Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
The Internet The Almighty Buck Your Rights Online

Paul Vixie And David Maher On VeriSign Wildcarding 264

chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.
This discussion has been archived. No new comments can be posted.

Paul Vixie And David Maher On VeriSign Wildcarding

Comments Filter:
  • by Anonymous Coward on Tuesday September 23, 2003 @09:43PM (#7040160)
    They sure break up the SCO stories.
  • To be honest (Score:2, Flamebait)

    I kind of like the Verisign redirect. I sometimes mistype URLs and the Verisign page usually has a link to the page I was looking for. It's a pretty nice system considering the alternatives.
    • Re:To be honest (Score:5, Insightful)

      by Desert Raven ( 52125 ) on Tuesday September 23, 2003 @09:52PM (#7040217)
      Gee, that's nice, but in the meantime, it aids spammers, since I can no longer tell if the sender's address is from a valid domain. With Verisign's corruption of the root servers, *all* .com and .net domains will now come back as being valid.

      You're telling me that if you get a "server not found" page, you're too stupid to figure out you misspelled something?

      This is an absolute abuse of Verisign's position. They are contracted to *maintain* the database, not warp it to their own *commercial* purposes. If this was actually a valid service, they would have had no trouble with proposing it to the Internet standards bodies before implementing it. Instead, they're defying those organizations. Worse yet, they've actually put me in the position of agreeing with ICANN.
      • Re:To be honest (Score:3, Informative)

        by Anonymous Coward
        Gee, that's nice, but in the meantime, it aids spammers, since I can no longer tell if the sender's address is from a valid domain. With Verisign's corruption of the root servers, *all* .com and .net domains will now come back as being valid.

        As has been said numerous times, this has nothing to do with the "root" servers, only the com and net TLD servers. ISC has already produced a very nice fix for Bind 9 so this doesn't really affect people using it anymore. Just designate the com and net zones as des

      • To be honest: I know next to nothing (ok, ok...nothing) about networking. I'm a copywriter for an ad agency who happens to enjoy reading slashdot. With that qualifier, and with the understanding that all domains resolving is causing havoc, would it be a decent compromise if a mis-spelled didn't resolve to verisigns little "are you sure you didn't mean..." page, but did in a few seconds? Would a few second of 404 be enough to fix the resolution problems occuring?

        Not that this solution means that VS is righ

        • Re:To be honest (Score:5, Informative)

          by Atzanteol ( 99067 ) on Tuesday September 23, 2003 @10:54PM (#7040520) Homepage
          The problem is that Verisign is doing their wildcarding at the DNS level. This effects the entire *internet*, not just the World Wide Web. So not only do you get directed to their site on your web-browser, but also if you lookup domains for telnet, ftp, ssh, smtp, etc. This causes problem for (among other things) spam filters, who check that your domain exists (well, now *all* .com domains exist) before delivering mail.

          Verisign is being extremely short-sighted. This whole deal reeks of a moronic manager who thught this would be a 'wonderful' idea.
      • Re:To be honest (Score:4, Insightful)

        by gothicpoet ( 694573 ) on Wednesday September 24, 2003 @03:23AM (#7041611) Homepage Journal
        This is an absolute abuse of Verisign's position. They are contracted to *maintain* the database, not warp it to their own *commercial* purposes. If this was actually a valid service, they would have had no trouble with proposing it to the Internet standards bodies before implementing it. Instead, they're defying those organizations. Worse yet, they've actually put me in the position of agreeing with ICANN.

        With those words (an absolute abuse) you just described most of what Verisign has done.

        Folks should remember, this is the company that was contracted to *maintain* the database until one day they decided that they *owned* the database... (errr... okay... if I get paid to clean all the cars at the dealership can I decide one day that I own them all and get away with it?)

        And yet somehow years after that magical acquisition of property rights they've still got the contracts. They've gotten away with all kinds of stuff and like a spoiled child they'll keep taking more until (if ever) someone takes away their privileges and sends them to time out.

        Gotta agree with you that there's no way that any benefits that stupid Sitefinder page provides make up for the abuse of position and random chaos it's caused.

    • Re:To be honest (Score:5, Insightful)

      by __aavhli5779 ( 690619 ) on Tuesday September 23, 2003 @09:56PM (#7040240) Journal
      Though you've been modded flaimbait, I'm assuming you were simply posting from the perspective of a strictly web user, who could presumably be helped (emphasis on presumably) by being redirected to SiteFinder and pointed to the proper site.

      I think the main thing that has admins screaming, however, is that SiteFinder breaks so many other services just to provide a questionable service for web surfers. Sure, surfers may benefit, but email admins, DNS admins, and many others are banging their heads against the wall because of the problems Verisign's divergence from accepted protocol has caused them.

