Slashdot Mirror

Hi my name is Shashi Bellamkonda and I work for Network Solutions. Aprreciate the opportunity to clarify. Here is a response on Circleid http://www.circleid.com/posts/81082_network_solutions_front_running/. Network Solutions is not front running. We've implemented a customer protection measure to help defend our customers against the actions of "front runners" or those persons who register domain names known to have been searched, for the purpose of monetizing them and then selling them at inflated prices either directly to the customer who searched for the domain or through aftermarket channels. The protection measure holds the searched domains at Network Solutions for up to 4 days so customers can take the time to decide whether registration of the domain name will help them build and protect their brand. Network Solutions is not registering these names at the end of the reservation period with the hope of selling them in the secondary market. Likewise, we're not placing any advertisements on these domains to monetize their traffic while they are in the reservation period.

"Whereas people _do_ intentionally leave access points open and there is no way for the general public to know if an AP was left open intentionally or not."

You could rename the SSID to OPEN2PUBLIC, BUT even then most people would wish to have some terms and conditions, or provide some info.

And that's where a "local-only" TLD[1] comes in useful. You could do http://here/ and possibly get information about the network you are using.

Forcibly redirecting people to show them some webpage first has many disadvantages.

But, I didn't have a spare USD100k to throw at ICANN to apply to get the TLD and then give it to the world for free. I did ask them to reserve it (even wrote to Esther Dyson, etc and got one or two replies), but they obviously thought stuff like .museum, .name, .biz and .info were more useful.

I think something like a .here tld would be more useful to the world (much like the RFC1918 IP addresses) but I'm biased...

Oh well.

[1] http://www.circleid.com/posts/top_level_domains_fo r_addressing_by_physical_context/
http://www.potaroo.net/ietf/idref/draft-yeoh-tldhe re/

Actually, it wasn't even new when folks started noticing it 2 years ago. It actually started as early as 2001, as documented in a history of name tasting posted by veteran domain professional Frank Schilling over at Circle ID. Changes in 2004 made it easier, which is when the huge volume kicked in. But the earlier activity established a precedent for the practice.

Given how many problems with IPv4 this new revision solves and that a thorough look was taken at the protocol in its entirety, of all things, I'm surprised *geeks* usually just try to find reasons to not like it. Sure, admins may need to retrain, and there'll be infrastructure costs, but since when did geeks stop looking at positive evolution as being bigger than these things?

There's also always a lot of FUD spread around this matter, and one can find it even in this topic, for example IPv6 increasing routing complexity. IPv6 uses hierarchical address ranges *and* is modularized so there's not just less complexity, but even less *traffic* to route unless using more advanced features of IPv6. After the transition, IPv6 is better for your routers.

NAT's also seem to be a common enough argument against IPv6 that someone should have written a damn "Why NAT's won't solve address space issues" FAQ to uninformed people already. There is something similar enough for that though.

Anyway, instead of just ranting, here's a document about some of the changes IPv6 makes. Maybe especially this part is educative to some.

Yes folks, there is a right and a wrong way to set up NTP. Having each of your individual clients poll stratum 2 or 3 (or Allah forbid a stratum 1 server) directly is like configuring each of your clients to poll the the Internet's DNS Root Servers directly. After all very few of the queries sent to the root servers are unnecessary or frivolous. A proper NTP design is essential for any entreprise-class network. I include in this ISPs. ISPs should provide their customers with a locally-available NTP service. It's extremely easy to do. Then they should block outbound NTP queries from their dynamically-assigned customers (allowing the statics out, like you normally would for exceptions to ACLs like when you block SMTP out (you do block outbound SMTP, don't you?)). I've long-since believed that NTP will someday become a point of attack. It's not that I find a fault in the program or protocol but the very fact that it's a protocol used to enhance security and improve auditing and certainly isn't out of the minds of hackers. NTP would be fairly easy to DoS if proper ACLs aren't in place.

The point of all this is that NTP is very easy to set up correctly and is even easier to set up wrong. I wish everyone would spend the extra 0.001% of effort to do it right.

"Microsoft never have had much to do with standards, other than to completely ignore them and create their own stuff regardless."

I am not so sure about that. They made a fine friggin mess of the SPF standard by introducing patents on several key parts of the standard while delaying and filibustering until the IETF working group (MARID) became defunct as a result. I am sure I could find other examples of MS strong-arming, delaying, and otherwise being a general pain in the ass to standards bodies.

