VeriSign Changes DNS Servers: No ASCII Needed
An anonymous reader points to this story at The Register and this one (in French) at news.yahoo, writing "VeriSign has made changes to the root DNS so that they handle non-ascii names (for .com and .net).
Furthermore, an erroneous lookup results in getting a VeriSign IP, not an error message." An excerpt: "The IAB [Internet Architecture Board] feels that the system VeriSign had deployed for .com and .net contains significant DNS protocol errors, risks the further development of secure DNS, and confuses the resolution mechanisms of the DNS with application-based search systems."
-Mark
It seems that nothing is sacred anymore. First you get everybody and his brother trying to introduce alternate root zones, then you get morons like NewNet that go a step further and require a browser plugin. Now Verisign does this.
I understand that having non-ascii characters in host/domain names would be desirable, however if they can't do it without breaking the DNS protocol, then they should get their ass right back to the R&D lab and try harder.
Doesn't that assume that users only look up the names of webservers?
What happens when a user mistypes a URL and the VeriSign system merrily sends them a verisign IP, but they are using "ssh", or an IMAP mail client, or any other service that the verisign server is unlikely to be running?
The user receives unhelpful "Connection refused" messages, instead of being prompted to correct their typo by a "Can't find..." message.
Usually the problem is that, as in your case, the name contains characters that are not native to other languages.. well.. get rid of the accents! That should fix everything. Use BOTH. (Of course, if such a thing were allowed.)
Of course, that's the obvious solution.
OTOH, the problem with this is that transliteration isn't easy, or consistent.
Swedish characters like å, ä, ö, for example:
English-speakers usually "brush the dirt off" and write a and o instead. But the correct transliteration is aa, ae and oe, respectively.
(With Japanese it gets even worse..)
Not to mention names like München (Munich)..
Should they have www.münchen.de or www.munchen.de or www.muenchen.de or www.munich.de or all of them?
(Actually they do have all of these except the first, ironically..)
Would that be like or not like websites that require flash?
You would think that the same thing that would go for the website would also go for the domain name.
Selling people domains that are non-standard by using a different DNS... http://alternic.org/ . They've called it "Enhanced DNS". I'm pretty sure hardly anyone actually ever used this...at least no sites of any significance. I'm guessing verisign will have a little more luck, but still not much, as it is a bad business model trying to sell things that require a plugin for the general public... I can just see businesses going out and buying domains that people can't even get to, because they don't have the plugin, and won't get it.
The real significance of the AlterNic site is that the guy that founded it back in the 80's or so ended up in prison for a while, then when he got out, he couldn't use a computer for a significant number of years by court order because back when Network Solutions ran the whole show for domain names, he hacked their DNS to route internic.net to his site, and also hacked their DNS to include his custom top level domains such as .sex.
As far as the license agreement giving verisign the right, but not obligation to automatically update the software without asking first...can you say spyware? Does CometCursor ring a bell?
~Brian
Who the hell actually types in domain names anymore. My first stop on the net is usually google. Why? There is no way of telling where a domain name actually goes.
I work at the Franklin Institute. Our domain is fi.edu. Our customers who type in FranklinInstitute.com get sent to one of those DNS parking sites. (We do have FranklinInstitute.org and FranklinInstitute.net.)
Of course, there is also a Franklin Institute in Boston. Are we then supposed to be FranklinInstituteOfPhiladelphia and they be FranklinInstituteOfBoston? (Hmm, or franklininstitute.phl.pa.us and franklininstitute.boston.ma.us.)
And, the original name for our organization was The Franklin Institute for the Promotion of the Mechanical Arts, that exceeds 32 characters. We could use the acronym FIPMA, but most of the folks that visit don't know the PMA part.
Just think of WhiteHouse.com or GMSucks.com.