      Just a thought.
      • Re:To be honest (Score:5, Interesting)

        by Anonymous Coward on Tuesday September 23, 2003 @10:43PM (#7040476)

        (Posted anonymously to avoid a rampaging mob outside my house)

        I'm a professional spammer. Well, that's a harsh term. I run bulk-email servers. I trust my clients that their entire list has double opted-in when they say so. Most are quite legitimate mailing lists; some are probably not.

        This new bug is a godsend, but not for the reason a lot of people are saying. I don't fake "from" addresses, so I don't get any added anonymity from a wildcard.

        What I do get is the ability to send my emails that have bad domains in them to a nominally but not effectively existant box at Verisign. I no longer get bad domain bounces to worry about.

        • Re:To be honest (Score:2, Insightful)

          by Anonymous Coward
          I believe this to be one of the motivating factors at play here.

          Verisign can essentially force spammers to take wild shots in the dark. Now, instead of being able to scan for dead email addresses and domains, they have to mark all addresses on their list as current. They simply couldn't know whether an email address was taken offline because any bad address goes to the big Verisign server in the sky.

          So this makes the spammers' work more expensive through higher fees from people like yourself who are act
          • It's an A record, not an MX record. Pretty easy to scan for only domains that have MX entries. I'd be quite irritated if mailservers dropped support for delivering to @ A records, but most spammers don't care.

            Besides, sitefinder is a pretty obvious address. Even if you wanted to keep addresses @ A records, you could just filter out a single IP.
        • Re:To be honest (Score:3, Informative)

          by Anonymous Coward
          You're just trollin'.

          VeriSign's mail server is called the Snubby Mail Rejector Daemon v1.5

          v1.3 wasn't fully SMTP compliant: See here. [ietf.org]

          v1.5 now responds a little more properly: See here. [ietf.org]

          It rejects them anyway.
    • Re:To be honest (Score:5, Insightful)

      by LostCluster ( 625375 ) on Tuesday September 23, 2003 @10:49PM (#7040503)
      But, do you really like that it's Versign doing this for you? Assuming you use IE, MSN already provided this service to you. Verisign has just exploited the DNS system to make their service come up in situations where MSN's used to come up. Other browser developers could have designed their own responses to the "NXDOMAIN" signal, but now Verisign has stopped returning "NXDOMAIN" and instead returns a redirect to their own site... That's what really rubs people the wrong way. Instead of returning the error code that people thought they could depend on, they're returning a redirect to a service you didn't ask for. Yeah, it's a pretty good service on its merits if they tried to sell it to you... but instead they're forcing it on some people who were happy with MSN's service or happy with the traditional error...
      • Verisign has just exploited the DNS system to make their service come up in situations where MSN's used to come up.

        Odd that we haven't heard from MSFT on this one. Perhaps their lawyers are still niggling the words of their complaint, but I have to believe that MSFT will come after Verisign.

        Of course, then we get into a "who do we hate more" conundrum, but they're always entertaining.
    • Re:To be honest (Score:3, Insightful)

      by mlk ( 18543 )
      Then use client side software, why should EVERYONE suffer for YOUR tastes.
    • Re:To be honest (Score:3, Interesting)

      by 0x0d0a ( 568518 )
      Fine -- it may be convenient for you, but the way they implement it is the wrong way from a technical standpoint (though the only way they'd be able to impose their own page). The technically correct approach is to have your browser query a website (sitefinder, if you want) if the DNS resolution fails. The approach they're using breaks valid systems Internet-wide.
    • Such behaviour may be useful in some instances but it should not be rooted deep down in the DNS systems.

      Your user agent (ie your browser) is what should be doing this for you if you so desire.
    • "I kind of like the Verisign redirect. I sometimes mistype URLs and the Verisign page usually has a link to the page I was looking for. It's a pretty nice system considering the alternatives."

      It's not everyday you see a +5 Flamebait.
    • Please read this comment [slashdot.org]. You've just given Verisign and a whole bunch of other companies license to use any intellectual property you've ever created.
  • legalities (Score:5, Insightful)

    by micronix1 ( 590179 ) on Tuesday September 23, 2003 @09:46PM (#7040169)
    legally, is veri allowed to redirect requests to their own domain? if not, who has the rights to unused domain names?
    • Re:legalities (Score:4, Informative)

      by the uNF cola ( 657200 ) on Tuesday September 23, 2003 @09:55PM (#7040232)
      register.com lost a suit similar to what you are talking about.

      when you buy a domain from rcom, your page automagically defaults to a page. This page is pretty much an advertisement for rcom and such. it drives revenue towards rcom.

      many MANY people thought this was crooked, so there was a civil suit.. which rcom lost.

      I couldn't see a case like this wouldn't run the same, since both the rcom parked-page service and this have search links and nifo that drive revnue to their respective companies...
      • Re:legalities (Score:4, Insightful)

        by strags ( 209606 ) on Wednesday September 24, 2003 @12:20AM (#7040976)
        I think you're overstating things a bit here. The register.com "coming soon" page was a convenience, nothing more - the moment you set valid DNS server addresses, your domain information is updated.

