Slashdot Mirror
VeriSign Changes DNS Servers: No ASCII Needed
An anonymous reader points to this story at The Register and this one (in French) at news.yahoo, writing "VeriSign has made changes to the root DNS so that they handle non-ascii names (for .com and .net).
Furthemore, an erroneous lookup results in getting a VeriSign IP, not an error message." An excerpt: "The IAB [Internet Architecture Board] feels that the system VeriSign had deployed for .com and .net contains significant DNS protocol errors, risks the further development of secure DNS, and confuses the resolution mechanisms of the DNS with application-based search systems."
-Mark
Perhaps this is the start of having he "other" dns'es take off. We all know how bad Verisign is with DNS (like slamming, overcharging, and in general cheating).
Seems like they're pulling a Microsoft to me. But this time, the big guys are pulling a "WTF" on them.
We all know we can trust corporations to do the right thing. I'm sure they'll sort it out and it will all be alright. Anyone who says they're trying to screw everyone to get some sort of competitive advantage by breaking well-established protocols is an unpatriotic leftist and should be arrested under the terms of the PATRIOT act and put away to let the good people get on with God's work.
Daniel
Carpe Diem
Small town in Florida overnight adopted a new set of street signs they feel create a friendlier driving enviroment, and allow the non-usa population to drive safer.
Within 24 hours the whole city was gridlocked due to wrecks from confused and misguided drivers who didn't understand what was going on...
Yes its a Dramatic example, but valid one of what happens when things are changed without properly informing the public, Just taking things into your own hands.
This change is not going to serve to improve the internet but instead confuse people.
Personal Website
It seems that nothing is sacred anymore. First you get everybody and his brother trying to introduce alternate root zones, then you get morons like NewNet that go a step further and require a browser plugin. Now Verisign does this.
I understand that having non-ascii characters in host/domain names would be desirable, however if they can't do it without breaking the DNS protocol, then they should get their ass right back to the R&D lab and try harder.
You can see what they're talking about by
running this command:
[robert@alpaca robert]$ dig `perl -e 'print chr(160).".com";'` @A.GTLD-SERVERS.NET A
I tried to paste the output but the comment
system prevented me saying "too much junk" --
anyway;
It seems the article is right. Any
domain containing a non-ascii character is resolved to 198.41.1.35 which reverses to
www.idnnow.com. My guess is they need to do this
in order to do http redirects for their customers,
since nobody will have a broken nameserver able
to serve these 'international' domains for themselves.
but since verisign still runs the actual DNS
servers that run
registry just contracted the actual nameserver
work right back to them!) maybe it won't be too
long before we see this on
Doesn't that assume that users only look up the names of webservers?
What happens when a user mistypes a URL and the VeriSign system merrily sends them a verisign IP, but they are using "ssh", or an IMAP mail client, or any other service that the verisign server is unlikely to be running?
The user receives unhelpful "Connection refused" messages, instead of being prompted to correct their typo by a "Can't find..." message.
Ok.. now I have full understanding why people want
DNS adresses in their own language.
For instance, I live in Sweden, where the township of Mönsterås has to use the
URL "monsteras", which happens to mean "monster-carcass"..
But on the other hand, a big point of the internet is that it's supposed to be international,
how are for instance americans supposed to type unique swedish characters to find the web site?
Not to mention chinese and japanese sites..
Verisign are now introducing propriatary, Internet Explorer only, DNS mechanisms much like the system I saw a couple of years ago where by using another company's DNS servers you could have domain.anything. Not only does this mean that anyone not using IE cann't access sites that use this 'special mechanism', but people with standard keyboards cann't access other 'language sites' without using character map - and even that does not contain japaneese/chineese characters IIRC.
Oh, may I also draw your attention to this part of the EULA:
11. Automatic Updates/No Maintenance.
VeriSign has the right, but not the obligation, to provide you periodically with automatic modifications, updates, upgrades, or error fixes for the Software using the transmission mechanism described above. This license does not entitle you to any support or maintenance for the Software.
Another browser 'add-on' that gives itself the right to install whatever the fuck it wants. Verisign should of been closed long ago.
I hear of all these proprietary ways to handle non-ascii domain names and constantly fail to see why people cannot wait for the IETF IDN Working Group to finish their work.
Furthemore, an erroneous lookup results in getting a VeriSign IP, not an error message.
So, does this mean I will be able to type in "http://shittyassregistrar.com" and get VeriSign?
Who the hell actually types in domain names anymore. My first stop on the net is usually google. Why? There is no way of telling where a domain name actually goes.
I work at the Franklin Institute. Our domain fi.edu. Our customers who type in FranklinInstitute.com get sent to one of those DNS parking sites. (We do have FranklinInstitute.org and FranklinInstitute.net.)
Of course, there is also a Franklin Institute in Boston. Are we then supposed to be FranklinInsituteOfPhiladelpbia and they be FranklinInstituteOfBoston. (Hmm, or franklininsitute.phl.pa.us and franklinintitute.boston.ma.us.)