You're right : there is confusion and translation errors here.

China is not setting up a new TLD. They are just adding domains under the well known .cn domain, like .mil.cn for their military stuff. They also added domains like ".com.cn", but with chineese characters for the ".com" part. And they continue using the currend TLD servers, controlled by ICANN.

Thanks Technorati for helping me find more informed bloggers. Read it yourself:

• China's alt. root? Panic over confusion
• China's New Domain Names: Lost in Translation
• China's New Domain Names: Lost in Translation / comment

I didn't bother to listen to the podcast, but luckily this is Slashdot so no one will hold it against me.

Geoff Huston's "IPv6: Extinction, Evolution or Revolution?" is probably the most insightful thing I've ever read about IPv6 deployment, although the conclusion is pretty negative.

But assuming that IPv6 is worth deploying, Microsoft is way ahead in getting computers IPv6-enabled. Their work on Teredo should make life a lot easier for P2P developers.

I agree with you re the agenda of the piece. I love Kieran's writing in the Register, but was disappointed to see it presented on CircleID, since he's always so hyperbolic. http://www.circleid.com/posts/2005_the_year_the_us _government_undermined_the_internet/ Regarding ICANN and US Gov't, not so sure. After all their existence is controlled by the Dept. of Commerce. Really hard to suggest that doesn't allow for a lot of influence. Now, I happen to believe the vast majority of the time that influence is benign, and the government/ICANN does a far better job than the UN ever could or would. But then again I'm American, and we invented the Internet.

. One of the fundamental stumbling blocks to the continued evolution of Internet Governance is the insistence of the United States Government (USG) that it retain its historically exclusive role in connection with authorizing changes to the Root A server, particularly with respect to country code top-level domains (ccTLDs).

Vint Cerf (Co-Father of the Internet) wrote a deposition to Congress to speak out against the plan supported by Bellsouth. The text is posted here:
http://www.circleid.com/posts/vint_cerf_speaking_o ut_on_internet_neutrality/

Vint was not able to testify before Congress since he and Bob Kahn were busy that day recieving the Presidential Medal of Freedom at the White House for their (DARPANET,TCP/IP,Internet) pioneering efforts. This link was widely distributed to the North American IPv6 Task Force and IPv6 Forum where I believe the majority of engineers strongly support Vint's Views.

Vint Cerf (Father of the Internet) sent a deposition to the US Congress on this legislation. See:

http://www.circleid.com/posts/vint_cerf_speaking_o ut_on_internet_neutrality/

Vint couldn't attend in person since he was recieving the Presidential Medal of Freedom that day for his DARPANET/Internet pioneering efforts.
This link was widely disseminated in the North American IPv6 Task Force and IPv6 Forum where I believe most members strongly support Vint's views.

CFIT appears to be much less of "fuckweasels" to me.

Every nation should be represented in a fair and democratic Internet administration, not just the people we like.

If other nations do set up their own root servers, the Internet will be fractured and cease to be the useful network it is today.

You can't deny other nations a voice and still expect them to participate on your terms,

The fastest way to create client DNS software that handles multiple root servers is to give control of . to the UN. The people who care about the smooth functioning of the net would go mildly bananas, and multiroot dns would be fully implemented and deployed in 2 years. (Pro: http://public-root.com/, con: http://www.circleid.com/posts/putting_multiple_roo t_nameserver_issue_to_rest/; and naturally I think Vixie's more likely to be right about the naiive implementation, but I also suspect that the UN jerking around with DNS entries would be enough to motivate the right people (including the inestimable Mr. Vixie, I would hope) to get the work done.)

it's an international resource that only has the value it has because it is singular.

And again, its singularity is the result of a simplifying assumption in the design, as a result of being sheltered under the hands-off protection of that nasty US government. But simplifying assumptions can be discarded, the software can become more complex, if the political situation demands it.

Cheers,

Flumph

Or you will see a migration from ICANN to alternative roots.
http://www.circleid.com/article/1219_0_1_0_C/
http://www.circleid.com/article/1224_0_1_0_C/
http://www.circleid.com/article/1227_0_1_0_C/

Explanations and viewpoints.

Or you will see a migration from ICANN to alternative roots.
http://www.circleid.com/article/1219_0_1_0_C/
http://www.circleid.com/article/1224_0_1_0_C/
http://www.circleid.com/article/1227_0_1_0_C/

Explanations and viewpoints.

