VeriSign DNS in Trouble

hesiod writes "Over at CNet News, there is an article reporting that VeriSign may lose their ability to sell domains. Evidently, ICANN is miffed because VS's WHOIS database has incorrect information. Not exactly news to most of us, but they have been given 15 days to fix the errors, or risk losing the ability to sell domains."

Oh my ...

[RinkSpringer]

I wonder if this includes their right to sell SSL certificates too... it's probably an entirely different matter, but still... if they can't handle domains, why should they be able to handle SSL certificates?

Re:Oh my ...

[timeOday]

AFAIK, the "authority" behind a Verisign SSL certificates is... Verisign itself. So the question raised is not whether Verisign can continue to sign certificates, but whether anybody should trust Verisign's assurance that company X is legit.

Re:Oh my ...

[Matty_]

There is no governing body which says who can or can not issue SSL certificates. It pretty much comes down to whether the browsers are aware of the certificate authority.

Re:Oh my ...

[sideone]

bout time.. for what vs charges for a cert, i for one am glad; they are finally getting what is coming to them.

sideone ITBitch.com - Your reason for leaving work!

Re:Oh my ...

[kasperd]

whether anybody should trust Verisign's assurance

The answer to this question is mostly decided by browsers. Most browsers contains a default list of trusted certificate authorities. The user can change this list, but very few users does.

Re:Oh my ...

[Conare]

but whether anybody should trust Verisign's assurance that company X is legit
Good Question

Re:Yeah

[blochsound]

Have they actually abused their power? Or is this just politics?

VeriSign business plan

1. Mess with WHOIS database
2. ?
3. Profit

Re:VeriSign business plan

[cyranose]

4. Pretend expired domains are not expired by filling in false owner information.
5. Profit more.

Re:VeriSign business plan

[strredwolf]

1. Mess w/WHOIS database
2. Spam 'em all
3. Profit

Verisign andgry at ICANN ...

[Hayzeus]

ICANN angry at Verisign. Who's gonna get all pissy next? Satan?

Screw ICANN

[anthony_dipierro]

Pay for my P.O. Box and I'll update my contact information. I'm not giving people my home address.

Re:Screw ICANN

Say "Good Bye!" to your domain(s) then, skippy! I need to go and submit your domain to rfc-ignorant.org

Re:Screw ICANN

[Alrescha]

"Pay for my P.O. Box and I'll update my contact information. I'm not giving people my home address."

Why did you say this? Where does it say that a P.O. Box is problematic?

A.

Re:Screw ICANN

[Software]

He doesn't HAVE a PO box. According to Verisign's policies, he has to list an address. He can either list his home address (which he doesn't want to do) or get a PO box. He doesn't want to do either.

Re:Screw ICANN

[(startx)]

he's saying the only way he'll put in accurate info is if that info is a P.O. Box, which costs money. He doesn't want to list his home address for obvious reasons.

Re:Screw ICANN

[anthony_dipierro]

I don't use Verisign.

Re:Screw ICANN

[Alrescha]

"he's saying the only way he'll put in accurate info is if that info is a P.O. Box, which costs money. He doesn't want to list his home address for obvious reasons."

Thank you, I didn't twig to that. On the other hand, I must point out that if the poster doesn't already *have* a P.O. Box (or the equivalent) that game has already been lost.

A.

Who has had a P.O. Box all of his adult life.

Re:Screw ICANN

[anthony_dipierro]

On the other hand, I must point out that if the poster doesn't already *have* a P.O. Box (or the equivalent) that game has already been lost.

What game is that? Yes, it's possible to track down my address from my domain name, but it's sufficiently difficult to stop most people.

Re:Screw ICANN

[Alrescha]

"What game is that?"

Well, the previous poster claimed 'obvious reasons'. I interpreted that to mean 'wants to keep physical address more or less private'. You may or may not actually feel that way. I was also thinking more generally than just domain names. If you don't use a P.O. Box, your real address appears in far too many places to consider it private.

A.

-100 Offtopic

Re:Screw ICANN

[anthony_dipierro]

Well, the previous poster claimed 'obvious reasons'. I interpreted that to mean 'wants to keep physical address more or less private'.

Well, mainly I just don't want someone getting pissed at something I write on my website or on slashdot showing up at my doorstep. Yes, it's still possible, so maybe I'm just being overly paranoid.

If you don't use a P.O. Box, your real address appears in far too many places to consider it private.

Perhaps. At the moment I just moved 4 days ago, so pretty much no one who doesn't know me personally has my real address. And if I could lie completely about my address, instead of putting an old address, it would be pretty much impossible to figure out which "Anthony DiPierro" I happen to be. The phone number is real, but it's an efax number, so unless you have a subpeona, you're not going to get my identity from it.

Re:Screw ICANN

[raju1kabir]

He doesn't want to list his home address for obvious reasons.

What are those obvious reasons? I've listed my home address for all my domains for many years, and the only consequence of note is that I get about 1 ad for hosting services per month.

Use your office, your school, your parents' house, find a sympathetic non-profit to take your mail... take some responsibility or stay home and leave the internet alone.

Re:Screw ICANN

[13013dobbs]

I think someone thinks a bit *too* highly of themselves. ;)

Re:Screw ICANN

[anthony_dipierro]

What's your home address?

Re:Screw ICANN

[raju1kabir]

What's your home address?

If anything I do using my domain names annoys or intrigues you, I cheerfully encourage you to use whois to find out. Call before coming to my house and I'll even bake cookies.

Re:Screw ICANN

[anthony_dipierro]

What's wrong? You don't want every slashdotter knowing your address? Maybe you see why I feel the same way? Somehow I doubt it.

Re:Screw ICANN

[raju1kabir]

What's wrong? You don't want every slashdotter knowing your address? Maybe you see why I feel the same way? Somehow I doubt it.

You're quite correct; I do not follow your logic (or rather, I do, but I think it might be a bit simplistic).

The potential for mischief is very well controlled within the Slashdot milieux, and the site's purpose is limited to discussion. Both of these make anonymity appropriate and useful, with no significant drawbacks.

The same cannot be said for participation in the world at large. Sometimes anonymity is good, other times it is not. When it comes to interconnection with a shared resource, accountability is essential. That doesn't mean that people shouldn't have the means to send anonymous emails, or to use anonymizing proxies to surf the web. However, there is - as always - a need for balance.

Re:Screw ICANN

[bamf]

rfc-ignorant.org?

The wonderful people who decided to list *.uk because the UK domain registrar doesn't give addresses in their whois output.

All because this violates the "spirit" of RFC954.

Note that it doesn't actually violate the RFC, just the "spirit" of the RFC. Useless feckers.

Although to be fair, I don't want to actually deal with any sites stupid enough to want to reject my mail because of this.

Re:Screw ICANN

[aonaran]

...besides, RFC != law
RFC = Request for Comments
Yes, that's right RFC = proposal.

I think too many people in the industry forget that RFCs are proposals. It would be nice if the whole world followed the same basic set of rules for internet communication, which is what RFCs are born of, but the worst that can happen to you if you don't follow the suggestions in a given RFC is certain companies/individuals who would like you to will refuse to deal with you.

This may mean finding a new registrar, or ISP or whatever... it's the AUPs of your various service providers that you really need to worry about, THOSE are the real laws of the net.

Re:Screw ICANN

[anthony_dipierro]

What's wrong? You don't want every slashdotter knowing your address? Maybe you see why I feel the same way? Somehow I doubt it.

You're quite correct; I do not follow your logic (or rather, I do, but I think it might be a bit simplistic).

Yes, it is simplistic. You don't want every slashdotter knowing your address. I don't want every slashdotter knowing my address. That's my "obvious reason" for not wanting to put my address in my whois data.

You seem to instead focus on justifications. But justifications don't change my desire for anonymity. Yes, if I get forced to put up my address, I will. Actually more likely I'll go ahead and buy a P.O. Box. I was considering it anyway. Or maybe I'll buy from one of the many places that let me buy a domain name anonymously. Actually after reading this article I'm thinking about starting one.

The same cannot be said for participation in the world at large.

We're not talking about the world at large, we're talking about a domain name.

Sometimes anonymity is good, other times it is not. When it comes to interconnection with a shared resource, accountability is essential.

Again, we're not talking about interconnection with a shared resource, we're talking about a domain name.

That doesn't mean that people shouldn't have the means to send anonymous emails, or to use anonymizing proxies to surf the web. However, there is - as always - a need for balance.

Yep, and putting my address on the internet for any idiot to see just because I buy a domain name exceeds that balance.

The internet isn't the real world. It's about time people start realizing that.

17 out of 10.7M

[RebelTycoon]

that ain't bad... give them a break...

If the IRS was this accurate then taxes would be a lot less since all those slipping through the system would be caught...

Re:17 out of 10.7M

[KC7GR]

It's a lot more than that. I've lost count of how many spammer domains I've tried to trace, only to be stopped cold by bogus registration info that, despite such being clearly prohibited by NetSol's terms of service, they never do anything about.

