VeriSign DNS in Trouble

hesiod writes "Over at CNet News, there is an article reporting that VeriSign may lose their ability to sell domains. Evidently, ICANN is miffed because VS's WHOIS database has incorrect information. Not exactly news to most of us, but they have been given 15 days to fix the errors, or risk losing the ability to sell domains."

Oh my ...

[RinkSpringer]

I wonder if this includes their right to sell SSL certificates too... it's probably an entirely different matter, but still... if they can't handle domains, why should they be able to handle SSL certificates?

Re:Oh my ...

[timeOday]

AFAIK, the "authority" behind a Verisign SSL certificates is... Verisign itself. So the question raised is not whether Verisign can continue to sign certificates, but whether anybody should trust Verisign's assurance that company X is legit.

Re:Oh my ...

[Matty_]

There is no governing body which says who can or can not issue SSL certificates. It pretty much comes down to whether the browsers are aware of the certificate authority.

Re:Oh my ...

[sideone]

bout time.. for what vs charges for a cert, i for one am glad; they are finally getting what is coming to them.

sideone ITBitch.com - Your reason for leaving work!

Re:Oh my ...

[kasperd]

whether anybody should trust Verisign's assurance

The answer to this question is mostly decided by browsers. Most browsers contains a default list of trusted certificate authorities. The user can change this list, but very few users does.

Re:Oh my ...

[Conare]

but whether anybody should trust Verisign's assurance that company X is legit
Good Question

Re:Oh my ...

this is so true! VeriSign should stop selling domais, cause they just do not know how to do it...

Re:Yeah

[blochsound]

Have they actually abused their power? Or is this just politics?

VeriSign business plan

1. Mess with WHOIS database
2. ?
3. Profit

Re:VeriSign business plan

[stratjakt]

Whoever modded that up as funny needs to be dragged out and beaten.

Those lame ass jokes haven't been funny in years.

Re:VeriSign business plan

Honestly, I know what you mean. It's a sickness.

Re:VeriSign business plan

[cyranose]

4. Pretend expired domains are not expired by filling in false owner information.
5. Profit more.

Re:VeriSign business plan

[strredwolf]

1. Mess w/WHOIS database
2. Spam 'em all
3. Profit

Re:VeriSign business plan

Well... sometimes they're funny, but not this time. That was just lame.

Of course, if they'd just prefixed it with "The obligatory...", everyone would be rolling in the aisles. Hmmmmm.

Re:VeriSign business plan

[mrobinso]

> 1. Mess with WHOIS database
> 2. ?

? = Spam, junkmail, bogus invoice-looking marketing material, extraneous and duplicitous billing, and popup ads.

> 3. Profit

Of course.

Verisign andgry at ICANN ...

[Hayzeus]

ICANN angry at Verisign. Who's gonna get all pissy next? Satan?

Re:Verisign andgry at ICANN ...

Well, if it makes you feel better, I thought it was funny.

Screw ICANN

[anthony_dipierro]

Pay for my P.O. Box and I'll update my contact information. I'm not giving people my home address.

Re:Screw ICANN

Say "Good Bye!" to your domain(s) then, skippy! I need to go and submit your domain to rfc-ignorant.org

Re:Screw ICANN

[anthony_dipierro]

Say "Good Bye!" to your domain(s) then, skippy!

I seriously doubt my domain name is going to get taken away just because I failed to change my address when I moved.

I need to go and submit your domain to rfc-ignorant.org

Go for it. You can add the fact that I block abuse@ and postmaster@ to your list of complaints.

Re:Screw ICANN

[Alrescha]

"Pay for my P.O. Box and I'll update my contact information. I'm not giving people my home address."

Why did you say this? Where does it say that a P.O. Box is problematic?

A.

Re:Screw ICANN

If they want to keep on selling domains they will. I am sure they will look in to in now that I have alerted ICANN about it. Enjoy! :)

Re:Screw ICANN

[Software]

He doesn't HAVE a PO box. According to Verisign's policies, he has to list an address. He can either list his home address (which he doesn't want to do) or get a PO box. He doesn't want to do either.

Re:Screw ICANN

[(startx)]

he's saying the only way he'll put in accurate info is if that info is a P.O. Box, which costs money. He doesn't want to list his home address for obvious reasons.

Re:Screw ICANN

[anthony_dipierro]

I don't use Verisign.

Re:Screw ICANN

[Alrescha]

"he's saying the only way he'll put in accurate info is if that info is a P.O. Box, which costs money. He doesn't want to list his home address for obvious reasons."

Thank you, I didn't twig to that. On the other hand, I must point out that if the poster doesn't already *have* a P.O. Box (or the equivalent) that game has already been lost.

A.

Who has had a P.O. Box all of his adult life.

Re:Screw ICANN

[anthony_dipierro]

On the other hand, I must point out that if the poster doesn't already *have* a P.O. Box (or the equivalent) that game has already been lost.

What game is that? Yes, it's possible to track down my address from my domain name, but it's sufficiently difficult to stop most people.

Re:Screw ICANN

[Alrescha]

"What game is that?"

Well, the previous poster claimed 'obvious reasons'. I interpreted that to mean 'wants to keep physical address more or less private'. You may or may not actually feel that way. I was also thinking more generally than just domain names. If you don't use a P.O. Box, your real address appears in far too many places to consider it private.

A.

-100 Offtopic

Re:Screw ICANN

sometimes reading IS rocket science....for some.

Re:Screw ICANN

[anthony_dipierro]

Well, the previous poster claimed 'obvious reasons'. I interpreted that to mean 'wants to keep physical address more or less private'.

Well, mainly I just don't want someone getting pissed at something I write on my website or on slashdot showing up at my doorstep. Yes, it's still possible, so maybe I'm just being overly paranoid.

If you don't use a P.O. Box, your real address appears in far too many places to consider it private.

Perhaps. At the moment I just moved 4 days ago, so pretty much no one who doesn't know me personally has my real address. And if I could lie completely about my address, instead of putting an old address, it would be pretty much impossible to figure out which "Anthony DiPierro" I happen to be. The phone number is real, but it's an efax number, so unless you have a subpeona, you're not going to get my identity from it.

Re:Screw ICANN

[raju1kabir]

He doesn't want to list his home address for obvious reasons.

What are those obvious reasons? I've listed my home address for all my domains for many years, and the only consequence of note is that I get about 1 ad for hosting services per month.

Use your office, your school, your parents' house, find a sympathetic non-profit to take your mail... take some responsibility or stay home and leave the internet alone.

Re:Screw ICANN

[13013dobbs]

I think someone thinks a bit *too* highly of themselves. ;)

Re:Screw ICANN

[anthony_dipierro]

What's your home address?

Re:Screw ICANN

[raju1kabir]

What's your home address?

If anything I do using my domain names annoys or intrigues you, I cheerfully encourage you to use whois to find out. Call before coming to my house and I'll even bake cookies.

Re:Screw ICANN

[anthony_dipierro]

What's wrong? You don't want every slashdotter knowing your address? Maybe you see why I feel the same way? Somehow I doubt it.

Re:Screw ICANN

[raju1kabir]

What's wrong? You don't want every slashdotter knowing your address? Maybe you see why I feel the same way? Somehow I doubt it.

You're quite correct; I do not follow your logic (or rather, I do, but I think it might be a bit simplistic).

The potential for mischief is very well controlled within the Slashdot milieux, and the site's purpose is limited to discussion. Both of these make anonymity appropriate and useful, with no significant drawbacks.

The same cannot be said for participation in the world at large. Sometimes anonymity is good, other times it is not. When it comes to interconnection with a shared resource, accountability is essential. That doesn't mean that people shouldn't have the means to send anonymous emails, or to use anonymizing proxies to surf the web. However, there is - as always - a need for balance.

Re:Screw ICANN

[bamf]

rfc-ignorant.org?

The wonderful people who decided to list *.uk because the UK domain registrar doesn't give addresses in their whois output.

All because this violates the "spirit" of RFC954.

Note that it doesn't actually violate the RFC, just the "spirit" of the RFC. Useless feckers.

Although to be fair, I don't want to actually deal with any sites stupid enough to want to reject my mail because of this.

Re:Screw ICANN

[aonaran]

...besides, RFC != law
RFC = Request for Comments
Yes, that's right RFC = proposal.

I think too many people in the industry forget that RFCs are proposals. It would be nice if the whole world followed the same basic set of rules for internet communication, which is what RFCs are born of, but the worst that can happen to you if you don't follow the suggestions in a given RFC is certain companies/individuals who would like you to will refuse to deal with you.

This may mean finding a new registrar, or ISP or whatever... it's the AUPs of your various service providers that you really need to worry about, THOSE are the real laws of the net.

Re:Screw ICANN

[anthony_dipierro]

What's wrong? You don't want every slashdotter knowing your address? Maybe you see why I feel the same way? Somehow I doubt it.

You're quite correct; I do not follow your logic (or rather, I do, but I think it might be a bit simplistic).

Yes, it is simplistic. You don't want every slashdotter knowing your address. I don't want every slashdotter knowing my address. That's my "obvious reason" for not wanting to put my address in my whois data.

You seem to instead focus on justifications. But justifications don't change my desire for anonymity. Yes, if I get forced to put up my address, I will. Actually more likely I'll go ahead and buy a P.O. Box. I was considering it anyway. Or maybe I'll buy from one of the many places that let me buy a domain name anonymously. Actually after reading this article I'm thinking about starting one.

The same cannot be said for participation in the world at large.

We're not talking about the world at large, we're talking about a domain name.

Sometimes anonymity is good, other times it is not. When it comes to interconnection with a shared resource, accountability is essential.

Again, we're not talking about interconnection with a shared resource, we're talking about a domain name.

That doesn't mean that people shouldn't have the means to send anonymous emails, or to use anonymizing proxies to surf the web. However, there is - as always - a need for balance.

Yep, and putting my address on the internet for any idiot to see just because I buy a domain name exceeds that balance.

The internet isn't the real world. It's about time people start realizing that.

Thank god.

There are so many better ways to get a domain name than going torough VS. I might also mention that VS customer service is 110% worthless.

17 out of 10.7M

[RebelTycoon]

that ain't bad... give them a break...

If the IRS was this accurate then taxes would be a lot less since all those slipping through the system would be caught...

Re:17 out of 10.7M

[KC7GR]

It's a lot more than that. I've lost count of how many spammer domains I've tried to trace, only to be stopped cold by bogus registration info that, despite such being clearly prohibited by NetSol's terms of service, they never do anything about.

I used to think ICANN wasn't good for anything more than demonstrating how political infighting and empire-building quickly take the place of serving the common interests (of the Internet's users). Now, though, I find myself actually amazed that they're doing something right.

The proof will be in the next whois lookup I do...

Calls?

[ackthpt]

My info is out of date, it's got an old address. Mysterious messages about updating account information have been left on my answering machine.

I wondered who that was... Anyone else get called by them?

Re:Calls?

[Neon+Spiral+Injector]

No, but I just registered a domain with godaddy.com last week, and got a post card from Versign today saying I can transfer domains to them for $15, and get a 1 year extension.

Funny I've been considering transfering my 3 domains from Verisign to Go Daddy for half that. That postcard sold me, I will now.

Re:Calls?

[drsoran]

No, but I just registered a domain with godaddy.com last week, and got a post card from Versign today saying I can transfer domains to them for $15, and get a 1 year extension.

Funny I've been considering transfering my 3 domains from Verisign to Go Daddy for half that. That postcard sold me, I will now.

