Slashdot Mirror
Resolving Everything: VeriSign Adds Wildcards
"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.
VeriSign has published white papers about their implementation and also made some recommendations."
expect that ip to get null routed by the backbone carriers real fast.
This also traps all mail sent TO a non-existent domain. Since all RFC-compliant mail servers will follow up a negative MX response with an A lookup and connect to that IP, if you send mail to a bogus domain, it goes to verisign's server, which (currently) bounces it. Imagine the fun the federal government can have subpoena'ing those logs.
Also, you'll note the cookies that 'sitefinder' sends out, so they can uniquely track any traffic to that site. Also a fun subpoena opportunity. And did you read the fun terms of service that they claim you agree to by 'choosing to visit' their site?
I doubt this will stand. I certainly know that, as a major ISP executive, we'll be reviewing our business with Verisign.
So let me get this straight. A site I didn't ask to go to has a Terms of Use which says that my sole remedy is to discontinue use of "The Verisign Services".
So, by mistyping a domain name, I've entered into a legal agreement with Verisign? And the only way to get out of it is to not use the internet?
The only address on the page is their legal department's postal address, at
VeriSign, Inc.
Attention: Legal Department
21355 Ridgetop Circle
Dulles, VA 20166
I guess I'll be sending them a nice letter. As soon as I figure out what legal recourse I actually have.
The IE rediect to the MSN search mess is configurable: you can turn it off AND turn off the stupid useless 'all errors are one thing' error page and make IE actually give you something useful, at least with IE 5.5 and 6.
.(com|net) domains. Verisign has just in effect registered all unregistered domains in those TLD's and pointed them at their own little cash-spinner.
HOWEVER, you can bet that MS and AOL and everyone else who does something interesting and useful with HTTP queries that look for bad domain names (like some ISP's that have proxies for users and some companies that have proxies for employers) will be pissed off. Different people like to do different things with their NXDOMAIN responses, and Verisign has just made sure that a lot of those responses never happen and that only Verisign gets to choose what the user sees instead.
There essentially are no more unregistered
To: icann@icann.org, iana@iana.org, nstld@verisign-grs.com,
.com and .net TLDs to a Verisign owned search
.com and .net TLDs.
rcc@verisign.com, hostmaster@nsiregistry.net, ir@verisign.com,
dcpolicy@verisign.com
Subject: Complaint about Versign abuse of DNS root zones
A Letter of Complaint about actions undertaken by Verisign Incorporated
on or about 9/13/03.
Sent to the Internet Corporation of Assigned Names and Numbers and the
Internet Assigned Number Authority.
Doug Dumitru
xxxxx xxxxxx xxxx Road
xxxxxx xxxxxx, CA 9xxxx
949 xxx-xxxx
Dear sirs,
As you are probably aware, Verisign is redirecting unregistered
2nd-level domains in the
engine. They are using a technique known as DNS wildcarding to
accomplish this.
I firmly believe that this is clearly an abuse of the DNS system, that
it violates the technical requirements for domain lookups, that the
results returned are fraudulent, and that this technical action only
benefits Verisign at the expense of the rest of the internet population.
I respectfully request that IANA and ICANN immediately take action
against Verisign demanding that Verisign cease this fraudulent and
damaging behaviour. Should Verisign refuse, I would recommend that IANA
and/or ICANN (and/or the US government) take immediate action to revoke
Verisign's contract to administer the
I would also recommend that IANA and/or ICANN immediately pass "best
practice" rules that prevent other TLDs and country-code domains from
following in Verisign's deceptive footsteps. It is important that a
"domain not found" error not be subverted into an advertising opportunity.