I used to think ICANN wasn't good for anything more than demonstrating how political infighting and empire-building quickly take the place of serving the common interests (of the Internet's users). Now, though, I find myself actually amazed that they're doing something right.

The proof will be in the next whois lookup I do...

Calls?

[ackthpt]

My info is out of date, it's got an old address. Mysterious messages about updating account information have been left on my answering machine.

I wondered who that was... Anyone else get called by them?

Re:Calls?

[Neon+Spiral+Injector]

No, but I just registered a domain with godaddy.com last week, and got a post card from Versign today saying I can transfer domains to them for $15, and get a 1 year extension.

Funny I've been considering transfering my 3 domains from Verisign to Go Daddy for half that. That postcard sold me, I will now.

Re:Calls?

[drsoran]

No, but I just registered a domain with godaddy.com last week, and got a post card from Versign today saying I can transfer domains to them for $15, and get a 1 year extension.

Funny I've been considering transfering my 3 domains from Verisign to Go Daddy for half that. That postcard sold me, I will now.

Everyone using Verisign should take this opportunity to switch! The only reason anyone would use Verisign as their registrar anymore is laziness. We've all been bitching and moaning about how much Network Solutions sucked since before they even started charging for domains but we have a choice now. I would recommend GoDaddy as well. $8.95/year for a domain name and they have a decent web interface for administration. I can register a domain for 4 years for what Network Solutions was charging for 1 year! :-) Talk about rape.

Surprised?

[VisualStim]

Ok, everyone who has a domain registered through VeriSign, please rasie you hand ... for shame ... you are all sentenced to 100 MetaModerations a day for a month. Now get to it!

Re:Surprised?

[gmhowell]

Blah, blah, blah. They were the only game in town first time. Second time was inertia. This time, so long Verisign.

Re:Surprised?

[Sabalon]

Who here had their boss decide to register two domains before anyone else took them (not that they would want them) and decide instead of talking to the local DNS person, register them with Verisign and decide to use the halfpricehosting.com Verisign partner.

What a pain in the ass to get them moved to us.

How significant...

[nairnr]

Will there be a more in depth search of the records? It seems to me that 17 records is not a lot for a major site. The address look perfectly legit - They happen to be some of the addresses I give for online forms :-)

I think the real question now is does Verisign drop the domains that don't have legit info to satisfy this complaint. It is a good resource for tracking down abusers and other complaints. I have used it a number of times to track down contact info of providers of people who have attempted to crack my system...

PR Stooging

[alexmogil]

"Out of 10.3 million records, they pulled out 17 of these that have inaccurate data on it," said VeriSign spokesman Brian O'Shaughnessy. "That doesn't diminish the fact that VeriSign sees this as an important issue, but 17 names out of 10.3 million would hardly be considered a pattern."

I'm sorry, but my rebuttal is: "HAHAHAHAHAHAHAHAHAHAHAH!"

Only Seventeen?! I'd wager 15% of the domains on there are pointed to the phone number 123-456-7890 at the address of 123 Main Street. I'd call that the beginning of a pattern. Buncha jerks.

Re:PR Stooging

[H1r0Pr0tag0n1st]

I would say that a bigger issue than this, and the real reason that Verisign should lose the ability to sell domains, is thier incredibly un-ethical marketing practices. You know the Renew with verisign spam even though you didnt enroll with then in the first place...

Re:PR Stooging

[kiwimate]

I would say that a bigger issue than this, and the real reason that Verisign should lose the ability to sell domains, is thier incredibly un-ethical marketing practices. You know the Renew with verisign spam even though you didnt enroll with then in the first place...

Only problem is that if such a rule was enforced across the board there'd be hardly any registrars left anymore. Verisign, abominable as they may be, are most certainly not the only culprits of this practise in the registrar world.

Re:PR Stooging

[Suppafly]

"Out of 10.3 million records, they pulled out 17 of these that have inaccurate data on it,"

Yeh, but it was probably the first 17.. and I believe the problem isn't people giving them incorrect information, but rather them failing to update peoples information on request.

Re:PR Stooging

[Fulcrum+of+Evil]

Verisign, abominable as they may be, are most certainly not the only culprits of this practise in the registrar world.

They are, however, so legendary for their horrid service and incompetence that they had to change their name.

Re:PR Stooging

[Brendan+Byrd]

If this was the case, why could have ICANN just piled on these massive amounts of cases? I'm sure it wouldn't be that hard to do the following commands:

cat WHOIS-Database | grep -AB 10 "123-456-7890"
cat WHOIS-Database | grep -AB 10 "123 Main Street"
cat WHOIS-Database | grep -AB 10 "555-555-5555"
cat WHOIS-Database | grep -AB 10 "-555-"

Re:Yeah

[javahacker]

They didn't abuse their power, at least that's not what has them in trouble with ICANN. They aren't doing their job, part of which is maintaining a connection between the domain name and the domain name's owner.

The abuse of their position and power is an entirely different matter, although it also is a way they are not doing their job properly. Because they haven't tracked the ownership of some domains properly, they are unable to transfer them to another domain registrar. Convenient for them because they get to keep charging the domain owner, but bad because they are getting called out by ICANN on it. Of course there is the matter of the pot (ICANN) calling the kettle black.

This isn't entirely Verisign's fault

[wowbagger]

True, bogus WHOIS data makes it very hard to track down spamm^H^H^H^H^Htroublemakers on the 'Net, but is this really Verisign's fault?

If I register floobydust.com, and I fill in a contact email that becomes invalid three days after I go live, is that Verisign's fault? What should they do, spam everybody in their WHOIS and purge the bounces?

I can think of lots of reasons to yank Verislime's ability to sell domains, but I'm not sure this is one of them.

Re:This isn't entirely Verisign's fault

[garyevesson]

Given Verisign's attempt to invoice me for a domain that is not registered with them, I'd be happy with any excuse to prevent them from selling domain names ever again.

I no longer use them - for certificates or domain name registrations. I transferred everything elsewhere.

Re:This isn't entirely Verisign's fault

[G27+Radio]

On the other hand as customers we shouldn't have to repeatedly ask them to fix inaccuracies and be ignored until we threaten to switch all our domains to another registrar. I ditched VS over a year ago due to some sleezy crap they pulled with a couple of my personal domains when I tried to transfer. Unfortunately I still have to deal with them for customers that didn't know better when they registered either.

Re:This isn't entirely Verisign's fault

[kiltedtaco]

"The last temptation is the greatest treason, doing the right thing for the wrong reason" -- T.S. Elliot

Re:This isn't entirely Verisign's fault

[emc]

Your Registrant should be FORCED to be the name/entity listed on the Credit Card that was used to purchase the domain, and should NOT be alterable.

Re:This isn't entirely Verisign's fault

[emc]

sorry, it should read -
The Registrant Field...

too anxious

Re:This isn't entirely Verisign's fault

[mindstrm]

No... they should not do that.

But when they are contacted and informed that the contact information for a domain that THEY ISSUED is not valid, then they MUST do something about it.
It is their JOB to maintain that information.
ie: Try to contact the domain holder, decide if the registration was fake or not, then axe the domain.

Re:This isn't entirely Verisign's fault

[magicalyak]

I disagree, what are you paying them for. Or more appropriately, what are they receiveing money for. Real names and addresses should go in the database, otherwise, why have it at all? I don't think Spamming everyone in the database is the solution, but confirmation of the addresses would be. What is the cost to register a domian now? Can't they at least verify by a phone call? A phone call to verify would take less than a minute or maybe two(~12/minute) plus pay someone minumum wage to make the calls (I'm guessing this is near 7/hour now). I do not accept any reason why this can't be done without the use of SPAM. If I gave a fake phone number, I'd pull my domain name. Seriously, what are you paying for to register the domain? Maybe I'm bitching but I've had enough of fake email addresses and phone numbers of spammers.

Re:This isn't entirely Verisign's fault

[delta407]

I can think of lots of reasons to yank Verislime's ability to sell domains, but I'm not sure this is one of them.

...so? Are you complaining? Any reason to hurt NSI/Verisign is a good one in my book.

Re:This isn't entirely Verisign's fault

[Drakin]

Not all of use use credit cards to register domains. My first doman was registered prior to my having a credit card, and was paid by money order.

Although, now, it all goes on my credit card... and all goes through godaddy now. simpler, cheaper, and less headaches if I want to change anything.

Re:This isn't entirely Verisign's fault

[Col.+Klink+(retired)]

> [data changes after validation], is that Verisign's fault?

No, but if one registers with an address like "Yellow Brick Road, Kansas" (yorkstreethardware.com), or "000 Blank St., No city, XX 00000" (dundjerski.com), or a phone number like 650-555-1212 (sunnyside.com) or 000-000-0000 (jaxx.net), one could argue that the domain should have never been issued.