Everyone using Verisign should take this opportunity to switch! The only reason anyone would use Verisign as their registrar anymore is laziness. We've all been bitching and moaning about how much Network Solutions sucked since before they even started charging for domains but we have a choice now. I would recommend GoDaddy as well. $8.95/year for a domain name and they have a decent web interface for administration. I can register a domain for 4 years for what Network Solutions was charging for 1 year! :-) Talk about rape.

Surprised?

[VisualStim]

Ok, everyone who has a domain registered through VeriSign, please rasie you hand ... for shame ... you are all sentenced to 100 MetaModerations a day for a month. Now get to it!

Re:Surprised?

[gmhowell]

Blah, blah, blah. They were the only game in town first time. Second time was inertia. This time, so long Verisign.

Re:Surprised?

[Sabalon]

Who here had their boss decide to register two domains before anyone else took them (not that they would want them) and decide instead of talking to the local DNS person, register them with Verisign and decide to use the halfpricehosting.com Verisign partner.

What a pain in the ass to get them moved to us.

How significant...

[nairnr]

Will there be a more in depth search of the records? It seems to me that 17 records is not a lot for a major site. The address look perfectly legit - They happen to be some of the addresses I give for online forms :-)

I think the real question now is does Verisign drop the domains that don't have legit info to satisfy this complaint. It is a good resource for tracking down abusers and other complaints. I have used it a number of times to track down contact info of providers of people who have attempted to crack my system...

Re:How significant...

17 addresses of many. The ones mentinoed were just the ones complained about. I didn't know where to complain to about improper registrations. Besides even one would be enough if they can't take care of the problem in a reasonable amount of time (which they haven't)

Maybe they should change their name

to VarySign?

PR Stooging

[alexmogil]

"Out of 10.3 million records, they pulled out 17 of these that have inaccurate data on it," said VeriSign spokesman Brian O'Shaughnessy. "That doesn't diminish the fact that VeriSign sees this as an important issue, but 17 names out of 10.3 million would hardly be considered a pattern."

I'm sorry, but my rebuttal is: "HAHAHAHAHAHAHAHAHAHAHAH!"

Only Seventeen?! I'd wager 15% of the domains on there are pointed to the phone number 123-456-7890 at the address of 123 Main Street. I'd call that the beginning of a pattern. Buncha jerks.

Re:PR Stooging

[H1r0Pr0tag0n1st]

I would say that a bigger issue than this, and the real reason that Verisign should lose the ability to sell domains, is thier incredibly un-ethical marketing practices. You know the Renew with verisign spam even though you didnt enroll with then in the first place...

Re:PR Stooging

[kiwimate]

I would say that a bigger issue than this, and the real reason that Verisign should lose the ability to sell domains, is thier incredibly un-ethical marketing practices. You know the Renew with verisign spam even though you didnt enroll with then in the first place...

Only problem is that if such a rule was enforced across the board there'd be hardly any registrars left anymore. Verisign, abominable as they may be, are most certainly not the only culprits of this practise in the registrar world.

Re:PR Stooging

[Suppafly]

"Out of 10.3 million records, they pulled out 17 of these that have inaccurate data on it,"

Yeh, but it was probably the first 17.. and I believe the problem isn't people giving them incorrect information, but rather them failing to update peoples information on request.

Re:PR Stooging

[Fulcrum+of+Evil]

Verisign, abominable as they may be, are most certainly not the only culprits of this practise in the registrar world.

They are, however, so legendary for their horrid service and incompetence that they had to change their name.

Re:PR Stooging

[Brendan+Byrd]

If this was the case, why could have ICANN just piled on these massive amounts of cases? I'm sure it wouldn't be that hard to do the following commands:

cat WHOIS-Database | grep -AB 10 "123-456-7890"
cat WHOIS-Database | grep -AB 10 "123 Main Street"
cat WHOIS-Database | grep -AB 10 "555-555-5555"
cat WHOIS-Database | grep -AB 10 "-555-"

Re:Yeah

[javahacker]

They didn't abuse their power, at least that's not what has them in trouble with ICANN. They aren't doing their job, part of which is maintaining a connection between the domain name and the domain name's owner.

The abuse of their position and power is an entirely different matter, although it also is a way they are not doing their job properly. Because they haven't tracked the ownership of some domains properly, they are unable to transfer them to another domain registrar. Convenient for them because they get to keep charging the domain owner, but bad because they are getting called out by ICANN on it. Of course there is the matter of the pot (ICANN) calling the kettle black.

This isn't entirely Verisign's fault

[wowbagger]

True, bogus WHOIS data makes it very hard to track down spamm^H^H^H^H^Htroublemakers on the 'Net, but is this really Verisign's fault?

If I register floobydust.com, and I fill in a contact email that becomes invalid three days after I go live, is that Verisign's fault? What should they do, spam everybody in their WHOIS and purge the bounces?

I can think of lots of reasons to yank Verislime's ability to sell domains, but I'm not sure this is one of them.

Re:This isn't entirely Verisign's fault

[garyevesson]

Given Verisign's attempt to invoice me for a domain that is not registered with them, I'd be happy with any excuse to prevent them from selling domain names ever again.

I no longer use them - for certificates or domain name registrations. I transferred everything elsewhere.

Re:This isn't entirely Verisign's fault

[G27+Radio]

On the other hand as customers we shouldn't have to repeatedly ask them to fix inaccuracies and be ignored until we threaten to switch all our domains to another registrar. I ditched VS over a year ago due to some sleezy crap they pulled with a couple of my personal domains when I tried to transfer. Unfortunately I still have to deal with them for customers that didn't know better when they registered either.

Re:This isn't entirely Verisign's fault

[kiltedtaco]

"The last temptation is the greatest treason, doing the right thing for the wrong reason" -- T.S. Elliot

Re:This isn't entirely Verisign's fault

[emc]

Your Registrant should be FORCED to be the name/entity listed on the Credit Card that was used to purchase the domain, and should NOT be alterable.

Re:This isn't entirely Verisign's fault

[emc]

sorry, it should read -
The Registrant Field...

too anxious

Re:This isn't entirely Verisign's fault

[mindstrm]

No... they should not do that.

But when they are contacted and informed that the contact information for a domain that THEY ISSUED is not valid, then they MUST do something about it.
It is their JOB to maintain that information.
ie: Try to contact the domain holder, decide if the registration was fake or not, then axe the domain.

Re:This isn't entirely Verisign's fault

[magicalyak]

I disagree, what are you paying them for. Or more appropriately, what are they receiveing money for. Real names and addresses should go in the database, otherwise, why have it at all? I don't think Spamming everyone in the database is the solution, but confirmation of the addresses would be. What is the cost to register a domian now? Can't they at least verify by a phone call? A phone call to verify would take less than a minute or maybe two(~12/minute) plus pay someone minumum wage to make the calls (I'm guessing this is near 7/hour now). I do not accept any reason why this can't be done without the use of SPAM. If I gave a fake phone number, I'd pull my domain name. Seriously, what are you paying for to register the domain? Maybe I'm bitching but I've had enough of fake email addresses and phone numbers of spammers.

Re:This isn't entirely Verisign's fault

[delta407]

I can think of lots of reasons to yank Verislime's ability to sell domains, but I'm not sure this is one of them.

...so? Are you complaining? Any reason to hurt NSI/Verisign is a good one in my book.

Re:This isn't entirely Verisign's fault

[Drakin]

Not all of use use credit cards to register domains. My first doman was registered prior to my having a credit card, and was paid by money order.

Although, now, it all goes on my credit card... and all goes through godaddy now. simpler, cheaper, and less headaches if I want to change anything.

Re:This isn't entirely Verisign's fault

[Col.+Klink+(retired)]

> [data changes after validation], is that Verisign's fault?

No, but if one registers with an address like "Yellow Brick Road, Kansas" (yorkstreethardware.com), or "000 Blank St., No city, XX 00000" (dundjerski.com), or a phone number like 650-555-1212 (sunnyside.com) or 000-000-0000 (jaxx.net), one could argue that the domain should have never been issued.

Re:This isn't entirely Verisign's fault

[astroboy]

If I register floobydust.com, and I fill in a contact email that becomes invalid three days after I go live, is that Verisign's fault?

Right, except that according to the article:

One customer who registered a domain name using the fictitious name of "Toto" with the fake address of "Yellow Brick Road" in "Oz, Kansas." [...]

ICANN said VeriSign's violations include ignoring repeated requests to correct customer information for Dundjerski.com, in which the administrative contact was, "OOO Blank St., No City, XX 0000" with a phone number of "123-123-1234."

which is a little bit more obvious than an email address change.

Re:This isn't entirely Verisign's fault

[Trekologer]

Actually, yes it is. The information contained about the domain contained in the WHOIS database is very important and the registrar should make sure that the information is valid.

Here's what I think that should be done to make sure that the information is correct... Build in a clause to the registration agreement that the registrar will verify the information periodically and if any of it changes, the registrant is required to supply the changed. Then, the registrar verifies the information by sending an email to the contact addresses that must be replied to within a certain timeframe. If the email bounces or there is no reply, the domain gets suspended (out of the DNS database until the problem is rectified). Start off with checking the address frequently and then less frequently as the address seems to become more perminant.

Re:This isn't entirely Verisign's fault

[tschild]

[...] Then, the registrar verifies the information by sending an email to the contact addresses that must be replied to within a certain timeframe. If the email bounces or there is no reply, the domain gets suspended (out of the DNS database until the problem is rectified). [...]

Fine for avoiding outdated addresses, but it would mean a lot of corporations dropping off the Net every now and then. There have been all those instances of domains put on hold because its owner did no manage to pay a yearly bill in time...

is april 1?

[squarefish]

ok, this and adobe story are just too good to be true.

One record in question..

[molo]

One of the records in question is that for dundjerski.com, in which there is false information for the Administrative Contact:

Dundjerski, Marina (MDE220)
Marina Dundjerski
000 Blank St.
No city, XX 00000
US
123-123-1234

However, on the same record, the "Registrant" field lists an address for the same name as above. If this is the worst that they can come up with, I hardly consider this a big deal.

-molo

That can't be right!

[burgburgburg]

Verisign losing the ability to sell domains would be helpful. There must be some sort of mistake here.

Oh, wait. I know: They'll take it away from Verisign and give it to Microsoft. Okay. That makes sense. Then you'd need a Passport ID to buy a domain.

How convenient

[gmhowell]

Verisign has given me about 15 days to renew my registration of domain.

Not gonna happen.

Hello gandi.net

About time!!

[vonkraken]

I have been trying for 2 weeks now to get my information updated for my 1 (that's single folks) domain. I have gone the through the forms and the calls, but still no love. If it takes the threat of their removal from the Domain Name business, so be it, at least they will get on the ball and get things moving.

OAO,

VonKraken

We are always fixing this one...

[nutznboltz]

# whois Dundjerski.com

Whois Server Version 1.3

[...]

Administrative Contact:
Dundjerski, Marina (MDE220) marina10@EARTHLINK.NET
Marina Dundjerski
000 Blank St.
No city, XX 00000
US
123-123-1234

# date ; whois Dundjerski.com | grep updated
Wed Sep 4 18:12:24 EDT 2002
Database last updated on 4-Sep-2002 18:12:24 EDT.
# date ; whois Dundjerski.com | grep updated
Wed Sep 4 18:12:25 EDT 2002
Database last updated on 4-Sep-2002 18:12:25 EDT.
# date ; whois Dundjerski.com | grep updated
Wed Sep 4 18:12:26 EDT 2002
Database last updated on 4-Sep-2002 18:12:27 EDT.

Re:We are always fixing this one...

[Neon+Spiral+Injector]

You don't want the date that the database was updated, you want the date the domain information was updated:

Updated Date: 15-jan-2002

17 records

Does this mean a total of 17 records out of the 10M were bogus: not bad at all. Or does it mean 17 randomly picked records were all bogus: very, very bad.