Granted, it is really nice to see www.petesfamouspizza.com on the pizza joint next door. But at some point you end up writing it down. After a while it will end up being just like a damn phone number, making no sense at all.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Remember that if you use IE, you automatically get thrown to a Microsoft Web site if you go to a non-existent domain.
But Verisign change the behaviour of the underlying DNS system, no matter which port number, application or OS you use. Yet they only provide an MSIE for Windows plugin for IDN domain names.
The internet is not all web, and the changes they made can be bad for applications like mail. The changes they made to DNS behaviour are not a good thing.
Verisign is evil. This is yet another proof. Take the .com and .net registry away from them ASAP.
At least the way I read the document, it does only support web servers, which means that SMTP email fails, as well as all the other services. So you can have http://MyChineseServerName.com but not postmaster@MyChineseServerName.com, which is spectacularly broken.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I hate to shatter an illusion, but .com, .net and .org ARE international domains (along with .int) - the USA has .us as its country code. Ok, it might not be widely used, but it IS there.
- "MSDOS" cp866;
- "Windows" 1251;
- "Unix" KOI8
- "Mac" (???)
- ISO 8859-5
The Russian government officially approves only ISO 8859-5, but most people just ignore that charset and no one (besides the govt) uses it. All charsets are different one from each other, mainly (and in most cases) by different positioning of the same Russian letter in different places of the "code page". That requires having a separate font modification for each charset you want to use (yes, it's true, I have 5 Arials, 5 Couriers etc); alternatively it requires decoding the document on the fly from the doc's charset to the charset of the currently chosen font (some programs can do it, others cannot).
Now, when I see a domain name with some non-ascii letters, and I assume it is in Russian language, which charset should I choose in order to display it properly and to be able to read it? The domain name itself doesn't keep such information. Does DNS keep it? I don't think so.
Has one Russian charset been chosen over others? If so, who dares to decide it and to be criticized by users of the other 4 charsets?
Personally I think that due to such problems in some languages (Chinese also? India as well?) all non-ascii strings should be used in internet only along with some identifiers of the charset. For example, web pages and email messages use such (often - in inconsistent way). Also, XML can assign a charset per sub-tree. But how about domain names? I think non-ascii usage should be limited to documents, while all system identifiers (including domain names) must be ASCII. Period.
Less is more !
Though supporting international, non-English characters in domain names is a Good Thing, Verisign makes some arrogant assumptions in their broken implementation:
a) DNS is only used for HTTP (web). By pointing failed lookups at idnnow.com (198.41.1.35) to see the plugin website, Verisign breaks all other services' proper "not found/unresolved/connection refused" response. "Not found" is a more helpful answer than an erroneous one.
b) The universal web platform is Internet Explorer on Windows. First, it's not just the browser that needs to be patched -- all internet hosts will need updated DNS resolvers to handle the binary, non-ASCII names. Even if (a) were true above, there are many other browsers and platforms than IE/Win. And they're using their monopoly power to leverage proprietary software into users' browsers.
c) Everybody speaks English. It's time that we as Americans realize that we are not alone in this world. Pompous assumptions like these foster hatred of the U.S. Yes, Verisign offers eight other translations of idnnow.com, but combined with (a) and (b) above, it's just another broken way that an American Megacorp tells the world How It's Gonna Be.
d) Verisign runs the internet. Okay, so this one's almost true, because they have a stranglehold on some of the internet's most intimate infrastructure... but my big beef with Verisign is that they do not approach their responsibilities with an attitude of service. Nameless servants of the public all over the globe quietly keep the internet up and running, but Verisign's public decisions infer that theirs is the only policy that matters.
So, can we just mod Verisign as "arrogant?"
roderickm
Not only is the implementation a painful, incomplete hack, but even if the DNS protocol were cleanly extended to handle non-ASCII names, it would still be wrong.