Or you will see a migration from ICANN to alternative roots.
http://www.circleid.com/article/1219_0_1_0_C/
http://www.circleid.com/article/1224_0_1_0_C/
http://www.circleid.com/article/1227_0_1_0_C/

Explanations and viewpoints.

That appears to be what the EU is doing, with the backing of even people like Paul Vixie. Ok, the EU hasn't mandated all of their ISPs to switch over, but that may well be done voluntarily anyway.

Once this alternate root has been set up and is being used and running well, it would be easy for everyone to switch over to it on a whim if ICANN every does anything really bad, thus reducing the chances that ICANN will do anything really bad. The US government has been known to do really stupid things all too often, but I think this reduces the chances that they will try and force ICANN to do something really bad.

Note that one of the key reasons why Paul Vixie supports OSRN is because they are *NOT* going to go around creating new TLDs and such that aren't supported by ICANN. This alternate DNS root is going to look *EXACTLY* the same as the ICANN root. Or, at least, it will until ICANN does something really stupid.

"IT is ultimately those who provide the infrastructure who will decide what needs to be organized and by whom. This isn't a government issue.. it's an ISP issue."

Except, of course, that the government currently has its finger in the pie. The US Dept of Commerce authorizes or denies changes to the DNS proposed by ICANN.

US Dept of Commerce announced in July that it would not relinquish this control:
http://www.circleid.com/article/1130_0_1_0_C/

Like any major infrastructure in the US, the government will always ensure that it has the final authority on what is and isn't allowed.

The problem, in this case, is that US Government control affects the infrastructure for other countries as well.

Correct. Spam is far worse than it was a few years ago.

It is right that China wanted their own IPvX version that was non-compatible with the normal IPv4/IPv6 standards. They called it IPv6 at one point but since that means something else to the rest of the world they eventually started calling it IPv9. Then someone realized it all was a bad idea (apparently) and nobody has mentioned it in a year or so (they may have a staff of a hundred working full-time on it secretly for all I know, but I *think* it's dead). More here: http://www.circleid.com/article/646_0_1_0_C/

This article proposes the reservation of a special use TLD to allow a more convenient addressing of devices by general physical location or context.

Introduction

As wireless networking and devices become more common there may be a need for a convenient way to address hosts by physical location or context, especially when the users themselves are using mobile or wearable devices.

A step towards this could be by reserving a special public use TLD (.here in the examples). Then this TLD can be independently hosted at various locations, so that each resulting .here domain falls under the context of that particular location. For a similar concept see RFC1918.

Example Usage of .here TLD

As an example a user could obtain a list of registered devices in each particular room or building by visiting https://all.here/ or perhaps just https://here/. Other forms could include https://who.here/ and https://what.here/

Say if the user wishes to control an air conditioner in a room, the user could visit https://airconditioner.here/ for the control page. The user could also "bookmark" popular settings such as https://airconditioner.here/settemp?celsius=25 and use it from room to room (assuming the air conditioners accept the same parameters).

Users of wearable devices could also address and access each other in a similar manner after registering with the location - e.g. https://lyeoh.here/sendobjectform or https://somebody.here/getobject?id=12345

Registration with an area could be done with DHCP [RFC2131] and dynamic DNS.

Various Considerations

Users could get the wrong address depending on how the default domain search is implemented - e.g. xxxx.here first, then xxxx.mydomain.com or vice versa. Also, it should be assumed that parties controlling the physical location could attempt to spoof or subvert communications.

Specifying .here. does not guarantee locality. Users may inadvertently or intentionally access devices at a different physical location.

Third parties could reserve a similar TLD (e.g. .her.) in order to catch typographical errors or unsuspecting users. As .her. and .he. may well become future TLDs, perhaps a less vulnerable name than .here should be used instead. A less elegant alternative is to also reserve the typos, but the Gere's (e.g. Richard) of the world may protest.

The .here TLD has already been reserved by a member of the ORSC. So to avoid conflict another TLD may have to be chosen, giving due consideration to the various alternative root zones. It seems that .local or .loc could be used but at risk of confusion with .localhost [RFC2606].

References

[RFC2606] D. Eastlake and A. Panitz, "Reserved Top Level DNS Names", RFC2606, June 1999.

[RFC2131] R. Droms, "Dynamic Host Configuration Protocol", March 1997.