And, the original name for our organization was The Franklin Institute for the Promotion of the Mechanical Arts, that exceeds 32 characters. We could use the acronmy FIPMA, but most of the folks that visit don't know the PMA part.
Just think of WhiteHouse.com or GMSucks.com.
Granted, it is really nice to see www.petesfamouspizza.com on the pizza joint next door. But at some point you end up writing it down. After a while it will end up being just like a damn phone number, making no sense at all.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Remember that if you use IE, you automatically get thrown to a Microsoft Web site if you go to a non-existant domain.
.com and .net registry away from them ASAP.
But Verisign change the behaviour of the underlying DNS system, no matter which portnumber, application or OS you use. Yet they only provide a MSIE for windows plugin for IDN domain names.
The internet is not all web, and the changes they made can be bad for applications like mail. The changes they made to DNS behaviour is not a good thing.
Verisign is evil. This is yet another proof. Take the
At least the way I read the document, it does only support web servers, which means that SMTP email fails, as well as all the other services. So you can have http://MyChineseServerName.com but not postmaster@MyChineseServerName.com, which is spectacularly broken.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
- "MSDOS" cp866;
- "Windows" 1251;
- "Unix" KOI8
- "Mac" (???)
- ISO 8859-5
The Russian goverment offially approves only ISO 8859-5, but most of people just ignore that charset and noone (besides the govt) use it.All charsets are different one from each other, mainly (and in most cases) by different positioning the same russian letter in different places of the "code page". That requires to have separate font modification for each charset you want to use (yes, it's true, I have 5 areals, 5 couriers etc); alternatively it requires to decode the document on the fly from the doc's charset to the charset of currently chosen font (some programs can do it, others cannot).
Now, when I see a domain name with some non-ascii letters, and I assume it is in Russian language, which charset should I choose in order to display it properly and to be able to read it? The domain name itslef doesn't keep such information. Does DNS keep it? I don't think so.
Is one russian charset has been chosen over others? If so, who dare to decide it and to be critisized by users of other 4 charsets?
Personally I think that due to such problems in some languages (Chineese also? India as well?) all non-ascii strings should be used in internet only along with some identifiers of the charset. For example, web pages and email messages use such (often - in inconsistent way). Also, XML can assign a charset per sub-tree. But how about domain names? I think non-ascii usage should be limited to documents, while all system identifiers (including domain names) must be ASCII. Period.
Less is more !
The real problem is that the DNS standards say that capital and lower-case letters are equivalent, so example.com and EXAMPLE.COM and ExAmPlE.com all get the same result, and DNS lookups translate everything to the same case before looking it up. To handle single-byte international character sets wouldn't have been that difficult - either define a mapping from uppercase to lowercase, or else require that users translate all of those things by hand. But Unicode's two-byte characters make this fail badly - if the bytes happen to be aa, changing them to AA gets you an entirely unrelated character, and vice versa, but the DNS standards force this to be done, because they don't know about double-byte characters. The most serious problems this causes are that only about 1/4 of the characters are valid in DNS, which makes far too many words unavailable - it's bad enough that aa and AA and aA and Aa all become aa, but the chances of a 10-letter word being available are way too low (and think about the trademark problems of coke.com vs. COKE.com vs. CoKe.com etc.) Other problems include the chance that you can't display reverse DNS names properly (because the database has the wrong case in it) or alternatively that the canonical forward and reverse DNS names are different, which is annoying enough for 7-bit character sets where only the case is different, but when the letters change entirely, it's really bad.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
In Windows, you use what's called an Imput Method Editor. (IME) For example, if you computer runs Japanese Windows XP, and you type into Notepad, you phonetically type out the character names on an English keyboard, and it maps the characters to the appropriate Kanji characters. Or if you just want to play with this in English, you can install some other languages and fonts... but don't hit Left-Shift and Left-Alt (as I once did) while in the password dialog... You can't type an English password in Arabic...
Because English keyboards have far fewer letters than asian alphabets, the Speech recognition and Handwriting IMEs are much more popular in these regions. It's also really weird how RTL/LTR directions are handled in Windows when you type multiple languages on the same line of text. English goes left to right, then Hebrew or Arabic which goes right to left, and if you go left, it goes right or left depending on where you are...
Here's an analogy: let's say you try to implement a method to display a pop-up search window when an executable file is not found. The obvious and clean way to do that is at the application level. When the application gets "file not found" from the filesystem, it arranges to pop up a search window. You'd only resort to alternate means if you can't modify existing applications.
Alternatively, you could implement a hideous hack where the file system instead opens a default executable. The application then never knows that the file wasn't found and executes it. It's achieved the same end, but it'll have a lot of side-effects. For a start, the application may not have wanted to execute it. It might even be trying to detect whether it exists. Other applications may not be expecting that behaviour and it'll break them. Another operating system may have that file system remotely accessed and end up running a non-native executable when it was looking for a native one. And years later, developers will still be working around this messed up behaviour because hacks are hard to get rid of once they are deployed at large.