The letter to verisign!

[joeldg]

http://www.icann.org/correspondence/touton-letter- to-beckwith-03sep02.htm I was howling laughing reading this letter to Verisign

Re:The letter to verisign!

[DoomHaven]

On 21 February 2001, ICANN's Chief Registrar Liaison, Dan Halloran, sent you an e-mail pointing out that the contact details for yorkstreethardware.com were inaccurate. According to VeriSign's Whois data, the domain was registered to "Toto", residing at "the yellow brick road" in "Oz, KS 06750".

Thanks, if only for that quote! I had a good laugh over that one.

Is it just me...

Or did all you /.er's got too frenzied up about this article that you /.'d /. ??

SSL operations seperate from DNS operations

[sjanich]

The DNS operations are a completely different thing from the issuing of SSl certifications. So, there is no fear in that going away.

The text of the letter

[ICANN Logo] Letter from Louis Touton to Bruce Beckwith Regarding Breach of VeriSign Registrar's Accreditation Agreement (Whois Data Accuracy) 3 September 2002 3 September 2002 Via FedEx, Fax, and E-mail Bruce Beckwith Network Solutions, Inc. Registrar 505 Huntmar Park Drive Herndon, VA 20170 Tel: 1-703-742-4817 Re: Notice of Breach of ICANN Registrar Accreditation Agreement Dear Bruce: This letter is a formal notice of seventeen instances of breaches of sections 3.3 and 3.7.8 of the Registrar Accreditation Agreement (RAA) that Network Solutions, Inc. Registrar (VeriSign Registrar) signed in May 2001. Under section 5.3.4 of the RAA, VeriSign Registrar has fifteen working days to cure the breaches described in this letter. If the breaches are not cured in that period, then ICANN may give notice of termination of the RAA, after which VeriSign Registrar may initiate arbitration to determine the appropriateness of termination. Under section 3.3 of the RAA, each ICANN-accredited registrar has agreed to provide free public Whois service giving information about the registrations it sponsors in the registry. Among other elements, the information must include: * The name and postal address of the Registered Name Holder; * The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the Registered Name; and * The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the Registered Name. Section 3.7.8 of the RAA sets forth the obligations of ICANN-Accredited Registrars regarding the accuracy of Whois data. It provides as follows: 3.7.8 Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information. Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy. This notice of breach concerns VeriSign Registrar's obligations under section 3.3, under which VeriSign agreed to provide specified Whois information for each sponsored domain name. It also concerns the second and third sentences of section 3.7.8 quoted above. In summary, in those sentences VeriSign Registrar agreed to take reasonable steps to investigate and correct its Whois data in response to any reported inaccuracy. Despite these promises, VeriSign Registrar appears frequently to publish incomplete Whois data, and to routinely ignore reports of inaccurate and incomplete contact data in its Whois database. The following are seventeen examples of VeriSign's failure to comply with its contractual obligations: 1. yorkstreethardware.com: On 21 February 2001, ICANN's Chief Registrar Liaison, Dan Halloran, sent you an e-mail pointing out that the contact details for yorkstreethardware.com were inaccurate. According to VeriSign's Whois data, the domain was registered to "Toto", residing at "the yellow brick road" in "Oz, KS 06750". (We also noted that you might want to consider whether the registrant's provision of that obviously false data constituted "willful provision of inaccurate or unreliable information," which is a breach of VeriSign's service agreement and a basis for cancellation of the registration.) On 21 May 2001, we sent you a follow-up note regarding the still-inaccurate data for this domain. Included was a link to a story in that day's NY Times in which the registrant admitted that she had registered the name with false data as a test "to see how easy it is." We asked you, some three months after the initial report, if you had indeed been able to confirm that the domain had been registered to "Toto", and if not if you could please "re-initiate the process of investigating and correcting the inaccuracy." It is now more than eighteen months after we notified you of the inaccuracy, and the domain is still registered to Toto at the yellow brick road, Oz, KS 06750. We have not even received any explanation of what specific steps VeriSign Registrar has taken to investigate and correct this situation. 2. kokorouta.net: On 15 June 2001, we forwarded a report to you indicating that VeriSign Registrar's Whois shows an apparently invalid e-mail address for the administrative contact for kokorouta.net: "no.valid.email@worldnic.com". It has been more than fifteen months since we sent the report, but the invalid e-mail address is still included in your Whois data today. And once again, we have no indication of the specific steps VeriSign Registrar took to resolve the inaccurate information. 3. dundjerski.com: On 24 January 2002, I wrote to VeriSign (Miriam Sapiro, Roger Cochetti, and Phil Sbarbaro) regarding the Whois data for dundjerski.com. A story in that morning's Los Angeles Times reported that the registrant of that domain had been told by a VeriSign representative that she could not have her personal information removed from the Whois database, but that she was given the following advice by VeriSign: "But they did tell me to just make up an address and put it in there. So that's what I did." My 24 January message to VeriSign noted that VeriSign's Whois database indicated that the mailing address for the administrative contact was "000 Blank St., No city, XX 00000" with a phone number of "123-123-1234". In that message I "strongly urge[d] VeriSign to take prompt and decisive actions to ensure that its Registrar business operates in a more responsible manner than reflected in the article, and to publicly reaffirm its commitment to accurate Whois data." You replied over a month later, on 5 March 2002, stating that VeriSign takes the subject of Whois accuracy "extremely seriously." You indicated that VeriSign was sending the registrant a letter requesting verification, and that "if no reply or update is received shortly, the domain will be deleted, in accordance with our existing procedures and contractual requirements." It has been almost six months since you wrote that, but the administrative contact address is still "000 Blank St., No city, XX 00000", and the phone number is still "123-123-1234". 4. internic-backbone.org: On 6 March 2002, we sent you a report concerning inaccurate contact data for internic-backbone.org. The data for that registration had what appeared to be an incomplete mailing address, and the telephone number for the contacts was listed only as "Restricted." We sent you reminders concerning this reported inaccuracy on 14 May 2002 and 18 June 2002. When the data still had not been corrected on 22 August 2002, we sent you (and your attorneys) a "final informal request" asking you to provide information about the status of your investigation. We finally did receive a status report on 27 August 2002, but it indicated (by copy of a letter to the registrant) that VeriSign Registrar had not even begun to take action to correct this data until 26 August 2002, nearly six months after you received the initial report. 5. sunnyside.com: On 24 April 2002, we sent you a report concerning the false telephone number for the administrative contact for sunnyside.com: "650-555-1212". We sent you a follow-up inquiry about the same problem on 14 May 2002. You wrote back on 16 May 2002 and told us to "feel assured that it is being addressed in as an expeditious manner as possible." It is now more than three months later, and the data still has not been corrected. 6. jaxx.net: On 7 May 2002, we sent you an e-mail requesting that you investigate and correct the whois data for jaxx.net. We pointed out that the administrative contact's telephone number was listed as "000-000-0000". It has been over three months since that notification, yet the false telephone number listing has not been corrected in VeriSign Registrar's Whois data, nor has VeriSign advised us what specific steps have been taken to investigate and correct the inaccuracies. 7. visosite.com: On 15 May 2002, we forwarded to you a report concerning inaccurate data for visosite.com. The report indicated that the mailing address for the registrant and contacts was inaccurate (the report included a link demonstrating that there is no "Walker Way" in Orangeburg, NY) and that the telephone number for the administrative contact was not functioning. Although over three months have passed since VeriSign Registrar received this report, it has not corrected the false data, nor has it advised us what steps have been taken to investigate and correct the situation. 8. fufus.com: On 18 May 2002, we directed to you a report concerning an invalid e-mail address in the Whois data for fufus.com: "no.valid.email@worldnic.com". On 27 May 2002, we sent you another note on this issue, including a copy of a message from a VeriSign Customer Service Representative who declined to investigate the inaccuracy - stating that "It is up to the current registrant to keep the domain information current." We asked you to carefully review this. It has been over three months, and the false data is still being published in VeriSign's Whois service. VeriSign has not stated what steps it has taken, nor given any explanation as to why its representative stated that it would not fulfill the promise it made in its registrar accreditation agreement to investigate and correct false data. 9. digeronimo.com: On 21 May 2002, we sent you a note concerning an invalid e-mail address in the Whois data for digeronimo.com: "no.valid.email@WORLDNIC.NET". Over three months have passed since that notification, yet VeriSign has not corrected the false data. Nor has VeriSign advised us what specific steps it has taken to investigate and correct the false data. 10. kasparatisco.com: On 23 May 2002, we forwarded to you a report concerning inaccurate contact details for kasparatisco.com. The report indicated that the information listed for the administrative contact was invalid - the law firm that answers at the telephone number listed for the administrative contact has never heard of the administrative contact, Sally Jocks. Although over three months have passed, this invalid data still had not been corrected as of the time of the sending of this letter. Nor have we been advised of the specific steps (if any) taken by VeriSign to investigate and correct this false data. 11. nsi-direct.com: On 13 June 2002, we sent you an e-mail asking VeriSign Registrar to correct inaccurate Whois data in the record for nsi-direct.com. The administrative contact e-mail address for that registration is still listed as "no.valid.email@WORLDNIC.NET". We sent a test message to that address last week - it bounced back with an indication that the address was not valid. Over two months after the initial report, the invalid data is still being reported in VeriSign's Whois service. 12. city-guide.com: On 18 June 2002, we forwarded to you an e-mail we had received that indicated that the telephone number for the contacts for city-guide.com ("813-562-5354") was disconnected. More than two months later, the telephone number has still not been updated VeriSign Registrar's Whois listings. Calling the listed number results in a message that "your call cannot be completed as dialed." 13. aboutsrichinmoy.com: On 10 July 2002, we sent you an e-mail reporting an inaccuracy in the Whois data for aboutsrichinmoy.com. As of today's date, over six weeks later, the registrant mailing address for that name is still listed as "1 xxx, NY, NY, 11432". We have not received any indication of the specific steps that VeriSign Registrar has taken to investigate and correct this clearly false data. 14. stepup.net: On 17 July 2002, we sent you a message indicating that VeriSign Registrar's Whois database was completely missing any data for stepup.net. As of today, the registry still reports that VeriSign Registrar sponsors this domain, but VeriSign Registrar's Whois server still reports no match. Your server still returns only the cryptic message "Domain not found locally, but Registry points back to local DB. Local Whois DB must be out of date." 15 and 16. animerica.com and japanh.com: On 19 July 2002, we sent you a report indicating that the contact details for animerica.com and japanh.com were inaccurate. The administrative contact telephone number for animerica.com was listed as all three's: "333-333-3333". The administrative contact telephone number for japanh.com was listed as all one's: "111-111-1111". The fax number was all two's: "222-222-2222". Each of these numbers (and also the phone number for the technical contact that they share) is inoperative. This data still had not been corrected as of the time this letter was being prepared - over one month later. 17. namezero.com: On 29 July 2002, we notified you that VeriSign Registrar's Whois data for namezero.com (a domain sponsored in the registry by VeriSign Registrar) was inaccurate. The phone number is listed as "111-111-1111".) We asked you to investigate and correct this inaccurate information pursuant to RAA 3.7.8. It has been over thirty days and the data still has not been corrected. As noted above, section 5.3.4 of the Registrar Accreditation Agreement agreed in May 2001 between VeriSign and ICANN provides that notice of termination of VeriSign Registrar's accreditation may be given if these breaches are not cured within fifteen working days. The pattern of neglect demonstrated by the above circumstances is troubling. In its May 2001 accreditation agreement (as well as in that agreement's predecessor), VeriSign agreed to publish complete Whois data, to undertake reasonable efforts to investigate every notification of Whois data inaccuracy it receives from any person, and to correct any inaccuracies found. The above recitation demonstrates that VeriSign Registrar has repeatedly taken what appears to be a cavalier attitude toward the promises it made. As outlined in ICANN's recent "Registrar Advisory Concerning Whois Data Accuracy" http://www.icann.org/announcements/advisory-10may0 2.htm, registrars have a vital role in maintaining the accuracy of Whois data. We believe that advisory gives valuable guidance to registrars how they can act responsibly toward the public as well as complying with their contractual obligations. VeriSign Registrar's conduct has fallen far short of both its responsibilities to the public and its agreements. We therefore provide this formal notice of breach of VeriSign Registrar's accreditation agreement with ICANN. ICANN's goal in this matter is to promote accuracy of Whois data, which requires cooperative efforts by VeriSign Registrar in meeting its obligations. We hope that VeriSign Registrar will act promptly to cure the breaches outlined in this letter, and will become more responsive and cooperative in dealing with data inaccuracies as they are discovered. Please feel free to contact me if you have any questions. Best regards, Louis Touton Vice-President and General Counsel ICANN cc: W.G. Champion Mitchell, Executive Vice President and General Manager, VeriSign Mass Markets Division (by e-mail) Bobby Turnage, Esq., VeriSign, Inc. (by FedEx, fax, and e-mail) Phil Sbarbaro, Esq., VeriSign, Inc. (by e-mail) Stuart Lynn, President and CEO, ICANN (by e-mail) Comments concerning the layout, construction and functionality of this site should be sent to webmaster@icann.org. Page Updated 16-April-2001 ©2002 The Internet Corporation for Assigned Names and Numbers. All rights reserved.