[RFC1918] Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, E. Lear, "Address Allocation for Private Internets", February 1996.

If more and more major ISP's block port 25 outbound for their 'consumer grade' service, there will be less and less zombie spam from those networks. As more web and mailhosts come to grips with this (most already have, to be honest), they will ensure that they support MSA (RFC 2476), and those users that need to travel between connectivity providers will be setup to use it (only once, as it will also work when on onces 'home' network, no need to switch back and forth).

Mail that servers send to other servers, will still go via port 25, and in addition to other spam control measures, server admins wont have to deal with as many zombied wincrap boxes on $cableco or $telco/dsl networks.

Spammers can't use MSA to deliver mail to recipients, as 1. it requires authentication, and 2. it should be setup to only accept mail for outbound relay from authenticated users. Yes, there will be some cases of spammers hijacking MS email software, and using its saved passwords to send mail as that user through that users mail server, but that will be far easier to track down and squelch than the current situation of spam coming randomly from all over.

More comprehensive info at:

http://www.circleid.com/article/1039_0_1_0_C/

.here

You know about 192.168.x.x, 10.x.x.x, 172.16.x.x and 172.17.x.x private IPs?

I've been trying to get ICANN to officially reserve a TLD for _free_ _private_ use.

e.g. *.here

Then everyone who owns a network gets to define names in .here. like airconditioner.here. what.here who.here where.here or just plain here.

IMO that'll be more useful than stupid stuff like info and biz. Which are just Yet Another .Com. TLD.

Then it'll be easier to have defacto standards for accessing stuff in various _locations_ e.g. go to a cafe with a controllable jukebox, http://jukebox.here/ and you'd be able to select songs.

http://here/ and you could learn more about the free wireless access you are using and the terms and conditions (sure you can do part of that by nocatauth but then people have to remember your URL or how to return to it after they clicked OK to browse), whereas http://here/ is simpler.

See internet-draft:
http://www.watersprings.org/pub/id/draft-yeoh-tldh ere-01.txt

Alternate: http://www.circleid.com/print/540_0_1_0/

On the matter of artificial scarcity in the DNS, you may find my "Cornucopia" idea interesting. It's in the category of crazy ideas that ought to be considered, even if only to break people out of an established mindset. (Also at my site.) The basic premiss of the idea: "What if every domain name you wanted was available?"

Actually, you don't have to abandon SMTP at all. The protocol has already undergone a fairly major revision with the change to ESMTP and there are very few servers left that are still SMTP only. Technically, it wouldn't be very hard to bolt a much more robust mail transfer mechanism onto SMTP in the same manner we use to deliniate SMTP and ESMTP - the mail server banner and client "HELO/EHLO". For instance you could change the ESMTP banner to include the string "ESMTP v2" instead of just "ESMTP" and compliant servers could sign on with "ALLO", while older clients can still resort to "EHLO" or even "HELO" while the deployment is underway.

Simple, huh? Unfortunately not, because politically, it would probably be a complete nightmare to actually do anything like this. The whole idea would almost certainly break apart under the weight of competing agendas from the various parties involved. I think the whole MARID fiasco proved that beyond any doubt.

RTFA. Interesting reading on what may hinder adoption of DomainKeys for some.

an interview with the creator of SPF that compares it with DomainKeys

Yakov Shafranovich, the former co-chair of the Anti Spam Research Group (ASRG), has written an excellent dissection of the history of Sender ID, published on the CircleID website. Part 1 Part 2

Yakov Shafranovich, the former co-chair of the Anti Spam Research Group (ASRG), has written an excellent dissection of the history of Sender ID, published on the CircleID website. Part 1 Part 2

Two articles on the history of Sender-ID:
http://www.circleid.com/article/730_0_1_0_C/
http://www.circleid.com/article/732_0_1_0_C/

Two articles on the history of Sender-ID:
http://www.circleid.com/article/730_0_1_0_C/
http://www.circleid.com/article/732_0_1_0_C/

Explains some stuff behind the scenes:

http://www.circleid.com/article/730_0_1_0_C/
http://www.circleid.com/article/732_0_1_0_C/

Explains some stuff behind the scenes:

http://www.circleid.com/article/730_0_1_0_C/
http://www.circleid.com/article/732_0_1_0_C/