        This lawsuit was fairly frivolous if you ask me. It was covered on Slashdot a while back here [slashdot.org].

        This is nothing like the Verisign case - what they are doing is abusing a monopoly position, and in doing so, causing havoc with a number of internet-based pieces of software, most notably spam filters.

    • Re:legalities (Score:4, Informative)

      by the uNF cola ( 657200 ) on Tuesday September 23, 2003 @10:04PM (#7040289)
      a second note:

      if i register abacadaba.com, and abacadaba.com becomes the biggest thing next to yahoo and slashdot combined with sex.com... everyone would want to go to abacadaba.com, or so i hope.

      all mispellings on my idea, and my trademark if ihave it trademarked, will go to versign. they'd effectively be making money off of me via a transitive property.. sorta. people want to see my site which makes money, verisign takes all mispellings of my site.. people make verisign money!

      whoa.. i think i just proved step 2 :\
      • by orthogonal ( 588627 ) on Tuesday September 23, 2003 @11:01PM (#7040558) Journal
        the biggest thing next to yahoo and slashdot combined with sex.com

        Please, please, please never suggest slashdot combined with sex.com again.

        The vision that flashed in my head when I read it made me what to flush my eyes with acid while destroying my occipital lobe with a baseball bat.

        And I don't think I'll be able to keep down food for a week.
    • I believe that Verisign's use of a wildcard to map all DNS requests for *.com to their web site violates the relevant RFC's.

      Going through all of the DNS RFC's, all of them assume or require that when a name is not found, the DNS server return an error.

      Going through them in historical order: RFC 811 specifies that if the name is not found, a 'NAMNFD' code is returned. RFC 1034 also talks about sending "a name error indicating that the name does not exist" and "A name error (NE). This happens when the refer
      • Re:legalities (Score:4, Informative)

        by laird ( 2705 ) <lairdp@gm a i l.com> on Tuesday September 23, 2003 @11:39PM (#7040730) Journal
        plain old text mangles my post a bit, so here it is again. Sorry I didn't catch it in preview...

        I believe that Verisign's use of a wildcard to map all DNS requests for *.com to their web site violates the relevant RFC's.

        Going through all of the DNS RFC's, all of them assume or require that when a name is not found, the DNS server return an error.

        Going through them in historical order: RFC 811 specifies that if the name is not found, a 'NAMNFD' code is returned. RFC 1034 also talks about sending "a name error indicating that the name does not exist" and "A name error (NE). This happens when the referenced name does not exist. For example, a user may have mistyped a host name." It also discusses caching name errors for efficiency, which of course only makes sense if the authoritative DNS servers actually issue name errors (which Verisign is now not doing). RFC 1035 specifies that if "the domain name referenced in the query does not exist" that a "Name Error" be returned.

        There is a wildcard mechanism in RFC 1034, but it's defined to apply to '"*.<anydomain>", where <anydomain> is any domain name' which makes it pretty clear to me that it's not intended to apply to domains. To emphasise this, all of the examples of DNS wildcards are of the form *.X.COM or *.A.X.COM.
  • by Anonymous Coward on Tuesday September 23, 2003 @09:46PM (#7040171)
    How many times have you meant to go to goatse.cx and missed a letter, like goats.cx. This sort of site would help out users quite a bit. It could also offer other helpful suggestions, such as dogse.cx and pigse.cx.
  • by ksuMacGyver ( 562019 ) on Tuesday September 23, 2003 @09:46PM (#7040176) Homepage
    Get your Patched BIND for Slackware here: [dropline.net]

    The more ISPs that use this, the more uncommon the SiteFinder 'service' becomes---the less users expect it.

    Remember when popups where not expected? After using mozilla for a while I simply cannot stand them now!
    ---
  • by Saint Aardvark ( 159009 ) * on Tuesday September 23, 2003 @09:52PM (#7040211) Homepage Journal
    From Vixie:

    Some people suggest that administration of the DNS is a public trust, and that VeriSign is merely the caretaker of this system, not its owner. And now VeriSign has abused that trust. That may be true. Before a few days ago it didn't matter whether VeriSign was the owner or a caretaker. Now it matters a lot. VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission?

    If you think about this from a social point of view, not just technical, this is absolutely fascinating (rather than just irratating/punch-provoking): here's an ability, that was theoretically possible all along, to have this big effect on something lots and lots of people use. No one made use of it before. Now someone has, and it's

    1. (presumably) made a bunch of money for those who did it, and
    2. pissed off a lot of -- but not all -- people.

    Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?

    I know what I think is the right answer, and it's what (probably) the rest of you think. But the final answer isn't up to you and me, or at least not you and me alone. Watching that process of who-gets-to-decide is going to be at least as interesting and precedent-setting as what the final decision ends up being.

    • by GigsVT ( 208848 ) on Tuesday September 23, 2003 @10:13PM (#7040334) Journal
      It's a question of the duties of a provider of infrastructure.