Sincerely,
Doug Dumitru
They don't seem to have an e-mail address for the category of "Subversion of the global DNS," so pick one of the following e-mail addresses and use it to CC your complaint to Verisign:
i sign.com,p ki@verisign.com,m ,c omi gn.com,e rprise-sslsupport@verisign.com,s .com,o m,s igning-support@verisign.com,g n.com,e tworksolutions.com,@ networksolutions.com,p ort@verisign.com,u pport@verisign.com,
v ts-mktginfo@verisign.com,
websitesales@verisign.com,g n.com
authenticode-support@verisign.com,
billing@ver
channel-partners@verisign.com,
client
consultingsolutions@verisign.co
dbms-support@verisign.com,
dcpolicy@verisign.
digitalbranding@verisign.com,
dnssales@veris
enterprise-pkisupport@verisign.com,
ent
info@verisign-gr
internetsales@verisign.com,
IR@verisign.c
jobs@verisign.com,
mss@verisign.com,
object
paymentsales@verisi
practices@verisign.com,
premiersupport@n
press@verisign.com,
privacy
renewal@verisign.com,
sup
verisales@verisign.com,
vps-s
vts-csrgroup@verisign.com,
webhelp@verisign.com,
websitesupport@verisi
Verisign has continually been abusing the power that has been handed out to them. Two such examples are its mailing of false renewal notices, and its most recent exploit: sitefinder.verisign.com. Now, nearly all mistyped names will be sent to Verisign where they can do whatever they like to the unwitting user. There are even categories on sitefinder.verisign.com where one can browse and go to sites which are undoubtedly paying Verisign for the space.
Please take this, and the hundreds or thousands of e-mails you will receive, into consideration, and exercise the power that ICANN has. Verisign has continually been abusing and tricking people through deceptive business practices, and this should be the last straw. Verisign should not only be removed from it's post, but it should also be fined for its numerous escapades designed to make money.
Sincerely,
Michael B****
I've got to wonder: where do they come up with such evil ideas? Verisign must have a beowulf cluster of insensitive clods...
--<Mike>--
Speaking of search engines. What would happen if a significant number of web sites put links on every page to a poison page. This poison page would generate 10,000 random links of the form "www.verisignblows948950948393903848585.com", with the number obviously being random. How long would it take for all the search engines and web crawlers to hit this and have a serious impact on verisigns servers?
Now, I'm not suggesting anybody do this, I'm just asking the question.
Excessive forking causes un-wanted children.
It seems that they have effectively violated the ICANN Domain Name Dispute Policy: "circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration". They're definitely doing this to sell domains.
Bill
I wonder if more people will become concerned when verisign starts to harvest instead of bounce?
Preliminary (as in, it seems to work for me) BIND 8 patch that I just cooked up available here.
If you have SSL certificates from Thawte (a subsidiary of Verisign), you can send them a message today.
Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.
You can tell them "it's a trust thing" (their own motto).
IANAL, but I dated on once, so take this for what it's worth. This appears to me to be a clear violation of anti-trust laws. Verisign is using their monopoly position as the root DNS to create business opportunities which are not available to others. Verisign can create a nearly infinite number of domains for free, and sell advertising on all those domains. Any of their competition would have to pay for those domains (in fact, would have to pay Verisign). If this isn't abuse of a monopoly position, nothing is. Somebody should sue them under the Sherman Anti-Trust act and get an immediate injunction against them.
Eric
eric at koldware dot SpamThisSucker dot com
I've created a Squid redirector to deal with this problem. I tried to post it here, but couldn't get past the Slashdot lameness filter.
It catches anything going to a gTLD's wildcard response (there's about 15 gTLDs doing this!) and redirects it to google. It also does some other niceties that don't automatically happen when using a proxy, such as adding www. and .org/.com/.net if needed.
If anybody wants the code, then post a reply here and I'll set up a web page with it and post the URL. (I won't bother if nobody wants it.)
You may want to know, also, that some of the NANOG folks have patches for BIND to change these responses back into NXDOMAIN.
One of many problems is that web.archive.org will honor the /robots.txt of any host and remove that host from its archive. So, sooner or later, the archive of all formerly (and currently no longer) registered domains will be gone...