DNS names are a very low level component of the internet- they layer just above IP addresses, and provide a persistent way to find an IP host. Today, with hostnames in ASCII, any person smart enough to use a computer can write down a name off a printout, and type it in later. Everybody, regardless of speaking Spanish, Korean, Russian, Chinese, Swedish, or Hindi, can basically recognize and repeat the ASCII alphabet. Not only is it the shortest, simplest character set the world has to offer, but most internet users are already getting some training in it.
Sure, with a Russian character map it might not be completely convenient to punch in an ASCII name- but with a little effort, anyone can do it. But if DNS hostnames start to come in Kanji or Hangul, it will be inestimably worse.
It's trivial to print the whole English alphabet on a single page, and with a rudimentary pronunciation-guide too. But Chinese contains more than 10k characters, many so rare that just 10% of the Chinese population can reproduce them. How'd you like that as the hostname that's been DNSing you? Try reading it over the phone to the upstream sysadmin, maybe?
The system of DNS hostnames is most useful when it uses a least-common-denominator character set which every literate human can reasonably read, input, and maybe even pronounce. It's mostly like that today, and keeping it ASCII is the way to maintain it.
Naturally, non-English speakers will want to be able to publish server addresses in their own language. But systems to perform these lookups should be created separately from DNS- either on top of it (resolving to DNS hostnames), or alongside (resolving to IP addresses). That way, major international servers will tend to be dual-named: local language for primary users, ASCII-DNSname for everyone else.
The system libraries that software uses to look up names can be extended to optionally check alternative-charset nameservers before going to the DNS ones, depending on the user's i18n settings.
That solution would be drastically more complete, and less disruptive, than what is presented in the article.
What's the native language of the USA? Well some messed up hybrid of English.
Actually, contrary to popular belief, American English isn't really any less 'correct' than British English. At the time when the original settlers of the US left Britain, there were numerous dialects of English corresponding to the various Germanic kingdoms existing on the isle. Since most of the colonists were not from London, they brought with them English rules and vocabularies different from those of the London dialect which eventually became British English. For example, 'color' is not actually a shortening of 'colour,' just the Latin-esque spelling rather than the French. So it's really a case of divergent evolution.
This has been your pedantic, pointless etymology lesson of the day. Don't eat me.
Try going to http://www.épocas.com.
Although you will have to cut/paste as Slashcode strips intl characters from the URL (they killed all unicode and non- [A-za-z0-9] characters after all that crapflooding).
Does this mean the domain names are ISO-8859-1 or can they be Unicode? If they are Unicode, how do you represent it in an HTTP URL? And do browsers support such a thing?
I'm sorry, but Verisign should have their status as both registrar and root nameserver operator revoked after this. We depend on being able to tell when a DNS name doesn't exist. The master nameservers for two of the biggest TLDs should never, I repeat never, lie to us about that by returning a record when no such record exists for the name queried.
What Verisign's doing is the equivalent of the phone company responding to a 411 request for a name that isn't in the phone listings not with "I'm sorry, we don't have a listing for that name." but with "The number is .".
Well there's three breakages already:
Secondly, in the real world IE won the browser wars, live with it. The end users voted with their mice.
I think that at least one justice system has found this to be untrue - users didn't vote with their mouse, it was won by illegal means. I mostly agree with that ruling. The world is more than just Windows and IE - that's what a proper platform independent protocol is supposed to be all about.
NAT is a hack. It also makes a mess of transparency and isn't 100% in the minority of cases. However, the minority of cases usually break completely. Even things like Quake broke originally until the protocol was modified and people put in special handling in their NAT stuff.
But NAT isn't a fair analogy at all. People use NAT on their home networks, office networks, and other small LANs. Or simply as a poor man's firewall. We're not asking VeriSign (or a local cache) for information on how we should NAT. It's a local hack with the locals completely understanding that it's in there. VeriSign's DNS hack has global effect and can't be turned off.
Unless, of course, you filter the response of "198.41.1.35" (what they return) to mean "host not found". But that would be a hack to fix another hack... which is usually how these poorly thought out "fixes" end up...