      There's a certain relationship between a consumer of infrastructure and a provider of it. The consumer must trust the infrastructure to do what it is supposed to do, and nothing more.

      This is no different from ISPs randomly redirecting users to their own branded search engine when you type in "www.google.com", or an ISP's employee intercepting passwords and using them to steal money.

      Infrastructure providers inherently have a lot of control over the services they provide. There is a duty there to provide the service as expected, without changing the content that is carried.

      Verisign's position as a chartered monopoly makes this duty even more important, because consumers have no choice to use an alternative.

      I'm not sure what you mean by "No one's made use of it before"... No one else could make use of it (in .com and .net), Verisign is, as I said, a monopoly.

      Other CCTLDs have used wildcards before, but no one much cares about some island that is abusing the CC system to make extra money.
      • by Saint Aardvark ( 159009 ) * on Tuesday September 23, 2003 @10:33PM (#7040435) Homepage Journal
        I'm not sure what you mean by "No one's made use of it before"... No one else could make use of it (in .com and .net), Verisign is, as I said, a monopoly.

        Bad choice of words: As you mentioned, I understand that other TLD registrars have made use of this before. Amended sentence: no one in this position of power (.com and .net being what they are) has made use of this before.

        This:

        This is no different from ISPs randomly redirecting users to their own branded search engine when you type in "www.google.com", or an ISP's employee intercepting passwords and using them to steal money.

        and this from the comment below:

        I do....I, and all the other sysadmins out there, decide whether SiteFinder works or not.

        are exactly what I'm talking about when I say that this debate is fascinating. In all honesty, I'd give a lot to sit down w/whoever at Verisign and ask them these same questions -- not necessarily to provoke the answer that I feel is right, but just to see how separate groups of intelligent people come to utterly different answers about these questions.

    • by Anonymous Coward on Tuesday September 23, 2003 @10:22PM (#7040383)
      Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?

      I do. I run the DNS servers at an ISP, and I am planning to apply the ISC patch that restricts delegation from root servers (as soon as the bugs are shaken out of it -- give it a week or two.) I, and all the other sysadmins out there, decide whether SiteFinder works or not.

    • Well, besides de facto power of all the DNS operators out there, if the ICANN says "thou art not root anymore", won't that more or less effectively make it so? I mean, I'm not saying I think ICANN is the greatest body to be doing this, since they aren't terrible responsive to the needs of the citizenry of the Internet, but doesn't it mostly seem odd that Verisign has such a sack on them that they think they can just pull this and get away with it?

      I guess if you look at the way Verisign has tried to build

    • by TheLink ( 130905 ) on Tuesday September 23, 2003 @11:51PM (#7040815) Journal
      Actually we have a voice.

      How about we give verisign what it wants - traffic to nonexistent domains.

      People with webpages should start having 1x1 img links to nonexistent domains. Should be one pixel by one pixel, in case the image from verisign is not desirable.

      e.g. img src=http://www.asdasdnrerwtc.com/ height=1 width=1

      That way verisign gets traffic for every page.

      You can even make a "broken ribbon" logo with a fancy table and lots of 1x1 images and coloured 1x1 image. There's a small chance it could get subverted and show the wrong image.
  • by __aavhli5779 ( 690619 ) on Tuesday September 23, 2003 @09:53PM (#7040221) Journal
    PV: I hope but I don't think so. I've heard that the patch works well, but VeriSign could bypass the patch. It could make synthesized responses look more like delegations. I don't think it will do that. VeriSign's spokesperson, Brian O'Shaughnessy, suggested that if people don't want this, they're free to block it. It's really meant to be a service for the supposedly inconvenienced web surfers. VeriSign maintains that its search page is
    more useful than 404 error messages. If VeriSign bypassed the patch, it would have to escalate things and retract these statements about how folks were free to block the wildcard.


    Though I agree with everything he said (and thought he did so quite eloquently), it's a bit disheartening to see the chairman of the ISC refer to NXDOMAIN as a 404.
  • I think we should all go there at once.

    We can say that we were all on our way to the grocery, made a wrong turn, and ended up at his house.

    Then we can demand to buy groceries.
    I'm sure he won't mind. Everyones ends up at his site for that reason, right?
  • by Anonymous Coward on Tuesday September 23, 2003 @09:54PM (#7040225)
    Dr. Paul Twomey
    President & CEO
    ICANN
    4676 Admiralty Way
    Suite 330
    Marina del Rey, CA 90292

    September 22, 2003

    Dear Paul,

    Public Interest Registry (PIR), the operator of the registry of the .ORG domain, supports ICANN's call for the voluntary suspension of VeriSign's deployment of a DNS wildcard service. We believe that ICANN (and the entire Internet community) should take steps to prevent all registries from unilaterally implementing changes to DNS that redirect requests for invalid domain names to any other site. PIR will not offer any service that makes such a change in the DNS.