Re:This isn't entirely Verisign's fault

[astroboy]

If I register floobydust.com, and I fill in a contact email that becomes invalid three days after I go live, is that Verisign's fault?

Right, except that according to the article:

One customer who registered a domain name using the fictitious name of "Toto" with the fake address of "Yellow Brick Road" in "Oz, Kansas." [...]

ICANN said VeriSign's violations include ignoring repeated requests to correct customer information for Dundjerski.com, in which the administrative contact was, "OOO Blank St., No City, XX 0000" with a phone number of "123-123-1234."

which is a little bit more obvious than an email address change.

Re:This isn't entirely Verisign's fault

[Trekologer]

Actually, yes it is. The information contained about the domain contained in the WHOIS database is very important and the registrar should make sure that the information is valid.

Here's what I think that should be done to make sure that the information is correct... Build in a clause to the registration agreement that the registrar will verify the information periodically and if any of it changes, the registrant is required to supply the changed. Then, the registrar verifies the information by sending an email to the contact addresses that must be replied to within a certain timeframe. If the email bounces or there is no reply, the domain gets suspended (out of the DNS database until the problem is rectified). Start off with checking the address frequently and then less frequently as the address seems to become more perminant.

Re:This isn't entirely Verisign's fault

[tschild]

[...] Then, the registrar verifies the information by sending an email to the contact addresses that must be replied to within a certain timeframe. If the email bounces or there is no reply, the domain gets suspended (out of the DNS database until the problem is rectified). [...]

Fine for avoiding outdated addresses, but it would mean a lot of corporations dropping off the Net every now and then. There have been all those instances of domains put on hold because its owner did no manage to pay a yearly bill in time...

is april 1?

[squarefish]

ok, this and adobe story are just too good to be true.

One record in question..

[molo]

One of the records in question is that for dundjerski.com, in which there is false information for the Administrative Contact:

Dundjerski, Marina (MDE220)
Marina Dundjerski
000 Blank St.
No city, XX 00000
US
123-123-1234

However, on the same record, the "Registrant" field lists an address for the same name as above. If this is the worst that they can come up with, I hardly consider this a big deal.

-molo

That can't be right!

[burgburgburg]

Verisign losing the ability to sell domains would be helpful. There must be some sort of mistake here.

Oh, wait. I know: They'll take it away from Verisign and give it to Microsoft. Okay. That makes sense. Then you'd need a Passport ID to buy a domain.

How convenient

[gmhowell]

Verisign has given me about 15 days to renew my registration of domain.

Not gonna happen.

Hello gandi.net

About time!!

[vonkraken]

I have been trying for 2 weeks now to get my information updated for my 1 (that's single folks) domain. I have gone the through the forms and the calls, but still no love. If it takes the threat of their removal from the Domain Name business, so be it, at least they will get on the ball and get things moving.

OAO,

VonKraken

We are always fixing this one...

[nutznboltz]

# whois Dundjerski.com

Whois Server Version 1.3

[...]

Administrative Contact:
Dundjerski, Marina (MDE220) marina10@EARTHLINK.NET
Marina Dundjerski
000 Blank St.
No city, XX 00000
US
123-123-1234

# date ; whois Dundjerski.com | grep updated
Wed Sep 4 18:12:24 EDT 2002
Database last updated on 4-Sep-2002 18:12:24 EDT.
# date ; whois Dundjerski.com | grep updated
Wed Sep 4 18:12:25 EDT 2002
Database last updated on 4-Sep-2002 18:12:25 EDT.
# date ; whois Dundjerski.com | grep updated
Wed Sep 4 18:12:26 EDT 2002
Database last updated on 4-Sep-2002 18:12:27 EDT.

Re:We are always fixing this one...

[Neon+Spiral+Injector]

You don't want the date that the database was updated, you want the date the domain information was updated:

Updated Date: 15-jan-2002

The letter to verisign!

[joeldg]

http://www.icann.org/correspondence/touton-letter- to-beckwith-03sep02.htm I was howling laughing reading this letter to Verisign

Re:The letter to verisign!

[DoomHaven]

On 21 February 2001, ICANN's Chief Registrar Liaison, Dan Halloran, sent you an e-mail pointing out that the contact details for yorkstreethardware.com were inaccurate. According to VeriSign's Whois data, the domain was registered to "Toto", residing at "the yellow brick road" in "Oz, KS 06750".

Thanks, if only for that quote! I had a good laugh over that one.

SSL operations seperate from DNS operations

[sjanich]

The DNS operations are a completely different thing from the issuing of SSl certifications. So, there is no fear in that going away.

i'm forgetting again

[gsfprez]

what law is it breaking to have incorrect data?

in fact, i have incorrect data because i and my wife were being stalked - and the WHOIS database is where he thought i lived. He went looking for us at the old address.

and what's the worst part of all - to have ANY level of security from a whois search that could give sickos and perverts your address is by getting a P.O. Box.. from the USPS!

Imagine, the key to internet privacy is the Postal Service. Now that's just great.

Re:i'm forgetting again

[anthony_dipierro]

what law is it breaking to have incorrect data?

None yet, but if ICANN gets their way they'll buy this law.

Re:i'm forgetting again

[jdreed1024]

what law is it breaking to have incorrect data?

There is no such law. But what's your point? If Ashcroft or someone from the justice dept were pursuing them, and there was no law, then you'd have a point.

They did, however, sign a contact with ICANN, in which they agreed to have up to date data. They chose to take a big shit on that contract. That's why ICANN is pissed.

Personally, I'd love to see Verisign out of business. Someone stole my identity two years ago and bought $1000 worth of services from Verisign. Verisign took a YEAR to remove the domains, claiming they needed to verify with the registrant before they could be cancelled. (Thieves have more rights than I do, apparently). They still refuse to remove the bogus whois information that the thief supplied using my correct name and address, but a fake phone number and e-mail. They claim I can't remove it, because I told them I didn't enter it in the first place. They also don't answer the phone anywhere but the sales department.

They're a bunch of lying, thieving, ignorant wankers, who deserve to have the book thrown at them. Not that it'll happen, since ICANN will probably give up at the last minute (c.f. United States v. Microsoft).

Re:i'm forgetting again

[anthony_dipierro]

Someone stole my identity two years ago and bought $1000 worth of services from Verisign.

Wow. What did it feel like to not have an identity?

They claim I can't remove it, because I told them I didn't enter it in the first place.

Sounds like a legitimate reason to me.

Re:i'm forgetting again

[Fulcrum+of+Evil]

They claim I can't remove it, because I told them I didn't enter it in the first place.

Sounds like a legitimate reason to me.

Sounds actionable to me (IANAL). Something about accomplice to fraud.

Re:i'm forgetting again

[starburst]

A PO Box will not shield you from stalkers. The counter workers frequently give out information gathered in the application process for a PO Box.

Here is what you must give the fine workers to get your PO Box:

http://pe.usps.gov/text/dmm/d910.htm#Rbr39715

2.2Verification

An application for post office box service may not be approved until the applicant's identity and current permanent physical address where he or she resides or conducts business is verified. Verification criteria are as follows:

a. At the time of application, applicants must present two items of valid identification; one item must contain a photograph of the applicant. Social Security cards or credit cards and birth certificates are unacceptable as identification. The following are acceptable identification:

(1) Valid driver's license or state non-driver's identification card.

(2) Armed forces, government, university, or recognized corporate identification card.

(3) Passport, alien registration card, or certificate of naturalization.

(4) Current lease, mortgage, or deed of trust.

(5) Voter or vehicle registration card.

(6) Home or vehicle insurance policy.

b. The identification presented must be current. It must contain sufficient information to confirm that the applicant is who he or she claims to be and must be traceable to the bearer.

Re:i'm forgetting again

[anthony_dipierro]

Sounds actionable to me (IANAL). Something about accomplice to fraud.

I don't see how. If anyone was defrauded, it was Network Solutions. You can't be an accomplice to a crime committed against yourself.

I'm sure if you had gotten an injunction NetSol would have gladly removed the information. Until then it's not their place to get involved. Innocent until proven guilty in a court of law, and all that nonsense.

Re:i'm forgetting again

[mosch]

I fully agree, there's no reason to have valid contact data for your domains, as long as you pay your bill. There are numerous reasons why a person would not want to be listed, and those should be honored.

All my domains are registered with false contact information, with the exception of the email addresses, which are tagged, but valid. Can anybody tell me why this is a problem?

None of my phones are listed in a phone book, why should my whois data be forced to be any less private?

Re:i'm forgetting again

[stephanruby]

and what's the worst part of all - to have ANY level of security from a whois search that could give sickos and perverts your address is by getting a P.O. Box.. from the USPS

If your stalker can prove to the post office that you're using your PO box for business purposes, the post office is *obligated* by law to releaseyour personal address. You're probably better off using the more expensive "Mailbox, etc."