Send Verisign back where they came from:

The other side of the River Styx.

New slashdot advertising

Did you see it? About 10 large ads on the front page for MSVS.Net. And thats not all, slashdot is offically fucked up for life. Thank you Johnkatz.

i'm forgetting again

[gsfprez]

what law is it breaking to have incorrect data?

in fact, i have incorrect data because i and my wife were being stalked - and the WHOIS database is where he thought i lived. He went looking for us at the old address.

and what's the worst part of all - to have ANY level of security from a whois search that could give sickos and perverts your address is by getting a P.O. Box.. from the USPS!

Imagine, the key to internet privacy is the Postal Service. Now that's just great.

Re:i'm forgetting again

[anthony_dipierro]

what law is it breaking to have incorrect data?

None yet, but if ICANN gets their way they'll buy this law.

Re:i'm forgetting again

[jdreed1024]

what law is it breaking to have incorrect data?

There is no such law. But what's your point? If Ashcroft or someone from the justice dept were pursuing them, and there was no law, then you'd have a point.

They did, however, sign a contact with ICANN, in which they agreed to have up to date data. They chose to take a big shit on that contract. That's why ICANN is pissed.

Personally, I'd love to see Verisign out of business. Someone stole my identity two years ago and bought $1000 worth of services from Verisign. Verisign took a YEAR to remove the domains, claiming they needed to verify with the registrant before they could be cancelled. (Thieves have more rights than I do, apparently). They still refuse to remove the bogus whois information that the thief supplied using my correct name and address, but a fake phone number and e-mail. They claim I can't remove it, because I told them I didn't enter it in the first place. They also don't answer the phone anywhere but the sales department.

They're a bunch of lying, thieving, ignorant wankers, who deserve to have the book thrown at them. Not that it'll happen, since ICANN will probably give up at the last minute (c.f. United States v. Microsoft).

Re:i'm forgetting again

[anthony_dipierro]

Someone stole my identity two years ago and bought $1000 worth of services from Verisign.

Wow. What did it feel like to not have an identity?

They claim I can't remove it, because I told them I didn't enter it in the first place.

Sounds like a legitimate reason to me.

Re:i'm forgetting again

[Fulcrum+of+Evil]

They claim I can't remove it, because I told them I didn't enter it in the first place.

Sounds like a legitimate reason to me.

Sounds actionable to me (IANAL). Something about accomplice to fraud.

Re:i'm forgetting again

[starburst]

A PO Box will not shield you from stalkers. The counter workers frequently give out information gathered in the application process for a PO Box.

Here is what you must give the fine workers to get your PO Box:

http://pe.usps.gov/text/dmm/d910.htm#Rbr39715

2.2Verification

An application for post office box service may not be approved until the applicant's identity and current permanent physical address where he or she resides or conducts business is verified. Verification criteria are as follows:

a. At the time of application, applicants must present two items of valid identification; one item must contain a photograph of the applicant. Social Security cards or credit cards and birth certificates are unacceptable as identification. The following are acceptable identification:

(1) Valid driver's license or state non-driver's identification card.

(2) Armed forces, government, university, or recognized corporate identification card.

(3) Passport, alien registration card, or certificate of naturalization.

(4) Current lease, mortgage, or deed of trust.

(5) Voter or vehicle registration card.

(6) Home or vehicle insurance policy.

b. The identification presented must be current. It must contain sufficient information to confirm that the applicant is who he or she claims to be and must be traceable to the bearer.

Re:i'm forgetting again

[anthony_dipierro]

Sounds actionable to me (IANAL). Something about accomplice to fraud.

I don't see how. If anyone was defrauded, it was Network Solutions. You can't be an accomplice to a crime committed against yourself.

I'm sure if you had gotten an injunction NetSol would have gladly removed the information. Until then it's not their place to get involved. Innocent until proven guilty in a court of law, and all that nonsense.

Re:i'm forgetting again

[mosch]

I fully agree, there's no reason to have valid contact data for your domains, as long as you pay your bill. There are numerous reasons why a person would not want to be listed, and those should be honored.

All my domains are registered with false contact information, with the exception of the email addresses, which are tagged, but valid. Can anybody tell me why this is a problem?

None of my phones are listed in a phone book, why should my whois data be forced to be any less private?

Re:i'm forgetting again

[stephanruby]

and what's the worst part of all - to have ANY level of security from a whois search that could give sickos and perverts your address is by getting a P.O. Box.. from the USPS

If your stalker can prove to the post office that you're using your PO box for business purposes, the post office is *obligated* by law to releaseyour personal address. You're probably better off using the more expensive "Mailbox, etc."

You better forget about voting too. Your voting registration is public information.

Re:i'm forgetting again

Ashcroft can go take a flying leap. So can anyone else who wants valid physical address info in WHOIS registration records. As far as I'm concerned, anyone should be able to register a domain pseudonymously if that's what they want to do. Some people, such as myself, run their servers out of their homes, and want the equivalent of an unlisted number. Sure, I find it really annoying sometimes that tracking down a spammer's home address is made more difficult because their multi-level viagra mortgage penis enlargement web server's whois records are bogus, but I'm not willing to give up my own obscurity on my WHOIS registration info to make ICANN or Verisign happy. I can still track down spammer shits by following the money.

Verisign contacted me and told me to correct my whois info. I did absolutely nothing. They did absolutely nothing either because, well, what are they supposed to do? Shut me off? I haven't done anything to deserve being shut off, unless you count using "123 Use Email Please" as my street address. They continued to badger me until I finally just changed registrars.

I can be reliably contacted via the email address in my WHOIS record, as required by RFC and by etiquette in the event that one of my servers starts barfing, and if I couldn't, then I'd be all for being summarily disconnected. As to ICANN's requiring street addresses however, my feeling is that ICANN can go fuck themselves. They don't own the Internet. We, the people of the planet Earth, comprise the Internet. I'd be happy to see Verisign and ICANN both crumble to bits.

Cheers!

Re:i'm forgetting again

[Jammer@CMH]

I'll try to explain.

A domain was registered, with this guy listed as the contact but with incorrect email. He can prove that he is himself, he has all sorts of documentation to demonstrate that he is the fellow of the listed name who lives at the listed address. If the domain is indeed registered by him, he should be able to remove it. If it is not registered by him, but is registered by someone else using his name and address, then I believe that Network Solutions is assisting that unnamed other person in perpetrating a fraud if Network Solutions refuses to remove the listing after the individual with the name and address appearing in the registration appears (with piles of identification) and demands the removal of the listing.

If I post an advertisement in the paper announcing (say) your bankrupcy, giving your name and address as contact information and printing them in the add, and the newspaper refuses to pull it even after you demonstrate that you are the person referred to in the add and are not at all bankrupt, then I'd think that the paper is an accomplice to my fraud.

Of course, I'm not a lawyer. YMMV.

Re:i'm forgetting again

[dmuth]

in fact, i have incorrect data because i and my wife were being stalked - and the WHOIS database is where he thought i lived. He went looking for us at the old address.

One problem with this is that when have you bogus contact information, it makes it look like you may have something to hide, seeing as how spammers employ similar tactics with their domain registration.

My suggestion would be to get a Mailboxes, Etc. dropbox and list that in your domain contact. That way, people who need to legitimately reach you via postal mail can, while stalkers will not find you.

Re:i'm forgetting again

[user2048]

Something similar happened to me. Somebody charged $500 of VeriSign services to my Discover card. I called to complain. They wouldn't even talk about removing the charge unless I faxed all sorts of info to them. And they wouldn't tell me what services they were charging me for (I did manage to get the phone rep to say it involved some domain involving "graphics" and a Yahoo email address.

I let Discover handle it. They gave me an immediate temporary credit, and a few months later the credit became permanent.

While I was waiting for the matter to be resolved, I got a (postal) mail notice about renewing another set of domains I had nothing to do with (all containing the string "sony").

this isnt about bad whois data

[leto]

It is about
- Getting rid of Verisign in the .org deal
- Getting rid of Verisign before they get the 3
year on .net and 5 year on .com names
- Getting rid of a company that is going bankrupt
and is highly fraudulent (snapnames, bogus
invoices etc)
- ICANN itself getting out of the spotlight for
firing its At Large Directors

Re:this isnt about bad whois data

[hta]

please don't confuse Verisign the REGISTRY (holder of .net and .com) with Verisign the REGISTRAR (the people responsible for the inaccurate registrations).
Revoking Verisign's registrar business would be ironic indeed - it would get them out of the dual role that they had promised to give up, but gave up .org in order to be allowed to continue doing when the contract was renegotiated.

Just transfered from VeriSign

[stompro]

I have just finished a month long battle with VeriSign to get access to a domain. I would fax them an authorization letter, they would email me back saying I missed the coma on the 21st page after the statment of intent blah blah. I finally got everything to their liking but they didn't respond for a couple more weeks. So I headed over to domainmonger and did a transfer, and was up and running in a day and a half.
I can kind of understand why a larger company would like to know that someone has to jump through major hoops before someone can hijack their domain, but for me all there security was a major pain in the ass. Plus, the last time I checked, they were using some ibm ssl software that doesn't let you use mozilla to manage your account. I am going to plug domainmonger here, I have no affiliation with them, I am just a happy customer.
domainmonger.com
I have had such good luck with domainmonger, they are not a large operation, but I have never had trouble getting ahold of someone if I have had a problem.

....
posting makes you feel goooooodd.

Re:Just transfered from VeriSign

> I have had such good luck with domainmonger.com, they are not a large operation, but I have never had trouble getting ahold of >someone if I have had a problem.

I use godaddy and couldn't be any happier.

Re:Just transfered from VeriSign

[cyb3r0ptx]

I agree, and for 1/2 the price that domainmonger charges, it's even better!

Re:Just transfered from VeriSign

[mesocyclone]

I am in the middle of a long battle with them over changing the domain access. My daughter's site host went belly up, and Verisign's autoresponder never responds. We go to the site, log in, put in the changes, get a message at the correct email, respond to it as requested, and it vanishes into a black hole.