DNS is not supposed to be a "lookup service for http transfers". Assuming that every lookup will be because of web browsing (by IE no less) is stupid. It's not even a good hack. As someone else who has replied to this article has pointed out it may not even cover the majority users. What about all those email servers bouncing email all over the place? What about all the peer-to-peer users? VeriSign would end up getting an enormous amount of non-web related connections hitting their "default IP".
VeriSign may be trying to get something out the door, but they could at least have implemented one of the preliminary specs (like simple UTF-8 encoding or mangling). Not a hack which only works for http transfers initiated specifically by IE, which breaks every other protocol and every other application.
Though supporting international, non-English characters in domain names is a Good Thing, Verisign makes some arrogant assumptions in their broken implementation:
a) DNS is only used for HTTP (web). By pointing failed lookups at idnnow.com (198.41.1.35) to see the plugin website, Verisign breaks all other services' proper "not found/unresolved/connection refused" response. "Not found" is a more helpful answer than an erroneous one.
b) The universal web platform is Internet Explorer on Windows. First, it's not just the browser that needs to be patched -- all internet hosts will need updated DNS resolvers to handle the binary, non-ASCII names. Even if (a) were true above, there are many other browsers and platforms than IE/Win. And they're using their monopoly power to leverage proprietary software into users browsers.
c) Everybody speaks English. It's time that we as Americans realize that we are not alone in this world. Pompous assumptions like these foster hatred of the U.S. Yes, Verisign offers eight other translations of idnnow.com, but combined with (a) and (b) above, it's just another broken way that an American Megacorp tells the world How It's Gonna Be.
d) Verisign runs the internet. Okay, so this one's almost true, because they have a stranglehold on some of the internet's most intimate infrastructure... but my big beef with Verisign is that they do not approach their responsibilities with an attitude of service. Nameless servants of the public all over the globe quietly keep the internet up and running, but Verisign's public decisions infer that theirs is the only policy that matters.
So, can we just mod Verision as "arrogant?"
roderickm
I can see it now (taking a previous post accurately pointing out that Web browsers are not the sole users of DNS):
[on a *nix type machine]
% telnet iwanttohackdns.com
Welcome to the Verisign unsecured "no one ever uses telnet" root server configuration system.
Command? Delete DNS
Are you sure (Y/N)? Y
DNS Purged.
Command? Quit
Goodbye.
% telnet myserver.mydomain.com
Welcome to the Verisign unsecured "no one ever uses telnet" root server configuration system.
Command? Quit
Goodbye.
Not only is the implementation a painful, incomplete hack, but even if the DNS protocol were cleanly extended to handle non-ASCII names, it would still be wrong.
DNS names are a very low level component of the internet- they layer just above IP addresses, and provide a persistent way to find an IP host. Today, with hostnames in ASCII, any person smart enough to use a computer can write down a name off a printout, and type it in later. Everybody, regardless of speaking Spanish, Korean, Russian, Chinese, Swedish, or Hindi, can basically recognize and repeat the ASCII alphabet. Not only is it the shortest, simplest character set the world has to offer, but most internet users are already getting some training in it.
Sure, with a Russian character map it might not be completely convenient to punch in an ASCII name- but with a little effort, anyone can do it. But if DNS hostnames start to come in Kanji or Hangul, it will be inestimably worse.
It's trivial to print the whole English alphabet on a single page, and with a rudimentary pronounciation-guide too. But Chinese contains more than 10k characters, many so rare that just 10% of the Chinese population can reproduce them. How'd you like that as the hostname that's been DNSing you? Try reading it over the phone to the upstream sysadmin, maybe?
The system of DNS hostnames is most useful when it uses a least-common-denomintator character set which every literate human can reasonably read, input, and maybe even pronounce. It's mostly like that today, and keeping it ASCII is the way to maintain it.
Naturally, non-English speakers will want to be able to publish server addresses in their own language. But systems to perform these lookups should be created separately from DNS- either on top of it (resolving to DNS hostnames), or alongside (resolving to IP addresses). That way, major international servers will tend to be dual-named: local language for primary users, ASCII-DNSname for everyone else.
The system libraries that software uses to lookup names can be extended to optionally check alternative-charset nameservers before going to the DNS ones, depending on the user's i8n settings.
That solution would be drastically more complete, and less disruptive, than what is presented in the article.
I'm sorry, but Verisign should have their status as both registrar and root nameserver operator revoked after this. We depend on being able to tell when a DNS name doesn't exist. The master nameservers for two of the biggest TLDs should never, I repeat never, lie to us about that by returning a record when no such record exists for the name queried.
What Verisign's doing is the equivalent of the phone company responding to a 411 request for a name that isn't in the phone listings not with "I'm sorry, we don't have a listing for that name." but with "The number is .".