    PIR also supports the Internet Architecture Board (IAB) statement on the same subject as set forth at:
    http://www.iab.org/documents/docs/2003-09-20- dns-w ildcards.html

    DNS is a critical piece of Internet infrastructure. Internet services such as the WWW and Email rely on DNS to function, and there should be no interference with the established protocols until there is complete assurance of no negative impact on the DNS.

    In another context, the Internet Architecture Board (IAB) has commented:

    "At the core of all of the IAB's concerns is the architectural principle that the DNS is a lookup service which must behave in an interoperable, predictable way at all levels of the DNS hierarchy. Furthermore, as a lookup service it is such a fundamental part of the Internet's infrastructure that converting it to an application-based search service ... is not

    Page 2

    appropriate even in the case where the query presented would not normally map to a registered domain."

    The architectural principle referred to by the IAB is clearly violated by the changes proposed for the .COM and .NET domains.

    On Monday, September 15, VeriSign changed the behavior of the .COM and .NET TLDs by adjusting servers to respond to requests for non-existent domains with a reference to the VeriSign Site Finder web site, (in other words, "wildcarding"). To a requesting user, it appears that non-existent domains are valid, because they are directed to the Site Finder. There is no difference between the responses for valid domains versus invalid domains from VeriSign's TLD servers.

    Because the VeriSign Site Finder server makes it appear that a non-existent domain exists, the service introduces significant problems to critical Internet infrastructure. Many other important Internet protocols rely heavily on proper DNS behavior. The impact of VeriSign's Site Finder is unclear with respect to security of the DNS. Site Finder unilaterally precludes the use of a prevalent type of anti-spam mail filter that uses DNS to validate the domain of legitimate eMails.

    Because VeriSign's servers are authoritative for the .COM and .NET TLDs, the most prevalent of the TLDs, Internet users have little protection against the imposition of this flawed system. VeriSign implemented the Site Finder system with little advance notice or public commentary by the Internet community. We believe such unilateral behavior in changing a critical resource necessary for the world's information systems is inconsistent with the responsibilities of registries under their contracts with ICANN, particularly because of the necessity of DNS for other Internet resources to function properly.

    We are informed that other domain registries may be exploring services similar to the VeriSign Site Finder. (As noted above, PIR will
    Page 3

    not be one of them.) If this is the case, our comments concerning Site Finder apply with equal force to those other services. We believe that any such efforts to alter the TLD DNS systems, of which the VeriSign Site Finder appears to be the most prominent example, adversely affect the Internet infrastructure and the entire Internet community.

    Therefore,
  • by Saint Aardvark ( 159009 ) * on Tuesday September 23, 2003 @09:55PM (#7040231) Homepage Journal
    $ strings letter-to-ICANN-re-SiteFinder-030921.doc | fmt | less
  • by lightspawn ( 155347 ) on Tuesday September 23, 2003 @10:10PM (#7040322) Homepage
    But I didn't care because I don't celebrate Christmas.

    Then they came for .museum
    but I didn't care because I haven't been in one in ages.

    Then they came for .a bunch of small countries
    But I didn't care because I've never heard of them.

    Then they came for .com and .net,
    and nobody cared because it's common business practice.

    Note: according to a posting I just looked up, at least 11 TLDs (.cc, .cx, .io, .mp, .museum, .nu, .ph, .td, .tk, .tv, .ws) pulled the same stunt. I probably got the relative times wrong too.
    • by Anonymous Coward
      Yup - and the best part is to see Vixie being incredibly careful to always point out that TLDs that have always used wildcards should be exempt from the ban. He's got his pet zone, .museum, to take care of - and it definitely uses a wildcard. A bit of hypocrisy is refreshing now and then.
      • by Zocalo ( 252965 ) on Wednesday September 24, 2003 @04:23AM (#7041778) Homepage
        Yes, museum uses a wildcard, so what? Firstly the intention to wildcard was right up there and stated in the original proposal for the domain, before it was even approved by ICANN. Unlike Verisign's contract with ICANN, in which they are explicitly instructed to return NXDOMAIN on their .COM and .NET domains (.ORG too, but that is now moot), MuseDoma had approval to do this.

        Why? Well firstly, .musuem is a highly restricted domain, and secondly it's all to do with how museums operate. If I go to the London Science Museum and start asking for paleontology information, they will redirect me across to the National History Museum. The wildcarding is just a virtual way of helping people find what they are looking for, which makes sense.

        ".com" on the otherhand, is a largely unregulated free for all of firstcome first served registrations and lawsuits, trying to apply a structure to that is insane. A good analogy I saw from another poster here on Slashdot was the difference between the alt.* and comp.sci.* heirarchies on Usenet. Do *you* want to try being a moderator on .alt?

  • .org, .us, .do .it (Score:5, Interesting)

    by krray ( 605395 ) * on Tuesday September 23, 2003 @10:14PM (#7040339)
    Whatever. Why aren't more people just ditching their precious .COM names. Think UPS.com or Amazon.com couldn't get away with switching? Sure they could...