Finally, yesterday I called them on the phone and in about 45 minutes of hassling with a live human (no wonder they are hurting), still got no satisfaction. She told me the system was changing and they could not change the domain in any way except through the autoresponder, and had no idea why it didn't work. She did manage to get it to generate a couple of "unauthorized" person trying to change your domain messages (she works for them, but she is unauthorized)! She later told me should would fix the problem (which she had earlier told me was unfixable) but it would take a few days to show up in the database! This is modern technology?
Now the whois record shows yesterday as the last date changed, but it still has the same wrong information in it!

This incompetent company deserves to have their domain privileges removed. Their whois database should be given to someone who can make it work!

Re:Just transfered from VeriSign

[nathana]

DomainMonger rocks, period. I've been using them since 2000, and even when I have had problems they ALWAYS respond in a timely manner.

Just another happy customer. :-)

Re:Just transfered from VeriSign

[scsiboy]

FWIW, I had the same trouble when trying to transfer domains from Verisign over to INWW (inww.com). I had success though with Dotster - the transfer of 3 domains from INWW and 2 domains from Verisign over to Dotster worked great. I don't know if they have some special agreement with NSI or not, but it's the only thing that's worked for me. Other people I know have had the same black-hole treatment at NSI, except one guy who also uses Dotster and got his NSI domains moved to Dotster without any issues.

Does this really "a"ffect anything?

[DaytonCIM]

So ICANN pulls the plug on Verisign and hands it to another company... what changes? Does this new group have some magical software that will "verify" every registry, every address, every phone number, and add security? I think not.
Sounds suspiciously like someone is willing to fork over a pile of cash to some key ICANN people in return for Verisign's business.

Re:Yeah

In other news, they (VA) are outsourcing sales offshore. CSS will be "reselling" soresforge "licenses". That is a hoot. Don't these people know the FREE code is here.

Silly Faggots, Dicks are for Chicks!

~ R.W.S. gagged

no bulkregister domains

[bberg]

It seems ever since the nonsense with bulkregister none of the bulkregisters domains show up in netsols whois. You just get a page that says "error". Works in any other who is though.

Re:17 out of 10.7M - 30K out of 10.7M, if not more

[JayDude]

That was a quote from a Verisign Exec. There's at least tens of thousands with bad data.

There's a whole block of Worldnic (owned by Verisign) records that down't have correct email addresses for the admin contact...

It soon will be.

[www.sorehands.com]

There is talk of a law that makes it illegal to have false whois data. This is to handle people trying to make money buying domains and selling them to trademark owners.

Currently you are contractually obligated to provide correct whois information by the terms of service that propagated from ICANN.

SPAMMERS usually use false domain information to hide. Maybe the spammers don't want us breaking into their houses to watch TV and use their computers? Why not, their houses are connected to public roads, so we can use them. Right???

Letter from Louis Touton

[nutznboltz]

http://www.icann.org/correspondence/touton-letter- to-beckwith-03sep02.htm

Cites the 17 broken entries.

Re:Letter from Louis Touton

[rustman]

no.valid.email@worldnic.com is the standard contact info that many domains get when registered through NSI's Worldnic service. This is my biggest complaint.

Verisign slap on the wrist?

[Charlie+Bill]

I'm sure ICANN can't be too happy with VS for its somewhat shady business practices recently. Is this just them using a techinicality to nibble at them (akin to tax law suits lodged against bootleggers)?

New Art Of Domain Hi-jacking sponsored by ICANN

ICANN are introducing a 15-day challenge to correct Whois data. If the data is not corrected within 15 days, the domain is pulled. Gone. Poof.

Even if the Whois information is 100% correct and you don't respond within the 15 days, it's gone. Poof.

It works something like this:

1. Take out a dropped domain name registration using WLS or SnapNames.
2. Complain about the Whois data for the domain you want.
3. Wait 15 days
4. When the domain name is dropped, the name is reregistered through WLS or SnapNames and becomes yours.

Slashdot.org will be mine. You have been warned.

Re:New Art Of Domain Hi-jacking sponsored by ICANN

Even if the Whois information is 100% correct and you don't respond within the 15 days, it's gone. Poof.

Interesting. Where exactly is this mentioned in the service agreement that I agreed to?

Re:New Art Of Domain Hi-jacking sponsored by ICANN

[asackett]

I say "Go for it!" Steal something big, like nytimes.com -- and the very instant that it transfers, call the nearest television network affiliate's news department to explain that you've only done this to prove a point, have no intention of actually doing anything. As soon as the news starts to spread, call whomever it is whose domain you hijacked, and ask them to submit the necessary correction, which you'll gladly approve.

Just try to pick something large that belongs to someone unlikely to want to draw and quarter you!

Don't threaten, just do it.

[uncoveror]

ICANN should not threaten to take Verisign's licence to sell domains, they should just do it. The scam they ran trying to get customers of other registrars to switch to them with bogus renewal notices should be all the impetus ICANN needs. I recieved those bogus notices for uncoveror.com, and dontbuycds.org, but godaddy.com had already warned me they were bogus.

#11 is the gem

[stox]

Oh, this is priceless:

11. nsi-direct.com: On 13 June 2002, we sent you an e-mail asking VeriSign Registrar to correct inaccurate Whois data in the record for nsi-direct.com. The administrative contact e-mail address for that registration is still listed as "no.valid.email@WORLDNIC.NET". We sent a test message to that address last week - it bounced back with an indication that the address was not valid. Over two months after the initial report, the invalid data is still being reported in VeriSign's Whois service.

Wasn't this this the "spam" arm of NSI?

Missing the point

[FreshMeat-BWG]

The problem isn't that Verisign has incorrect data. The problem is that they "agreed to take reasonable steps to investigate and correct its Whois data in response to any reported inaccuracy" and have not done so. It is that they KNOW they have incorrect data and haven't corrected it.

Uh

[autopr0n]

How could ICANN stop them from selling SSL certificates?

It'll be intresting to see if VeriSign can actualy fix this in the time alloted, given their amazingly shitty technical skills.

So what happens to existing domains...

that have been registered through Network Solutions/Verisign? Will these then need to be transferred to another registrar? Which Registrar? How will this new registrar be chosen? What type of disruption should we expect (other than something massive that makes our clients angry??)

Not me

[autopr0n]

Register.com for a couple, godaddy now that I managed to get my own DNS server running :P

Re:Not me

[DraKKon]

Same here... used register.com to setup my DNS servers (thanks) now use godaddy to register (and renew) my domains.. cake..

F U VeriSign...

Re:Not me

[Suppafly]

And you provide us with autopr0n, so you are exempt from any punishment anyway :)

Re:Not me

Register.com is almost as bad as verisign.

There are few good domain name sellers out there. Myself I buy from gandi.net. Sure, they're small. But they don't have a fscked up contract, and have provided me with good service for a reasonable price so far (2 years and counting).

Ofcourse, I have to buy my DNS services from an outside company. (Not possible technically to set it up myself because the network I'm on won't allow DNS servers) But it turns out that it's not that expensive (from easydns.com). Add it up to the cost of the domain and you get what you pay verisign or register.com, minus the bad service and the horrible contract.

They have a point

[Kiwi]

I think the point ICANN is making here is not that Verisign has to make each and every single WHOIS contact info accurate. The point is that Verisign does not even care that their WHOIS contact informaiton is bogus more often than not.

People would complain to Network Solutions about spammers having obviously bogus WHOIS information (such as phone numbers of --- --- ----), and their reply was that "WHOIS information is ot guaranteed to be accurate".

I think the response is that, if a given set of WHOIS contact information is bogus, and people complain about the bogus information, Verisign should pull the domain in question until they update the information to have legitimate contact info.

A spam-friendly domain without real WHOIS contact information should be pulled until the information is updated. People should be held more accountable for what they put up on the internet; non-bogus WHOIS contact info is a start.

- Sam (Pot. Kettle. Black. I've moved since signing up for my domains, and have not updated the WHOIS contact info)

An interesting entry...

[numark]

On 29 July 2002, we notified you that VeriSign Registrar's Whois data for namezero.com (a domain sponsored in the registry by VeriSign Registrar) was inaccurate. The phone number is listed as "111-111-1111".)

So Verisign has false contact information for a site with whom they've worked closely for the last few years, and no one caught it and corrected it before now? Yeesh...

This explaines a lot.. Re:Letter from Louis Touton

[dracocat]

It looks to me like ignoring repeated attempts from ICANN to fix a problem is not the best business strategy.

What is amazing is not that they have incorrect data, but that after 15 months and repeated letters from ICANN about a single domain, that they still haven't done anything.

I guess if this is how they do business, its no wonder that they are rated so poorly in customer service.

Ongoing VeriSign problems

Because of some major internal problems, VeriSign may lose their ability to sell domains. Evidently, ICANN is miffed because VeriSign's WHOIS database has incorrect information. That is not exactly news to most of us with a clue. I understand that they have been given 15 days to fix the errors, or risk losing the ability to sell domains. Let's see what happens.

Rare for anyone to be held responsible

[rbanzai]

My company had about eight domains registered through Verisign and were subjected to a few of Verisigns fraudulent business practices as well as their hideous, hideous service.
If they get punished for ANYTHING that will give me a little satisfaction. It's kind of a rarity for companies to be held responsible for being arrogant f-ups. Let's hope this gets carried through and they get the spanking they deserve.

Musings over WHOIS.

[Corvaith]

First of all, I'd be willing to bet the numbers are rather high for fake addresses, across a good number of domain registrars besides VeriSign. There have to be some people out there creative enough to make up addresses that sound plausible... but just don't happen to belong to the person registering the data. (As opposed to 123 Main St, (123) 456-7890.)

I realize that keeping data on who domains belong to is somewhat important, but I don't see why this data has to be made available to the general public. Yes, it lets people trace the supposed owner of a domain... which can mean nothing, if the owner and the person maintaining the website aren't the same. It can also give people an avenue to harass you, especially if you happen to host any content that's in any way controversial.

Once, owning a domain was something businesses did. The average person had an email like jdoe@isp.net, and a web address that probably looked like http://www.isp.net/~jdoe. There are still plenty of those out there. There are also those of us who aren't content with the tiny amount of capability our ISP accounts come with, and so pay for third-party hosting... and a domain.

My domain holds a bunch of stuff. A forum for a hobby of mine. My public journal. Some links. Nothing out of the ordinary. I don't see why it's in any way important for other people to have easy access to my address and phone number. If the police need it, let them get it from my registrar.

I don't think there should be a blanket assumption that domains are going to belong to businesses who don't have anything to lose from their contact info being public.

Re:Musings over WHOIS.

Exactly. My address is currently nowhere on the Internet, and I know that if it gets out there it'll be cached somewhere forever. When I registered my domain, they said they had a strict policy to have real information, and could kick me out if I gave something fake. I carefully considered the tradeoff, and decided "no way." They can have my plausible-sounding fake address.

Re:Musings over WHOIS.

[anonymous+cupboard]

In many countries, any publication must carry a contact address for the owner. This is done for a reason because amongst other things, if you want to say things about somebody that are untrue, they can take action against you (note this is civil rather than criminal so the police are not involved).

If you have a web page that does not demand a password, then it is publication. You are the publisher not the ISP. If it is 'just private stuff' then sorry, your contact details must be registered. I would however grant you as a private citizen operating a non-commercial site the ability to hide your telephone number but not your name and address.

What do you want from them?!

[fireboy1919]

Do you expect a company to keep track of the mailing addresses and names - the very IDENTITY of its clients?