You better forget about voting too. Your voting registration is public information.

Re:i'm forgetting again

[Jammer@CMH]

I'll try to explain.

A domain was registered, with this guy listed as the contact but with incorrect email. He can prove that he is himself, he has all sorts of documentation to demonstrate that he is the fellow of the listed name who lives at the listed address. If the domain is indeed registered by him, he should be able to remove it. If it is not registered by him, but is registered by someone else using his name and address, then I believe that Network Solutions is assisting that unnamed other person in perpetrating a fraud if Network Solutions refuses to remove the listing after the individual with the name and address appearing in the registration appears (with piles of identification) and demands the removal of the listing.

If I post an advertisement in the paper announcing (say) your bankrupcy, giving your name and address as contact information and printing them in the add, and the newspaper refuses to pull it even after you demonstrate that you are the person referred to in the add and are not at all bankrupt, then I'd think that the paper is an accomplice to my fraud.

Of course, I'm not a lawyer. YMMV.

Re:i'm forgetting again

[dmuth]

in fact, i have incorrect data because i and my wife were being stalked - and the WHOIS database is where he thought i lived. He went looking for us at the old address.

One problem with this is that when have you bogus contact information, it makes it look like you may have something to hide, seeing as how spammers employ similar tactics with their domain registration.

My suggestion would be to get a Mailboxes, Etc. dropbox and list that in your domain contact. That way, people who need to legitimately reach you via postal mail can, while stalkers will not find you.

Re:i'm forgetting again

[user2048]

Something similar happened to me. Somebody charged $500 of VeriSign services to my Discover card. I called to complain. They wouldn't even talk about removing the charge unless I faxed all sorts of info to them. And they wouldn't tell me what services they were charging me for (I did manage to get the phone rep to say it involved some domain involving "graphics" and a Yahoo email address.

I let Discover handle it. They gave me an immediate temporary credit, and a few months later the credit became permanent.

While I was waiting for the matter to be resolved, I got a (postal) mail notice about renewing another set of domains I had nothing to do with (all containing the string "sony").

this isnt about bad whois data

[leto]

It is about
- Getting rid of Verisign in the .org deal
- Getting rid of Verisign before they get the 3
year on .net and 5 year on .com names
- Getting rid of a company that is going bankrupt
and is highly fraudulent (snapnames, bogus
invoices etc)
- ICANN itself getting out of the spotlight for
firing its At Large Directors

Re:this isnt about bad whois data

[hta]

please don't confuse Verisign the REGISTRY (holder of .net and .com) with Verisign the REGISTRAR (the people responsible for the inaccurate registrations).
Revoking Verisign's registrar business would be ironic indeed - it would get them out of the dual role that they had promised to give up, but gave up .org in order to be allowed to continue doing when the contract was renegotiated.

Just transfered from VeriSign

[stompro]

I have just finished a month long battle with VeriSign to get access to a domain. I would fax them an authorization letter, they would email me back saying I missed the coma on the 21st page after the statment of intent blah blah. I finally got everything to their liking but they didn't respond for a couple more weeks. So I headed over to domainmonger and did a transfer, and was up and running in a day and a half.
I can kind of understand why a larger company would like to know that someone has to jump through major hoops before someone can hijack their domain, but for me all there security was a major pain in the ass. Plus, the last time I checked, they were using some ibm ssl software that doesn't let you use mozilla to manage your account. I am going to plug domainmonger here, I have no affiliation with them, I am just a happy customer.
domainmonger.com
I have had such good luck with domainmonger, they are not a large operation, but I have never had trouble getting ahold of someone if I have had a problem.

....
posting makes you feel goooooodd.

Re:Just transfered from VeriSign

[cyb3r0ptx]

I agree, and for 1/2 the price that domainmonger charges, it's even better!

Re:Just transfered from VeriSign

[mesocyclone]

I am in the middle of a long battle with them over changing the domain access. My daughter's site host went belly up, and Verisign's autoresponder never responds. We go to the site, log in, put in the changes, get a message at the correct email, respond to it as requested, and it vanishes into a black hole.

Finally, yesterday I called them on the phone and in about 45 minutes of hassling with a live human (no wonder they are hurting), still got no satisfaction. She told me the system was changing and they could not change the domain in any way except through the autoresponder, and had no idea why it didn't work. She did manage to get it to generate a couple of "unauthorized" person trying to change your domain messages (she works for them, but she is unauthorized)! She later told me should would fix the problem (which she had earlier told me was unfixable) but it would take a few days to show up in the database! This is modern technology?
Now the whois record shows yesterday as the last date changed, but it still has the same wrong information in it!

This incompetent company deserves to have their domain privileges removed. Their whois database should be given to someone who can make it work!

Re:Just transfered from VeriSign

[nathana]

DomainMonger rocks, period. I've been using them since 2000, and even when I have had problems they ALWAYS respond in a timely manner.

Just another happy customer. :-)

Re:Just transfered from VeriSign

[scsiboy]

FWIW, I had the same trouble when trying to transfer domains from Verisign over to INWW (inww.com). I had success though with Dotster - the transfer of 3 domains from INWW and 2 domains from Verisign over to Dotster worked great. I don't know if they have some special agreement with NSI or not, but it's the only thing that's worked for me. Other people I know have had the same black-hole treatment at NSI, except one guy who also uses Dotster and got his NSI domains moved to Dotster without any issues.

Does this really "a"ffect anything?

[DaytonCIM]

So ICANN pulls the plug on Verisign and hands it to another company... what changes? Does this new group have some magical software that will "verify" every registry, every address, every phone number, and add security? I think not.
Sounds suspiciously like someone is willing to fork over a pile of cash to some key ICANN people in return for Verisign's business.

no bulkregister domains

[bberg]

It seems ever since the nonsense with bulkregister none of the bulkregisters domains show up in netsols whois. You just get a page that says "error". Works in any other who is though.

Re:17 out of 10.7M - 30K out of 10.7M, if not more

[JayDude]

That was a quote from a Verisign Exec. There's at least tens of thousands with bad data.

There's a whole block of Worldnic (owned by Verisign) records that down't have correct email addresses for the admin contact...

It soon will be.

[www.sorehands.com]

There is talk of a law that makes it illegal to have false whois data. This is to handle people trying to make money buying domains and selling them to trademark owners.

Currently you are contractually obligated to provide correct whois information by the terms of service that propagated from ICANN.

SPAMMERS usually use false domain information to hide. Maybe the spammers don't want us breaking into their houses to watch TV and use their computers? Why not, their houses are connected to public roads, so we can use them. Right???

Letter from Louis Touton

[nutznboltz]

http://www.icann.org/correspondence/touton-letter- to-beckwith-03sep02.htm

Cites the 17 broken entries.

Re:Letter from Louis Touton

[rustman]

no.valid.email@worldnic.com is the standard contact info that many domains get when registered through NSI's Worldnic service. This is my biggest complaint.

Verisign slap on the wrist?

[Charlie+Bill]

I'm sure ICANN can't be too happy with VS for its somewhat shady business practices recently. Is this just them using a techinicality to nibble at them (akin to tax law suits lodged against bootleggers)?

New Art Of Domain Hi-jacking sponsored by ICANN

ICANN are introducing a 15-day challenge to correct Whois data. If the data is not corrected within 15 days, the domain is pulled. Gone. Poof.

Even if the Whois information is 100% correct and you don't respond within the 15 days, it's gone. Poof.

It works something like this:

1. Take out a dropped domain name registration using WLS or SnapNames.
2. Complain about the Whois data for the domain you want.
3. Wait 15 days
4. When the domain name is dropped, the name is reregistered through WLS or SnapNames and becomes yours.

Slashdot.org will be mine. You have been warned.

Re:New Art Of Domain Hi-jacking sponsored by ICANN

[asackett]

I say "Go for it!" Steal something big, like nytimes.com -- and the very instant that it transfers, call the nearest television network affiliate's news department to explain that you've only done this to prove a point, have no intention of actually doing anything. As soon as the news starts to spread, call whomever it is whose domain you hijacked, and ask them to submit the necessary correction, which you'll gladly approve.

Just try to pick something large that belongs to someone unlikely to want to draw and quarter you!

Don't threaten, just do it.

[uncoveror]

ICANN should not threaten to take Verisign's licence to sell domains, they should just do it. The scam they ran trying to get customers of other registrars to switch to them with bogus renewal notices should be all the impetus ICANN needs. I recieved those bogus notices for uncoveror.com, and dontbuycds.org, but godaddy.com had already warned me they were bogus.

#11 is the gem

[stox]

Oh, this is priceless:

11. nsi-direct.com: On 13 June 2002, we sent you an e-mail asking VeriSign Registrar to correct inaccurate Whois data in the record for nsi-direct.com. The administrative contact e-mail address for that registration is still listed as "no.valid.email@WORLDNIC.NET". We sent a test message to that address last week - it bounced back with an indication that the address was not valid. Over two months after the initial report, the invalid data is still being reported in VeriSign's Whois service.