A few good articles on sender-ID controversy:

http://www.eweek.com/print_article/0,1761,a=134028 ,00.asp
http://www.circleid.com/article/730_0_1_0_C/
http://www.eweek.com/article2/0,1759,1639880,00.as p
http://www.newsforge.com/article.pl?sid=04/09/01/1 555212
http://trends.newsforge.com/14/04/08/26/1326244.sh tml?tid=137

Also, here are the opinions of Eben Moglen of FSF and Larry Rosen of OSI:
http://www.imc.org/ietf-mxcomp/mail-archive/msg036 78.html

So we have the Addressing Spam Channel of the leading Intelligence Hub for The Internet's Core Infrastructure & Policies interviewing the lead developer of the lead antispam solution, and half the comments under the interview are from a spamming all-caps shill who repeats his identical message over and over.

So we have the Addressing Spam Channel of the leading Intelligence Hub for The Internet's Core Infrastructure & Policies interviewing the lead developer of the lead antispam solution, and half the comments under the interview are from a spamming all-caps shill who repeats his identical message over and over.

So we have the Addressing Spam Channel of the leading Intelligence Hub for The Internet's Core Infrastructure & Policies interviewing the lead developer of the lead antispam solution, and half the comments under the interview are from a spamming all-caps shill who repeats his identical message over and over.

Depends what you mean by legitimate. Various search engines, including Google, have gotten into hot water over serving up paid sponsor links to competitors of a given trademarked search term. Dunno if any actually reached the legal arena, the search engines normally cease and desist. And let us not forget the brouhaha over MicroSoft's Smart Tags.

I fail to see how SiteFinder is any less of a trademark infringer than the prolific typosquatter John Zuccarini, who not only has lost repeatedly (admittedly not all of these are typosquats, or losses) under ICANN's UDRP, where he was found to have domain names confusingly similar to a trademark, he's been fined almost $2m, had further monetary damages found against him, and been arrested.

Generally, the usage needs to be within the same industry or product category. It is unlikely that people will confuse SiteFinder with your site.

Most of Zuccarini's 5000 + names don't point to competitors, yet he is repeatedly ruled to be illegitimate by both the courts and UDRP arbitration. Let's take an example given by John Berryhill. If I register a typosquattingly similar variant of a search engine and put up a rival search site, do you think the courts or the UDRP will find that legitimate? If not, what makes VeriSign any more legitimate for doing the same thing, or any more immune? Then again, with faux domains they don't have to agree to a clickwrap that binds them to the UDRP. Hmmm.

Privacy Alert: Watch Out For FOISA

WHOIS bill (pdf)

No, but Verisign does operate the A root server, which gets replicated to all the other root servers.

Nope, not at all. A-root is just another server, it is not involved in distribution of the root zone to the other servers. See my recent article on this topic, which CircleID picked up.

Paul Vixie

There are a lot of good reasons for everyone to upgrade. There is a good article over at CommsWorld about this. Basically the main reason for upgrading is innovation. Once everyone can attach a public IP address to all of their devices, there will be a lot of cool stuff that will come out.

(Note: the article was originally linked to from CircleID)

How much fact and reasoning does it take?

Read: http://www.circleid.com/article/298_0_1_0_C/

I don't know about the cookie, but here's the info on that bug: Omniture Bug

This is a good time to look at Bob Frankston's dotDNS proposal for a layer of reliable but meaningless domain names. dotDNS lookups can be made self-verifiable using public-key signatures, but without the costly chain of trust required by DNSSEC methods. The validity of a dotDNS binding can be verified easily by the querier, without relying at all on the server that provided the putative binding.

dotDNS does not solve the whole problem, since any layer that translates from humanly meaningful names to dotDNS names is still vulnerable to hijacking. But the reliable and verifiable name bindings in dotDNS will make it *much* easier to switch name-resolution services when we are dissatisfied with their policies.

dotDNS is a cheap and immediately deployable positive step toward fixing the DNS mess, requiring no approval by any central agency. It's time for a visionary sponsor to step forward and just do it.

Be careful when browsing; if you're accepting cookies, they're tracking you! That's why they get called VeriSlime. I got my wife to do a cool slimy logo for them. http://www.seebs.net/log/archives/000065.html

John Zuccarini arrested just a couple of weeks ago for typosquatting! Yes he was pointing miss-typed domains to porn but what about miss-spelt words that are close to trademarks!? Wonder if some thought has been put into this. Hmm... Check this out for what may be ahead for VeriSign...