    For those in the .US take a look at NIC.US [nic.us] which can point you to all the various registrars. Heck, it's cheaper -- typically $15/yr.

    The only thing Verisign will understand is people speaking with their dollars. And yes, I personally have switched my domains over to .US -- of course I'll handle the .COM traffic until they expire in a year or two. In the mean time everything going out says .US as of yesterday.

    Sure, business cards and letter head still say .COM, but they surely won't on the next order. Maybe a year.
    • Someone give this person some Karma. My personal site lives on .com.au (as does my company). My subdomain redirect is a .org. I'm about to post something to our corporate group BBS that will recommend that we stay away from getting a .com at least until Verisign's latest stunt is resolved.
  • by lightspawn ( 155347 ) on Tuesday September 23, 2003 @10:14PM (#7040344) Homepage
    getting their ISP to upgrade DNS servers to counter this threat?

    I'd appreciate any suggestions.
  • by Anthony ( 4077 ) on Tuesday September 23, 2003 @10:15PM (#7040349) Homepage Journal
    This started about 1995 when people begain to conflate the Web with the Internet.
  • by SEE ( 7681 ) on Tuesday September 23, 2003 @10:18PM (#7040361) Homepage
    Not quite on-topic, and a repost, but . . .

    1. The Department of Commerce [mailto]; VeriSign's contract to operate .com and .org was originally with them.
    2. The Federal Communications Commission [fcc.gov], which oversees telecommunications.
    3. The Senate Commerce Committee's Subcommittee on Communications [senate.gov]; contact the committee itself [senate.gov], the chairman [senate.gov], the ranking member [senate.gov], and any of the other members you'd like.
    4. The House Subcommittee on Telecommunications and the Internet [house.gov], including the committee itself [house.gov], the chairman [house.gov], the vice-chairman [house.gov], and the ranking member [house.gov].

    By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.

  • by GeorgeK ( 642310 ) on Tuesday September 23, 2003 @10:18PM (#7040364) Homepage

    It's now here [whois.sc] having been Slashdotted last time....on a better server this time, though (we hope!), so be gentle....

    It's good to see that PIR is taking the high road. If .com/net are ever redelegated, I'd much rather they run it, than someone who would be looking for every opportunity to squeeze out nickels and dimes ($100 million/yr!) from the internet community, via abuse of their monopoly. Or, perhaps a corporation with a solid reputation (maybe IBM?) would step up, to replace Verisign.

  • bootleg patches? (Score:3, Interesting)

    by krokodil ( 110356 ) on Tuesday September 23, 2003 @10:19PM (#7040365) Homepage
    It is good interview but expression "bootleg patches" was someting I disliked. It does not fits well with free/open source spirit. It assumes that there are (in marketing terms) "offical" or "authorized" patches and everything else is "bootleg". It kind makes me feel my next patch to some open source product could be considered "bootleg" which makes me feel it is unwanted.

  • Take back the roots (Score:5, Interesting)

    by Skapare ( 16644 ) on Tuesday September 23, 2003 @10:48PM (#7040494) Homepage

    Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have our own name servers) do.

    It's a little harder, but not a lot harder, to just run your own root zone. The biggest thing is to gather up all the NS records and associated A records for each TLD. That's a small list (relatively speaking), so it could be done via a few hundred dig commands to the root servers. Or it can be downloaded. Now once you have that data, you replace the .com and .net zones with your own. Of course that begs the question, replace it with what?

    If enough people with enough server/network power get together, they can make their own independent "realm" of domain name space, starting with a replacement root zone (as has been done in the past to add new TLDs), and a replacement for both .com and .net.

    I can just hear the complaints now (and I've heard them before): "But this will fragment the internet". My answer is: Yes!!!! yes it will! all the better. Imagine being in a whole different name space realm away from spammers and evil corporations. And maybe you can meet me in the .mp3 TLD.

    • Take back the roots! (Score:3, Informative)

      by Nonesuch ( 90847 )
      I agree, take back the roots. I notice that the .ORG zone removed the Verisign nameservers earlier this month. Any connection to SiteFinder?

      Skapare writes:

      Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have ou

  • by Skapare ( 16644 ) on Tuesday September 23, 2003 @10:59PM (#7040550) Homepage

    Verisign can break Vixie's patch. All they have to do is set up a separate name server which pretends to be a .com and .net server, with the very same wildcarded A-record. Now just put in wildcarded NS-records in the actual .com and .net zones in the real GTLD servers (in place of the existing wildcarded A-record). There, now it really looks like a real delegation to a different name server, just like real domains have. The new delegated wildcard server gets the query next, due to the delegation (that looks like a delegation, hence fools the patch), and due to its wildcard (and it doesn't need any other data from the .com or .net zones, since it doesn't get delegated to for real domains), it will answer with an A record of Verisign's choosing. If Verisign wants to keep doing what they are doing, they can defeat this patch by that method.