Wasn't this this the "spam" arm of NSI?

Missing the point

[FreshMeat-BWG]

The problem isn't that Verisign has incorrect data. The problem is that they "agreed to take reasonable steps to investigate and correct its Whois data in response to any reported inaccuracy" and have not done so. It is that they KNOW they have incorrect data and haven't corrected it.

Uh

[autopr0n]

How could ICANN stop them from selling SSL certificates?

It'll be intresting to see if VeriSign can actualy fix this in the time alloted, given their amazingly shitty technical skills.

Not me

[autopr0n]

Register.com for a couple, godaddy now that I managed to get my own DNS server running :P

Re:Not me

[DraKKon]

Same here... used register.com to setup my DNS servers (thanks) now use godaddy to register (and renew) my domains.. cake..

F U VeriSign...

Re:Not me

[Suppafly]

And you provide us with autopr0n, so you are exempt from any punishment anyway :)

They have a point

[Kiwi]

I think the point ICANN is making here is not that Verisign has to make each and every single WHOIS contact info accurate. The point is that Verisign does not even care that their WHOIS contact informaiton is bogus more often than not.

People would complain to Network Solutions about spammers having obviously bogus WHOIS information (such as phone numbers of --- --- ----), and their reply was that "WHOIS information is ot guaranteed to be accurate".

I think the response is that, if a given set of WHOIS contact information is bogus, and people complain about the bogus information, Verisign should pull the domain in question until they update the information to have legitimate contact info.

A spam-friendly domain without real WHOIS contact information should be pulled until the information is updated. People should be held more accountable for what they put up on the internet; non-bogus WHOIS contact info is a start.

- Sam (Pot. Kettle. Black. I've moved since signing up for my domains, and have not updated the WHOIS contact info)

An interesting entry...

[numark]

On 29 July 2002, we notified you that VeriSign Registrar's Whois data for namezero.com (a domain sponsored in the registry by VeriSign Registrar) was inaccurate. The phone number is listed as "111-111-1111".)

So Verisign has false contact information for a site with whom they've worked closely for the last few years, and no one caught it and corrected it before now? Yeesh...

This explaines a lot.. Re:Letter from Louis Touton

[dracocat]

It looks to me like ignoring repeated attempts from ICANN to fix a problem is not the best business strategy.

What is amazing is not that they have incorrect data, but that after 15 months and repeated letters from ICANN about a single domain, that they still haven't done anything.

I guess if this is how they do business, its no wonder that they are rated so poorly in customer service.

Rare for anyone to be held responsible

[rbanzai]

My company had about eight domains registered through Verisign and were subjected to a few of Verisigns fraudulent business practices as well as their hideous, hideous service.
If they get punished for ANYTHING that will give me a little satisfaction. It's kind of a rarity for companies to be held responsible for being arrogant f-ups. Let's hope this gets carried through and they get the spanking they deserve.

Musings over WHOIS.

[Corvaith]

First of all, I'd be willing to bet the numbers are rather high for fake addresses, across a good number of domain registrars besides VeriSign. There have to be some people out there creative enough to make up addresses that sound plausible... but just don't happen to belong to the person registering the data. (As opposed to 123 Main St, (123) 456-7890.)

I realize that keeping data on who domains belong to is somewhat important, but I don't see why this data has to be made available to the general public. Yes, it lets people trace the supposed owner of a domain... which can mean nothing, if the owner and the person maintaining the website aren't the same. It can also give people an avenue to harass you, especially if you happen to host any content that's in any way controversial.

Once, owning a domain was something businesses did. The average person had an email like jdoe@isp.net, and a web address that probably looked like http://www.isp.net/~jdoe. There are still plenty of those out there. There are also those of us who aren't content with the tiny amount of capability our ISP accounts come with, and so pay for third-party hosting... and a domain.

My domain holds a bunch of stuff. A forum for a hobby of mine. My public journal. Some links. Nothing out of the ordinary. I don't see why it's in any way important for other people to have easy access to my address and phone number. If the police need it, let them get it from my registrar.

I don't think there should be a blanket assumption that domains are going to belong to businesses who don't have anything to lose from their contact info being public.

Re:Musings over WHOIS.

[anonymous+cupboard]

In many countries, any publication must carry a contact address for the owner. This is done for a reason because amongst other things, if you want to say things about somebody that are untrue, they can take action against you (note this is civil rather than criminal so the police are not involved).

If you have a web page that does not demand a password, then it is publication. You are the publisher not the ISP. If it is 'just private stuff' then sorry, your contact details must be registered. I would however grant you as a private citizen operating a non-commercial site the ability to hide your telephone number but not your name and address.

What do you want from them?!

[fireboy1919]

Do you expect a company to keep track of the mailing addresses and names - the very IDENTITY of its clients?

I mean, are there even companies whose business is to guarantee that someone is who they say they are and that they provide accurate information?

The very idea is ludicrious!

Seriously though...why not have government controlled digital signatures? They could use the passport system (not Microsoft's...the kind you get before you go to another country) as a starting point. It seems like one of the rare chances for beneficial government interference. Sure, we'd lose a particular private sector, but it'd give lots of people the same warm, fuzzy feeling that the FDIC does.

They've already got one # to represent each person anyway.

Really looking for (negative) responses here; I can't see anything bad about this (and I'm usually against government intervention).

Re:What do you want from them?!

[mindstrm]

Yes, we absolutely expect them to do that, becuase they are not selling teddy bears, they are a REGISTRY. Their ENTIRE BUSINESS is based on keeping track of which domain is registered to which person.
The contract that enables them to BE in this business REQUIRES them to keep this information accurate, and update it in a timely manner. This is something they AGREED to.. and I don't mean 'agreed' the same way you 'agree' to a clickthrough.. I mean dozens of lawyers reading documtns and commenting back and forth until a final contract is ratified.

And now they are basically ignoring a key part of that contract.

Re:What do you want from them?!

[graxrmelg]

Moreover, VeriSign's other business (digital certificates) is all about determining that people are who they say they are, so it should be less a problem for them than for other registrars.

The fact that the digital certificate business is based entirely on having a reputation as a trustworthy company is what made VeriSign's slimeball fake-renewal scam all the more amazing.

Re:What do you want from them?!

[Zelig321]

Don't you give them the idea to require us to purchase digital certificates in order to ensure our identity when we register a domain name!!!

Re:What do you want from them?!

[fireboy1919]

Ahem. Ever heard of sarcasm?

Let me spell out my view.

I find it rather disturbing that an organization whose main business is to keep track of people has trouble keeping track of people on their secondary business.

It makes me think that perhaps they're not doing their main job right - something which is much harder to verify because the main thing people want from VeriSign is a certificate already in NS and IE's databases. People just aren't going to complain much if they can get their key request replies.

Further, it makes me consider that perhaps privately owned business does not have enough vested interest in its clients to ensure accurate record-keeping, since the cash will keep rolling in anyway (for digital certs).

Sorry if you couldn't read my train of thought through the lines. More clear now?

In the News

[Herkum01]

ICANN meets to determine whether they can get away with charging $20 to domain name owners, and finally gets around to doing the job their supposed to do, more at 11...

ICANN's press release

[n8_f]

The press release ICANN sent out can be found here. It looks like the article was written straight from this with a reaction from VeriSign, which just muddled the real issue.

The problem isn't that VeriSign has incorrect information in the WHOIS database, it is that it makes no effort to correct that information. They have been notified to correct several records and they haven't. And in one case, VeriSign told a registrant to put in an incorrect address.

No, they aren't breaking the law, but they are breaking their contract with ICANN and so ICANN is enforcing that contract. And this isn't a personal privacy issue; that is completely separate from VeriSign not updating WHOIS records when requested and telling customers to give false information. Please, no more pity posts for VeriSign!

Re:ICANN's press release

[anthony_dipierro]

And this isn't a personal privacy issue; that is completely separate from VeriSign not updating WHOIS records when requested and telling customers to give false information.

But it is a personal privacy issue. Verisign is breaking its contract, but by doing so it's protecting its customers' personal privacy.

Please, no more pity posts for VeriSign!

I agree there. But please, no more pity posts for ICANN.

Instead lets have pity posts for the domain name holders. In the end that's who's going to lose, because Netsol will give in within 15 days, and won't lose their status as Registrar.

Re:ICANN's press release

[n8_f]

But it is a personal privacy issue. Verisign is breaking its contract, but by doing so it's protecting its customers' personal privacy.

I still respectfully disagree. I'm going off incomplete facts here, but it sounds like in some of the cases ICANN sites, the registrants are trying to get their contact information changed and VeriSign isn't allowing them.
I sincerely doubt VeriSign is doing this to help their customers. I have tried to change contact information with them (my dad registered a domain for his business; bad dad!) and it is a very difficult process. So whether or not in these specific cases they are trying to protect their customers privacy, I have first hand knowledge that the general complaints ICANN is raising are valid: VeriSign can be very slow or even completely unresponsive in changing WHOIS records.