I mean, are there even companies whose business is to guarantee that someone is who they say they are and that they provide accurate information?

The very idea is ludicrious!

Seriously though...why not have government controlled digital signatures? They could use the passport system (not Microsoft's...the kind you get before you go to another country) as a starting point. It seems like one of the rare chances for beneficial government interference. Sure, we'd lose a particular private sector, but it'd give lots of people the same warm, fuzzy feeling that the FDIC does.

They've already got one # to represent each person anyway.

Really looking for (negative) responses here; I can't see anything bad about this (and I'm usually against government intervention).

Re:What do you want from them?!

[mindstrm]

Yes, we absolutely expect them to do that, becuase they are not selling teddy bears, they are a REGISTRY. Their ENTIRE BUSINESS is based on keeping track of which domain is registered to which person.
The contract that enables them to BE in this business REQUIRES them to keep this information accurate, and update it in a timely manner. This is something they AGREED to.. and I don't mean 'agreed' the same way you 'agree' to a clickthrough.. I mean dozens of lawyers reading documtns and commenting back and forth until a final contract is ratified.

And now they are basically ignoring a key part of that contract.

Re:What do you want from them?!

[graxrmelg]

Moreover, VeriSign's other business (digital certificates) is all about determining that people are who they say they are, so it should be less a problem for them than for other registrars.

The fact that the digital certificate business is based entirely on having a reputation as a trustworthy company is what made VeriSign's slimeball fake-renewal scam all the more amazing.

Re:What do you want from them?!

[Zelig321]

Don't you give them the idea to require us to purchase digital certificates in order to ensure our identity when we register a domain name!!!

Re:What do you want from them?!

[fireboy1919]

Ahem. Ever heard of sarcasm?

Let me spell out my view.

I find it rather disturbing that an organization whose main business is to keep track of people has trouble keeping track of people on their secondary business.

It makes me think that perhaps they're not doing their main job right - something which is much harder to verify because the main thing people want from VeriSign is a certificate already in NS and IE's databases. People just aren't going to complain much if they can get their key request replies.

Further, it makes me consider that perhaps privately owned business does not have enough vested interest in its clients to ensure accurate record-keeping, since the cash will keep rolling in anyway (for digital certs).

Sorry if you couldn't read my train of thought through the lines. More clear now?

Die VS DIE!

Flog 'em all!!!!!

In the News

[Herkum01]

ICANN meets to determine whether they can get away with charging $20 to domain name owners, and finally gets around to doing the job their supposed to do, more at 11...

ICANN's press release

[n8_f]

The press release ICANN sent out can be found here. It looks like the article was written straight from this with a reaction from VeriSign, which just muddled the real issue.

The problem isn't that VeriSign has incorrect information in the WHOIS database, it is that it makes no effort to correct that information. They have been notified to correct several records and they haven't. And in one case, VeriSign told a registrant to put in an incorrect address.

No, they aren't breaking the law, but they are breaking their contract with ICANN and so ICANN is enforcing that contract. And this isn't a personal privacy issue; that is completely separate from VeriSign not updating WHOIS records when requested and telling customers to give false information. Please, no more pity posts for VeriSign!

Re:ICANN's press release

[anthony_dipierro]

And this isn't a personal privacy issue; that is completely separate from VeriSign not updating WHOIS records when requested and telling customers to give false information.

But it is a personal privacy issue. Verisign is breaking its contract, but by doing so it's protecting its customers' personal privacy.

Please, no more pity posts for VeriSign!

I agree there. But please, no more pity posts for ICANN.

Instead lets have pity posts for the domain name holders. In the end that's who's going to lose, because Netsol will give in within 15 days, and won't lose their status as Registrar.

Re:ICANN's press release

[n8_f]

But it is a personal privacy issue. Verisign is breaking its contract, but by doing so it's protecting its customers' personal privacy.

I still respectfully disagree. I'm going off incomplete facts here, but it sounds like in some of the cases ICANN sites, the registrants are trying to get their contact information changed and VeriSign isn't allowing them.
I sincerely doubt VeriSign is doing this to help their customers. I have tried to change contact information with them (my dad registered a domain for his business; bad dad!) and it is a very difficult process. So whether or not in these specific cases they are trying to protect their customers privacy, I have first hand knowledge that the general complaints ICANN is raising are valid: VeriSign can be very slow or even completely unresponsive in changing WHOIS records.

Also, if you want to register a domain, there has to be some way for people to contact you. No one requires you to give your home address, but you have to give some contact information. It is like receiving mail. Use a P.O. box or your work address, but if no one can reach you in the eventuality your domain is misused, you shouldn't have a domain. With priviledges come responsibilites. I understand the various concerns such as frivolous lawsuits, but breaking one system to compensate for a broken system isn't the solution.

Please, no more pity posts for ICANN.

I also disagree with your characterization that my post was a "pity post for ICANN". It most certainly was not and I fail to see what caused you to reach that conclusion. That said, while I don't support ICANN, I'm also not going to fault them for taking a step in the right direction and I see trying to clean up the WHOIS database as a step in the right direction.

Nathan

Re:ICANN's press release

[anthony_dipierro]

I'm going off incomplete facts here, but it sounds like in some of the cases ICANN sites, the registrants are trying to get their contact information changed and VeriSign isn't allowing them.

Do you have any quotes or references that suggest that? I read the article, I read the press release, and I don't see anything which suggests that.

I sincerely doubt Verisign is doing this to help their customers.

I agree with you there. Verisign's motive is almost certainly profit. But I don't really care about their motive so much as what they are doing. If they are protecting their customer's privacy, then I'm going to support that, regardless of their motive.

So whether or not in these specific cases they are trying to protect their customers privacy, I have first hand knowledge that the general complaints ICANN is raising are valid: VeriSign can be very slow or even completely unresponsive in changing WHOIS records.

That may be the case. In fact, from what I've read I believe it probably is the case. But that's not what ICANN is charging them with.

Also, if you want to register a domain, there has to be some way for people to contact you.

Well, I disagree. I don't think there needs to be some way for people to contact me. Certainly not without obtaining a subpeona. But in any case, I have provided my phone number and email address, as well as my name. There is absolutely no reason the public needs my mailing address as well.

No one requires you to give your home address, but you have to give some contact information.

More specifically, you have to give a mailing address.

Use a P.O. box or your work address, but if no one can reach you in the eventuality your domain is misused, you shouldn't have a domain.

As I said in my other post, I'll use a P.O. Box if ICANN pays for it. And I work at home.

With priviledges come responsibilites.

Yes, with the priviledge of being granted a monopoly comes the responsibility to not infringe upon my right to free speech.

I understand the various concerns such as frivolous lawsuits, but breaking one system to compensate for a broken system isn't the solution.

My concern is not over frivolous lawsuits. My concern is over burglers and psychos.

I also disagree with your characterization that my post was a "pity post for ICANN".

I agree. I wasn't referring to your post.

That said, while I don't support ICANN, I'm also not going to fault them for taking a step in the right direction and I see trying to clean up the WHOIS database as a step in the right direction.

And while I don't support Verisign, I'm also not going to fault them for taking a step in the right direction and trying to facilitate anonymous publication of free speech on the internet. I see allowing anonymous ownership of domain names as a step in the right direction.

I currently have several domain names through Tucows. Many of them have incorrect address information, and I don't want to be forced to change it. But if ICANN gets their way I will have four choices: fix the address, get a P.O. Box, subscribe through a provider who will put the domain in their name, or lose the domain. None of those choices are attractive to me, but I'll probably wind up getting the P.O. Box.

Re:ICANN's press release

[n8_f]

Okay, I made some mistakes in the last post. You're right, none of the problem's relate to a registrant being unable to get their record updated.
In fact, I more or less agree with all of your points. I probably shouldn't have even bothered posting that last one.

I would like to elucidate on the one point I think there could be some meaningful debate on: anonymous ownership of domain names.

I think that contact information should be optional. However, I think the owner should be listed publically. I can't think of any way one can legally, publically distribute information anonymously. The author of a piece of information can be anonymous, but if one chooses to distribute that piece of information, in a news story or a pamphlet or a book, etc., one can't do it anonymously. And the Internet is just another method for distributing information.

Perhaps I am wrong, but I think of domain names as analogous to property, the ownership of which is public record. Is that overly retrictive? I can see where anonymous publication would be useful, but it seems like all accountability is lost as well. It seems like the existing mechanisms for anonymity are enough: an author has to find someone who will bear the responsibility for publishing the information.

Who gives a shit about the whois database anyway?

I mean what use does it serve? Does a website in the virtual world need to be tied to a physical address? Sure it might be useful for someone to track down the owners of a domain name for whatever reason, but why make it necessary?

They big enough?

[cheese_wallet]

I wonder if they are established enough in the net community to fork DNS and start up their own DNS architecture.

How about this penalty?

[Deal-a-Neil]

Increase their cost from the $5.00 or so per domain, to $100.00 per two years -- make 'em feel the pain like we used to a few years back. :-)

Might not be the fault of VeriSign

True, bogus WHOIS data makes it very hard to track down spamm^H^H^H^H^Htroublemakers on the 'Net, but is this really Verisign's fault?

If I register floobydust.com, and then I fill in a contact email that becomes invalid three days after I go live, is that Verisign's fault? What should they do, spam everybody in their WHOIS and purge the bounces?

I can think of lots of reasons to yank Verislime's ability to sell domains, but I'm not sure this is one of them.

What does ICANN expect?

[Ra5pu7in]

What does ICANN expect VeriSign to do if it cannot get updated information?

"Update the database" sounds easy enough, except that people that fill in that kind of bogus information don't want their accurate information listed and, if contact is possible, will likely give equally false information that sounds more real (i.e. 2957 Barracuda Lane). With all contact information deliberately falsified, it would be next to impossible to reach those people anyway.

Should VeriSign shut down every .com that doesn't have a valid verifiable addresses? Listen to those screams from all the legitimate sites who didn't want personal information easily available to the world.

Lying with statistics

[AndroidCat]

I love the lying with statistics in this statement: "Out of 10.3 million records, they pulled out 17 of these that have inaccurate data on it," "That doesn't diminish the fact that VeriSign sees this as an important issue, but 17 names out of 10.3 million would hardly be considered a pattern."

Uh-huh, and how many did ICANN check to get those 17? Is that 17 out of 10.3M or 17 out of 32? Verisign obviously thinks everyone is dumber than they are.

Blatant Misdirection on ICANNs Part

[limekiller4]

17 records out of 10 million? This is ICANN "making hay" to look like they're sticking up for the little guy and a blatant public relations move after they went ahead and pushed through WLS despite an overwhelming vote against it by pretty much everyone ...except for the gTLDs (ie, .COM and .NET, which, amazingly enough, Verisign controls.).

ICANN is so in bed with Verisign it's not even funny. This is a nudge-nudge wink-wink arrangement between them so ICANN can look like they're doing their job and Verisign takes a black eye that nobody will remember in a year so that WLS happens.

Do not be fooled.

Bad whois info

[terrymr]

Wasn't there a case recently where an arbitrator based his decision in part on bad whois info for the domain (I believe it was a .biz so it didn't involve verisign). But this is an important reason why the whois must be accurate.

Did Versign just turn off DNS for Slashdot??

Anyway, there's a piece about how a large portion of Versign's problems are actually because of their Microsoft IIS servers.

Though not any excuse, it details how they're a little lost with the 10.7 million-entry database.

Interesting Read. Anyone else have any ideas how to deal with such a large amount of data?

What is the TRUE motivation for this?

[loggia]

What is ICANN's true motivation for this?

Read: which of their cronies are miffed that Verisign does not have this data updated properly?

We all know ICANN does not actually *care* about this.