    Then we'll have to make DNS servers filter out specific delegations (as opposed to filtering out non-delegation records where there should be only delegations). Verisign could rotate those delegations daily and fool efforts to block it.

    • You idiot!

      Don't give them any ideas. I'm convinced marketing thought up the last one, and the techs who implemented it were probably resentful, and did it as simply as possible.

      Now everyone... just lower your weapons, slowly.... slowly...
  • I keep hearing that the Verisign wildcard BS is causing problems with spam filtering because now all *.com domains appear to be valid.

    Why can't we work around this by instead of checking if the address is valid, check if the address comes back to Verisign's server???

  • Now, I understand that what VeriSign has done is wrong in several ways, but to play devil's advocate, I want to ask you guys a question:

    What if rather than sitefinder, it redirected you to google? The "feature" they are trying to convince us they provide is basically spell checking the URL you type. "salshdot.org? Oh... you meant slashdot, here let me take you there."

    What if this had been done in a more acceptable way, where profit leeching wasn't a suspected motive? Would we still complain?

    And btw, the
    • I'd not use google any more.

      It is not the person, it is the act.

      You not seeing a down side is neither here nor there, if you want this functionality, install software on your local machine to do so.
    • by achurch ( 201270 ) on Tuesday September 23, 2003 @11:40PM (#7040738) Homepage

      Whether it's SiteFinder, Google, or even Slashdot, the issue is not so much (or at least not only) the fact that a website comes up instead of a 404. It's the fact that practically everything automated breaks because this "service" is oriented toward humans. Consider:

      • "Automatic domain completion" in browsers, where you can type "slashdot" and get it completed to "http://slashdot.org/" if slashdot.{com,net} don't exist. This will fail to work because DNS will no longer return NXDOMAIN for nonexistent domains. (Admittedly, with everyone and his brother registering .com domains this is something of a straw man...)
      • Spam filters. Many server admins have installed a filter that denies mail with a From: address in a nonexistent domain. With Verisign answering every .com/.net query with an A record, these filters have become essentially useless.

      I'm sure there are others, but the point is that what's good for human users is not good for computers, and it should be the client, i.e. the thing interacting directly with the human user, that interprets the computer responses and makes them easier to use for humans. (There wouldn't be nearly as much uproar over this if Verisign had, say, made a deal with Microsoft to redirect all NXDOMAIN queries to SiteFinder; in that case it would be an Internet Explorer, i.e. client issue, and DNS itself would be unharmed.)

      • by laird ( 2705 )
        The thing that bothers me is that new Verisign has configured the DNS system to lie to everyone because it's profitable for them to do so. DNS' responsibility is simple: allow applications to look up names. If the name is registered it should return the appropriate IP address. If the name is not registered it should return an error. While Verisign has delusions of power, their job (in this situation) is simply to operate the DNS database, which they've just failed on a massive scale. The contract should be
  • A quart of kerosene can spoil a tanker-truck full of milk:

    #!/usr/bin/perl

    srand();

    my @alpha = (a..z);
    my @prefix= qw( www web1 web2 ftp mail dns ns1 ns2 ns3 dns1 dns2 dns3 );
    my @suffix = qw ( com net );
    $|=1;
    while(1) {
    my $length = int(rand(16)+1);
    my $n = "";
    for (0..$length) {
    $n.=$alpha[int(rand(26))];
    }
    my $p = $prefix[int(rand($#prefix))];
    my $s = $suffix[int(rand($#suffix))];
    $l = `nslookup $p.$n.$s`;
    print $l;
    sleep int(rand(5))+1;
    }

    enough crap in their database, it won't be good for mark
    • You'll just hammer your ISP's DNS resolver, killing it's cache; or whomever your nameserver peers with.

      Instead, hit the IP addresses of sitefinder and sitefinder-idn.verisign.com directly with bogus HTTP requests instead. I can't be sure, but I'll bet they don't record the requests at the DNS server, but at the webserver because the logs are probably easier to process with existing web analysis tools.

      (Does anyone know if you can directly ask a root server about a domain? I didn't think mere mortals could)
      • by Nonesuch ( 90847 ) on Wednesday September 24, 2003 @12:13AM (#7040940) Homepage Journal
        My guess is that Verisign does log the requests received, but does not normally go to the effort to correlate the DNS requests with hits to SiteFinder, and that if you want to mess with their marketing data, you would want to send bogus requests to the SiteFinder HTTP, not just bogus DNS queries.
        Does anyone know if you can directly ask a root server about a domain? I didn't think mere mortals could
        Yes you can.

        Any host can make non-recursive requests to the root servers.

        Technically, if a query for whatever.com arrives at a root server, it should only return the list of NS records for .COM, and if a query for whatever.com arrives at an authoritative server for .COM (many roots are also .COM servers), it should only return the registered NS records for whatever.com.

        In fact, that is exactly the problem -- the Verisign roots should return only NS or NXDOMAIN records, but for names in .COM .or .NET, they instead "synthesize" an A record, pointing to sitefinder, with a 15 minute TTL (cache lifetime).