Also, if you want to register a domain, there has to be some way for people to contact you. No one requires you to give your home address, but you have to give some contact information. It is like receiving mail. Use a P.O. box or your work address, but if no one can reach you in the eventuality your domain is misused, you shouldn't have a domain. With priviledges come responsibilites. I understand the various concerns such as frivolous lawsuits, but breaking one system to compensate for a broken system isn't the solution.

Please, no more pity posts for ICANN.

I also disagree with your characterization that my post was a "pity post for ICANN". It most certainly was not and I fail to see what caused you to reach that conclusion. That said, while I don't support ICANN, I'm also not going to fault them for taking a step in the right direction and I see trying to clean up the WHOIS database as a step in the right direction.

Nathan

Re:ICANN's press release

[anthony_dipierro]

I'm going off incomplete facts here, but it sounds like in some of the cases ICANN sites, the registrants are trying to get their contact information changed and VeriSign isn't allowing them.

Do you have any quotes or references that suggest that? I read the article, I read the press release, and I don't see anything which suggests that.

I sincerely doubt Verisign is doing this to help their customers.

I agree with you there. Verisign's motive is almost certainly profit. But I don't really care about their motive so much as what they are doing. If they are protecting their customer's privacy, then I'm going to support that, regardless of their motive.

So whether or not in these specific cases they are trying to protect their customers privacy, I have first hand knowledge that the general complaints ICANN is raising are valid: VeriSign can be very slow or even completely unresponsive in changing WHOIS records.

That may be the case. In fact, from what I've read I believe it probably is the case. But that's not what ICANN is charging them with.

Also, if you want to register a domain, there has to be some way for people to contact you.

Well, I disagree. I don't think there needs to be some way for people to contact me. Certainly not without obtaining a subpeona. But in any case, I have provided my phone number and email address, as well as my name. There is absolutely no reason the public needs my mailing address as well.

No one requires you to give your home address, but you have to give some contact information.

More specifically, you have to give a mailing address.

Use a P.O. box or your work address, but if no one can reach you in the eventuality your domain is misused, you shouldn't have a domain.

As I said in my other post, I'll use a P.O. Box if ICANN pays for it. And I work at home.

With priviledges come responsibilites.

Yes, with the priviledge of being granted a monopoly comes the responsibility to not infringe upon my right to free speech.

I understand the various concerns such as frivolous lawsuits, but breaking one system to compensate for a broken system isn't the solution.

My concern is not over frivolous lawsuits. My concern is over burglers and psychos.

I also disagree with your characterization that my post was a "pity post for ICANN".

I agree. I wasn't referring to your post.

That said, while I don't support ICANN, I'm also not going to fault them for taking a step in the right direction and I see trying to clean up the WHOIS database as a step in the right direction.

And while I don't support Verisign, I'm also not going to fault them for taking a step in the right direction and trying to facilitate anonymous publication of free speech on the internet. I see allowing anonymous ownership of domain names as a step in the right direction.

I currently have several domain names through Tucows. Many of them have incorrect address information, and I don't want to be forced to change it. But if ICANN gets their way I will have four choices: fix the address, get a P.O. Box, subscribe through a provider who will put the domain in their name, or lose the domain. None of those choices are attractive to me, but I'll probably wind up getting the P.O. Box.

Re:ICANN's press release

[n8_f]

Okay, I made some mistakes in the last post. You're right, none of the problem's relate to a registrant being unable to get their record updated.
In fact, I more or less agree with all of your points. I probably shouldn't have even bothered posting that last one.

I would like to elucidate on the one point I think there could be some meaningful debate on: anonymous ownership of domain names.

I think that contact information should be optional. However, I think the owner should be listed publically. I can't think of any way one can legally, publically distribute information anonymously. The author of a piece of information can be anonymous, but if one chooses to distribute that piece of information, in a news story or a pamphlet or a book, etc., one can't do it anonymously. And the Internet is just another method for distributing information.

Perhaps I am wrong, but I think of domain names as analogous to property, the ownership of which is public record. Is that overly retrictive? I can see where anonymous publication would be useful, but it seems like all accountability is lost as well. It seems like the existing mechanisms for anonymity are enough: an author has to find someone who will bear the responsibility for publishing the information.

They big enough?

[cheese_wallet]

I wonder if they are established enough in the net community to fork DNS and start up their own DNS architecture.

How about this penalty?

[Deal-a-Neil]

Increase their cost from the $5.00 or so per domain, to $100.00 per two years -- make 'em feel the pain like we used to a few years back. :-)

What does ICANN expect?

[Ra5pu7in]

What does ICANN expect VeriSign to do if it cannot get updated information?

"Update the database" sounds easy enough, except that people that fill in that kind of bogus information don't want their accurate information listed and, if contact is possible, will likely give equally false information that sounds more real (i.e. 2957 Barracuda Lane). With all contact information deliberately falsified, it would be next to impossible to reach those people anyway.

Should VeriSign shut down every .com that doesn't have a valid verifiable addresses? Listen to those screams from all the legitimate sites who didn't want personal information easily available to the world.

Lying with statistics

[AndroidCat]

I love the lying with statistics in this statement: "Out of 10.3 million records, they pulled out 17 of these that have inaccurate data on it," "That doesn't diminish the fact that VeriSign sees this as an important issue, but 17 names out of 10.3 million would hardly be considered a pattern."

Uh-huh, and how many did ICANN check to get those 17? Is that 17 out of 10.3M or 17 out of 32? Verisign obviously thinks everyone is dumber than they are.

Blatant Misdirection on ICANNs Part

[limekiller4]

17 records out of 10 million? This is ICANN "making hay" to look like they're sticking up for the little guy and a blatant public relations move after they went ahead and pushed through WLS despite an overwhelming vote against it by pretty much everyone ...except for the gTLDs (ie, .COM and .NET, which, amazingly enough, Verisign controls.).

ICANN is so in bed with Verisign it's not even funny. This is a nudge-nudge wink-wink arrangement between them so ICANN can look like they're doing their job and Verisign takes a black eye that nobody will remember in a year so that WLS happens.

Do not be fooled.

Bad whois info

[terrymr]

Wasn't there a case recently where an arbitrator based his decision in part on bad whois info for the domain (I believe it was a .biz so it didn't involve verisign). But this is an important reason why the whois must be accurate.

What is the TRUE motivation for this?

[loggia]

What is ICANN's true motivation for this?

Read: which of their cronies are miffed that Verisign does not have this data updated properly?

We all know ICANN does not actually *care* about this.

Breach of Contract

[spacefrog]

what law is it breaking to have incorrect data?

Breach of Contract.

When a registrar signs up with ICANN, they sign a binding contract. Whether or not you agree with the contract, it is a binding contract. Below is an excerpt:

3.7.7.1 The Registered Name Holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder; name of authorized person for contact purposes in the case of an Registered Name Holder that is an organization, association, or corporation; and the data elements listed in Subsections 3.3.1.2, 3.3.1.7 and 3.3.1.8.

source

The /. effect strikes again!

[Lucky+Kevin]

Even the whois database is timing out now. I'd like to list all the whois data here in the traditional slashdot manner but I think that it may be a little too large :-)

Verisign's REAL problem

[mrnick]

The problem that ICANN is opting to ignore is Verisign's blaten anti-trust policies. For example, if you have a domain registered with another registrar.. i.e. Tucows and you want to add a new DNS server to that domain and make that change at Tucows then it will take 24 to 72 hours to update at all registrars in the world, except for Verisign. They maintain the global database and it does get updated but if someone has a domain registered with Verisign it will take at least a week of harsh over the phone negotiations with them to get them to add it to thier local database. It's obviously an attempt to discredit other registrars and it's just not fair.

Nick Powers

Re:17 out of 10.7M - 30K out of 10.7M, if not more

[AndroidCat]

As I said in a post above "Lying with statistics" (didn't realize that I was drilled in a level, d'oh!), there's no indication of how large ICANN's sample was to get 17 bad ones.

So did ICANN sample 10.3M or 32 to get 17 bad ones?

Re:17 out of 10.7M - 30K out of 10.7M, if not more

[raju1kabir]

That was a quote from a Verisign Exec. There's at least tens of thousands with bad data.

I'd guess far more than that. Pretty much every time I go to look up a domain, it's got bad info. Of course, the only reason I look up domains is when I'm annoyed at the spam they've left in my inbox or the attack attempts they've left in my logs.

So I dunno about the converse, but bad internet citizenship seems to be an excellent predictor of bad contact info.

Verisign showing incompetence?

[angst_ridden_hipster]

I'm shocked -- shocked to learn that Verisign is permitting bogus data.

(I'd be more shocked if I were to learn that someone there knew the difference between good data and bad)

did /. make verisign mad?

