Slashdot Mirror


Resolving Everything: VeriSign Adds Wildcards

DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now result in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

19 of 1,291 comments

  1. joy by digitalsushi · · Score: 4, Insightful

    this should make troubleshooting dns records as a netadmin much more fun with all those glorious false positives... guess that means i'll have to learn how to spell finally!

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  2. What? by Lord_Dweomer · · Score: 4, Insightful

    So let me get this straight..... If I own http://www.hardtospelldomain.com, and someone misspells it, Verisign now has the opportunity to offer up the highest bidder's site for redirects? Even potential competitors? Perhaps I'm missing something here, but wouldn't this open them to all kinds of lawsuits from companies that were affected in that way?

    --
    Buy Steampunk Clothing Online!
  3. Verisign would look nice in gasoline and flame by netmask · · Score: 5, Insightful

    This is really sad.

    Not only will mail have problems, as the "non-existent domain" check will always fail.. but this is completely criminal it seems.

    I hate to mention, but they are giving Microsoft a dose of their own medicine.. taking away their ability to bring you to their 'search' page for non-existent domains.. and AOL's own feature similar to that. It hurts Google, since Verisign teamed with Yahoo on this one for search services (although Google provides Yahoo's search functionality for now).

    All .com domains are resolving with an authoritative section of Verisign's server.. and .net's with the list of root servers. It would seem that no domain should ever resolve with either of those as an authority.. The real DNS server for the domain should. Hopefully BIND and other DNS packages will start blocking domains that have a root server or a Verisign server as the authoritative DNS server.

    Further.. they'll be harvesting bounced email addresses for sure. If you get spammed from a bunk domain, and it gets returned.. or you typo an email address.. they are nice enough to run a mail daemon on port 25 to harvest those addresses. It lets you HELO, FROM, RCPT, and DATA.. and then closes your connection.. just long enough to snag all the info it wants from you.

    This entire thing is a mess, and seems like it should be highly illegal. Hopefully OpenSRS and GoDaddy and others will have a fit over it. This just seems completely wrong.

  4. DDOS in the making by digitalsushi · · Score: 4, Insightful

    think about it.. your dns server caches the entries it gets back, but now we can make scripts that check sequentially all the way up! crash your ISPs name servers, or crash a root server for the prize! remember kids, take down 2/3 + 1 of the root servers and it's not running on spec anymore!

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  5. Now let's see by psyconaut · · Score: 5, Insightful

    Porn companies aren't allowed to run sites with slightly misspelled names because it's considered unfair practice, but a 'registrar' is allowed to catch anything that might come their way?

    -psy

  6. Re:Abusing the Power that be by ScrewMaster · · Score: 5, Insightful

    Verisign has forgotten that they don't own the Internet: they were granted the power to run the root servers and manage primary DNS by the federal government. That government-granted monopoly is revocable. This is a risky maneuver, as it will have global implications. They will probably get their wrists slapped.

    --
    The higher the technology, the sharper that two-edged sword.
  7. Re:network operators are pissed at this by Wateshay · · Score: 5, Insightful

    I wonder how long it will be before Verisign decides to sue the backbone carriers for some kind of unfair business practice crap.

    --

    "If English was good enough for Jesus, it's good enough for everyone else."

  8. Re:This is a bitch by pavon · · Score: 4, Insightful

    I vote that we consider anything from 64.94.110.11 to be spam. That should take care of the problem for spam filters.

  9. Re:network operators are pissed at this by Alien+Being · · Score: 5, Insightful

    That would leave browsers waiting to timeout. ICMP-Rejects wouldn't be much better.

    We'll need to hack the resolver libraries and/or DNS servers to translate 64.94.110.11 into "no such domain". Verisign will add some more numbers, and soon we'll have blacklists.

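    The story's point that a sender-domain existence check is defeated by the wildcard, and Alien+Being's suggestion above that resolvers translate 64.94.110.11 into "no such domain", can be shown in one piece of code. The following Python is an added example, not code from the story or from any commenter: `fake_resolve` is a constructed stand-in for a real DNS lookup (it returns the Sitefinder address from the story for any unregistered .com/.net name and nothing for .org), `discover_wildcard` probes a TLD with random labels to learn its sink address, and `domain_exists` treats an answer made up only of known sink addresses as NXDOMAIN. The function and variable names are all assumptions of this example.

```python
import ipaddress
import random
import string
from typing import Callable, Iterable, List, Optional

# Constructed fake resolver standing in for a real DNS lookup. Under .com
# and .net every name that is not explicitly registered "resolves" to the
# Sitefinder address given in the story; .org behaves like a normal TLD and
# returns no answer (NXDOMAIN) for unknown names.
SITEFINDER = "64.94.110.11"
FAKE_ZONE = {
    "example.com": ["192.0.2.10"],
    "example.net": ["192.0.2.20"],
    "example.org": ["192.0.2.30"],
}
WILDCARDED_TLDS = {"com", "net"}

Resolver = Callable[[str], List[str]]


def fake_resolve(name: str) -> List[str]:
    """Return A-record addresses for `name` from the constructed zone data."""
    name = name.lower().rstrip(".")
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    tld = name.rsplit(".", 1)[-1]
    return [SITEFINDER] if tld in WILDCARDED_TLDS else []


def discover_wildcard(resolve: Resolver, tld: str, probes: int = 3) -> Optional[str]:
    """Resolve a few random, effectively unregistered labels under `tld`.

    If every probe comes back with the same single address, the TLD has a
    wildcard and that address is its sink. A real NXDOMAIN on any probe
    means there is no wildcard, so None is returned.
    """
    seen = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=24))
        answers = resolve(f"{label}.{tld}")
        if not answers:
            return None
        seen.update(answers)
    return next(iter(seen)) if len(seen) == 1 else None


def domain_exists(resolve: Resolver, domain: str, sinks: Iterable[str]) -> bool:
    """Existence check that maps known wildcard sink addresses to 'no such domain'.

    A name is considered to exist only if at least one returned address is
    not a sink address; an answer that consists solely of sink addresses is
    a synthesized wildcard record and is treated like NXDOMAIN.
    """
    sink_set = {ipaddress.ip_address(s) for s in sinks}
    answers = resolve(domain)
    if not answers:
        return False
    return any(ipaddress.ip_address(a) not in sink_set for a in answers)


def sender_domain_ok(resolve: Resolver, address: str, sinks: Iterable[str]) -> bool:
    """The anti-spam check from the story: does the sender's domain exist?"""
    if "@" not in address:
        return False
    return domain_exists(resolve, address.rsplit("@", 1)[1], sinks)


if __name__ == "__main__":
    learned = [s for s in (discover_wildcard(fake_resolve, t) for t in ("com", "net", "org")) if s]
    for addr in ("alice@example.com", "spam@bunkdomain.net", "bob@example.org"):
        print(addr, "naive:", sender_domain_ok(fake_resolve, addr, []),
              "with sink list:", sender_domain_ok(fake_resolve, addr, learned))
```

    Run as-is, the naive check (empty sink list) accepts spam@bunkdomain.net because the wildcard makes every .net name resolve, while the check fed the learned sink list rejects it and still accepts the registered domains. Against a real resolver the probe step would be re-run periodically, since any change to the sink address would otherwise silently restore the wildcard's effect.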
  10. Re:Agreement by typo. by JayBlalock · · Score: 5, Insightful

    That's not hilarious, that's maddening beyond my ability to properly express. Especially #10 - Sole Remedy: "YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE." If you don't like what Verisign is doing, get off the Internet. This could well inspire even our current Administration to smack them down. This is the most hubris-laden abuse of a monopoly I've heard of in a long time.

    --
    Bush: He's Liberal in all the wrong ways.
  11. Contact ICANN comments@icann.org by Teflon · · Score: 5, Insightful

    If you want this "feature" of Verisign's turned off (I know I sure do), contact ICANN now. This is yet another example of Verisign having far too much unchecked power over the .COM and .NET registries.

    1. Re:Contact ICANN comments@icann.org by innocent_white_lamb · · Score: 5, Insightful

      What is this, better living through DDoS?

      No, this is receiving feedback from the affected administrators, engineers and other interested persons; said feedback hopefully leading ICANN to give Verisign a short, sharp lesson in "WHOA!".

      You know, the job that they are supposed to be doing and all that kind of thing.

      --
      If you're a zombie and you know it, bite your friend!
    2. Re:Contact ICANN comments@icann.org by tulare · · Score: 4, Insightful

      Sorry, but bullshit.

      ICANN is responsible for, among other things, ensuring that its registrars perform their duties properly. If an issue such as this one crops up, and the /. community (trolls and non-trolls alike) decide to make their complaints known using the established protocol that ICANN itself has provided for such matters, so be it. Yes, this will generate an enormous volume of sometimes absurd attempts at flaming, and yes, someone at ICANN has probably filtered all that traffic - although I suspect not to a circular file as you seem to suggest, but to a count-aggregation file to provide a record of public comment.

      Face it - sometimes, being responsible for a little thing like the internet can be a bitch. Most of us do have to deal with inane crap as a part of our daily grind, although I admit that getting 20,000 emails suggesting I view a goatsex link in a single day would probably be unusual for me at least. But at least ICANN has said outright that they aren't going to read all of them :) But that's their job, and the closetful of people who work for ICANN get paid to do it, knowing full well that things like this will happen. Big deal. Such is life, such is work. Or do you have a job where your responsibility is guaranteed to be 100% hassle-free? If so, I applaud and doubt you.

      --
      political_news.c: warning: comparison is always true due to limited range of data type
  12. Re:Complain to ICANN *NOW* by tuba_dude · · Score: 5, Insightful

    If ICANN was still there for the good of the internet, yeah, that should work. Otherwise, you should only bother complaining if you're a CEO.

    --
    "The government of the United States is not, in any sense, founded on the Christian religion."
  13. Misplaced root of trust? by LostCluster · · Score: 4, Insightful

    Is it just me, or is Verisign now abusing the trust of the Internet community, which is a very strange thing for a company that wants to be a root of trust when it comes to issuing SSL certs?

  14. Re:What about Google? by Asgard · · Score: 4, Insightful

    Fortunately there is a robots.txt hosted on that server:

    User-agent: *
    Disallow: /

  15. There is no Internet by DragonHawk · · Score: 4, Insightful

    (Pre-emptive strike: Insert Matrix-spoon reference here.)

    I feel it is worthwhile to post a more general response to this point as well.

    There is this myth that "the Internet" exists as a single, cohesive network. It does not, and never has. "The Internet" is a network of networks. What that means is that a bunch of independent network operators have agreed to exchange traffic with each other because it benefits them. When you dial in to your ISP of choice (or plug in your Ethernet cable or whatever), you're not connecting to the Internet. You're connecting to your ISP. Your ISP probably connects to their ISP. Their ISP (if you're lucky) connects to several other ISPs, who connect to other ISPs, and so on. All these independent network operators form "the Internet". So, "the Internet" exists as an abstract concept (and a useful one), but not as something you can touch. Not even as something you can route traffic through. All you can do is connect to some other guy's network and hope for the best.

    The reason this is important is because we are already seeing ISPs implementing countermeasures against this VeriSign move. Some are null-routing that IP address at layer two; others are using DNS tricks to give us the old behavior. If enough ISPs do this, VeriSign's move will be largely ineffective. In effect, ISPs as a community can veto VeriSign or anyone else. It only works if most of them agree and take action, of course, and it remains to be seen if they will do that. And, of course, some of these countermeasures may themselves be easily defeated, leading to an arms race (like the spammer vs anti-spam arms race).

    The possible consequences of all this are, shall we say, interesting.

    (BTW, I don't disagree with the OP's suggested course of action, nor with the principle behind it. I'm just pointing out that things are, as usual, more complicated than they might appear.)

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  16. Re:PLEASE DO NOT CLICK ON ANY SEARCH ENGINE RESULT by okigan · · Score: 4, Insightful

    Actually I think you are totally right.

    The whole thing was done exactly with this purpose, but I think it can be used to break the system. If enough bots (and bots only) constantly "click" on the ads, their price will plummet. Since now they cannot tell if a person saw the ad, the "pay per click" becomes pointless. (And boy they will be mad when they find out they paid all that money for nothing.)

    On the other hand, if every Slashdotter would ping the thing it would be way more fun. Come on everybody, just type: ping 64.94.110.11 (add -t if you are in Windows)

  17. Re:Boycott Thawte (Verisign's SSL subsidiary) by mino · · Score: 5, Insightful

    Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.

    Superb idea, ajks. Have a cookie (or a certificate).

    Here's a form-letter version of the email I'm about to shoot off to our rep, the delightful(!) Barbara:

    Dear [Thawte Rep Name],

    I am an employee (and listed CSO) of [company name], which purchases 128-bit SSL certificates from Thawte. We purchase approximately [x] certificates a year, which works out to approximately $US[y] per year.

    As you might be aware, Verisign, parent company of Thawte, has recently introduced a deceptive and misleading practice with regards to DNS resolution of non-existent domains. Any attempt to locate the IP address of a domain which is not registered (www.non-existent-domain.com) will, rather than returning an error message, return the address of a Verisign advertising server.

    This practice is not only ethically dubious, it is also something which promises to cause untold headaches for network administrators all over the world, as well as confusion for end-users of the Internet, all purely for the financial benefit of Verisign.

    I am not writing this letter to you in an official capacity as representative of my company: however, I wish to advise you that come certificate renewal time, I will be strongly recommending to my company that we change to an alternate SSL certificate provider, rather than Thawte, if this practice of Verisign's is still in place.

    As the listed CSO of this company, I strongly expect that my stance will result in the direct and immediate loss of this $US[y] worth of annual business to Thawte.

    This is a selfish and narrow-minded move on the part of Verisign, and I have no hesitation in recommending that my company withdraw its business from Thawte.

    Kind Regards,

    [Your Name],
    [Your location]

    We're a small company: but even in our case, [x] and [y] are 10 and 3000 respectively. It won't take that many to make a sizeable hole in Thawte's pockets.