        The various hacks either ignore the specific A record, or ignore records from root servers other than NS. The latter is a cleaner approach, IMHO.

  • by Bob9113 ( 14996 ) on Tuesday September 23, 2003 @11:08PM (#7040584) Homepage
    Here's a fun solution:

    If your ISP hasn't fixed this yet, go to http://ibm-asdf-hardware.com [ibm-asdf-hardware.com]

    Do you think IBM might be a little bit pissed off about their trademark being used to point to someone else's computer hardware site? Do you think they might, I dunno, sue?

    How about all these other blatant trademark infringements:
    http://ibm-asda-hardware.com
    http ://ibm-asdb-hardware.com
    http://ibm-asdc-hardware .com
    http://ibm-asdd-hardware.com
    http://ibm-asd e-hardware.com
    http://ibm-asdg-hardware.com
    http ://ibm-asdh-hardware.com
    http://ibm-asdi-hardware .com
    http://ibm-asdj-hardware.com

    As I see it, Verisign is facing a not-quite-infinite number of trademark infringement lawsuits. And, of course, if Verisign switches to point to IBM, I'm sure hardware.com would be delighted to fire their own volley of lawyers.
  • by Skapare ( 16644 ) on Tuesday September 23, 2003 @11:10PM (#7040597) Homepage
    PV: I hope but I don't think so. I've heard that the patch works well, but VeriSign could bypass the patch. It could make synthesized responses look more like delegations. I don't think it will do that. VeriSign's spokesperson, Brian O'Shaughnessy, suggested that if people don't want this, they're free to block it. It's really meant to be a service for the supposedly inconvenienced web surfers. VeriSign maintains that its search page is more useful than 404 error messages. If VeriSign bypassed the patch, it would have to escalate things and retract these statements about how folks were free to block the wildcard.

    What? How the hell do you get an HTTP 404 error message if there's no server to even connect to?

  • by morelife ( 213920 ) <f00fbugNO@SPAMpostREMOVETHISman.at> on Tuesday September 23, 2003 @11:25PM (#7040671)
    I am surprised that Paul Vixie did not seem to exhibit much emotion regarding the Sitefinder situation - for someone who's been at the core of what we now know as the DNS for so many years (you would think it's like his own child:).

    He seemed reserved, while calmly pointing out, part by part, what is wrong with Verisign's actions. More of this is called for from the important people in the Internet technical and business community - the way community coverage has been heading, and the way comments are worded on Slashdot and other sites, is leading to resentment, anger, name-calling, and joking about Verisign and their policies, creating a situation in which the community is less likely to be taken seriously by Verisign, Microsoft, AOL, etc. Mr. Vixie also mentions that there are smart people at Verisign, reminding us that the Sitefinder "service" is the brainchild of but a handful of people, maybe even just one or two. It reminds me that as engineers, we still have to work with the other guy at a certain level.. becoming enemies doesn't help anything.

    Mr. Vixie is saying that perhaps ICANN should "do something about it". This whole situation should be approached by attorneys general, from the both the branding/business practices angle mentioned by Mr. Vixie, and also from the consumer rights angle (much like telemarketers). Right now the average consumer can get effectively get rid of telemarketers, thanks to recent laws, with a single verbal or written request, but the Sitefinder service can only be circumvented using DNS tools by an engineer or technician "in charge" of the DNS servers. The web-browsing consumer has no way around this by themselves.

  • Doublespeak? (Score:2, Insightful)

    Am I the only one who finds it ironic that Verisign's slogan is "The Value of Trust"? They sure don't seem to be aware of just that, the value of the trust we have given them.
  • In the past, ICANN has always made a song and dance about the crucial need for DNS stability, yet now, in the face of a unilateral move that causes great instability, they meekly ask Verisign to please stop. If ICANN are too spineless to act, then the Department of Commerce needs to step in. Despite the contractual complexities (see Karl Auerbach's blog [cavebear.com]), Verisign have committed a fundamental breach of trust, and the DoC should reallocate responsibility for .net and .com as soon as practically possible.

  • Terms of Use (Score:2, Interesting)

    by Joystickit ( 529613 )
    If you read the Terms of Use [verisign.com] you can see that

    # Sole Remedy.
    YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.

    Couldn't they be sued for not providing some way for users to discontinue use of their service? It's like the shrink wrapped EULA, exce

  • www..com
    Host www..com not found.

    www..net
    Host www..net not found.

    www..org
    Host www..org not found.

    Did we win?

  • by SharpFang ( 651121 ) on Wednesday September 24, 2003 @01:26AM (#7041203) Homepage Journal
    ...let them do it. Just charge them for all names registered. Assuming they wildcard the name with 26 letters plus "-", say, 20 chars deep, charge them 27^20 registered domain names. Even with a good discount, say, $0.01/domain name it will still be more than there is money on Earth :)

Trap full -- please empty.

Working...