[edrugtrader]

looks like they totally fucked up the site!

Cheap registration -- you're paying for it.

[fm6]

If I register floobydust.com, and I fill in a contact email that becomes invalid three days after I go live, is that Verisign's fault?

You're forgetting that domain owners are also supposed to give physical addresses. Of course spammers (and shy people) give a bogus address. Apparently some registrars check that the address actually exists, but that's not really useful if they don't verify that the registree receives mail there. Doing that would add a couple bucks to the cost of registering a domain -- but does the world really need ten-buck registration services?

Once, on some weird whim, I tracked down and contacted the person registered as owner of a spam domain. Turned out to be an elderly lady who didn't even own a computer! Obviously the real owner got her name and address out of a phone book. I reported this to the registrar, Verisign, and got back a form email about jerking domains not having any effect on spam. No comment on the fact that they had helped perpetrate a fraud!

The best of both worlds... at register.com.

At register.com, they let you setup billing address info for your account that they use to contact you, privately. It's SEPARATE from the information actually showing in the public WHOIS database.

View the WHOIS record for my domain, winzig.com.

Truly, this is not my contact information:

123 No Spam Ave.
No Spam, CA 90210 US
Phone: 800-555-1212
Email: spam-me-not@winzig.com

However, if I was a spammer, or breaking the law on my website, the feds could still contact me if they are able to subpoena register.com for my billing info. And register.com can still send me reminders for domain renewals, which is all I care about anyway.

Law?

[mindstrm]

It's not breaking a law. It's breaking a contract.

The agreement that ALLOWS Verisign to be a registrar requires that they provide accurate information in the whois database for all contacts.
They are required to verify said information upon registration, and to correct errors promptly when they are found.

In other words, you cannot 'anonymously' register a domain.

Privacy? If you want privacy, don't go to the trouble of having your own domain, that's pretty simple. That's like saying you want to get a business license and open a shop in your town, but you don't want anyone to know where you live or who you are.. well guess what, your business license and said filings are a matter of public record, and anyone can go see them.

This is not dissimilar.

changing registrars

[phriedom]

I had the same problem getting VeriSign to change a domain host, they ignored faxes, etc. I finally got it moved, but was tired of the BS from VS. So I tried to move to a new registrar, GoDaddy to be exact, and got a "the current registrar has denied your transfer request." GoDaddy says there is nothing they can do about it and that I must take up the issue with VeriSign. I am of course seething mad. I am paid up. I am in compliance with their entire Service Agreement. The link in the Service Agreement that refers to changing registrars leads to a Procedure for changing restrants, not registrars. VeriSign ignored my first Help request. I just tried again and got the form email that says they will get back to me in 24hours. I'm hoping I don't have to send a certified letter to their legal department. Anyone have any advice out there?

Re:changing registrars

[stompro]

Do you still have access to the admin email account. If not then that might be your problem, you might have to jump through the hoops to get them to change the registration info.
The transfer went pretty smoothly for me. I filled out the domainmonger forms, then I recieved a message from verisign/network solutions asking me to confirm(sent to the old admin email), I replied to that and got a confirmation, and that was it. It is funny how verisign begs you not to leave in the transfer messages. They even mention how great their support is, that was very entertaining.
What really pissed me off is that I did have access to the admin email for the domain, but they also have a extra security question that you have to know. I had no way of finding out what the origional guy had set for his mothers maiden name or his date of birth.

Re:changing registrars

[phriedom]

Yes, I still use the admin email account, but I didn't receive any authorization check email from VS, they just denied the request.

Re:changing registrars

[stompro]

Hmm, that is strange.
I noticed something when I did my transfer, the transfer was not done between domainmonger and verisign, it was done between tucows and verisign. I think that tucows handles stuff like that for many smaller domain registrars. It could be that tucows is large enough to have a trusting relationship with verisign, where as some of the other small domain registrars try to go it alone and have a harder time.

Hopefully someone who knows more about how it all works will chime in, but I doubt it, I think this story is dead now. You might want to give domainmonger a try, or did you, I can't remember, to lazy to check your other post now too :)

greedy marketing

[stock]

a real sign of greedy marketing: "VeriSign DNS in Trouble" ..
In the oll days (internic , networksolutions) one had to roll its own DNS servers, today by default a verisign domain can only be started using VeriSign's own DNS servers. After that a tiresome DNS server move has to be done to your own DNS servers.

It smells like most people forget that last step, and after a while verisign has overloaded DNS servers. Anyone who has info on what type DNS servers Verisign is using?

Robert

THANK GOD

[windex]

I just got a domain back NSI had been holding for 3 years. ITS MINE NOW! MINE!

nsihorrorstories.com

[mieses]

this site is a testament to their quality of service.

They raped the database doing an upgrade

[swb]

They went through a process of changing Versign domain holders over to their new, improved system of authentication. On paper (or in my head) it was supposed to have been a question of assingning usernames and passwords and transparently changing the auth method.

What they actually DID do was rape the whole WHOIS database for lots of domains, changing zone contacts, technical contacts and in some cases administrative contacts to NO.VALID.EMAIL@blahblah, in many cases before or without EVER sending the stupid letters explaining what happened.

It was a TOTAL FUCKAROUND to get it fixed when it happened, especially when you got no information about specific domains (usernames, passwords).

I even had supervisors at Verisign tell me to make up my own letterhead and fax in changes for domains. They said all they looked for was info that looked vaguely professional. I eventually made a template in word that I faxed in when I pasted in new "logos" I ripped off from google.

They can suck it up!

[JebusIsLord]

They can suck it up. The WHOIS is there for a reason - you don't need to list a personal email address there but you should be obligated to have a contact address of some sort.

Re:They can suck it up!

[JebusIsLord]

No i just ment you don't need to list a PERSONAL email, just an admin@ address. I dont think you have to fill out the physical address, thats optional AFAIK.

How I became a porn king without even trying.

[stonewolf]

VeriSign made a data entry error and listed my nic handle, something like, SW123 as the technical contact for a porn site. The nic handle of the real technical contact for the site was something like SW1234. They just dropped the last digit. I found out about the problem when angry customers of the porn site started contacting me. A couple threatened to sue me. I contacted VeriSign and asked them to correct the error. They refused. I explained the problem, they couldn't care less. I contacted the actual web site owner, in Australia, I live in the US, he never responded.

I found that I was on many porn dealer mailing lists. I contacted VeriSign. I started getting promotional offers for disks of barn yard porn. Both VeriSign and the owner of the site refused to reply to my emails. When I called VeriSign they told me to stop bothering them. They refused to take any action.

Eventually the owner tried to change the DNS server for the site, as technical contact I blocked it. They tried again, I blocked it. They tried to change the technical contact. I let them!

I was listed as technical contact for that site for more than 4 years. VeriSign refused to do anything. I was never able to contact the actual owners of the site. I contacted VeriSign by email and by phone repeatedly. They refused to do anything.

My name and my home address are still listed in directories of porn site operators.

I would like to see the President of VeriSign draw and quartered. I hate those guys. Putting them out of business is the least that should be done to them. They are sick sick sick bastards.

Stonewolf

Re:How I became a porn king without even trying.

[rthille]

The first thing you should have done as Technical Contact for the porn site is to point at a web page that kept the porn sight from making money. They would have fixed the problem in a day, two at most.

Re:How I became a porn king without even trying.

[stonewolf]

I considered doing exactly what you suggested. I looked into the law covering such an action and realized that I could be prosecuted for doing it.Unauthorized access to a computer system and unauthorized modification of data are illegal.

Yes, they left the door open, but that doesn't give me the legal right to go through the door.

Stonewolf

Re:How I became a porn king without even trying.

[nutznboltz]

Eventually the owner tried to change the DNS server for the site, as technical contact I blocked it. They tried again, I blocked it. They tried to change the technical contact. I let them!

I looked into the law covering such an action and realized that I could be prosecuted for doing it. Unauthorized access to a computer system and unauthorized modification of data are illegal.

Uh, in what way was blocking their modifications not unauthorized access to a computer system?

Re:How I became a porn king without even trying.

[stonewolf]

Good point, I was worried about the legal side of blocking the change of their DNS.

The difference is that *I* didn't initiate the transaction. I just recieved an email asking me to authorize a change. Refusing to authorize the change kept things the same, so I wasn't changing anything. So, in fact blocking the change was what I was required by law to do. And, each time I blocked the change I sent email to both VeriSign and the site owner telling them that I was blocking the change because I wasn't authorized to approve the change because I wasn't the technical contact for the site.

OTOH, helping them correct a typo, at their request, could not be considered unauthorized access. After all, they sent me email asking me to make the change.

Anyway, the only way I could get them to fix the database was to block the change. I could have sued them for damage to my reputation, I could STILL sue them. But, this was easier.

Stonewolf

ObPlug

[Simon+Garlick]

www.easydns.com

No bullshit, great service.

