plug on VeriSign's TLD administration rights!" And TALlama writes "RSS.com.com (dear $DIETY, will it ever stop?) is reporting that ICANN has asked VeriSign 'to voluntarily suspend the service' of wildcarding DNS, 'pending further study.' Calling it a 'service' is a little bit of a misnomer. If I punch people in the face, can I call that a service, too?"

  • by Anonymous Coward on Monday September 22, 2003 @04:46AM (#7022955)
    Posters Ask Slashdot To Stop Dupe Posting
  • by DrSkwid ( 118965 ) on Monday September 22, 2003 @04:48AM (#7022960) Journal
  • A service? (Score:5, Funny)

    by Steffen ( 84872 ) on Monday September 22, 2003 @04:50AM (#7022965)
    "If I punch people in the face, can I call that a service, too?"

    Yes, because so many people need what you are selling.

  • by millwall ( 622730 ) on Monday September 22, 2003 @04:55AM (#7022981)

    (ICANN) has asked VeriSign to voluntarily suspend changes it made to domain name service zones that have resulted in most mistyped .com and .net domain names being redirected to its own site.

    I predict the most common misspelling of VeriSign.com will be VerySued.com
  • 404 (Score:5, Informative)

    by Anonymous Coward on Monday September 22, 2003 @04:59AM (#7023002)
    ICANN said it is investigating complaints over the wildcard service and asked VeriSign to pull it pending further study. The service effectively replaces the common "404 page not found error" that until now has been the default for absent Web addresses.

    404? An HTTP response from a DNS request? Please get your facts straight com.com...
    • AC #2, I think you missed his point. He was pointing out that an HTTP 404 error is part of the HTTP protocol not the DNS protocol. A correct DNS response would be something equivalent to "Host not found."
    • They said "effectively", and they're right.

      It "effectively" does other things too, but that's the effect that most people are going to notice.
  • finally... (Score:1, Informative)

    by Anonymous Coward
    The wildcard "service" is certainly causing problems for many admins. It's glad to know ICANN is doing something about it. Anyway, I personally think VeriSign will still stop this "service" anyway without ICANN interfering because of public pressure.
    • Re:finally... (Score:4, Interesting)

      by Nightlily ( 140378 ) on Monday September 22, 2003 @05:22AM (#7023054) Homepage Journal
      Honestly I don't think VeriSign will stop this "service" because of public pressure alone. I used to have my domains registered at VeriSign but I was tired of never being able to get a password for the web administrative interface.

      VeriSign is a great service if you're not planning on making any changes to your domain information. A few years ago I needed to update my name. VeriSign "offered" (the free version was in small print and out of the way) the service to have my name change rushed for over $100.

      I suspect ICANN is stepping in due to public pressure, not VeriSign.
  • by AndroidCat ( 229562 ) on Monday September 22, 2003 @05:25AM (#7023063) Homepage
    After all, when Verisign pays no attention to ICANN's asking them to stop, ICANN will ask them again--maybe even notarized! That'll sure bring Verisign to their knees, oh yeah.

    Wake me up when it escalates to wrist-slapping.

    • Re:A dup is okay... (Score:5, Interesting)

      by mustrum_ridcully ( 311862 ) on Monday September 22, 2003 @06:33AM (#7023213)
      Well if more companies behaved like this maybe the world would be a better place (well not for lawyers admittedly).

      I've lost count of the number of times I've seen people in /. write "why didn't they just ask x to stop y". Well now somebody has.

      What if SCO just asked for its code not to be used instead of sending the lawyers in?

      Or Apple records asked Apple computers to stop selling music?

      etc...

  • by FlukeMeister ( 20692 ) on Monday September 22, 2003 @05:35AM (#7023085) Homepage

    The IAB has issued a set of guidelines for the use of DNS wildcards [iab.org].

    Essentially, they say it's a very bad idea, but you can do it with the informed consent of all delegates in your zone.

  • Well let's hope for once ICANN actually does something rather than just letting people get away with it. Of course ICANN isn't that well respected but more so than Verisign

    Rus
  • Tis Done (Score:3, Informative)

    by Anonymous Coward on Monday September 22, 2003 @05:54AM (#7023116)
    Unregistered domains [verisignre...better.com] now return a plain, comforting error page instead of SiteFinder. Which is nice.
  • .nu? (Score:5, Informative)

    by admbws ( 600017 ) on Monday September 22, 2003 @06:06AM (#7023139) Homepage Journal
    NuNames [nunames.nu], the provider of domain names for the island of Niue [cia.gov], has been doing this [somelongno...tdomain.nu] for a long time. Will ICANN ask them to stop too?
    • Re:.nu? (Score:5, Insightful)

      by Microlith ( 54737 ) on Monday September 22, 2003 @06:38AM (#7023228)
      Unlike other TLDs, namely several country codes, .com and .net have a number of resellers.

      TLDs with a monopoly really can't be told what to do, because there's no one competing with them in the first place.

      With VeriSign doing this on .com and .net, they're unfairly leveraging their position to the exclusion of other registrars. They are in effect conveying the message that they run the web.
      • On the upside, the new bind patches will allow us to block the other TLDs from pulling this crap.

        When this all settles down I'll update all of my nameservers with a complete list of tlds who do this and block them all.
    • Re:.nu? (Score:4, Interesting)

      by bluGill ( 862 ) on Monday September 22, 2003 @08:08AM (#7023711)

      Well, they shouldn't but .nu belongs to Niue, and so long as the proxy for the people (government) doesn't mind I don't have a problem with what they do. If I lived on Niue I would have a problem with it, but I believe in letting other people do stupid things. However .com and .net belong to the internet as a whole, and that means everyone needs to agree with what happens there. (Note, everyone in the world, .us belongs to the USA, and those in other countries shouldn't be concerned about the stupid things .us is doing, while those in the US should)

      This is the way I live my life: Don't harm anyone but yourself and I'll leave you alone. I won't agree with what you do, and speak against it, but so long as it doesn't harm others I don't care.

      I have no clue how the government of Niue is overall, having never heard of them before. If they are "Evil", I might help those in the country to change things, but that is a completely different story and has nothing to do with domain naming.

  • by Anonymous Coward on Monday September 22, 2003 @06:09AM (#7023145)
    If we all add this command:

    iptables -I INPUT -s 69.94.0.0/15 -j REJECT

    maybe that will get Verisign's attention ;p

    After all, there's nothing they can do about people blackholing them for a good long while until they say they are sorry. As a penalty they should lower the prices of their domain registration, to something competitive.

    • by gmack ( 197796 ) <<gmack> <at> <innerfire.net>> on Monday September 22, 2003 @08:26AM (#7023856) Homepage Journal
      You need to think about what that will do to other services since all the world is not http. With this change smtp will now attempt to retransmit until it times out instead of hitting verisign's fake mail server that will reject the message immediately. The average timeout is 5 days... that's 5 days of added load to your mail server for every email to a mistyped domain.

      I suggest installing the new version of bind instead.

  • Huh? (Score:2, Interesting)

    by batkins ( 602341 )
    I'm still not having this problem. If I browse to http://notarealaddressatall2323.com, my browser just says "Looking up host" and then eventually returns an error.

    I've never actually seen this happen. Is it possible that my provider (Earthlink) has blocked this in their own DNS servers?
  • Oops. (Score:3, Funny)

    by Amorpheus_MMS ( 653095 ) <amorpheus @ g m a i l . com> on Monday September 22, 2003 @06:17AM (#7023169)
    >dear $DIETY, will it ever stop?

    File not found. Bad command or deity.
    • >dear $DIETY, will it ever stop?

      Name "main::DIETY" used only once: possible typo at ./universe.pl line 3.
      Use of uninitialized value in concatenation (.) or string at ./universe.pl line 3.
  • that is, if i did a page that generated infinitely random addresses(like, 1000 at one go, then link back to itself) would the bots follow the addresses to there every time?

    i'm not saying that somebody with a popular page should do this.. but :)
  • What's the big deal? (Score:2, Interesting)

    by kasper37 ( 90457 )
    At first I was kind of pissed about what they did, but what is it really hurting? Anything that relies on a dns failure could easily be changed to accept a failure or a response involving that ip.

    Although I know they will never release any stats on the kind of hits they are getting to that ip, it would be an interesting study. I would be interested to find out what the most misspelled domain is.
    • by Anonymous Coward on Monday September 22, 2003 @06:51AM (#7023264)
      The point of standards is that you can rely on them. The internet standards are decided on a lengthy consensus process, and at this point the basic protocols of the internet are only changed very slowly and for very good technical reasons. Thus, once you have implemented a service or component based on a standard protocol such as DNS, you can be happy and count on not needing to maintain the component any more. It would set a horrendous precedent if internet infrastructure could be changed at will for marketing reasons, with no repercussions. Suddenly *every* piece of software relying on internet would need a maintenance team ready to change them at a moment's notice. This costs a lot of money, especially for services that are ready, done and just work.
    • What if my application already does different things depending on whether the service is misconfigured (DNS error) or just not responding (connection refused)? The Verisign move has merged different failures into one.
    • by TCM ( 130219 )
      Right, why have standards. At the next opportunity just change every piece of installed software to adapt to your marketing brainfart of the week.

      Why the fuck was this even modded up?

      Retard mods.
    • At first I was kind of pissed about what they did, but what is it really hurting?

      For web pages, I couldn't care less. If I mistype a URL and get a search page instead of an error page, it's no big deal.

      The problem is that this change doesn't just affect web pages. It affects every program that does a DNS lookup - which is almost everything.

      This is not acceptable. If I mistype an address when sending mail, I want to get an immediate error back. I don't want a Verisign server to receive the message

  • by OpenYourEyes ( 563714 ) on Monday September 22, 2003 @06:37AM (#7023223)

    Of course you can sell your Punch in the Face services. Such services have traditionally gone under names such as

    • Boxer
    • Body Guard
    • Actor

    Now, this analogy actually does continue. You, as a sysadmin or someone writing a script that uses DNS, might not really like this service. Just like someone who is trying to take celebrity photographs might not like the Punch-in-the-Face service. But the fact is that this service is provided. And that there are a LOT of people who not only don't see this as a problem - but like it. Or at least think they do.

    That is why Verisign thinks they can get away with this - the average person sees a benefit here and sees no drawbacks. The average person watching a boxing match also just sees the benefits and not the drawbacks. Until it is made clear why this isn't as good as it appears, nobody will care. Chances are, nobody will care anyway.

  • Kick Ass (Score:2, Funny)

    by brunes69 ( 86786 )

    "If I punch people in the face, can I call that a service, too?"

    Some people already offer this service. [xmission.com]. Looks like you have some competition.

  • Terms Of Use (Score:3, Interesting)

    by BiggerIsBetter ( 682164 ) on Monday September 22, 2003 @07:10AM (#7023343)
    Have any of you read the "terms of use"? http://sitefinder.verisign.com/terms.jsp [verisign.com] What a load of bollocks - do they seriously want us to believe that being redirected without our control to some bogus directory site is a legally binding agreement?! Go fsck yourselves Verisign!
    • Re:Terms Of Use (Score:2, Informative)

      I emailed VeriSign about that issue, and here is what I got back:

      Dear Ryan,

      Thank you for contacting VeriSign Customer Service. Unfortunately there
      is not a way to opt out of the Sitefinder service. The terms and
      conditions apply to the web site navigation and the search
      functionality, not to the Sitefinder service itself.

      Please learn more about Sitefinder by visiting our FAQ's, we have also
      provided some technical issues to be aware of:

      http://www.verisign.com/nds/naming/sitefinder/f a q. html ...

      It went
    • At any time VeriSign may modify or terminate these terms of use, its websites and the VeriSign Services and may at any time discontinue your use of the VeriSign Services without any notice to you, and without liability to you, any other user or any third party. Please review these Terms of Use from time to time so that you will be aware of any changes. Your continued use of the VeriSign Services constitutes your agreement to all such terms, conditions, and notices.

      Trust me, I won't sue! (BTW - is it act
  • People who grew up on a farm will understand what I mean.
  • by TequilaMonster ( 321655 ) on Monday September 22, 2003 @07:33AM (#7023457)
    Hi,

    There's a petition available. Now I don't know exactly how effective it will be, but signing is more effective than not.

    http://www.whois.sc/verisign-dns/ [whois.sc].

    rgds

    Alan
  • by dpbsmith ( 263124 ) on Monday September 22, 2003 @07:42AM (#7023496) Homepage
    ...and hang tough.

    After all, the IAB says here [iab.org] that "We must emphasize that, technically, this was a legitimate use of wildcard records that did not in any way violate the DNS specifications themselves."

    If the decision-makers at Verisign cared about good engineering practice, they wouldn't have done what they did.

    They probably regard their own actions as just "sharp business practice" and are probably patting themselves on the back for having found a loophole in the DNS specification that they can use for their own profit.

    I don't think jawboning from ICANN, the IAB, or anyone else will have much effect. I don't see how anyone short of the Feds can stop them.

    I mean, they have contracts with their SiteFinder advertisers. There's money at stake here.
  • by snowtigger ( 204757 ) on Monday September 22, 2003 @07:47AM (#7023517) Homepage
    There is an available patch for BIND 8:

    This page [achurch.org] provides a patch to BIND 8 to ignore the wildcard A record Verisign is now returning for unregistered .com/.net domains. It was cooked up over 10 minutes of pure anger and has not been properly tested; it would be better to be able to specify which IPs to ignore in the configuration file. Suggestions or improved patches are very much welcomed. (Note that this patch causes SERVFAIL results; NXDOMAIN would be better, but I'm not that well versed in the BIND code.)

    This patch was made against BIND 8.4.1.
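
Added example (not written by any commenter here, and not the BIND patch itself): a Python sketch of the filtering idea in the comment above, which also shows the "DNS error versus answer" distinction an earlier commenter says the wildcard merges. The zone data, addresses and function names are constructed for illustration, and `toy_resolve` is a hypothetical stand-in for a real resolver so the block runs offline.

```python
import secrets

# Constructed sample data (not from the thread): a toy registry view.
# Addresses come from the RFC 5737 documentation ranges.
REGISTERED = {"example.com": "192.0.2.10", "example.org": "192.0.2.20"}
WILDCARD_TLDS = {"com": "198.51.100.11"}  # TLD -> address its wildcard hands out


class NXDomain(Exception):
    """Name does not exist (DNS RCODE 3)."""


def toy_resolve(name):
    """Hypothetical stand-in for a stub resolver: one A record or NXDomain."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return REGISTERED[name]
    tld = name.rsplit(".", 1)[-1]
    if tld in WILDCARD_TLDS:
        return WILDCARD_TLDS[tld]  # wildcard: every unregistered name "exists"
    raise NXDomain(name)


def detect_wildcard(tld, resolve, probes=5):
    """Return the addresses a TLD synthesises for names that cannot exist.

    Looks up random 32-hex-digit labels. A single NXDOMAIN proves the TLD
    still reports missing names honestly, so the result is an empty set.
    """
    seen = set()
    for _ in range(probes):
        try:
            seen.add(resolve(f"{secrets.token_hex(16)}.{tld}"))
        except NXDomain:
            return set()
    return seen


def filtered_resolve(name, resolve, wildcard_addrs):
    """Restore NXDOMAIN semantics for answers that point at a wildcard address.

    Caveat: a genuinely registered name hosted on that same address would
    also be reported as missing.
    """
    addr = resolve(name)
    if addr in wildcard_addrs:
        raise NXDomain(name)
    return addr


def classify(name, resolve, wildcard_addrs=frozenset()):
    """What an application sees: ('resolved', addr) or ('nxdomain', None)."""
    try:
        return ("resolved", filtered_resolve(name, resolve, wildcard_addrs))
    except NXDomain:
        return ("nxdomain", None)


if __name__ == "__main__":
    wild = detect_wildcard("com", toy_resolve)
    print("wildcard addresses for .com:", wild)
    print("unfiltered typo:", classify("exmaple.com", toy_resolve))
    print("filtered typo:  ", classify("exmaple.com", toy_resolve, wild))
```

Raising `NXDomain` rather than a generic failure keeps the "no such name" case distinct from "resolver broken", which is the difference between NXDOMAIN and SERVFAIL that the comment above mentions.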
  • ..simply spellcheck their submissions before publication? Ispell catches $DIETY fine.
  • A Service? (Score:3, Funny)

    by Woy ( 606550 ) on Monday September 22, 2003 @08:05AM (#7023686)
    If I punch people in the face, can I call that a service, too?

    If you punch the verisign ppl in the face, you can bill me.

  • by WogboTheFrogGod ( 303677 ) on Monday September 22, 2003 @08:44AM (#7024029)
    Once Verisign quits doing it, I revert to the damned MSN page every time there's a type-o.

    Why isn't anyone bitching about MS?
    • Why isn't anyone bitching about MS?

      Probably because this is a feature of IE, not a change to the way the net works.

      To get rid of it:

      1. In Internet Explorer, go to the "Tools" menu and select "Internet Options..."
      2. Click on the "Advanced" tab
      3. Scroll down to the section "Search from the Address Bar"
      4. Select the radio button labelled "Do not search from the Address Bar"
      5. Click the "OK" button to dismiss the dialog
      6. Test using a URL like http://www.dsafgwadbee.co.uk [dsafgwadbee.co.uk], as this will avoid the Verisign thing (w
      • To get rid of it:

        1. In Internet Explorer, go to the "Tools" menu and select "Internet Options..."
        2. Click on the "Advanced" tab
        3. Scroll down to the section "Search from the Address Bar"
        4. Select the radio button labelled "Do not search from the Address Bar"
        5. Click the "OK" button to dismiss the dialog
        6. Test using a URL like http://www.dsafgwadbee.co.uk [dsafgwadbee.co.uk], as this will avoid the Verisign thing (which only applies to .com and .net TLDs)
        7. You should now get a

        • See, wasn't that easier?

          "Considerably easier", I type into Safari on my Mac :-)

          OTOH, sometimes you're stuck in a workplace where they require use of IE, and (as long as they haven't disabled access to Internet Options), you can at least get rid of the MSN page.

    • by kindbud ( 90044 ) on Monday September 22, 2003 @11:17AM (#7025387) Homepage
      Because MS didn't foobar DNS to do it. They did it in the application, which is where this sort of service belongs. If you don't like the way IE does this, you can turn it off, or use a different browser. Can't turn off VRSN's fuckup.

    • Once Verisign quits doing it, I revert to the damned MSN page every time there's a type-o.

      Why isn't anyone bitching about MS?


      First off, people do bitch about that behavior of IE.

      Second off, that is a feature of Internet Explorer, the application. It does not violate any RFCs, nor does it adversely affect any critical Internet infrastructure. It's not a part of Windows' TCP stack or anything silly like that. Also, you can turn it off or even redirect it to any other site you want.

      It's not the same ballp
    • Once Verisign quits doing it, I revert to the damned MSN page every time there's a type-o.

      Why isn't anyone bitching about MS?


      Probably because a lot of us haven't noticed it because we either A) don't use IE, or B) type well enough to not have that problem, or C) Don't even come close to Windows.

      that'd pretty much explain that. Oh yes, and the obvious part: The MS IE page is clientside... it doesn't change the Internet, it just gives you the illusion.
  • Verisign Hack (Score:3, Interesting)

    by cybrangl ( 621520 ) on Monday September 22, 2003 @09:16AM (#7024305)
    So, what happens when Verisign gets its website hacked again? I would think that this would be a prime target for anyone who wants to get attention. It's just a matter of time.....
  • Those who think you can not make a buck hitting people have not watched the old 80's and 90's televangelists 'heal' people by hitting them in the head. And to complete the financial transaction, these 'healed' people give the evangelist money for the privilege of being hit while up on stage!

    Then there is always the bouncer at your local bar. He provides a service that frequently involves punching people.
  • Verisign is providing a "service" to Internet users in much the same way.
  • Check out Alexa [alexa.com] and their graph about VeriSign's jump [alexa.com]... 1,920% jump in a day (also look at their rating, lol).

    These guys have always been sneaky. Remember when they sent out the "nameless" re-register postcards? I guess scum never changes....
  • They filed suit against Verisign accusing Verisign of misuse of their registry position with their Site Finder service.
    Link to the press release is here [godaddy.com]
  • by Chacham ( 981 ) *
    If I punch people in the face, can I call that a service, too?

    Of course. Hit them in the nose and let blood. They should be thankful!