Breach of Contract

[spacefrog]

what law is it breaking to have incorrect data?

Breach of Contract.

When a registrar signs up with ICANN, they sign a binding contract. Whether or not you agree with the contract, it is a binding contract. Below is an excerpt:

3.7.7.1 The Registered Name Holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder; name of authorized person for contact purposes in the case of an Registered Name Holder that is an organization, association, or corporation; and the data elements listed in Subsections 3.3.1.2, 3.3.1.7 and 3.3.1.8.

source

Re:Breach of Contract

Also in the agreement:

With respect to all matters that impact the rights, obligations, or role of Registrar, ICANN shall during the Term of this Agreement not apply standards, policies, procedures or practices arbitrarily, unjustifiably, or inequitably and not single out Registrar for disparate treatment unless justified by substantial and reasonable cause.

So it looks to me like ICANN needs to show that NetSol's records are somehow worse than all the other Registrars.

The /. effect strikes again!

[Lucky+Kevin]

Even the whois database is timing out now. I'd like to list all the whois data here in the traditional slashdot manner but I think that it may be a little too large :-)

Verisign's REAL problem

[mrnick]

The problem that ICANN is opting to ignore is Verisign's blaten anti-trust policies. For example, if you have a domain registered with another registrar.. i.e. Tucows and you want to add a new DNS server to that domain and make that change at Tucows then it will take 24 to 72 hours to update at all registrars in the world, except for Verisign. They maintain the global database and it does get updated but if someone has a domain registered with Verisign it will take at least a week of harsh over the phone negotiations with them to get them to add it to thier local database. It's obviously an attempt to discredit other registrars and it's just not fair.

Nick Powers

Re:17 out of 10.7M - 30K out of 10.7M, if not more

[AndroidCat]

As I said in a post above "Lying with statistics" (didn't realize that I was drilled in a level, d'oh!), there's no indication of how large ICANN's sample was to get 17 bad ones.

So did ICANN sample 10.3M or 32 to get 17 bad ones?

Re:17 out of 10.7M - 30K out of 10.7M, if not more

[raju1kabir]

That was a quote from a Verisign Exec. There's at least tens of thousands with bad data.

I'd guess far more than that. Pretty much every time I go to look up a domain, it's got bad info. Of course, the only reason I look up domains is when I'm annoyed at the spam they've left in my inbox or the attack attempts they've left in my logs.

So I dunno about the converse, but bad internet citizenship seems to be an excellent predictor of bad contact info.

Verisign showing incompetence?

[angst_ridden_hipster]

I'm shocked -- shocked to learn that Verisign is permitting bogus data.

(I'd be more shocked if I were to learn that someone there knew the difference between good data and bad)

did /. make verisign mad?

[edrugtrader]

looks like they totally fucked up the site!

Cheap registration -- you're paying for it.

[fm6]

If I register floobydust.com, and I fill in a contact email that becomes invalid three days after I go live, is that Verisign's fault?

You're forgetting that domain owners are also supposed to give physical addresses. Of course spammers (and shy people) give a bogus address. Apparently some registrars check that the address actually exists, but that's not really useful if they don't verify that the registree receives mail there. Doing that would add a couple bucks to the cost of registering a domain -- but does the world really need ten-buck registration services?

Once, on some weird whim, I tracked down and contacted the person registered as owner of a spam domain. Turned out to be an elderly lady who didn't even own a computer! Obviously the real owner got her name and address out of a phone book. I reported this to the registrar, Verisign, and got back a form email about jerking domains not having any effect on spam. No comment on the fact that they had helped perpetrate a fraud!

The best of both worlds... at register.com.

At register.com, they let you setup billing address info for your account that they use to contact you, privately. It's SEPARATE from the information actually showing in the public WHOIS database.

View the WHOIS record for my domain, winzig.com.

Truly, this is not my contact information:

123 No Spam Ave.
No Spam, CA 90210 US
Phone: 800-555-1212
Email: spam-me-not@winzig.com

However, if I was a spammer, or breaking the law on my website, the feds could still contact me if they are able to subpoena register.com for my billing info. And register.com can still send me reminders for domain renewals, which is all I care about anyway.

Law?

[mindstrm]

It's not breaking a law. It's breaking a contract.

The agreement that ALLOWS Verisign to be a registrar requires that they provide accurate information in the whois database for all contacts.
They are required to verify said information upon registration, and to correct errors promptly when they are found.

In other words, you cannot 'anonymously' register a domain.

Privacy? If you want privacy, don't go to the trouble of having your own domain, that's pretty simple. That's like saying you want to get a business license and open a shop in your town, but you don't want anyone to know where you live or who you are.. well guess what, your business license and said filings are a matter of public record, and anyone can go see them.

This is not dissimilar.

Re:Law?

Privacy? If you want privacy, don't go to the trouble of having your own domain, that's pretty simple. That's like saying you want to get a business license and open a shop in your town, but you don't want anyone to know where you live or who you are..

No it's not.

changing registrars

[phriedom]

I had the same problem getting VeriSign to change a domain host, they ignored faxes, etc. I finally got it moved, but was tired of the BS from VS. So I tried to move to a new registrar, GoDaddy to be exact, and got a "the current registrar has denied your transfer request." GoDaddy says there is nothing they can do about it and that I must take up the issue with VeriSign. I am of course seething mad. I am paid up. I am in compliance with their entire Service Agreement. The link in the Service Agreement that refers to changing registrars leads to a Procedure for changing restrants, not registrars. VeriSign ignored my first Help request. I just tried again and got the form email that says they will get back to me in 24hours. I'm hoping I don't have to send a certified letter to their legal department. Anyone have any advice out there?

Re:changing registrars

[stompro]

Do you still have access to the admin email account. If not then that might be your problem, you might have to jump through the hoops to get them to change the registration info.
The transfer went pretty smoothly for me. I filled out the domainmonger forms, then I recieved a message from verisign/network solutions asking me to confirm(sent to the old admin email), I replied to that and got a confirmation, and that was it. It is funny how verisign begs you not to leave in the transfer messages. They even mention how great their support is, that was very entertaining.
What really pissed me off is that I did have access to the admin email for the domain, but they also have a extra security question that you have to know. I had no way of finding out what the origional guy had set for his mothers maiden name or his date of birth.

Re:changing registrars

[phriedom]

Yes, I still use the admin email account, but I didn't receive any authorization check email from VS, they just denied the request.

Re:changing registrars

[stompro]

Hmm, that is strange.
I noticed something when I did my transfer, the transfer was not done between domainmonger and verisign, it was done between tucows and verisign. I think that tucows handles stuff like that for many smaller domain registrars. It could be that tucows is large enough to have a trusting relationship with verisign, where as some of the other small domain registrars try to go it alone and have a harder time.

Hopefully someone who knows more about how it all works will chime in, but I doubt it, I think this story is dead now. You might want to give domainmonger a try, or did you, I can't remember, to lazy to check your other post now too :)

greedy marketing

[stock]

a real sign of greedy marketing: "VeriSign DNS in Trouble" ..
In the oll days (internic , networksolutions) one had to roll its own DNS servers, today by default a verisign domain can only be started using VeriSign's own DNS servers. After that a tiresome DNS server move has to be done to your own DNS servers.

It smells like most people forget that last step, and after a while verisign has overloaded DNS servers. Anyone who has info on what type DNS servers Verisign is using?

Robert

THANK GOD

[windex]

I just got a domain back NSI had been holding for 3 years. ITS MINE NOW! MINE!

nsihorrorstories.com

[mieses]

this site is a testament to their quality of service.

They raped the database doing an upgrade

[swb]

They went through a process of changing Versign domain holders over to their new, improved system of authentication. On paper (or in my head) it was supposed to have been a question of assingning usernames and passwords and transparently changing the auth method.

What they actually DID do was rape the whole WHOIS database for lots of domains, changing zone contacts, technical contacts and in some cases administrative contacts to NO.VALID.EMAIL@blahblah, in many cases before or without EVER sending the stupid letters explaining what happened.

It was a TOTAL FUCKAROUND to get it fixed when it happened, especially when you got no information about specific domains (usernames, passwords).

I even had supervisors at Verisign tell me to make up my own letterhead and fax in changes for domains. They said all they looked for was info that looked vaguely professional. I eventually made a template in word that I faxed in when I pasted in new "logos" I ripped off from google.

They can suck it up!

[JebusIsLord]

They can suck it up. The WHOIS is there for a reason - you don't need to list a personal email address there but you should be obligated to have a contact address of some sort.

Re:They can suck it up!

You have it backwards. You MUST have a valid email address there in case the servers that you're responsible for go haywire, you SHOULD have a phone number for the same reason, but there's no legitimate reason to require anybody's physical address.

Re:They can suck it up!

[JebusIsLord]

No i just ment you don't need to list a PERSONAL email, just an admin@ address. I dont think you have to fill out the physical address, thats optional AFAIK.

How I became a porn king without even trying.

[stonewolf]

VeriSign made a data entry error and listed my nic handle, something like, SW123 as the technical contact for a porn site. The nic handle of the real technical contact for the site was something like SW1234. They just dropped the last digit. I found out about the problem when angry customers of the porn site started contacting me. A couple threatened to sue me. I contacted VeriSign and asked them to correct the error. They refused. I explained the problem, they couldn't care less. I contacted the actual web site owner, in Australia, I live in the US, he never responded.

I found that I was on many porn dealer mailing lists. I contacted VeriSign. I started getting promotional offers for disks of barn yard porn. Both VeriSign and the owner of the site refused to reply to my emails. When I called VeriSign they told me to stop bothering them. They refused to take any action.

Eventually the owner tried to change the DNS server for the site, as technical contact I blocked it. They tried again, I blocked it. They tried to change the technical contact. I let them!

I was listed as technical contact for that site for more than 4 years. VeriSign refused to do anything. I was never able to contact the actual owners of the site. I contacted VeriSign by email and by phone repeatedly. They refused to do anything.

My name and my home address are still listed in directories of porn site operators.

I would like to see the President of VeriSign draw and quartered. I hate those guys. Putting them out of business is the least that should be done to them. They are sick sick sick bastards.

Stonewolf

Re:How I became a porn king without even trying.

When I called VeriSign they told me to stop bothering them.
Wait, you actually got someone from Verisign on the phone? How did you pull that off? Every time I called Network Solutions, I got a recording telling me how important my call was to them, and then it disconnected me after leaving me on hold for a few seconds.

Re:How I became a porn king without even trying.

[rthille]

The first thing you should have done as Technical Contact for the porn site is to point at a web page that kept the porn sight from making money. They would have fixed the problem in a day, two at most.

Re:How I became a porn king without even trying.

[stonewolf]

I considered doing exactly what you suggested. I looked into the law covering such an action and realized that I could be prosecuted for doing it.Unauthorized access to a computer system and unauthorized modification of data are illegal.

Yes, they left the door open, but that doesn't give me the legal right to go through the door.

Stonewolf

Re:How I became a porn king without even trying.

[nutznboltz]

Eventually the owner tried to change the DNS server for the site, as technical contact I blocked it. They tried again, I blocked it. They tried to change the technical contact. I let them!

I looked into the law covering such an action and realized that I could be prosecuted for doing it. Unauthorized access to a computer system and unauthorized modification of data are illegal.

Uh, in what way was blocking their modifications not unauthorized access to a computer system?

Re:How I became a porn king without even trying.

[stonewolf]

Good point, I was worried about the legal side of blocking the change of their DNS.