Yeah...like this would happen

[Sabalon]

About as likely to happen as uunet kicking Ziff-Davis off for violation of their anti-spam policy when they kept sending me all the comdex crap a few years ago and I complained.

Big money/companies like this get a whole other set of rules to play by. Probably a PR step to make ICANN look like heroes.

Distraction

[ziegast]

This is ICANN doing something to help justify their existance when they normally do a whole lot of nothing. Politically, Verisign can make the appropriate changes to calm the waters, but I doubt ICANN would have the ability to enforce anything on Verisign. In a legal pissing match, Verisign has more money and probably more influence than ICANN.

In the meantime, I get "renew your licences or else" spam from the BSA and Microsoft using the information from my outdated and expired Verisign WHOIS record. Knowing this, I really wish I could unpublish my WHOIS data for my domain. Perhaps there's an appropriate need for privacy which the people behind these improperly-registered domains are fighting.

-ez

Place your banner here, just $1000.

Click here to report bad domain info

[Animats]

Click here to report bad domain info in .com, .net, or .org. This is ICANN's form, and there is a tracking system, so you can watch nothing happen in real time.

I've been reporting some big-name spamvertized sites that hide behind phony domain registrations, and I encourage others to do so.

re: your sig

[mumkin]

bukra fil mish mish

tomorrow in apricots??

"namezero"

[jonathanbearak]

"17. namezero.com: On 29 July 2002, we notified you that VeriSign Registrar's Whois data for namezero.com (a domain sponsored in the registry by VeriSign Registrar) was inaccurate. The phone number is listed as "111-111-1111".) We asked you to investigate and correct this inaccurate information pursuant to RAA 3.7.8. It has been over thirty days and the data still has not been corrected."

something's wrong when a company that actually registers domain names uses bs whois data.

the issue isn't incorrect whois data. if i register a domain and provide fake data who cares. but if i use it for email or something related to business, and the data's bogus, i've broken laws written a long time before we had dns.

I hope they go under

[Nemith]

Then maybe they'll quit sending me letters saying that my 2 month old domains are going to expire (who i registered with someone) else!)

Bastards!

I hope they close the doors on Verisign

[fishman]

Since Verisign "stole" the domain business off NetworkSolutions, I had nothing but trouble. At my previous job, they registered one of primary DNS servers incorrectly. And because of that, we couldn't set up any of our sites to point to our it! After about 10 emails with automated responses, I gave up.

That was about 12 months ago, I'm still not sure if it has been resolved.

Re:I hope they close the doors on Verisign

[vidarh]

"Stole" as in "bought the company"? That's a quite interesting definition...

Re:I hope they close the doors on Verisign

[acceleriter]

That's no more bogus than "stole" as in "infringed copyright." If we're going to be flexible with the lexicon, why not go whole hog?

Re:I hope they close the doors on Verisign

[fishman]

I think I was being sarcastic. For months I typed http://www.networksolutions.com... and then all the sudden one day I was taken to VeriSign?

What RFC?

[phr2]

What RFC says that domains need valid WHOIS info? That's especially for the snail addresses and phone numbers, though I don't remember any requirement of any WHOIS info at all. Tonga (.to), for example, refuses to run a WHOIS server. ICANN isn't happy but Tonga has stood its ground. If you want the contact info for a .to domain, you have to file a subpoena for it. They consider user privacy more important than the wishes of spammers. Good on 'em, I say.

Still no need for public WHOIS

[phr2]

There's no reason public WHOIS info is needed. You could have private contact info just like you can have unlisted phone numbers. The Tonga (.to) NIC keeps user contact info confidential and doesn't run a WhOIS. However, if you need to take action against a .to domain holder, you can get the info from the registrar by serving a properly issued subpoena from a court having jurisdiction (Tonga's DNS is in California, so you can use either a Tongan court or a California court).

Why do you need any more "accountability" than that? If you want to take legal action against someone, you have to go to court. If you don't want to go to court, what you want the address for is extralegal action, such as spamming or stalking. There's no reason any registrar should assist in anything like that.

Re:Still no need for public WHOIS

[raju1kabir]

Why do you need any more "accountability" than that? If you want to take legal action against someone, you have to go to court. If you don't want to go to court, what you want the address for is extralegal action, such as spamming or stalking. There's no reason any registrar should assist in anything like that.

There's a whole wide world between sitting on your thumbs and filing suit.

Perhaps you just want to contact them to discuss something (a settlement, strange packets coming out of their network, what have you - and yes I know, Verisign has nothing to do with IP assignment but I'm discussing the principle here). That's what the judge is going to tell you to do anyway.

Perhaps you'd like to know where they're located so you can assess the feasibility of legal action before going to the expense.

If the only resort is the last resort, then every disagreement has to be settled with nuclear weapons. That's one hell of a way to run a circus.

Re:Still no need for public WHOIS

[phr2]

Perhaps you just want to contact them to discuss something (a settlement, strange packets coming out of their network, what have you - and yes I know, Verisign has nothing to do with IP assignment but I'm discussing the principle here).

You don't need their physical address for that. Just send email to postmaster@(the domain name), per the internet standard. Or if there's a web site at the domain name, use whatever contact info is provided there (email address, web form, etc.). Or the registrar itself could forward messages for you after collecting a small fee (the fee would keep spammers away). If the domain holder doesn't respond, they probably don't want to hear from you and even having the WHOIS info won't get you anywhere without a lawsuit, so there's no point in the registrar giving it to you.

A computer on the internet is not really different than a fancy telephone on the phone network. Phone companies have supported unlisted numbers for as long as phones have existed, and it isn't that big a deal.

Perhaps you'd like to know where they're located so you can assess the feasibility of legal action before going to the expense.

The way that works is you file against a John Doe in some court having jurisdiction over the registrar, then subpoena the domain holder's info. That involves submitting some forms to the court and paying a small filing fee. It's not like starting a DoJ vs. Microsoft case with thousands of lawyers.

One important aspect of this is the domain holder now knows who YOU are and that you're trying to obtain their info. That's different from WHOIS, where you can get people's info without their being informed. But there's no reason to support that kind of stalking feature. If you want someone else's info, you should be willing to supply your own info to them. You got a problem with that?

Re:Still no need for public WHOIS

[raju1kabir]

The way that works is you file against a John Doe in some court having jurisdiction over the registrar, then subpoena the domain holder's info. That involves submitting some forms to the court and paying a small filing fee. It's not like starting a DoJ vs. Microsoft case with thousands of lawyers.

To file in a remote jurisdiction takes either time (to research the procedure) or money (to hire a law firm to do it for you). Thousands of lawyers? Probably not. But that's what we in the bickering business call a straw man.

One important aspect of this is the domain holder now knows who YOU are and that you're trying to obtain their info. That's different from WHOIS, where you can get people's info without their being informed. But there's no reason to support that kind of stalking feature. If you want someone else's info, you should be willing to supply your own info to them. You got a problem with that?

That is already arbitrated by existing systems. Someone sends you an envelope, they can put a return address on it, or not. If it's a bogus or unsupplied address, you can throw the envelope away. Likewise with phone calls. No need to get the courts involved.

There are hundreds of ways to get people's addresses, from calling the DMV to following them home. All legal. Your accessibility to the outside world is a byproduct of your choice to live in society. If you don't like it, there are still plenty of openings in the hermit industry.

This isn't their only problem!

[libertynews]

I have tried for months (and months) to get the host record for nexuscomputing.com removed. I have completed all the forms, called them (been told it will be removed immediatly, that it had been given a top priority), etc. Needless to say, the host record still points to the wrong damn IP address.

I also recently transferred my wife's busybride.com domain away from them, using joker.com and Verisign is now telling me that it is up for renewal. But if you check the whois information it is obviously registered with joker.com!

(No, I didn't register it with Verisign, the previous owner did and after buying it I also discovered Verisign's other scam, holding domains hostage after a sale and refusing to transfer them for 60 days).

Feh! A pox on their house.

Why should personal details be exposed?

[scott-thomason]

As a sysadmin, I know how useful it is to simply look up WHOIS info to help resolve domain issues. However, I think there's lots to be said for privacy, too:

I operate a hobby domain. I have no contact info on the website. Once, someone took offense to something I said, and called me late on a Sunday night threatening legal action. I immediately nullified all my WHOIS info, except email addresses, to prevent that from happening again. From now on, if they want to complain, they can do so via email, and if things get really serious, they can find my physical address by subpoenaing the information from my ISP.
---scott

Re: your sig

[angst_ridden_hipster]

tomorrow in apricots??

It's idiom, with a meaning kinda like "manana" (Slashdot won't let me put the tilde over that first n) in Spanish. I guess the closest English equivalent would be "someday..."

I'd have to agree on this.

[Devil]

While its a good thing (better records mean a better Net), it seems to me like ICANN is trying to blow smoke up our poopers to make us think that they actually do anything worth having them around for.