The difference is that *I* didn't initiate the transaction. I just recieved an email asking me to authorize a change. Refusing to authorize the change kept things the same, so I wasn't changing anything. So, in fact blocking the change was what I was required by law to do. And, each time I blocked the change I sent email to both VeriSign and the site owner telling them that I was blocking the change because I wasn't authorized to approve the change because I wasn't the technical contact for the site.

OTOH, helping them correct a typo, at their request, could not be considered unauthorized access. After all, they sent me email asking me to make the change.

Anyway, the only way I could get them to fix the database was to block the change. I could have sued them for damage to my reputation, I could STILL sue them. But, this was easier.

Stonewolf

ObPlug

[Simon+Garlick]

www.easydns.com

No bullshit, great service.

Yeah...like this would happen

[Sabalon]

About as likely to happen as uunet kicking Ziff-Davis off for violation of their anti-spam policy when they kept sending me all the comdex crap a few years ago and I complained.

Big money/companies like this get a whole other set of rules to play by. Probably a PR step to make ICANN look like heroes.

Distraction

[ziegast]

This is ICANN doing something to help justify their existance when they normally do a whole lot of nothing. Politically, Verisign can make the appropriate changes to calm the waters, but I doubt ICANN would have the ability to enforce anything on Verisign. In a legal pissing match, Verisign has more money and probably more influence than ICANN.

In the meantime, I get "renew your licences or else" spam from the BSA and Microsoft using the information from my outdated and expired Verisign WHOIS record. Knowing this, I really wish I could unpublish my WHOIS data for my domain. Perhaps there's an appropriate need for privacy which the people behind these improperly-registered domains are fighting.

-ez

Place your banner here, just $1000.

Click here to report bad domain info

[Animats]

Click here to report bad domain info in .com, .net, or .org. This is ICANN's form, and there is a tracking system, so you can watch nothing happen in real time.

I've been reporting some big-name spamvertized sites that hide behind phony domain registrations, and I encourage others to do so.

re: your sig

[mumkin]

bukra fil mish mish

tomorrow in apricots??

15 days ain't enough...

Verisign has given me about 15 days to renew my registration of domain.

Not gonna happen.

Hello gandi.net

then you are too late... 30 days mininum

Alternative?

What IS the alternative?

Call me n00b, Mod me less than 0. take my little remaing Karma, just don't /. my website..

"namezero"

[jonathanbearak]

"17. namezero.com: On 29 July 2002, we notified you that VeriSign Registrar's Whois data for namezero.com (a domain sponsored in the registry by VeriSign Registrar) was inaccurate. The phone number is listed as "111-111-1111".) We asked you to investigate and correct this inaccurate information pursuant to RAA 3.7.8. It has been over thirty days and the data still has not been corrected."

something's wrong when a company that actually registers domain names uses bs whois data.

the issue isn't incorrect whois data. if i register a domain and provide fake data who cares. but if i use it for email or something related to business, and the data's bogus, i've broken laws written a long time before we had dns.

just incorrect data?

It's not just that a lot of domain names seem to have incorrect data: the whole VeriSign monster is one of the worst registrars one can dream of: you need to fill in papers and wait months to change domain ownership (unless you pay, of course), but my ISP could "steal" me my domain in two days, just sending an email to VS. And what about updating nameserver data for the 3 or 4 last domains I haven't yet moved to another registrar? You can't use the old email authentication procedure because they have been migrated to the new account system. wow... but they forgot to send us passwords, so our domains are pretty stuck with their old DNS info. Unless, of course, faxing authorization requests, and waiting, and waiting.
While most other registrars let you see DNS changes in seconds...
And maybe you get half the VS' prices...

Wonder why I bookmarked the Internic Registrar Problem Reports page?

I hope they go under

[Nemith]

Then maybe they'll quit sending me letters saying that my 2 month old domains are going to expire (who i registered with someone) else!)

Bastards!

Why do we need addresses/phone #'s anyway?

So, um, why do we need three distinct, publicly available methods of contact? I would have no real problem with providing my real address and phone number to a registrar if they were kept secret (Verisign's faults notwithstanding), but the rest of the world has no need for that information with the ubiquity of E-mail, and as someone else pointed out, providing your real address or phone number can lead to real-life security problems. It seems to me that keeping that information in the public database is a relic of the old days of DNS when it was actually needed, and isn't at all appropriate or desirable any more; if nothing else, it encourages the "vigilante" mindset that the Internet really needs to grow out of.

I hope they close the doors on Verisign

[fishman]

Since Verisign "stole" the domain business off NetworkSolutions, I had nothing but trouble. At my previous job, they registered one of primary DNS servers incorrectly. And because of that, we couldn't set up any of our sites to point to our it! After about 10 emails with automated responses, I gave up.

That was about 12 months ago, I'm still not sure if it has been resolved.

Re:I hope they close the doors on Verisign

[vidarh]

"Stole" as in "bought the company"? That's a quite interesting definition...

Re:I hope they close the doors on Verisign

[acceleriter]

That's no more bogus than "stole" as in "infringed copyright." If we're going to be flexible with the lexicon, why not go whole hog?

Re:I hope they close the doors on Verisign

[fishman]

I think I was being sarcastic. For months I typed http://www.networksolutions.com... and then all the sudden one day I was taken to VeriSign?

What RFC?

[phr2]

What RFC says that domains need valid WHOIS info? That's especially for the snail addresses and phone numbers, though I don't remember any requirement of any WHOIS info at all. Tonga (.to), for example, refuses to run a WHOIS server. ICANN isn't happy but Tonga has stood its ground. If you want the contact info for a .to domain, you have to file a subpoena for it. They consider user privacy more important than the wishes of spammers. Good on 'em, I say.

Still no need for public WHOIS

[phr2]

There's no reason public WHOIS info is needed. You could have private contact info just like you can have unlisted phone numbers. The Tonga (.to) NIC keeps user contact info confidential and doesn't run a WhOIS. However, if you need to take action against a .to domain holder, you can get the info from the registrar by serving a properly issued subpoena from a court having jurisdiction (Tonga's DNS is in California, so you can use either a Tongan court or a California court).

Why do you need any more "accountability" than that? If you want to take legal action against someone, you have to go to court. If you don't want to go to court, what you want the address for is extralegal action, such as spamming or stalking. There's no reason any registrar should assist in anything like that.

Re:Still no need for public WHOIS

[raju1kabir]

Why do you need any more "accountability" than that? If you want to take legal action against someone, you have to go to court. If you don't want to go to court, what you want the address for is extralegal action, such as spamming or stalking. There's no reason any registrar should assist in anything like that.

There's a whole wide world between sitting on your thumbs and filing suit.

Perhaps you just want to contact them to discuss something (a settlement, strange packets coming out of their network, what have you - and yes I know, Verisign has nothing to do with IP assignment but I'm discussing the principle here). That's what the judge is going to tell you to do anyway.

Perhaps you'd like to know where they're located so you can assess the feasibility of legal action before going to the expense.

If the only resort is the last resort, then every disagreement has to be settled with nuclear weapons. That's one hell of a way to run a circus.

Re:Still no need for public WHOIS

[phr2]

Perhaps you just want to contact them to discuss something (a settlement, strange packets coming out of their network, what have you - and yes I know, Verisign has nothing to do with IP assignment but I'm discussing the principle here).

You don't need their physical address for that. Just send email to postmaster@(the domain name), per the internet standard. Or if there's a web site at the domain name, use whatever contact info is provided there (email address, web form, etc.). Or the registrar itself could forward messages for you after collecting a small fee (the fee would keep spammers away). If the domain holder doesn't respond, they probably don't want to hear from you and even having the WHOIS info won't get you anywhere without a lawsuit, so there's no point in the registrar giving it to you.

A computer on the internet is not really different than a fancy telephone on the phone network. Phone companies have supported unlisted numbers for as long as phones have existed, and it isn't that big a deal.

Perhaps you'd like to know where they're located so you can assess the feasibility of legal action before going to the expense.

The way that works is you file against a John Doe in some court having jurisdiction over the registrar, then subpoena the domain holder's info. That involves submitting some forms to the court and paying a small filing fee. It's not like starting a DoJ vs. Microsoft case with thousands of lawyers.

One important aspect of this is the domain holder now knows who YOU are and that you're trying to obtain their info. That's different from WHOIS, where you can get people's info without their being informed. But there's no reason to support that kind of stalking feature. If you want someone else's info, you should be willing to supply your own info to them. You got a problem with that?

Re:Still no need for public WHOIS

[raju1kabir]

The way that works is you file against a John Doe in some court having jurisdiction over the registrar, then subpoena the domain holder's info. That involves submitting some forms to the court and paying a small filing fee. It's not like starting a DoJ vs. Microsoft case with thousands of lawyers.

To file in a remote jurisdiction takes either time (to research the procedure) or money (to hire a law firm to do it for you). Thousands of lawyers? Probably not. But that's what we in the bickering business call a straw man.

One important aspect of this is the domain holder now knows who YOU are and that you're trying to obtain their info. That's different from WHOIS, where you can get people's info without their being informed. But there's no reason to support that kind of stalking feature. If you want someone else's info, you should be willing to supply your own info to them. You got a problem with that?

That is already arbitrated by existing systems. Someone sends you an envelope, they can put a return address on it, or not. If it's a bogus or unsupplied address, you can throw the envelope away. Likewise with phone calls. No need to get the courts involved.

There are hundreds of ways to get people's addresses, from calling the DMV to following them home. All legal. Your accessibility to the outside world is a byproduct of your choice to live in society. If you don't like it, there are still plenty of openings in the hermit industry.

Sure you weren't trying

Solicitations for barnyard exploits, trying to "get off" porn spam lists. Uh huh, sure you weren't trying to be porn king, just some hapless user with nic id SW123 . . .

;)

This isn't their only problem!

[libertynews]

I have tried for months (and months) to get the host record for nexuscomputing.com removed. I have completed all the forms, called them (been told it will be removed immediatly, that it had been given a top priority), etc. Needless to say, the host record still points to the wrong damn IP address.

I also recently transferred my wife's busybride.com domain away from them, using joker.com and Verisign is now telling me that it is up for renewal. But if you check the whois information it is obviously registered with joker.com!

(No, I didn't register it with Verisign, the previous owner did and after buying it I also discovered Verisign's other scam, holding domains hostage after a sale and refusing to transfer them for 60 days).

Feh! A pox on their house.

Why should personal details be exposed?

[scott-thomason]

As a sysadmin, I know how useful it is to simply look up WHOIS info to help resolve domain issues. However, I think there's lots to be said for privacy, too:

I operate a hobby domain. I have no contact info on the website. Once, someone took offense to something I said, and called me late on a Sunday night threatening legal action. I immediately nullified all my WHOIS info, except email addresses, to prevent that from happening again. From now on, if they want to complain, they can do so via email, and if things get really serious, they can find my physical address by subpoenaing the information from my ISP.
---scott

Re: your sig

[angst_ridden_hipster]

tomorrow in apricots??

It's idiom, with a meaning kinda like "manana" (Slashdot won't let me put the tilde over that first n) in Spanish. I guess the closest English equivalent would be "someday..."

I'd have to agree on this.

[Devil]

While its a good thing (better records mean a better Net), it seems to me like ICANN is trying to blow smoke up our poopers to make us think that they actually do anything worth having them around for.

Re:17 out of 10.7M - tip of the iceberg

That's 17 where they have repeatedly ignored complaints. Nobody is saying how many they've already corrected. Nobody is saying how many other bad records there may be, but I suspect that it's more likely to be thousands than dozens.

Yes, this is entirely Verisign's fault

What you're missing is that those are records where they repeatedly ignored complaints that
the whois contact data were incorrect. The contract with ICANN doesn't require them to
verify all of the records, but it does require them to act once the errors are brought to light.