Slashdot Mirror


ICANN, IAB Ask VeriSign to Suspend SiteFinder

dmehus writes "ICANN issued an advisory late today concerning VeriSign's controversial SiteFinder service. The advisory requests that VeriSign voluntarily suspend SiteFinder until various independent and objective reviews, which are now underway, have been completed. Interested parties should see the advisory for more details." I think most people here can agree it was a bad idea, although it's not generating revenue for most of us either. ICANN isn't alone here either. Nuclear Elephant writes "The Internet Architecture Board issued this response to an ICANN inquiry about Verisign's SiteFinder service."

276 comments

  1. So who gets the money ? by EpsCylonB · · Score: 4, Interesting

    VeriSign's wildcard creates a registry-synthesized address record in response to lookups of domains that are not otherwise present in the zone (including restricted names, unregistered names, and registered but inactive names). The VeriSign wildcard redirects traffic that would otherwise have resulted in a "no domain" response to a VeriSign-operated website with search results and links to paid advertisements.

    Why should VeriSign get the money ?

    1. Re:So who gets the money ? by Tirel · · Score: 1, Interesting

      Maybe because they're tired of running half of the DNS system for free? I mean, we're talking absolutely huge servers that serve hundreds of gigabytes per day and like 2/3 of the traffic are absolutely useless queries from random IDS and logging systems.

      Weekend internet users won't care and the rest of us will find ways to ignore it.

      So why not?

    2. Re:So who gets the money ? by tomstdenis · · Score: 4, Insightful

      Maybe if DNS were used correctly it wouldn't happen that way. DNS is supposed to be distributed. E.g. I contact my router [which runs a DNS server], my server contacts my ISP [which runs a cache] my ISP contacts ??? well it should contact its provider's cache and so on....

      Also Verisign makes its money by selling domain names. Recall that they used to be free at one point.

      The DNS control is *entrusted* to Verisign. Verisign doesn't own the internet and they could easily be replaced.

      Tom

      --
      Someday, I'll have a real sig.
    3. Re:So who gets the money ? by twistedcubic · · Score: 4, Insightful

      > maybe because they're tired of running half of the DNS system for free?

      Are you serious? You think God came down from High and forced Verisign to do this, as if Verisign doesn't have a choice? I don't get the "for free" part either.

    4. Re:So who gets the money ? by squiggleslash · · Score: 5, Insightful
      Part of running a name lookup system includes receiving queries for names that do not exist. I hardly call it "doing it free" considering that Verisign receives money for every registered entry in that table.

      To foist a broken DNS on us in order to introduce a non-consensual second revenue stream takes some gall. ICANN shouldn't be "asking Verisign" to suspend this, it should be taking actual action against them. I wonder what Jon Postel would say about it?

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re:So who gets the money ? by gmack · · Score: 1

      Free? What on earth are you talking about? They get a fee for every domain registered that their root servers are authoritative for.

      So yes they DO get paid to do this. Just because they think that isn't enough doesn't mean they get to use their unique position to make money at the expense of the rest of the net's admins.

    6. Re:So who gets the money ? by Anonymous Coward · · Score: 0

      They shouldn't. Let's see if any of the committees like ICANN have the guts to tell Verisign to cease or lose the TLD assignment.

      They should just tell Verigreedy to cease or lose it.

    7. Re:So who gets the money ? by zerocool^ · · Score: 1, Funny

      "What we've witnessed here is a motherfucking miracle. God came down from heaven and stopped those motherfucking DNS lookups from hitting any server but verisign's."

      ~Will

      --
      sig?
    8. Re:So who gets the money ? by warkda+rrior · · Score: 4, Informative

      DNS is not distributed, it is hierarchical. The queries travel up the tree (where the client first queries the ISP which is a leaf in the DNS tree), until they reach the top level DNS. Someone has to be at the top and manage the top level DNS. Of course, it does not have to/should not have to be Verisign...

      --
      You need to install an RTFM interface.
    9. Re:So who gets the money ? by Anthem.uxp · · Score: 1

      I hope ICANN doesn't catch on the "money"-part. Or maybe (after ICANN's careful review of all the facts) we'll be stuck with a wildcard on the TLD-level.

      microsoft.cmo anyone ?

    10. Re:So who gets the money ? by Directrix1 · · Score: 4, Insightful

      The real problem here is the fact that one company is entrusted to run .com. TLDs should be replicated across mutually trusted servers in different companies. It is stupid to put all our eggs in one basket anyways. If we had at least three businesses replicating .com in their servers, and providing them as a public root server, then we could just kick out/fine/threaten rogue servers and our DNS queries would round robin to the other companies' servers.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    11. Re:So who gets the money ? by mlong · · Score: 3, Informative
      > maybe because they're tired of running half of the DNS system for free? I mean, we're talking absolutely huge servers that serve hundred of gigabytes per day and like 2/3 of the traffic are absolutely useless queries from random IDS and logging systems. weekend internet users won't care and the rest of us will find ways to ignore it. So why not?

      You do realize that for every domain name registered in .com or .net ANYWHERE VeriSign gets a cut for running the "registry"? I think it's $6. That's a hell of a lot of money when it's multiplied out. Now as far as running a root server, then perhaps, but there are dozens of other organizations also running root servers.

      --
      //m
    12. Re:So who gets the money ? by numark · · Score: 3, Insightful

      When Verisign decided to assume control of the .com and .net registries at the time ICANN was formed (as they had done previously), they were making the conscious decision to do a certain number of DNS queries. It comes along with the job. Verisign gets a cut of all of the .com and .net domain registrations, and in return they provide certain DNS services as needed.

      It's not as though Verisign didn't know what they were getting into. They knew perfectly well, and I assure you that they are not strapped for cash or bandwidth. Even if they were, blatantly going around destroying the DNS system and violating commonly-held standards of conduct is not the way to do it. Not asking ICANN's opinion in the first place was also somewhat foolish, in my opinion. I would fully expect ICANN to release some sort of order or advisory telling Verisign to stop this practice or lose their contract to run the .com and .net registries.

      --
      Want Slashdot headlines on your site? Try SlashHead
    13. Re:So who gets the money ? by Anonymous Coward · · Score: 0

      Um, no, that is not how DNS works. You specify a DNS server, usually belonging to your ISP. If the DNS entry is in your ISP's DNS cache, it gets served from there. If the DNS entry is NOT in cache, a root server is queried by your ISP's DNS server (for instance, if you are looking up www.fqdn.com, a .com 'root' server is contacted). The root server instructs your ISP's DNS server which server is responsible for 'fqdn.com'. Your ISP's DNS server then queries the DNS server responsible for 'fqdn.com' and this server returns to your ISP's server the IP of www.fqdn.com. Your ISP's DNS server then returns this IP to you.

    14. Re:So who gets the money ? by Reziac · · Score: 2, Interesting

      Good idea, and I agree -- the single-basket approach is begging for disaster. Replicating would be a lot safer. Just because no big disaster has yet struck the system doesn't mean it *can't* happen.

      What companies would you suggest? IBM comes to mind as having the resources, and has demonstrated a modicum of "community best-interests" as well as support for open standards.

      I don't suppose it need be limited to tech-sector companies either. Maybe one with global presence and pret'near infinite resources, like Exxon-Mobil?

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    15. Re:So who gets the money ? by jbottero · · Score: 1

      > I would fully expect ICANN to release some sort of order or advisory telling Verisign to stop this practice or lose their contract to run the .com and .net registries.

      And then VeriSign will sue. In "Today's" business world, they might just win.

    16. Re:So who gets the money ? by Nintendork · · Score: 3, Informative
      Reading through this thread, it's obvious that there's a lot of confusion on how DNS works. AC was close by saying that it's hierarchical, but (s)he missed a step or two. When a client needs to resolve a DNS name, it sends a recursive query to the DNS server it's configured to use. Assuming the server isn't using any forwarders (Forwarding the query on to another DNS server), it goes through the name resolution process. Let's say you type in www.slashdot.org in your web browser. Your computer will send a DNS query to the configured DNS server. The query will ask for "www.slashdot.org.". The extra dot is usually not seen by us end users, but it's there. The full host name with the trailing dot is a fully qualified domain name (FQDN). That DNS server (Let's say the ISP) will then contact the root servers (That trailing dot) and ask for the record, www.slashdot.org.. The root servers will respond that they don't have that record, but they do know where the org servers are. The DNS server will then send the same query to an org server. The org server will respond that it doesn't have the record, but it does know where the slashdot.org servers are. Finally, the DNS server sends the query to the slashdot.org servers and gets the host record for www.slashdot.org.

      -Lucas

    17. Re:So who gets the money ? by dissy · · Score: 1

      > What companies would you suggest? IBM comes to mind as having the resources

      IBM is a good one.
      Personally I would also suggest Google.

      On the community side, we know they have the resources both computer and network wise to do it, and I can see Google coming up with a test bed to attempt to improve the system as well. I also trust Google to not just do something, but get community input and support, as well as asking who's above them (ICANN) for controversial things.
      (I picture a system with one or two 'gateway' IPs into the network, then those contact one of a few thousand machines in their Google array to do the request, spreading out CPU/mem/[all but network] load to their other servers.)

      On the selfish side, it would be a great way for Google to get sponsoring for more bandwidth as well to help the network side of the gtld server plus Google itself.

      If ICANN would set down a very strict rules base for what can be done, and explicitly state anything not on the list CAN'T be done without approval from ICANN, then I wouldn't mind a few other companies with large network resources in on the mix, such as Microsoft and maybe even providers like UUnet GlobalCenter and Sprint etc (Or pick the biggest and currently most stable 3 backbones in the US.)

      It would also be nice to say there must be at least X companies (IE say one company can run two gTLD servers at most, assuming they have the network resources to have two servers located in different parts of the network, otherwise just one server) and there has to be at least so many servers (IE 14, thus at least 7 companies)

      ICANN is supposed to work for us, and they are supposed to oversee NetworkSolutions which they have failed to do a great job of. (I am honestly surprised they reacted to this issue as well)
      If there were 7 NetworkSolutions, this can bring the vote back to the community as long as those companies listen to us. It's much more likely that a majority of the 7 will vs the majority of the single one we have now.
      If there was a policy that say ICANN's vote counts for 3 votes or something, we can finally get a board of companies that can actually induce change for the better, and seemingly with community feedback that will work.

      Then if one gTLD server decides not to sync with the others for some reason, it can be delisted in the root servers. New company appointed. No problem for everyone else.

      This is the way it should have been setup from the start.
      Now that I think of it, this is what DNS was designed to do.
      This is also how it was intended to start. The com/net/org/edu NIC used to be 'one of us' before they got turned over to a corp (NetSol) to make money.

    18. Re:So who gets the money ? by Reziac · · Score: 2, Insightful

      I don't know why I didn't think of Google as well; they have demonstrated solid ethics and good sense, and I think could be counted on to act as a balance against a member with less mind to the common good. And they've already got a proven fault-tolerant system in place (what with how prolific pigeons are ;)

      I *did* think of Microsoft, tho given their past behaviour, I have mixed feelings about that. They do have the monetary resources; however, they don't seem willing to use their own server infrastructure for anything they can farm out (they contract out even piddly crap like their subscriber mailing lists and event signups, which are hardly CPU- or bandwidth-intensive), or maybe it's not competent to support that much load, I dunno.

      Big backbones would indeed be another logical place to put it. Might this also speed up response time?

      Major ISPs might be considered (mainly AOL and Earthlink as the two biggies), but given that they seem to have enough trouble with their own internal maintenance, I'm not sure that's such a good idea.

      Another reason big corps like IBM might work well, is that they have a vested interest in making sure their servers are up ALL the time (downtime is lost money!)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    19. Re:So who gets the money ? by Anonymous Coward · · Score: 0

      Google has enough power already. But they have extremely limited capital resources, being a privately held company. Also, they have a history of bending over when there's trouble.

    20. Re:So who gets the money ? by ewolfr · · Score: 2, Informative

      They don't run half of the DNS system, in fact it's way less than half. This quote is directly from a Verisign webpage, "VeriSign also operates two of the 13 authoritative root servers that identify the complete directory of the DNS or all of the IP addresses for all registered Top Level Domains (TLDs)." at http://www.verisign.com/tl/nds.html?sl=060201.

      So they only run 2 of the 13 root servers. Seems like a lot less of a load than you believe it is.

    21. Re:So who gets the money ? by Lord_Dweomer · · Score: 1
      "Why should VeriSign get the money ?"

      Cuz they're a corporation. DUH!!!! They're ENTITLED to the money.

      --
      Buy Steampunk Clothing Online!
    22. Re:So who gets the money ? by Cramer · · Score: 1

      Not exactly... the trailing dot is not there unless you type it. (However, it is generally implied.) Adding the trailing dot on a hostname prevents the resolver from trying domains from the search list (if there are any.) As such, there's a difference between "www" and "www.".

      A search for www.ibm.com would look in the cache for a match. Failing that, the leading component is removed and the search repeated. Once it's been stripped down to nothing, you're at the top of the tree ("."). Those are the gTLD's (global top level domain servers) explicitly provided ("named.cache") to the server. (Changing the root is how various alternative DNS systems work.)

    23. Re:So who gets the money ? by Anonymous Coward · · Score: 0

      You hypocrite. Have you already forgotten the public outcry when you started to charge the public for your previously free MANHAM CANNING services?

    24. Re:So who gets the money ? by kdsolutions · · Score: 0

      Ahh, here's the REAL deal then...

      They get $6 for every domain name registered in .COM and .NET, right? Including the ones they register themselves, whether they actually transfer funds or not, they can include that as income.

      Imagine $6 multiplied infinitely on their next quarterly report. What will their stocks do?

      --
      Error 666 - Satanic SCO code found in your Linux kernel.
    25. Re:So who gets the money ? by NateTech · · Score: 1

      The roots are not the GTLD servers. GTLD is the delegation of a number of TLD's down a few years ago to take some load off the root servers.

      (a.root-servers.net - f.root-servers.net are the roots, a.gtld-servers.net - f.gtld-servers.net are the gtld servers -- why a through f? there are old named's out there still to this day that can't handle answers larger than a certain size. "f" is the limit to the number of responses they can deal with.)

      Otherwise, you're close to being correct, but you forgot that every system along the way back to the roots also typically has a cache of information and this is what TTL times and other times in the SOA record are for. How long to keep the cached information.

      If you're going to a well-travelled website you're not hitting the roots, the gtld's, or anything above your ISP's DNS server if anyone else has gone there before you did within the allotted time period for TTL caching in the zone. You're getting a non-authoritative answer from your ISP's server.

      All this "oh, the firewalls and logging servers overload the roots" is just FUD and misunderstanding how DNS really works. If people keep their TTL times high except prior to making changes, the caches can do their jobs. (Some servers insert an arbitrary minimum TTL for zones that are abusing this.)

      --
      +++OK ATH
    26. Re:So who gets the money ? by Cramer · · Score: 1

      Again, someone with only a partial clue... the roots are a-m (at the moment.) And there are a-m gtld servers as well. The "number of responses" doesn't have anything to do with it... if you send X queries, you get back, at most, X responses. If the payload is too big, all of it will not be processed (or, if it's a crappy M$ Windows product, it'll probably just crash.) (Yes, I have a 10 year old BIND server that works perfectly fine in the modern internet.)

      As for the load on the DNS system... caching doesn't help much when presented with queries for hundreds or thousands of domains that don't exist. What Verisign is doing isn't going to help this -- in fact, with the TTL they have on the wildcard, it'll actually make it worse.

    27. Re:So who gets the money ? by NateTech · · Score: 1

      Ahh... yep, old info on my part. Oh well. Still stops at m for a reason though -- I think your 10-year-old server (BIND 4?) is the limitation. Otherwise they would have just extended the roots out to z instead of splitting the GTLD servers off, methinks. Unless that was politically oriented (always a bad design choice).

      I never mentioned Verisign's wildcard at all - I was just explaining to the previous poster that said that all queries go to the root that they really shouldn't. If things are set up correctly.

      --
      +++OK ATH
    28. Re:So who gets the money ? by Anonymous Coward · · Score: 0

      They have the monetary resources, yes. They even have the CPU resources. However, they don't have the SOFTWARE resources to run any kind of server (no, I don't think Xenix counts).

      Windows is hardly able to sustain a full working day (eight hours) of single user work, so how on earth would MS be able to run a DNS server?

    29. Re:So who gets the money ? by wizman · · Score: 1

      I agree with you on Microsoft - however I'm willing to bet "contracting out the piddly stuff" is yet another way to sell their OS and other products. Think about it -- they get to use their OS for free, but third parties do not. So, lets say Microsoft only contracts with people who run Windows, and they farm out mailing lists to some company. Given proven lack of performance, said company probably needs to purchase a rack or two full of servers, all loaded with Windows Server, probably Exchange and SQL, etc.

      So, third party gets a big contract, Microsoft sells a few tens of thousands of dollars worth of software and license, and both parties are happy.

    30. Re:So who gets the money ? by Anonymous Coward · · Score: 0

      It's not just about the money.. This causes lots of problems with lots of software. See the following link for lots of information on what these wildcards do...

      http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html

    31. Re:So who gets the money ? by Reziac · · Score: 1

      Erm... not so, this here Win98 box has been up for a couple weeks now, and it gets used up to 16 hours a day for Real Work. And Win2K is pretty well proven as a stable platform.

      *sigh* bigots, gods...

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    32. Re:So who gets the money ? by Reziac · · Score: 1

      I don't think product placement has anything to do with it. Last time I checked out one of M$'s email contractors (because the header was so gawdawful full of crap that it got mistook for spam, and I wanted to be sure it was legit), they weren't using M$-anything at least for the mailing list and visible servers (per headers and Netcraft).

      I don't know what M$'s logic is other than maybe that because they've gotten into the outsourcing mindset for every sort of support, email lists/event signups have been lumped into that.

      Anyway, my feeling boils down to -- outsourced support equals ZERO support, and do we really want a company that has so totally embraced outsourcing running a public service? Since after all, gods know who would REALLY be running it.

      Pretty much the same reason HP didn't come to mind. (*cough* EDS *cough* Carly *cough*)

      IBM isn't exactly pure there either, but one still gets the feeling that they keep stuff in-house when it's really important to do so.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    33. Re:So who gets the money ? by WCityMike · · Score: 1

      Took me a second, but for those who didn't place it, the parent's an altered quote from Samuel L. Jackson's character in Pulp Fiction.

  2. I'd love to have been a fly on the wall... by Anonymous Coward · · Score: 5, Interesting

    ...in the meetings in which Verisign decided to implement SiteFinder.

    Do you think they innocently believed they had found a valid loophole for commercial exploitation of a legitimate feature of the Internet protocols?

    Or did they say something like this? "Well, OK, so it does violate DNS specifications. People will scream. Let them scream. Nobody can touch us. The IETF has only moral authority. And ICANN and the U. S. Department of Commerce are never going to interfere seriously with any big, successful Internet company. So a few techies get angry, big deal."

    1. Re:I'd love to have been a fly on the wall... by hephro · · Score: 2, Informative
      > Well, OK, so it does violate DNS specifications.

      In fact it does not violate the DNS specs as the advisories explicitly state.
    2. Re:I'd love to have been a fly on the wall... by Anonymous Coward · · Score: 1, Informative

      Probably you haven't read the IAB's response, right ? ...

      Any person with minor understanding of the DNS protocol knows that it violates SEVERAL points of the DNS specs ...

      It's incredible why some people prefer to believe the unbelievable ...

    3. Re:I'd love to have been a fly on the wall... by Anonymous Coward · · Score: 1, Interesting

      It should be noted that, even though Verisign's implementation is not RFC compliant, a system with essentially the same effect can be implemented without violating RFCs.

    4. Re:I'd love to have been a fly on the wall... by Anonymous Coward · · Score: 1, Insightful

      Indeed one can. At the browser level. Which is where this kind of stuff should be any way.

    5. Re: I'd love to have been a fly on the wall... by gidds · · Score: 2, Funny

      Hanlon's Razor may well apply here.

      --

      Ceterum censeo subscriptionem esse delendam.

    6. Re:I'd love to have been a fly on the wall... by Nurgled · · Score: 3, Informative

      At DNS level also. Wildcard records are part of the master record format. Verisign's servers are using a more complex decision than "anything not registered" which is detailed in the IAB report.

      If they simply added a wildcard record there would be no spec violation.

    7. Re:I'd love to have been a fly on the wall... by Anonymous Coward · · Score: 2, Funny

      According to research at an English university, flies are unable to comprehend human language.

    8. Re:I'd love to have been a fly on the wall... by sketerpot · · Score: 1

      Yes, that way those of us using, say, Firebird can just ignore the whole thing in peace. Of course, it probably won't make much difference. Have you tried visiting mocrosoft.com or microsift.com recently? They're both registered, and neither of them are microsoft.

    9. Re:I'd love to have been a fly on the wall... by Anonymous Coward · · Score: 0

      I'm with you 99%.

    10. Re:I'd love to have been a fly on the wall... by squiggleslash · · Score: 4, Informative
      No, not at the DNS level. At the DNS level, NXDOMAIN should be returned for domains that do not exist. www.sjnnasdfdfjksdfdndajkadjndks.com is NOT a valid name for a machine in Verisign and should never be resolved to a machine in Verisign. If you misuse wildcards to point domains at machines they're not valid for, then it becomes impossible to automatically detect errors.

      While there's some legitimacy in saying "I want every email ending in .isp.net to get directed to mail.isp.net so that all my customers can have subdomains, so I'll use a wildcard for that" despite that resulting in misspellings going to that machine too, there's no such excuse with the Verisign grab. Verisign's wildcard never matches legitimate sites, and it's at such a high level that third parties will regularly be inconvenienced. It's worth noting that every paper I've read on wildcards specifically advises against using them if possible.

      I have one domain at work I maintain that uses one, and we only use it because we know that if we have to get our technical services people and the DNS server company we contract the thing out to to change it for each additional subdomain we add, then it's going to get messy. I'm not happy about it, and if I could manage the name server directly, I'd do that instead.

      --
      You are not alone. This is not normal. None of this is normal.
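
An added example, not part of the thread or any poster's code: the comment above says a TLD-level wildcard makes it impossible to detect errors automatically, because nonexistent names stop returning NXDOMAIN. The sketch below models that with a toy resolver over constructed data (RFC 5737 documentation addresses), probes the TLD with random labels to learn the synthesized address, and maps answers pointing at it back to NXDOMAIN. All names, hosts and addresses are assumptions made for the illustration.

```python
import secrets

NXDOMAIN = "NXDOMAIN"

# Constructed sample data: hosts under one registered second-level domain.
REGISTERED_HOSTS = {
    "example.com": ["192.0.2.10"],
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.25"],
}


def make_resolver(wildcard=None, hosts=REGISTERED_HOSTS):
    """Build a toy resolve(name) -> list of A records, or NXDOMAIN.

    wildcard is the (hypothetical) address the TLD servers synthesize for
    every domain that is not registered; None models the pre-wildcard zone.
    """
    registered = {".".join(h.split(".")[-2:]) for h in hosts}

    def resolve(name):
        name = name.lower().rstrip(".")
        if name in hosts:
            return list(hosts[name])
        domain = ".".join(name.split(".")[-2:])
        if domain in registered:
            # Delegated to the registrant's servers, which have no such host.
            return NXDOMAIN
        # Unregistered domain: the answer comes from the TLD servers.
        return [wildcard] if wildcard else NXDOMAIN

    return resolve


def detect_wildcard(resolve, tld, probes=5):
    """Return the set of addresses the TLD synthesizes, or an empty set.

    Random 32-hex-character labels cannot plausibly be registered, so an
    address returned for every probe is a wildcard answer.
    """
    if probes < 1:
        raise ValueError("need at least one probe")
    seen = []
    for _ in range(probes):
        answer = resolve(f"{secrets.token_hex(16)}.{tld}")
        if answer == NXDOMAIN:
            return set()  # one honest NXDOMAIN is enough: no wildcard
        seen.append(set(answer))
    return set.intersection(*seen)


def filtered_resolve(resolve, wildcard_addrs):
    """Wrap resolve so answers made up only of wildcard addresses read as
    NXDOMAIN again. Caveat: a registered domain that is really hosted on
    the wildcard address is hidden too."""
    def inner(name):
        answer = resolve(name)
        if answer != NXDOMAIN and wildcard_addrs and set(answer) <= wildcard_addrs:
            return NXDOMAIN
        return answer
    return inner


def domain_exists(resolve, name):
    """The automatic error check the comment refers to, e.g. validating
    the domain part of a mail address before accepting it."""
    return resolve(name) != NXDOMAIN


if __name__ == "__main__":
    wild = make_resolver(wildcard="203.0.113.11")
    print("typo accepted with wildcard:", domain_exists(wild, "exmaple.com"))
    fixed = filtered_resolve(wild, detect_wildcard(wild, "com"))
    print("typo accepted after filter:", domain_exists(fixed, "exmaple.com"))
```
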
    11. Re:I'd love to have been a fly on the wall... by Directrix1 · · Score: 2, Informative

      I agree NXDOMAIN should be returned. But the RRs are valid, they point to the CNAME sitefinder.verisign.com. It's a real host with a real address, and you're going to need a better argument than it's not valid for those domains. The whole point of DNS is domain lookup using a hierarchy. Good or bad, they are TLD .com until some things get changed. Nuff said.

      OK, so set up one DNS server locally. Simple configurations are available on the net. I just went through setting up BIND 9.2.2 server, it takes some reading but it's not impossible. Took me a little less than a week (and that's just because I read through all of BIND's documentation, in addition to a couple of RFCs). Set your zones to be masters and have them notify slave servers in some Secondary DNS provider. It's not that hard really. www.dyndns.org is just one of many secondary dns providers (among other things and they are 5x globally redundant too, I might add). You might want to look into it.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    12. Re:I'd love to have been a fly on the wall... by Cramer · · Score: 1
      > But the RRs are valid, they point to the CNAME...

      WRONG. There is an "A" record (address) resolving for everything. If it were a CNAME, then it wouldn't be an issue for compliant SMTP servers -- email isn't delivered to CNAMEs.

      At any rate, what they are doing is a violation of the RFCs. Nonexistent domains return NXDOMAIN - period; there is simply no area for discussion on this point. Wildcards for host records and/or subdomains ala "*.bar.com" are perfectly valid; they are wildcards for individual hosts and subdomains. A wildcard for "*.net" is a violation of the RFCs as you are now returning something other than NXDOMAIN for a nonexistent domain. It doesn't matter what the f*** the user asked for, if the domain does not exist, you DO NOT return a record.

      We're working at a different point in the tree. A different section of the rules apply. The asses at Verisign are attempting to attach application intelligence to a system that has no application awareness -- DNS doesn't know what protocol you're going to be using or to what port you're going to attempt to connect.
    13. Re:I'd love to have been a fly on the wall... by Zeinfeld · · Score: 1
      > At DNS level also. Wildcard records are part of the master record format. Verisign's servers are using a more complex decision than "anything not registered" which is detailed in the IAB report.

      The IAB letter is dated January and refers to the original international domain version of sitefinder. The more recent version of sitefinder is simply a standard DNS wildcard.

      There are no protocol deviations in either case. The argument that synthesized domain responses are somehow illegal is completely bogus. But in any case the original objection was made to the system that only wildcarded the I18N domain codes rather than the whole zone.

      There is no requirement to support domain transfers, the dotcom and dotnet servers have not supported external domain transfers for many, many years. So why being unable to support that format is an issue is a mystery.

      I don't doubt that the IAB and IESG would like to discuss sitefinder. They have been discussing improvements to the DNS like I18N and DNSSEC for over ten years now with negligible result. They have an I18N spec that is in limbo for reasons no DNS registrar can fathom. Meanwhile the DNSSEC spec was deliberately sabotaged to make deployment in dotcom and dotnet as hard as possible.

      This is politics, don't assume that the one side story you are getting from slashdot is the whole story. There are a lot of people who are really fed up with the IETF because it takes a minimum of five years to get anything done and often more like ten years.

      The IETF pretends to be open, but when you get down to it, it is really run by a small and very exclusive clique. If they don't want to take any notice of my needs I don't see why I should hold their opinions in any special regard.

      With the exception of Cisco it is very hard to find a major vendor that is at all happy with the IETF. Sun, Microsoft and IBM have been pushing the majority of their standards work out into OASIS for a long time now. Things are not that much better in open source land, there are lots of IETFers who use open source but it is getting harder to find open source developers who want to take a project there.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    14. Re:I'd love to have been a fly on the wall... by Anonymous Coward · · Score: 0

      Someone needs to send them some BOFH, then they'll find out when they make a few techies angry :-) ...Although I think they found out anyway when everyone started patching their dns servers.

    15. Re:I'd love to have been a fly on the wall... by Directrix1 · · Score: 1

      Yeah, I don't know why I said it was a CNAME record, I even looked it up earlier and saw that it returned an A record, my bad. But anyways domains are hierarchical, the domain .com exists and it is run by verisign. The wildcard in the .com zone is valid because it references a valid host. Otherwise show me in which RFC it says otherwise, and I will promptly shut up.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    16. Re:I'd love to have been a fly on the wall... by Cramer · · Score: 1

      No, .com is not a domain. foo.com is a domain. ".com" is a primary branch in the DNS tree. And providing a single A record does not make it a valid domain. There are no SOA or NS records for these nonexistent domains created by the wildcard.

      We're working in a different part of the tree. Leaves don't sprout from the trunk of a tree (or from the roots); they form at the end of branches off larger branches from the trunk.

      At any rate, Verisign has changed the behavior of a well established system with reckless disregard for its impact. Furthermore, they did so expressly for their financial gain. In this country, we have laws to prevent people/companies from unjustly wielding monopoly power. Verisign receives a fee for every domain that exists, yet they still see fit to coopt the domain system for their benefit. At the very least, they are violating the Sherman Act.

    17. Re:I'd love to have been a fly on the wall... by Directrix1 · · Score: 1

      TLD = Top Level Domain = .com .net .org .edu .whatever . com is a domain. I don't see start of authority records for www.google.com either, just for google.com. You don't need SOA records for individual hosts (which is all this wildcard references), just for individual domains. Just FYI, SOA record for "com":
      Authoritative Server: a.gtld-servers.net
      Responsible Person: nstld.verisign-grs.com
      Zone Serial Number: 2003092101
      Refresh Interval: 1800
      Retry Interval: 900
      Expire Interval: 604800
      Minimum Time to Live: 86400

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
  3. Bind by Anonymous Coward · · Score: 1, Interesting

    Ask? How about demand. Verisign screwed up when they thought up this scheme. They have abused their position and should be stripped of it.

    1. Re:Bind by Directrix1 · · Score: 1

      OK, you go ahead and set up all the DNS servers necessary to replace verisign as the .com TLD, then we'll go ahead and strip them of their position, and assign it to your servers. And then we'll get to watch the hell that follows as DNS servers are slow to update their root hints and so cannot resolve any .com addresses until everybody realizes what's going on. Weeeeeee!

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
  4. Versign should have to pay to register domain. by Proudrooster · · Score: 4, Insightful

    I think the real solution is this: If Verisign wants to continue this practice then Verisign should have to pay to register each mis-typed domain. After all, the end effect of Verisign's Sitefinder is to dynamically create a domain if it isn't already registered. Making Verisign pay to register each of these mis-typed domains would most likely halt their practice. In my opinion, Verisign is now "domain squatting" on any domain that isn't registered.

    1. Re:Versign should have to pay to register domain. by LostCluster · · Score: 2, Insightful

      Pay to whom? Verisign is the one who collects wholesale fees from all of the registration services...

    2. Re:Versign should have to pay to register domain. by Crimplene+Prakman · · Score: 1

      If Verisign wants to continue this practice then Verisign should have to pay to register each mis-typed domain.

      Ahem, they manage the registry, so paying to register each domain involves nothing more than allocating the server space and writing code to automate such registries. There would be an uproar (more than there is now) about monopoly and resource exploitation, and they'd be seriously whipped into shape. Fun, eh? Maybe it IS an idea...

    3. Re:Versign should have to pay to register domain. by j0hnn135 · · Score: 2, Interesting
      I like Paul Hoffman's advice from the response. If Verisign did this, they may try something else slimy. Take the power away is my vote.

      ICANN should demand that VGRS immediately stop giving incorrect answers to any query in .com and .net, and should instead follow the IETF standards. If VGRS refuses, ICANN should re-delegate the .com and .net zones to registries that are more willing to follow the DNS standards. Please let me know if you have any further questions. --Paul Hoffman, Director --Internet Mail Consortium
    4. Re:Versign should have to pay to register domain. by Proudrooster · · Score: 2, Interesting

      Well, I would be willing to take the money if no one else wants it :) ...

      Seriously though, the money could go to ICANN, IEEE, EFF, or the G.W. Bush war in Iraq fund. My point is this, if Verisign wants to "domain squat" they shouldn't get the domains for FREE and should have to pay for them just like everybody else. They are abusing their unique position as a registrar. For example: I can't hijack or redirect every mistyped domain to my ad server e.g. (yaho.com or yaahoo.com). I have to register each misspelling. Verisign should have to do the same.

      Does anyone have a copy of Verisign's charter?

    5. Re:Versign should have to pay to register domain. by Crimplene+Prakman · · Score: 2, Insightful

      Take the power away [from Verisign] is my vote.

      Bah. If this was the Real World (read 'international political arena'), the minority power-abuser holding a monopoly on the resource in question (read 'arbitrary powerful government with lots of weapons') would simply stomp on the independent standards-setting body (read 'international consensus organisation with global mandate'), and take the power away from them! None of this wishy-washy "international standards body" slapping the wrist of a powerful money-making authority!

      Irony warning: the above may differ slightly from your perceived moral standpoint. Chuckle with care

    6. Re:Versign should have to pay to register domain. by Crimplene+Prakman · · Score: 1

      For example: I can't hijack or redirect every mistyped domain to my ad server e.g. (yaho.com or yaahoo.com). I have to register each misspelling.

      You could if you owned/managed the recursive outward-facing DNS server in your organisation or ISP, at least for those clients using your server. Verisign controls the authoritative iterative zone authoritative for the .com and .net TLDs, so their benefit is that the buck stops with them for all failed (i.e. non-existent) .com and .net domain queries, whereas your company or ISP DNS server only handles the up-channel from clients to the root servers (along with maybe the internal zone).

      The point is that it would break the expected IETF standard behaviour for DNS, and that's the upsetting part.

    7. Re:Versign should have to pay to register domain. by blibbleblobble · · Score: 1

      "I think the real solution is this: If Verisign wants to continue this practice then Verisign should have to pay to register each mis-typed domain."

      Well that's the obvious answer. If it cost us all $20 to register a domain, there's no reason why verisign should be any different. They want an infinite number of domains? Sure. And they pay $6.386e+125 for them. Note that paying themselves is considered cheating.

    8. Re:Versign should have to pay to register domain. by Joe+U · · Score: 2, Informative

      Actually, there aren't an infinite number of domains. The number could be calculated if you had the time or really cared.

      I think it would be something like amount = (max_DNS_entry_size! - registered .com domains) + (max_DNS_entry_size! - registered .net domains)

      This would give you a nice fair dollar amount to charge them.

    9. Re:Versign should have to pay to register domain. by RealUlli · · Score: 1
      I think it would be something like amount = (max_DNS_entry_size! - registered .com domains) + (max_DNS_entry_size! - registered .net domains)

      No, it would be:

      amount = ((number_of_allowed_characters^max_DNS_entry_size) * 2 - registered_dot_com_domains) - registered_dot_net_domains

      Max_DNS_entry_size is AFAIR 64,
      number_of_allowed_characters is something on the order of 28 (chars in alphabet + special chars).

      About the number of registered domains I have no idea, but I'll assume 15 Million per TLD, so that's about 30 million. Running these numbers through my trusty HP48, I get about 4.15*10^92.

      At $20 per domain and year, that is a bill of 8.3*10^93 dollars - not even M$ has that much money! ;-)

      Regards, Ulli

      --
      Simple things should be simple, complex things should be possible.
    10. Re:Versign should have to pay to register domain. by beebware · · Score: 1

      $20 per domain year for .coms/.nets ? Phew - that's pricey! OpenSRS sells domains to their resellers for $10/year (although a number of resellers are using domains as "loss leaders" - see EV1servers.com for an example). Even then, OpenSRS makes a profit as .com/.net registries have to "buy" the domain names off Verisign in the first place (as they are the "central" registry) for $6/year. And I'm sure if Verisign is purchasing millions of domains years in one "block", then Verisign will be able to give Verisign an appropriate discount...

    11. Re:Versign should have to pay to register domain. by Joe+U · · Score: 1

      Well, that explains my C- in math.

    12. Re:Versign should have to pay to register domain. by Anonymous Coward · · Score: 0

      I think a rather large amount of people around the world would be opposed to the money going into anything to do with the War on Oil.

    13. Re:Versign should have to pay to register domain. by Reziac · · Score: 1

      As was pointed out in the previous discussion, Verisign has contracted with another agency (whose name I forget already) to parse these typos.. now, why in hell would they care, other than to learn which ones are "popular", so they can register 'em and squat on 'em for real??

      Oh, you don't think this is practical as a revenue model?? Back when hotbot.com was a popular search engine, someone registered htobot.com because it was a common typo. Originally it was just a joke (and at the time even said so on the htobot.com site). NOW -- it's a paid-placement portal. Newbies wouldn't realise that, especially since it looks a lot like one incarnation of altavista.

      I'm sure Verisign has something similar in mind.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    14. Re:Versign should have to pay to register domain. by dissy · · Score: 1

      > I have to register each misspelling. Verisign should have to do the same.

      That isn't true at all.

      You can create as many sub domains as you would like in any zone you have control over.

      For example, if you register moo.com, you can create ANYTHING you like under moo.com. This includes one.moo.com oen.moo.com and any other misspellings of one that you may like.
      You can even set up a wildcard for *.moo.com to resolve to an IP, and it will match anything not listed. So one.moo.com would resolve to what you set it up to, as will oen and all, but anything else will resolve to the wildcard.
      Hell, you can even make just moo.com with no subdomain resolve!

      NetSol is doing nothing different. They run com. and net.
      They could even make just 'com' resolve to an IP!

      Your complaint is much like me complaining because I can't have cow.moo.com but you get it for 'free'.
      The detail is, moo.com is yours to do with as you please.
      'com' is NetSol's. Not quite to do with as they please, but mostly so.
      And the only things they can't do with it are dictated by ICANN.. Which is the point of why this article was posted :)

    15. Re:Versign should have to pay to register domain. by nacturation · · Score: 1

      Well, you're a little bit off.

      a-z = 26 characters
      0-9 = 10 characters
      hyphen = 1 character

      Total: 37 characters

      Domain names can be up to 64 characters long, including the .com or .net. So this gives us 60 characters for the part before .com. In other words:

      37 ^ 60 possibilities per .com and .net
      Total is then 2 * 37 ^ 60 - (number of existing domains in .com and .net)

      Let's be easy on them and say that 10% of those are already registered. Thus, we have the number of infringing domains at:

      2 * 37 ^ 60 * 0.9 = 22252353429014982009339821546205923505017038096526563169518968401054359580664411777805840944721

      Now what's really interesting is that the Anticybersquatting Consumer Protection Act specifies the damages for such cybersquatting:

      (b) STATUTORY DAMAGES- Section 35 of the Trademark Act of 1946 (15 U.S.C. 1117) is amended by adding at the end the following: `(d) In a case involving a violation of section 43(d)(1), the plaintiff may elect, at any time before final judgment is rendered by the trial court, to recover, instead of actual damages and profits, an award of statutory damages in the amount of not less than $1,000 and not more than $100,000 per domain name, as the court considers just.'

      Let's take the minimum $1000 per domain fine. Thus, we have a fine of:

      $22,252,353,429,014,982,009,339,821,546,205,923,505,017,038,096,526,563,169,518,968,401,054,359,580,664,411,777,805,840,944,721,000.00

      Bonus points if you can spell out that number. :)

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    16. Re:Versign should have to pay to register domain. by darc · · Score: 1

      Twenty two untrigintillion,
      two hundred fifty two trigintillion,
      three hundred fifty three novemvigintillion,
      four hundred twenty nine octovigintillion,
      fourteen septenvigintillion,
      nine hundred eighty two sexvigintillion,
      nine quinvigintillion,
      three hundred thirty nine quattuorvigintillion,
      eight hundred twenty one trevigintillion,
      five hundred forty six dovigintillion,
      two hundred five unvigintillion,
      nine hundred twenty three vigintillion,
      five hundred five novemdecillion,
      seventeen octodecillion,
      thirty eight septendecillion,
      ninety six sexdecillion,
      five hundred twenty six quindecillion,
      five hundred sixty three quattuordecillion,
      one hundred sixty nine tredecillion,
      five hundred eighteen dodecillion,
      nine hundred sixty eight undecillion,
      four hundred one decillion,
      fifty four nonillion,
      three hundred fifty nine octillion,
      five hundred eighty septillion,
      six hundred sixty four sextillion,
      four hundred eleven quintillion,
      seven hundred seventy seven quadrillion,
      eight hundred five trillion,
      eight hundred forty billion,
      nine hundred forty four million,
      seven hundred twenty one thousand dollars.

      Can I have my points now?

      --
      Tired of legitimate data sources? Try UNCYCLOPEDIA
    17. Re:Versign should have to pay to register domain. by loggerhead · · Score: 1
      For those of you scoring at home:

      nacturation - 0
      darc - 2

  5. This isn't really new. by windows · · Score: 5, Informative

    Forgive me if I'm being idiotic about this, but relatively recently, the .museum TLD went live. It's just like any other TLD except that domains that don't exist direct you to a page saying the domain doesn't exist and with a couple of links. It's not very different than Verisign's SiteFinder, but there's little to no outcry over this. I'm curious because a lot of the objections about SiteFinder should also be true about the .museum TLD. What's different here?

    1. Re:This isn't really new. by Tirel · · Score: 3, Interesting

      because .com and .net amount to 99% of the internet and nobody really cares about smaller tlds (ie, .nu and so on)

    2. Re:This isn't really new. by Aliencow · · Score: 1

      Difference is that I never went to any .museum website, but that's different with .com and .net.
      Maybe it's bad with .museum, but since I don't care, I don't cry about it.

    3. Re:This isn't really new. by LostCluster · · Score: 4, Interesting

      .com and .net are the two huge TLDs, so implementing wildcard sites on smaller TLDs just wasn't quite as outrageous. Also, in the past, most wildcards were sites that only offered to register the non-existing domain at the monopoly registrar of that TLD.

      The controversy on SiteFinder seems to be that they're offering query-based ads, which essentially says "It's against the rules to register the typo of your competitor, but we'll sell you an ad on the site that results from that typo."

    4. Re:This isn't really new. by SmallFurryCreature · · Score: 3, Informative
      Oops good thing I checked before I commented.

      Amazing you are right. I never knew this. That of course might be your answer. Who the fuck uses .museum anyway? (Yeah I know the obvious answer thank you) See this for all the domains on .museum. One company I maintain servers for has got more domains than this list. Anyway.

      The outcry is not so much that they are cybersquatting. Well some are but that is not why the geeks are rebelling. The problem is that you used to be able to do a lot of useful stuff by checking if a domain existed or not.

      Now thanks to this you can't, well, not without rewriting your code. grrr.

      I can only guess that nobody ever used a .museum url anyway :)

      But yes it is exactly the same thing. Except for the scale difference. I guess you can't check against spam being sent from a .museum domain either.

      Good for finding this and pointing this out.

      --

      MMO Quests are like orgasms:

      You may solo them, I prefer them in a group.
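
Added example, not part of the thread: a minimal Python model of the wildcard matching dissy describes above and of the existence check this comment says stopped working, with a probe-based workaround. The zone contents, names and 192.0.2.x addresses are constructed for illustration, and plain address records stand in for the delegations a real registry zone would hold.

```python
import secrets
from typing import Callable, NamedTuple, Optional


class Answer(NamedTuple):
    rcode: str               # "NOERROR", "NODATA" or "NXDOMAIN"
    address: Optional[str]
    synthesized: bool        # True when a wildcard record produced the answer


# Constructed zone data (assumption): owner name -> address record.
# 192.0.2.0/24 is documentation address space.
PLAIN_ZONE = {
    "example.com.": "192.0.2.10",
    "www.example.com.": "192.0.2.11",
}
WILD_ZONE = {**PLAIN_ZONE, "*.com.": "192.0.2.99"}


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def existing_nodes(zone: dict) -> set:
    """Every name that exists in the tree: record owners and their ancestors."""
    nodes = set()
    for owner in zone:
        labels = owner.rstrip(".").split(".")
        for i in range(len(labels)):
            nodes.add(".".join(labels[i:]) + ".")
    return nodes


def resolve(zone: dict, qname: str) -> Answer:
    """Authoritative lookup with wildcard synthesis at the closest encloser."""
    qname = _fqdn(qname)
    if qname in zone:
        return Answer("NOERROR", zone[qname], False)
    nodes = existing_nodes(zone)
    if qname in nodes:                       # name exists but owns no record
        return Answer("NODATA", None, False)
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:]) + "."
        if encloser in nodes:
            # Only a wildcard directly below the closest existing ancestor
            # applies; "*.com." never covers names under "example.com.".
            wildcard = "*." + encloser
            if wildcard in zone:
                return Answer("NOERROR", zone[wildcard], True)
            break
    return Answer("NXDOMAIN", None, False)


Lookup = Callable[[str], Answer]


def detect_wildcard(lookup: Lookup, parent: str, probes: int = 3) -> Optional[set]:
    """Query random labels that should not exist under `parent`.

    Returns the set of addresses handed out for them, or None if any probe
    gets NXDOMAIN (no wildcard in effect). Uses only what a client can see.
    """
    seen = set()
    for _ in range(probes):
        answer = lookup(f"{secrets.token_hex(16)}.{parent}")
        if answer.rcode != "NOERROR":
            return None
        seen.add(answer.address)
    return seen


def naive_exists(lookup: Lookup, name: str) -> bool:
    """The pre-wildcard check: any successful answer means the domain exists."""
    return lookup(name).rcode == "NOERROR"


def wildcard_aware_exists(lookup: Lookup, name: str, parent: str) -> bool:
    """Treat answers that match the wildcard's addresses as 'does not exist'.

    Caveat: a genuine domain hosted on the same address as the wildcard
    target would be misclassified.
    """
    answer = lookup(name)
    if answer.rcode != "NOERROR":
        return False
    synthetic = detect_wildcard(lookup, parent)
    return not (synthetic and answer.address in synthetic)


if __name__ == "__main__":
    wild = lambda n: resolve(WILD_ZONE, n)
    for name in ("example.com", "exmaple.com", "ftp.example.com"):
        print(name, wild(name), wildcard_aware_exists(wild, name, "com"))
```
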

    5. Re:This isn't really new. by mistered · · Score: 2, Insightful
      The difference is nobody cares about .museum. A bunch of the cc TLDs have also been doing this for some time. Probably nobody thought this was a good idea either, but there was no outcry because most people probably never even noticed and of those who did, probably few cared.

      Screw up .COM and .NET and people care.

      --
      Enjoy your job, make lots of money, work within the law. Choose any two.
    6. Re:This isn't really new. by Anonymous Coward · · Score: 0

      The difference is scale. It's like comparing stealing a candy bar to robbing a bank. Yes, .museum shouldn't be doing it either, but who ever uses that anyway, and who's going to care?

    7. Re:This isn't really new. by bears · · Score: 1
      Nothing. Well, nothing beyond nobody's very familiar with the .museum domain. There are several TLDs that do the same e.g. .nu and .cx. Again, not high enough profile.


      Also, check out the .museum and .cx 'default' pages. Their presence is misguided, but plainly done with good intent. Verisign, OTOH, are obviously bent on at best bending DNS for their own financial gain.

    8. Re:This isn't really new. by aldoman · · Score: 1

      So true. When I looked of the ~100 domains that were there, about half of them actually had sites on them, and the ones I clicked on just linked to .orgs, .com etc. .com, .net and maybe .org are the only domains that matter - apart from local ones such as a .co.uk, .ca, .us etc...

    9. Re:This isn't really new. by lbalbalba · · Score: 0

      Actually, the IAB seems to be perfectly OK with this. It appears that the DNS "wildcard" mechanism has been part of the DNS protocol since the original specifications were written twenty years ago.

      And the IAB seems to feel that " If you want to use wildcards in your zone and understand the risks, go ahead, but only do so with the informed consent of the entities that are delegated within your zone "

      Check out the following URL for details:

      http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html

    10. Re:This isn't really new. by 11223 · · Score: 2, Interesting
      OK, to sum up the differences between this and the existing cases:

      .museum is a limited-access domain and domains in this area don't really have commercial value. Thus, it's not unfair to "squat" on all the unused domains to provide this index. It might break DNS within the .museum TLD, but nobody really cares because nobody really visits the .museum domain.

      WRT the other toplevel registries: all of those that have been mentioned so far are breaking DNS anyway. You don't think that all those people with .tv domains actually live in Tuvalu, do you? DNS has been under attack for some time now.

    11. Re:This isn't really new. by onomatomania · · Score: 1

      It's not unique to .museum. A lot of the country-code top level domains do this, such as .tk, .us, and .nu. The outrage is that Verisign did it for the entire .com/.net which is significantly more domains than all the country-code domains combined. And, they are not in a position of "owning" those domains, we just give them stewardship of them. In other words it shouldn't have been their decision to make. If the King of Tonga (or whoever controls .to) wants all wildcards to go to a domain-for-sale page, then fine.

    12. Re:This isn't really new. by Sphere1952 · · Score: 1

      You could at least mention the name of the company you just screwed.

      --
      Big Brother Bush is doubleplus ungood.
    13. Re:This isn't really new. by eht · · Score: 1

      Significantly more domains? I'll use your example and add some basic math
      2.22e+122 is an approximate number of domains in a tld based on some domain naming rules I found in google and ignoring that a - can't be at the beginning and also ignoring that some people will want domain names less than 67 characters, which pushes these number up by a significant amount, but you get the idea
      .com = 3.67e67
      .net = 3.67e67
      total = 7.34e67
      vs
      .tk = 3.67e67
      .us = 3.67e67
      .nu = 3.67e67
      total =10.10e67

      so actually if you could do this to .tk/.us/nu, you'd actually be doing it to 50% more than just .com/.net

      How are there more domains in any tld than any other one? There may be more desirable ones in .com/.net, but there's not one more domain, and since I'll bet more domains are already taken in .com/.net, then there are in actuality less domains that they are doing it to.

    14. Re:This isn't really new. by Anonymous Coward · · Score: 0

      I think he meant "more currently registered second-level domains", brainiac. And thus far, far more people likely to mistype or randomly type a domain name in said TLD, and thus be brought to a wildcard page.

    15. Re:This isn't really new. by Anonymous Coward · · Score: 0

      Mensa member, beware of the obscenely large head.

    16. Re:This isn't really new. by Anonymous Coward · · Score: 0

      God, what's up with your sig? Nobody likes a showoff...

    17. Re:This isn't really new. by Anonymous Coward · · Score: 0

      especially one who uses a thoroughly debunked test and scale. fucktard.

    18. Re:This isn't really new. by iCEBaLM · · Score: 1

      Significantly more REGISTERED domains, not significantly more POTENTIAL domains.

      i.e.: More people use .com/.net than all other country codes combined.

      -- iCEBaLM

    19. Re:This isn't really new. by Anonymous Coward · · Score: 0

      Man, are you a moron? Do you think the only protocol that communicates on the internet is HTTP?

    20. Re:This isn't really new. by Reziac · · Score: 1

      So I went there and randomly clicked a link, "castles.museum". It redirects to http://www.yorkcastlemuseum.org.uk/

      Do they all redirect like that?? anyone know? (No, I'm not going to click every link to find out :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    21. Re:This isn't really new. by Anonymous Coward · · Score: 0

      He's letting everyone know that, as a Mensa member, he's the type that pays people to tell him that he's smart.

      I believe that says something about his intelligence.

    22. Re:This isn't really new. by Ark42 · · Score: 1


      There is a big difference here I think. Not every nobody can go around registering a .museum domain name. You have to actually have a museum.
      *IF* .com required you to have a commercial organization with the same name as the domain (similar to the way .com.au works, or used to work) then it would be ok to have a wildcard to search the domains, but it should not involve advertising or tracking statistics, just a simple search of all the domains that DO exist.

    23. Re:This isn't really new. by Chester+K · · Score: 1

      I can only guess that nobody ever used a .museum url anyway :)

      I bet spammers will, if Verisign shuts off their SiteFinder service, since we've just showed them the way to get around all our filtering.

      --

      NO CARRIER
    24. Re:This isn't really new. by Anonymous Coward · · Score: 0

      You're a fag. I've got your IP address. Prepare to suck on my cock.

    25. Re:This isn't really new. by danielsfca2 · · Score: 1
      From invalid.museum:
      ----
      [MuseDoma logo] invalid.museum is not in use

      All names in .museum can be seen at http://index.museum


      More information about .museum is available at http://about.museum
      ----
      This is not really squatting in my definition because there is really no effort being made by MuseDoma (a nonprofit) to profit from invalid domains.

      If VeriSign had implemented a page that just said, "invaliddomain123.com is not in use," it would be different. True, it would be rather pointless (which is why such a technique is not in widespread use in the .com, .net, and .org domains). However, the techies would just be saying it's dumb because it breaks error detection, instead of declaring that Verisign is more evil than Satan himself.

      The difference is the shameless profiteering.

    26. Re:This isn't really new. by Anonymous Coward · · Score: 0

      The .museum page is helpful. It simply says the domain does not exist and lets you see all the .museum domains. It's also a smaller TLD. But the company who runs .museum doesn't make money off the service. I actually think the .museum page is helpful. I think it's quite useful. But to make money off your position of power is wrong.

  6. Not a "best guess" system by Crimplene+Prakman · · Score: 4, Informative

    In common with the majority of internet protocols, DNS is not a best-guess system, it is a technically accurate way of transferring information, with correct failover mechanisms. From the article:

    As a lookup system, the DNS is designed to provide authoritative answers to queries.

    And later...

    The DNS is not a search service, and presenting speculative mappings based on HTTP inputs is not the service that the registry is expected to provide.

    And later still...

    To restore the data integrity and predictability of the DNS infrastructure, the IAB believes it would be best to return the .com and .net TLD servers to the behavior specified by the DNS protocols.

    That seems to wrap it up really. I doubt any further studies will find differently, unless Verisign follows the apparently accepted way of paying for a biassed study......

    1. Re:Not a "best guess" system by leviramsey · · Score: 1

      Why not add a new DNS record type, the GUA record (for "GUess A"), which would return a speculative A record. ISPs that wanted to provide this service could then fallover to GUA records if A returns NXDOMAIN and so forth.

  7. Re:Good by SmallFurryCreature · · Score: 2, Funny

    Simple shoot marketing.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  8. IAB response isn't by Frater+219 · · Score: 5, Informative
    "The Internet Architecture Board issued this response to an ICANN inquiry about Verisign's SiteFinder service."

    Actually, if you read that article you will find that it is dated January 25 and is a response to another Verisign screwup. That one was similar to the present one, but had specifically to do with "internationalized" domain names -- DNS records for strings with characters above ASCII position 127.

    Historians find it important to check the dates of events and documents, so they can know which ones could possibly be responses to which other situations. For instance, an American comedian telling anti-French racial jokes in August 2001 could not possibly be responding to the French objection to Bush's war. Similarly, a document released January 25 2003 cannot be a response to a situation that arises the following September. Time just doesn't work that way.

    1. Re:IAB response isn't by Hayzeus · · Score: 1

      Perhaps you're correct -- but you've clearly -- and unreasonably -- omitted the possibility of time travel. C'mon -- let's give the editors the benefit of the doubt!

    2. Re:IAB response isn't by loucura! · · Score: 1

      French isn't a race, though. It's a country. So, French jokes aren't "racial"[sic].

      --
      Black and grey are both shades of white.
    3. Re:IAB response isn't by Anonymous Coward · · Score: 0
      The link in the posting is to an older statement. The official IAB statement on this is this one, issued yesterday.

      Mark Handley, IAB.

    4. Re:IAB response isn't by beebware · · Score: 1

      Erm, the French are a "race" of people that either were born in or have similar ties to a country called France.

    5. Re:IAB response isn't by loucura! · · Score: 2, Insightful

      That's absurd, that means that Canadians are a race, Americans are a race which leads to an interesting notion of hyphenated races, where you have Asian-Americans, which are a race-race, and that's absolutely stupid.

      The definition of race requires that they be from the same stock, and sorry, that means that national populations don't qualify, because they're not all related.

      --
      Black and grey are both shades of white.
    6. Re:IAB response isn't by replicant108 · · Score: 2, Funny

      Just as a war planned in July 2001 cannot possibly be a response to an event that took place in September.

      Oh, wait a minute...

    7. Re:IAB response isn't by smallpaul · · Score: 1

      Thanks for the explanation of causality and the description of how historians use it. Most people don't understand very well that time moves only forward but your description made it clearer. ;)

    8. Re:IAB response isn't by Anonymous Coward · · Score: 0

      No, the French could be a race--Gauls, perhaps. But, a different race than Saxons, certainly.

      You're conflating terms of nationality with terms of ethnic background. In English, we often use the same words for both concepts. For instance, when I say "English" I could mean an Englishman, a language or a citizen of England.

      You're trying to be pedantic, but you're failing.

    9. Re:IAB response isn't by loucura! · · Score: 1

      But, black Frenchmen aren't Gauls, nor Saxons. So, again, the assertion that French or English is a race is absurd.

      --
      Black and grey are both shades of white.
  9. Sneaky by Unleashd · · Score: 2, Insightful

    Anyone else notice the lack of advance notice that Verisign gave ... well, the world? I just can't imagine that they thought it through at all. If they wanted to do it, you would think that they would have notified ICANN ahead of time or put up some sort of notice.

    --
    We don't need no stinking sig!
    1. Re:Sneaky by Alioth · · Score: 1

      They did tell the IAB about it at least. The IAB told them it was not a good idea and why it wasn't a good idea (RFC violations etc). They went ahead and did it anyway, despite being told not to by the IAB.

    2. Re:Sneaky by Anonymous Coward · · Score: 0

      It isn't about notice, it is about abuse of the system. Windows click kiddies and drunken management at Verisign screwed up a lot of things and violated their fiduciary responsibility to its customers and the Internet.

      ICANN should find another TLD for .com and .net and dump Verigreedy. Bastardising the internet protocols like DNS should not be tolerated.

      But let's see if Verigreedy greases the right palms. I for one hope there is enough guts at the ICANN and IETF to slam Verisign for this.

    3. Re:Sneaky by Roger_Explosion · · Score: 1

      Oh they thought it through. They knew the implications perfectly well. They didn't tell anyone because they knew no-one would stand for it :)

  10. Old IAB response by zjbs14 · · Score: 4, Informative
    People keep quoting that IAB response, but if you look at the date and actually read it, you'll see it's from back in January. And it was in response to Verisign's proposed wildcarding of only domains that contained non-ASCII characters, not all domains. Their point was that wildcarding based on a character set was against standards.

    So I guess Verisign interpreted that as "we better wildcard everything then."

    --
    No sig, sorry.
  11. Right, then! by moehoward · · Score: 4, Funny

    We won't have any of this "advertising" on the Internet. The Internet is surely doomed if we allow it.

    --
    "If you want to improve, be content to be thought foolish and stupid." - Epictetus
    1. Re:Right, then! by Neophytus · · Score: 1

      If I plastered my ads on your website without your permission you wouldn't like it, would you? They are placing adverts on 'websites' they don't own. It has lasted so long because nobody owns them.

    2. Re:Right, then! by aldoman · · Score: 1

      Advertising on the internet is a MASSIVE area. It is just being totally abused by people, and that's why it brings so little $$$ home. Look at google adwords, they are customized to perfection just for you - google is making a fortune off them.

      However, banner ads have always been used as a 'small TV' where you blast out the same ad over and over. Internet advertising would work extremely well if someone tracked you and your movements, hell if you saw an ad with 'Hey Mr. Jones, look at this Ford you have been searching the web for. It's only $15,000 here!' I'm sure we'd be seeing clickthrus of at least 5%. But of course that would be invading your privacy, so the internet will always be a poor source for advertising unless you start tracking everything your audience does and analyzes it well.

    3. Re:Right, then! by Anonymous Coward · · Score: 0

      Oh, so you mean that's the reason they haven't been sued yet? Duh! Damn, well, leave it to Americans to find SOMETHING to sue for.

  12. Yes. by Anonymous Coward · · Score: 0

    Where is democracy? oh...we don't live in one. We live in corporate dictatorship.

  13. IAB comments not about current fiasco by Jibber · · Score: 1, Redundant

    The URL linked to the IAB comments is talking about the Internationalization of the root DNS servers; it is not talking about the "new" implementation of the sitefinder re-direction taking place.

    Please note that the dates on those messages are from January 25, 2003.

    Nothing new about those at all. Please check the URLs submitted before posting inaccurate information.

    Jib

    1. Re:IAB comments not about current fiasco by Tony+Hoyle · · Score: 1

      That's because the slashdot editors didn't check the story... nothing new there.

      The correct link is here

  14. Get the latest version of BIND by AchmedHabib · · Score: 5, Informative

    Get the latest version of BIND to block that Verisign junk. go here
    Now all it needs is support for the Evil-Bit in TCP/IP

    1. Re:Get the latest version of BIND by Baki · · Score: 2, Informative

      I just installed it, together with the lines:

      zone "com" { type delegation-only; };
      zone "net" { type delegation-only; };

      in /etc/named.conf.

      Works very well, the solution was really elegant.

      I think it shall be installed very quickly by all ISPs, just in case and even if Verisign stops and undoes their criminal move. Just in case...
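
A simplified model of what those two `delegation-only` lines ask the resolver to do, following BIND's documented rule that an answer from such a zone without a delegation in the authority section is treated as NXDOMAIN. This is an added example, not BIND's code and not part of the original comment; the `Response` class, the function names and the sample responses are constructed for illustration, and only explicit delegations are modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    """The parts of a response from a zone's servers that the rule inspects
    (a constructed model, not a wire-format parser)."""
    rcode: str                                     # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)     # (owner, rtype, rdata) tuples
    authority: list = field(default_factory=list)  # (owner, rtype, rdata) tuples


DELEGATION_ONLY = {"com", "net"}  # the zones named in the named.conf lines above


def norm(name):
    return name.lower().rstrip(".")


def is_below(name, zone):
    """True when name is a proper subdomain of zone (never the zone apex)."""
    return norm(name).endswith("." + norm(zone))


def enclosing_zone(qname):
    """The delegation-only zone that qname sits under, or None."""
    for zone in DELEGATION_ONLY:
        if is_below(qname, zone):
            return zone
    return None


def apply_delegation_only(qname, resp):
    """Return the rcode the resolver acts on once the rule has been applied."""
    zone = enclosing_zone(qname)
    if zone is None or resp.rcode != "NOERROR":
        return resp.rcode  # other zones, the apex, and honest errors pass through
    for owner, rtype, _rdata in resp.authority:
        # A delegation is an NS set owned by a child of the zone, at or above qname.
        covers = norm(qname) == norm(owner) or is_below(qname, owner)
        if rtype == "NS" and is_below(owner, zone) and covers:
            return "NOERROR"
    # The registry answered the question itself instead of referring us onward.
    return "NXDOMAIN"


# Constructed responses, as a resolver might see them from the .com servers.
REFERRAL = Response(
    "NOERROR",
    authority=[("example.com.", "NS", "ns1.example.com.")],
)
SYNTHESIZED = Response(
    "NOERROR",
    answer=[("fjdklsajfdsa.com.", "A", "64.94.110.11")],  # address quoted in the thread
    authority=[("com.", "NS", "a.gtld-servers.net.")],    # NS for the zone itself
)

if __name__ == "__main__":
    print(apply_delegation_only("www.example.com", REFERRAL))      # delegation present
    print(apply_delegation_only("fjdklsajfdsa.com", SYNTHESIZED))  # wildcard answer
```

The rule looks only at the shape of the response, so it needs no list of wildcard addresses and keeps working if the registry changes where the wildcard points.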

  15. new: surf to www.fuckthemverisignbastardz.com by Anonymous Coward · · Score: 0

    at last i can surf to all those hate pages and give a big shit on those idiots in this world

    todays link is:

    http://www.fuckthemverisignbastardz.com

    muahahahaha

  16. I really hope they take it down.. by Aliencow · · Score: 2, Funny

    Because for now, All our inexistant bases are belong to them.

    1. Re:I really hope they take it down.. by Anonymous Coward · · Score: 0

      ... "+1, Insightful"?

    2. Re:I really hope they take it down.. by Anonymous Coward · · Score: 0

      "+1, Insightful"?

      Yep, he said "bases" instead of "base" and still got a +1 insightful out of it. I despair for the future of our society.

    3. Re:I really hope they take it down.. by Reziac · · Score: 1

      I find your tagline particularly insightful here.. [g]

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  17. BIND and soundex by Tirel · · Score: 2, Troll

    Instead of the verisign sitelooker page, I suggest that BIND (the software that runs 60% of the DNS) should be enhanced in several ways: The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one character is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem. The remaining 40% is due to the fact that people sometimes don't actually mistype a known address... they type a dead wrong address, such as "amazonbookstore.com" instead of "amazon.com". In this case, BIND should split up the phrase into separate words (in this case "amazon book store") and redirect to a search engine with those words as parameters. The big question in this case is: which search engine? I think that one should be able to choose, in one way or another. If not, Google would be my choice ;-)

    1. Re:BIND and soundex by Nuclear+Elephant · · Score: 2, Insightful

      IMHO, this should be left up to the browser software and not the DNS server..otherwise you end up with the same scenario with ISPs using it as an advertising gimmick. I believe MSIE performs a search on what you type in. I don't see why all browsers couldn't be outfitted to do something like this.

      Remember, web browsers aren't the only thing that use BIND. You certainly don't want BIND suggesting possible matches to an SMTP server to deliver your private mail =). The solution would be best served at the client software end IMHO.

    2. Re:BIND and soundex by gmack · · Score: 1

      Well for starters DNS can't reliably tell what's a web browser and what is from something else and a lot of queries come from non human sources. So if in the future they came up with something that does what soundex tries (and fails) to do reliably this is still way too low a level to implement a feature like that.

      A web browser plugin would be a much better place to implement this so it can either be replaced or turned off according to the user's wishes.

    3. Re:BIND and soundex by rlawley · · Score: 1

      I agree- this should definitely be on the client end. Otherwise you end up breaking things without realising, such as the spam filters in this incident. Having a search in the browser (most importantly, one that you can disable/customise like in IE) is a much better way of doing things.

    4. Re:BIND and soundex by Kevin+DeGraaf · · Score: 1

      I suggest that BIND (the software that runs 60% of the DNS) should be enhanced in several ways: The most important one, IMHO, is to [blah]

      I have a better suggestion. The most important BIND enhancement is: to give a damn about security. No, wait, how about: to stop obfuscating the simple concept of Internet naming, leading everyone to believe that the DNS is somehow difficult to comprehend. Or: to abandon the demonstrably-stupid AXFR protocol. Or: ad nauseam.

      Actually, all things considered, perhaps the most important BIND enhancement would be to disappear, and for everyone to start using real DNS software.

      --
      We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
  18. similar to verisign nonsense... by Anonymous Coward · · Score: 0

    This has been happening for months at least, similar to what verisign do with .net and .com but wider ranging:

    $ ping anything.zzzzz
    PING ds1.domainspa.com (67.96.63.112) 56(84) bytes of data.

    What the hell is that? It doesn't do it on every isp I've tried, but more than one. It can be any invalid tld or even a valid tld with a non-existent domain or hostname.

    1. Re:similar to verisign nonsense... by Tirel · · Score: 1

      yep, i use Broadwing Communications ISP and get the exact same thing..

      maybe our isp decided that if verisign can do it, so can they?

      i'm thinking of switching right now...

  19. Who will they sell it to? by U6H! · · Score: 1

    After the world has accepted the site finder, they will probably rent the wildcard to MSN. I'm sure that would be worth a lot of money.

  20. Who cares about .museum? by next_permutation · · Score: 2, Insightful

    The difference is that virtually no one uses the .museum TLD. There have been complaints about the wildcards used for .cc, .nu and other TLDs. But it's only when they start playing games with .com and .net that people notice, because this affects everyone.

  21. Verisign should patent this by astrashe · · Score: 1

    Verisign should patent this.

    Then if ICANN wants to run a similar service, or award it to someone else in exchange for payments, Verisign can take all the money in licensing fees.

    I mean, why not pimp this out all the way. It's not like ICANN wouldn't take the idea and exploit it for fees now that Verisign has suggested it. It's not like ICANN is accountable to anyone, and those fees would allow them to fly private jets to private islands in the pacific to have their meetings. I'll bet they wouldn't even have to show anyone their books.

    They could even put spyware in the pages that come back from non-existent domains. Let's get Gator involved with this. There's a sleazy buck to be made, so you gotta have Gator involved.

    It's obvious to everyone who thinks about it that the real problem with the net is that there isn't enough advertising.

    1. Re:Verisign should patent this by Anonymous Coward · · Score: 0

      you're kidding .. right? i mean this is sarcasm, right?

      At some point we seem to have crossed the line between creating and enhancing standards for global intercommunication, and turned much of the internet infrastructure into a series of bad late-night television commercials .. keep in mind that this is from the same company that thought everyone would want to pay even more money to register a domain in Tuvalu (.tv), and touted the inter-registry protocol that alternate registries had to license and deal with as a wonderful innovation (ever really look at the mess this was? .. oh wait, is it actually the same code and under-educated developers?) I'm glad Cricket left and moved to Iceland .. I would too if I had to deal with those losers everyday.

    2. Re:Verisign should patent this by Kindaian · · Score: 1

      Not patentable...

      It uses already published features only... in a way that breaks DNS as we know it...

  22. Why all this fuss about Verisign ? by Krapangor · · Score: 1

    What's wrong with this redirection ?
    They only redirect when the domainname is misspelled. You would get an error in this case anyways.
    And I doubt that anyone could confuse this sitefinder with the page he searched for.
    I think all this fuss about sitefinder is just negative propaganda generated by some competitors of VS aiming for VS's market share.

    --
    Owner of a Mensa membership card.
    1. Re:Why all this fuss about Verisign ? by Anonymous Coward · · Score: 0

      You're not being serious, right ?

      Read the IAB response (even if it is for another similar situation) to understand that there are many things where we depend on correct (not guesses) responses from the DNS ! Especially when it's not a human being asking but, for example, a mail server ...

    2. Re:Why all this fuss about Verisign ? by chipwich · · Score: 1

      You miss the point. The very organization that was supposed to judiciously handle infrastructure has intentionally involved themselves in a clear conflict of interest.

      Wouldn't you have a problem if all misdialed telephone numbers were intentionally directed to "Telemarketers Inc" so that a telemarketer could politely inform you that you misdialed while trying to sell you some Viagra?

      Netster (or any other sleazy site-finder service), J-Lo, or your grandma should all have the same right to demand that the practice stop (though in practice, this takes money). If you believe in "rule-of-law" then you should realize that it applies equally to everyone. Netster has filed the lawsuit because they have a financial interest at stake, but regardless of how we feel about Netster, that doesn't make Verisign's behavior any more savory.

      Now how can I go about redirecting those misdialed telephone numbers to my telemarketing firm???

    3. Re:Why all this fuss about Verisign ? by jafiwam · · Score: 1

      Yes an error will occur. However the error has useful information content. For example, an error on the domain in the return address on email can be an indicator the email is spam.

      If you've ever helped somebody with computer stuff, you'll know that the first thing you need to ask for is complete and exact error message wording.

      Imagine a world where all computers simply put out "error, but here is a nice picture" any time something went wrong. Troubleshooting would be nearly impossible in that world....

    4. Re:Why all this fuss about Verisign ? by squiggleslash · · Score: 1
      Because if there's an error, we want to know that it's an error.

      Creating an IP for a misspelt or expired domain (the latter is where the major problems start) can cause all manner of problems. It breaks email to locations where a bad domain is in the MX list; it breaks any application that tries to verify a domain a user has entered - for example, an email client that tries to detect problems with addresses before it sends the email, or even web browsers that try to provide friendly ways of reporting errors.

      One problem is that it breaks a lot of anti-spam systems. Spammers can go back to making up domains, and anti-spammers will feel even more justified in introducing more draconian and likely-to-get-false-positives systems as a result.

      Essentially, Verisign's actions have just made the internet less reliable. And at what benefit? So that people with older browsers (IE does an MSN search, recent Mozillas do Googles, for bad domains anyway) can get redirected to a not particularly intelligent search engine?

      --
      You are not alone. This is not normal. None of this is normal.
    5. Re:Why all this fuss about Verisign ? by djroute66 · · Score: 1

      Go to a command prompt / xterm and ping or nslookup any host. Anything that doesn't exist.

      For example:
      ping fjdklsajfdsa.fdjklsafjdsa.com

      Thanks to verisign this no-name domain resolves to SiteFinder. (64.94.110.11)

    6. Re:Why all this fuss about Verisign ? by gerardrj · · Score: 1

      You mean like "General protection fault: reboot" with the little exclamation icon?

      --
      Article X: The powers not delegated... by the Constitution...are reserved...to the people
    7. Re:Why all this fuss about Verisign ? by mrjohnson · · Score: 1

      Because spam has been getting through the filters at my company.

      And because I have hundreds of messages queued on my mail server waiting to be delivered to what should be non-existent domains because verisign also broke smtp.

    8. Re:Why all this fuss about Verisign ? by Reziac · · Score: 1

      Great, now you've gone and given Verizon and SBC ideas... actually, one has to wonder why they don't do exactly this (unless there are regulations that prohibit such behaviour?) They could easily direct wrong numbers to, say, a recorded message imploring you to subscribe to their overpriced long distance services (worded so as to convince the unwary that otherwise, their long distance service will be cut off!), and with a few well-guided touches of the keypad, you'd be slammed^H^H^H^H^H^H signed up.

      Considering that I am convinced that Verisign intended to harvest typos for possible domain-squats, I see no real difference in the two behaviours (except that *so far*, the phone thing is just tinfoil-hat fodder).

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    9. Re:Why all this fuss about Verisign ? by jeremyp · · Score: 1

      DNS is used for a lot more than telling your web browser where to get its pages from.

      It's a fundamental misuse of the protocol.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    10. Re:Why all this fuss about Verisign ? by NoMaster · · Score: 1
      As hundreds have said before, in response to questions just like yours, it's the wrong thing to do in a technical sense.

      What should happen :
      1. Machine requests DNS lookup on non-valid name.
      2. Query travels all the way up to root servers (or something says "yup, I'm the authoritative source on that domain").
      3. Response comes back saying "no such domain" (NXDOMAIN)


      What happens now that Verisign have fucked with things :
      1. Machine requests DNS lookup on non-valid name.
      2. Query travels all the way up to root servers.
      3. Response comes back saying "yup, here it is! Oh, BTW, the name you asked for is actually an alias for http://sitefinder.verisign.com/"


      The second response might be considered useful to you, as a human being, but it's of no use to a machine which is expecting either a "yes, and here's the details" or a "no" response to determine if a name is valid. The only way to get around it (for a machine) is to do something extra to interpret the result to see whether it's a real valid result, or a faked valid result. Which, cleverly enough, is what the various hacks and patches are doing...

      (Except the BIND patch. That's clever ;-). But it's still nasty, and I feel it itself breaks the spirit [if not the letter] of DNS. But it's better than leaving Verisign polluting user expectations of DNS...)

      Real world example : what if you, as a multi-national monopolist abuser, write a browser, and decide that if somebody mis-types a domain name you want them re-directed to your ad-riddled search engine? If you wrote it expecting that invalid names would return a NXDOMAIN response, your grand plans for world domination on the back of banner-ad revenue have just gone down the toilet - because Verisign have just hijacked it...

      --
      What part of "a well regulated militia" do you not understand?
  23. IAB response: URL correction by lbalbalba · · Score: 0

    The url pointing to an IAB response in the story posted actually is about another issue that happened somewhere in January. It was in response to Verisign's proposed wildcarding of only domains that contained non-ASCII characters, not all domains.

    However, the IAB has issued a response to the current issue at the following URL.

    http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html

    Please update the link in the story, thanks.

  24. You should care... by Anonymous Coward · · Score: 0

    1) A lot of spam detection relies on DNS lookups of the from line.

    2) Many spam filters are broken by the fact that now all DNS lookups return valid answers.

    3) Noticed any increase in spam lately? I have.

    1. Re:You should care... by randomdef · · Score: 1

      I think this deserves to be modded up, because I've certainly noticed an increase also.
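
The extra check that NoMaster's comment above says a machine now has to make, applied to the sender-domain lookups the "You should care..." comment describes; this is an added example, not code from the thread or from any of the patches it mentions. The resolver is passed in so the sketch runs offline against a constructed zone: `REGISTERED`, the function names and the 192.0.2.x addresses are assumptions, and 64.94.110.11 is the SiteFinder address quoted earlier in the thread.

```python
import secrets
import socket

SITEFINDER = "64.94.110.11"  # wildcard address quoted in the thread
# Constructed sample data: the only names that really exist in this toy DNS.
REGISTERED = {"example.com": {"192.0.2.10"}, "example.org": {"192.0.2.20"}}


def system_resolve(name):
    """Live resolver: IPv4 addresses for name, or an empty set if it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # covers socket.gaierror and socket.herror
        return set()


def make_fake_resolver(wildcards):
    """Offline stand-in; wildcards maps a TLD to the address its registry synthesizes."""
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in REGISTERED:
            return set(REGISTERED[name])
        tld = name.rsplit(".", 1)[-1]
        return {wildcards[tld]} if tld in wildcards else set()
    return resolve


def wildcard_addresses(resolve, zone, probes=3):
    """Addresses returned for every one of several random names under zone.

    If any probe fails to resolve, the zone still answers NXDOMAIN and the
    result is empty. Requiring all probes to agree guards against a probe
    that happens to hit a registered name.
    """
    answers = [resolve(f"{secrets.token_hex(16)}.{zone}") for _ in range(probes)]
    return set.intersection(*answers)


def classify(resolve, name, wildcard):
    """Return 'NXDOMAIN', 'WILDCARD' or 'REAL' for name."""
    addrs = resolve(name)
    if not addrs:
        return "NXDOMAIN"
    # Caveat: a genuine host living on the wildcard address would also land here.
    if addrs <= wildcard:
        return "WILDCARD"
    return "REAL"


def sender_domain_exists(resolve, address, cache):
    """Spam-filter style check of the domain in a From address, wildcard-aware."""
    domain = address.rsplit("@", 1)[-1].lower()
    zone = domain.rsplit(".", 1)[-1]
    if zone not in cache:  # probe each TLD once, then reuse the result
        cache[zone] = wildcard_addresses(resolve, zone)
    return classify(resolve, domain, cache[zone]) == "REAL"


def demo():
    """Compare the naive 'did it resolve?' test with the wildcard-aware one."""
    resolve = make_fake_resolver({"com": SITEFINDER, "net": SITEFINDER})
    cache, results = {}, {}
    for sender in ("alice@example.com", "spam@fjdklsajfdsa.com", "x@nosuch.org"):
        naive = bool(resolve(sender.rsplit("@", 1)[-1]))
        results[sender] = (naive, sender_domain_exists(resolve, sender, cache))
    return results


if __name__ == "__main__":
    for sender, (naive, aware) in demo().items():
        print(f"{sender:24} naive={naive!s:5} wildcard-aware={aware}")
```

Passing `system_resolve` instead of the fake resolver runs the same check against live DNS; probing costs a few extra queries per TLD, which is why the result is cached.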

  25. verisign... who? by Tirel · · Score: 1

    $ sudo pfctl -sn | grep 64
    rdr on tun0 inet proto tcp from any to 64.94.110.11 -> 127.0.0.1

    1. Re:verisign... who? by gmack · · Score: 1

      That only blocks the sitefinder page but doesn't solve the problem of the lack of a dns error.

      Just upgrade bind.. it's easier and more reliable.

      The one upside to all of this is that it forced ISC to add a feature that can now be used on all of the other stupid TLDs that do the same thing.

  26. Petition Site (new link!) by GeorgeK · · Score: 2, Interesting

    I'm glad the IAB took that position. Hopefully Verisign will do the right thing....but, given their history, they probably won't.

    We started a petition on Tuesday, and it got more than 16,000 signatures, before the site apparently got Slashdotted or something. We had to move it to a new server, with backups of the first 10K signatures. The new link is:

    Stop Verisign DNS Abuse Petition

    We also made announcements here and here, including having sent a hardcopy of the first 10,000 signatures to ICANN via FedEx. Thanks for all the support!

  27. Real IAB Response by bigal123 · · Score: 5, Informative

    The response in the original article links to something old. Here is the IAB's official response. The bottom has a whole section on "Principles, Conclusions, and Recommendations". Good reading: http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html

    1. Re:Real IAB Response by lbalbalba · · Score: 0

      And according to that response, the IAB actually seems to be perfectly fine with this. It appears that the DNS "wildcard" mechanism has been part of the DNS protocol since the original specifications were written twenty years ago.

      And the IAB seems to feel that " If you want to use wildcards in your zone and understand the risks, go ahead, but only do so with the informed consent of the entities that are delegated within your zone ".

    2. Re:Real IAB Response by Fzz · · Score: 1
      You're quoting somewhat out of context. The next few lines read:

      Generally, we do not recommend the use of wildcards for record types that affect more than one application protocol. At the present time, the only record types that do not affect more than one application protocol are MX records.

      For zones which do delegations, we do not recommend even wildcard MX records. If they are used, the owners of zones delegated from that zone must be made aware of that policy and must be given assistance to ensure appropriate behavior for MX names within the delegated zone. In other words, the parent zone operator must not reroute mail destined for the child zone without the child zone's permission.

      We hesitate to recommend a flat prohibition against wildcards in "registry"-class zones, but strongly suggest that the burden of proof in such cases should be on the registry to demonstrate that their intended use of wildcards will not pose a threat to stable operation of the DNS or predictable behavior for applications and users.

      We recommend that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity.

      I can tell you that the IAB is not perfectly fine with this.

      Fzz

    3. Re:Real IAB Response by Progman · · Score: 1

      Exactly, please explain when and where did Verisign obtain the informed consent of the entities that are delegated within the .com and .net zones, which are all the .com and .net domains. I own several, I don't remember consenting, much less being informed.

    4. Re:Real IAB Response by lbalbalba · · Score: 0

      True, VeriSign didn't actually ask anyone's permissions to do this. But the IAB doesn't force anyone to ask permission, they just recommend it.

      But then again, if this all is actually in full conformance with all of the related RFC's, they don't really need to ask anyone's permission now do they ? If we feel that the rfc's are wrong, then we should attempt to modify the rfc's, instead of attacking the people that are conforming to them.

    5. Re:Real IAB Response by lbalbalba · · Score: 0

      Well, as you have already quoted the response also read :

      " ...
      We hesitate to recommend a flat prohibition against wildcards in "registry"-class zones ... "

      And, as this behaviour actually appears to be fully in conformance with all related rfc's it appears that they *can't* actually prohibit it, either.

      To me, it appears that the problem is just that the specification resulted in unforeseen consequences (and as we all know, if scientists can be counted on for anything, it's for creating unforeseen consequences) so if we do not view this behaviour as desirable then we should submit a new rfc.

  28. A great hack.. by mindstrm · · Score: 3, Interesting

    except, this type of thing is not the responsibility of the DNS.

    The fact that we tend to use DNS as an index of everything, and that humans can't get over "Www." is OUR problem, not a problem with DNS. DNS is a precise lookup service... we'd just like it to function as it always has, thanks.

    DNS wasn't put here to look up websites, it's far more fundamental than that.. and if people are too lazy to learn how to use a web browser right.. tough cookies for them. We should not be mangling DNS in order to do it.

    DNS is about a LOT more than just you looking up a web address, and to break it now is absurd.

    If you want a feature like you suggest, you build it at the application level, into the web browser... you don't mess with the fundamental protocols involved.

    1. Re:A great hack.. by Joe+U · · Score: 1

      What you suggest is actually available.

      If you have a browser that supports the Google Toolbar, try this:

      Install the Google Toolbar
      Turn off your address bar.
      Type whatever you want into the toolbar, URLs automatically resolve, non-URLs get searched on.

    2. Re:A great hack.. by Nuclear+Elephant · · Score: 1

      Complete with integrated blogging and privacy issues.

    3. Re:A great hack.. by Joe+U · · Score: 1

      Well, the privacy part is obvious. If you want to trust all your browsing to a third party, then you will have to trust that third party.

      Doesn't matter if it's Verisign, (Microsoft on Windows systems, obviously, Apple on MacOS, etc..), Google or your ISP. All of them have ways to track your browsing habits.

    4. Re:A great hack.. by Nuclear+Elephant · · Score: 1

      Google is the scariest IMHO. They retain every single query, ip address, and timestamp, but they won't say what it's used for. At least we know Verisign is going to use it for shameless advertising.

    5. Re:A great hack.. by Anonymous Coward · · Score: 0

      I'm guessing the data is being saved for two mice trying to take over the world.

    6. Re:A great hack.. by joe_plastic · · Score: 1

      Well you could write up an RFC with an optional extension to request close matches. There already exist NXT records for use in DNSSEC. I believe that they added it so that you could send these records to prove where gaps were without having the private key stored in the name server etc etc. For the amazonbookstore problem the browser could ask for the NXT record and use the results to build up a list of near lexical ordering domains. Of course the squatters might register amazona ... amazonz. What you want with soundex or whatever would be best met with an extension, maybe a request of QW (guess what) that returns results that are a best guess of what you meant. There are problems of defining what maximum return size is, how to choose google over altavista DNS servers, etc. And I think most DNS servers would not turn on QW resolves because of possible resource usage. Anyway at best you need a new request type or use the NXT request type, instead of neutering error codes.

    7. Re:A great hack.. by cygnusx · · Score: 1

      Except that if you type in URLs like "www.cbc.ca" into the google toolbar, the browser goes directly to the cbc.ca website (as proved by my firewall logs), and does NOT go through google.

      Or try typing "http://www.chaoszone.org/nosuchpage" into the toolbar, you'll see no referer information is passed. The google toolbar BHO asks IE to connect to the URL directly.

      Give google at least a little credit for trying to do things right: using the toolbar as an 'enhanced' address bar is perfectly safe. For now, at least.

    8. Re:A great hack.. by Nuclear+Elephant · · Score: 1

      I'm sure they'll fix that "bug" now that someone's told them about it =) Seriously though, I appreciate your zeal for the google toolbar, but I'm not about to switch to Windows any time soon.

    9. Re:A great hack.. by cygnusx · · Score: 1
      > I appreciate your zeal for the google toolbar

      :-) anything that blocks popups in IE reliably deserves to be sainted IMO. (other options exist too, but the toolbar's the best.) And no, I do *not* use it as an address bar, though yes, I am guilty of using Windows.

    10. Re:A great hack.. by bill_mcgonigle · · Score: 1

      DNS wasn't put here to look up websites, it's far more fundamental than that.. and if people are too lazy to learn how to use a web browser right.. tough cookies for them. We should not be mangling DNS in order to do it.

      Let's try that again, using mail as a counter-example:

      DNS wasn't put here to look up mail exchangers, it's far more fundamental than that.. and if people are too lazy to learn how to use a mail client right.. tough cookies for them. We should not be mangling DNS in order to do it.

      I'm not sure where the difference lies, but maybe I'm missing something. I think the web has proven itself by now, and I'd actually prefer to have WWW records in my zone files, rather than having to manage round-robin A records, CNAMEs, load-balancers, content switches and the like.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  29. Up-to-Date IAB comment by buelba · · Score: 1

    The messages referenced in the article are from January and concern a different (equally stupid) Verisign proposal. The IAB's comments on Verisign's current actions can be found here.

  30. Shouldn't we be outraged by email implications? by mentaiko · · Score: 5, Insightful
    Much more than their capturing of all port 80 traffic, I am irritated by what has happened to email.

    Every time I send a message with a typo in the domain name, my message goes straight to Verisign's email servers. Though they are kind enough to send a bounce back to me, in the meantime they have the ability to

    • Read my entire message
    • Stick my name and email address into their database for marketing and resale

    Shouldn't this be the main concern?

    1. Re:Shouldn't we be outraged by email implications? by Anonymous Coward · · Score: 0

      It's worse than that, their mailserver just accepts the from and to addresses, with no error messages, then disconnects you with an uninformative message at the beginning of the data section. There is absolutely no reason for it to wait for the email addresses before disconnecting you, other than to harvest them. Also, they ignore their own recommendation of giving an informative error indicating to the end user that they had a typo.

    2. Re:Shouldn't we be outraged by email implications? by Rob+Kaper · · Score: 1

      Well, that's just a side-effect of the broken "no MX record, use the A record" rule. What would be nice is a DNS where one can truly specify a purpose for the lookup in the domain as well, for example slashdot.org/http would return IP1:80 and slashdot.org/smtp could return IP2:25.

      Hardcoding ports to services is one of the worst legacies of the Internet and it's a shame DNS never tackled that problem.

    3. Re:Shouldn't we be outraged by email implications? by Anonymous Coward · · Score: 0

      I don't understand why you think that hardcoding the apps to ports is so bad?

    4. Re:Shouldn't we be outraged by email implications? by Rob+Kaper · · Score: 1

      The number of ports is extremely limited and it's not trivial how to "get one" for a service. Have you ever tried getting one assigned by IANA?

      Almost every time a computer looks up a DNS record, it does so for a specific purpose in mind. Computers don't resolve at random, they do so because applications are looking for a HTTP service, SMTP service, MSN service, whatever. Including port information would greatly increase flexibility and allow administrators to allocate ports the way they see fit, and not IANA.

    5. Re:Shouldn't we be outraged by email implications? by dissy · · Score: 1

      > Well, that's just a side-effect of the broken "no MX record, use the A record" rule.

      Or what would be even better is if Verisign would set up a wildcard MX to work the same as their wildcard A record, but return 127.0.0.1 as the only mail server.
      Then your own mail server can reject it.

      I'm not sure what the standard operation is if the IP returned by an MX is invalid, but I would suspect that some mail clients would fall back to using the A record instead of failing, so setting the MX to 0.0.0.0 or something may not be a solution.

      Your own mail server however should reject mail sent to a domain it doesn't handle.

      The error returned in the bounce will be confusing (I don't know what this domain is, vs this domain doesn't exist) but it's technically true, as the domain now does exist.

    6. Re:Shouldn't we be outraged by email implications? by Anonymous Coward · · Score: 0
      The number of ports is extremely limited and it's not trivial how to "get one" for a service. Have you ever tried getting one assigned by IANA?

      You don't need to 'get one' for your service. If it's a limited 'private space' type service you use whatever port you want.

      OK, fine, but with your scheme you'll have to get IANA to assign you a 'service tag' instead of a port number. Then you need applications to agree to use the same tags for the same purpose. In fact, it doesn't solve any problems except scarcity (1 service per port, 1 port per service). And it introduces a MAJOR problem. What if you want to run two of something on the same IP address? How do you look THAT up?

      If you think 65,000 ports isn't enough, then I don't know what the fuck you're doing. I've never run into a port collision between two different applications.

    7. Re:Shouldn't we be outraged by email implications? by Anonymous Coward · · Score: 0

      Hmm, I think what you're saying now. A browser would request xxx/http or xxx/http1 instead of xxx:80 or xxx:81, so the 'MAJOR problem' is kinda moot.

      Still, the point stands. You're not solving anything by using service tags instead of ports except scarcity, which is not that big of an issue. In the over 10 years I've been on the Internet using and building and installing applications and services, I've never run into port collisions. Period. There are enough ports to go around to cover public services. The thousands of non-public services can use any damn port they want, as long as it doesn't conflict with an established public-facing service. It's not like everyone needs a unique port number all to themselves.

      In the end though, it's entirely arbitrary whether you're using port numbers or service tags. All the principles are the same, and, ultimately, computers are better at dealing with numbers than strings.

    8. Re:Shouldn't we be outraged by email implications? by Bronster · · Score: 2, Informative

      in the meantime they have the ability to
      Read my entire message


      Actually, they don't (yes, I've tested this by telnetting to the SMTP port).

      They accept the envelope sender and receiver, then reject the DATA command.

    9. Re:Shouldn't we be outraged by email implications? by smeenz · · Score: 1

      christ.. I thought they were only resolving A entries, but no.. they are doing MX ones as well ! What *possible* reason could they have for claiming to be a valid mail exchange for any mistyped domain ? The fact that they then bounce the reply suggests that they don't want to claim to be that, so other than leeching valid email addresses.. I can't think of any purpose for doing this.

    10. Re:Shouldn't we be outraged by email implications? by smeenz · · Score: 1

      doh.. should have read the other replies first and realised that it is indeed using the A record when the MX doesn't exist.
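
The mail side effect discussed in this subthread, as an added example that is not part of any comment above: a toy resolver over a constructed zone shows how a TLD wildcard A record combined with the "no MX record, use the A record" fallback delivers a mistyped domain's mail to the wildcard host, and how a resolver-side filter that turns the synthesized answer back into NXDOMAIN restores the local bounce. The zone, the fictional TLD "example", all addresses and all function names are assumptions made for the illustration.

```python
"""Toy model: TLD wildcard A record + implicit-MX fallback (constructed data)."""
import secrets
from functools import partial

NXDOMAIN = "NXDOMAIN"

# Constructed zone for a fictional TLD "example". Addresses come from the
# RFC 5737 documentation ranges; none of this is real registry data.
# Delegations are flattened into one table to keep the model small.
ZONE = {
    ("goodhost.example", "A"): ["192.0.2.10"],
    ("goodhost.example", "MX"): [(10, "mail.goodhost.example")],
    ("mail.goodhost.example", "A"): ["192.0.2.25"],
    ("nomx.example", "A"): ["192.0.2.40"],        # registered, but no MX
}
WILDCARD_A = ["198.51.100.1"]  # registry-synthesized answer for "*.example"


def lookup(name, rtype, wildcard=True):
    """Return (rcode, records). With wildcard=True an unknown name gets the
    synthesized A record (and an empty answer for other types) instead of
    NXDOMAIN."""
    name = name.lower().rstrip(".")
    if (name, rtype) in ZONE:
        return "NOERROR", ZONE[(name, rtype)]
    if any(n == name for n, _ in ZONE):
        return "NOERROR", []                      # name exists, no such type
    if wildcard:
        return "NOERROR", list(WILDCARD_A) if rtype == "A" else []
    return NXDOMAIN, []


no_wildcard = partial(lookup, wildcard=False)     # pre-wildcard behaviour


def mail_targets(domain, resolve):
    """Target selection as in RFC 5321 section 5.1: MX hosts by preference,
    else the domain's own A record as an implicit MX.
    Returns None when the sending server must bounce the message itself."""
    rcode, mx = resolve(domain, "MX")
    if rcode == NXDOMAIN:
        return None
    hosts = [host for _, host in sorted(mx)] or [domain]
    addrs = []
    for host in hosts:
        rcode, a = resolve(host, "A")
        if rcode != NXDOMAIN:
            addrs.extend(a)
    return addrs or None


def detect_wildcard(tld, resolve, probes=3):
    """Query random 32-hex-digit labels that nobody has registered.
    Addresses returned for every probe are wildcard-synthesized."""
    seen = None
    for _ in range(probes):
        rcode, a = resolve(f"{secrets.token_hex(16)}.{tld}", "A")
        if rcode == NXDOMAIN or not a:
            return set()
        seen = set(a) if seen is None else seen & set(a)
    return seen or set()


def filtered(resolve, synthesized):
    """Wrap a resolver so a name whose A answer consists only of synthesized
    addresses is reported as NXDOMAIN for every record type. A registered
    name that really points at that address is hidden as well."""
    def wrapped(name, rtype):
        rcode, a = resolve(name, "A")
        if rcode == "NOERROR" and a and set(a) <= synthesized:
            return NXDOMAIN, []
        return resolve(name, rtype)
    return wrapped


def demo():
    """Run the three cases on the typo 'goodhots.example'."""
    detected = detect_wildcard("example", lookup)
    clean = filtered(lookup, detected)
    return {
        "typo_with_wildcard": mail_targets("goodhots.example", lookup),
        "typo_without_wildcard": mail_targets("goodhots.example", no_wildcard),
        "detected": detected,
        "typo_filtered": mail_targets("goodhots.example", clean),
        "real_filtered": mail_targets("goodhost.example", clean),
        "implicit_mx_filtered": mail_targets("nomx.example", clean),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The filter leaves the legitimate implicit-MX case (`nomx.example`) working, which is why it keys on the synthesized address rather than on the absence of an MX record.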

  31. Mod Parent Up! by Anonymous Coward · · Score: 0

    Mod Parent Up

  32. Re:Versign should have to pay. Follow the Money by Anonymous Coward · · Score: 0

    You're right
    If you look at TLD Sponsorship contracts on the ICANN site you'll see that some of the things a TLD Sponsors must do are...
    Produce an accurate count of domains.
    Pay a per-domain fee to ICANN.

    Follow the money baby

  33. gTLD's and ccTLD's are different by sabri · · Score: 2, Interesting

    Indeed. This is not new. But there are differences:

    The .museum gTLD was a new gTLD. If you implement a wildcard from the start of a gTLD, that is something the community can take into account when developing systems around it. (this does not mean I agree with doing so).

    Some people also mention some ccTLD's like .tk and .nu doing the same. There is however a fundamental difference between a gTLD and a ccTLD. A gTLD is operated (or at least should be) under control of the community and should be more strict in following the RFC's. A ccTLD is operated by a country or representatives of a country. If Tokelau and Niue wish to break the RFC's, it's their problem. It is the responsibility of their government to correctly operate the ccTLD and if they fail to do so, too bad for them as the world will eventually turn its back on them.

    --
    I'm not a complete idiot... Some parts are missing.
  34. It's not about the money by efti · · Score: 1

    The outrage about Verisign's move has nothing to do with whether or not they're making money on it and everything to do with breaking a system people rely on. It does add oil to the fire that they have commercial motives for doing so, but the point is that DNS is expected to behave a certain way and they have arbitrarily changed it without asking anyone (IETF, ICANN, etc). And this broke a lot of systems that relied on DNS's expected behaviour.

    And of course there's the principle that as guardians of a tld (and effectively a monopoly), they should not abuse their position -- not that they haven't proven it already that they are simply incapable of doing so. ICANN should really have a "three strikes and you're out" system to deal with practices like this.

    --
    I signed up for a /. account and all I got was this crappy sig
  35. Too charitable. by Anonymous Coward · · Score: 0

    The IAB was far more charitable with its reply than I would have been. This wildcarding was a patently scummy thing for Verisign to do--abuse of a trust granted to them for financial gain.

  36. You are right by MobyDisk · · Score: 1

    You are right, this decision must apply unilaterally.

    1) We need to make sure that our argument against Verisign isn't the CONTENT of the Verisign page - if so, they will just remove the ads or something. The problem here is that it breaks the DNS specification (see the IAB response for why).

    2) What happens when all the spammers start using .museum so that their DNS always resolves and the spam gets through?

    1. Re:You are right by joe_plastic · · Score: 1

      If spammers start using .museum or other two-letter country code TLDs then spam filters can use a white list of TLDs that return proper responses. If the domain isn't in the list then you can up its score; plus it will save you the need to do a real domain lookup.

  37. It's even worse by Anonymous Coward · · Score: 0
  38. VeriSign Power Play by johnthorensen · · Score: 4, Insightful

    Something that seems to be mildly overlooked here, in my opinion, is that this has the power to give VeriSign "ownership" of the web in many users' minds.

    If my mom tries to go to http://www.gooodhousekeeping.com and gets a VeriSign message and a search box, well it doesn't take much of that before she starts thinking that VeriSign == The WWW, because VeriSign is who always tells her what she typed wrong and where she should be going.

    What this comes down to is a company trying to "brand" the web. In many ways, Google has been successful at this, but they have actually played fair and achieved what they have on the basis of merit. VeriSign is ABUSING their power to brand the web as their own.

    It should be patently obvious by now that VeriSign's modus operandi is one of deceit and trickery. Evidence the fake "renewal" cards they have sent out in the past to "slam" DNS registrants much like the shady phone companies have tried to do with your long-distance.

    Damn, it's ridiculous that people even try to get away with this sort of crap these days...will someone with the power to please stop this?

    -JT

  39. Fixing the problem by bruns · · Score: 2, Interesting

    Well, one thing interesting I discovered - Earthlink appears to have patched their DNS servers so they return NXDOMAIN now instead of sitefinder. Cheers to a big ISP taking charge :)

    --
    Brielle
    1. Re:Fixing the problem by Reziac · · Score: 1

      [removes sitefinder.verisign.com from my HOSTS file -- which was a good workaround; goes off and checks typo behaviour] Yep, sure seems ELN has done so. Not only that, but it returns the No-DNS response VERY quickly. Kudos to Verisign for speeding up my browsing experience! ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    2. Re:Fixing the problem by Anonymous Coward · · Score: 0

      Maybe I should switch, Time Warner has been passive to both the Microsoft RPC infections and this.

  40. Penalty appropriate? by Anonymous Coward · · Score: 0
    You know, it's not as though Verisign did this by accident. The specs for DNS are freely available. Verisign appears to have knowingly and willingly violated them, and violated the trust that was placed in them by the Dept. of Commerce.

    This does not appear to be "oops", this appears to be a knowing, willful abuse of trust.

    At the very least, I think it would be appropriate for the Dept. of Commerce to issue a very hefty fine against Verisign. If a fine is not feasible, then a lawsuit is in order.

    This is not "boys will be boys." If there's no penalty for a knowing, willful abuse of trust, we're going to have to deal with a lot more abuse in the future.

  41. Down Goes Their Reputation by simon13 · · Score: 3, Insightful

    A week ago I saw Verisign as a highly respectable registry and provider of all sorts of security products and verification. Then these recent events occur and their reputation in my mind has gone terribly sour.

    Maybe it's just the bias I've learned from the Slashdot community, but they now just seem so incompetent; maladroit? So much for the whole "trust" thing. I haven't given them my business in the past, but now it's looking significantly less likely. (Although they probably end up with some financial gain regardless of where I purchase domain names, correct?)

    Now they just join the list of organisations that just leave a bad taste: SCO, RIAA, and now... VeriSign! (I'm sure there's many more.)

    1. Re:Down Goes Their Reputation by snofla · · Score: 1

      You forgot ICANN.

      --
      i don't like style guides
    2. Re:Down Goes Their Reputation by Reziac · · Score: 2, Informative

      Verisign isn't engaging in anything that's so out of line for them. They're already thoroughly infamous for "slamming" domain names by way of sending out scare-tactic letters to make people think that unless they registered with *Verisign*, they would lose their domain. GoDaddy.com had a scan of the physical letter online for a while, but offhand I can't find the link.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    3. Re:Down Goes Their Reputation by Anonymous Coward · · Score: 0

      Yep, a week ago you could buy a cert and hope it will last.

      The question now becomes will it last long enough to get another cert from a different agency.

      Given Verisign has about ticked off every techie on the planet (except for slime spammers) I would say Verisign jobs and longevity are at a real and long term risk.

  42. Future of Verisign? by trainsnpep · · Score: 1

    ...and is carefully reviewing the terms of the .com and .net Registry Agreements.

    Do you suppose that this means Verisign may be removed from its post of managing .com and .net DNS?

    --
    --<Mike>--
    1. Re:Future of Verisign? by pigscanfly.ca · · Score: 1

      While that would be nice, it is more likely that they might stipulate that Verisign must conform to RFCs to continue to hold on to the .com and .net registry.

  43. It used to be free (while tooth fairies flew above) by Nightlight3 · · Score: 1
    Also verisign makes its money by selling domain names. Recall that they used to be free at one point.


    Assuming you're young enough to buy into a theory calling government services "free."

  44. ICANN: "I ain't dead yet" by Anonymous Coward · · Score: 1, Informative
    One of my namesakes commented about ICANN's reaction:
    Ask? How about demand.
    Agreed. But ICANN has at least taken a public position (which is more than some of us expected) and on the right side, even.

    There's an interesting op-ed piece in El Reg about the way that ICANN is being reconstructed. (Brits like myself would immediately recognise what's being described as a Quango[*].) The point is, ICANN's new directors are approaching this as a political and diplomatic problem - not surprising as this is what they are familiar with. Their public statement that they have asked Verisign to "voluntarily suspend the service until the various reviews now underway are completed" is - how to put it? - the sort of advice that Verisign would be reckless to ignore.

    (BTW, I imagine that the digital certificate side of Verisign is mad as hell about the actions of the cowboys in the name-service unit. Think about it for a moment: would you trust a certificate of identity that was issued by a company that has changed the behaviour of the nameservers it runs under contract for the most important top-level domain on the internet, so that they return invalid results, in the hope of making a few quick bucks?)

    * Quango: acronym for Quasi-Autonomous Non-Government Organisation. In case it's not obvious, the term was invented with extreme ironical intent.

  45. How Verisign could keep SiteFinder by Anonymous Coward · · Score: 0

    Verisign collects a fee for every domain that is registered in the .com and .net space by anyone other than Verisign. I believe ICANN also gets a small fee.

    Therefore, Verisign should pay a fee to ICANN and to all the other registrars (the other registrars could split the money with their customers) for all the domains they are now servicing.

    If Verisign paid ICANN and the other Registrars and all of us that have registered domains a fee for all the possible combinations of domains that Verisign is now answering requests for, I think most wouldn't mind letting them keep the SiteFinder service.

    1. Re:How Verisign could keep SiteFinder by Ice_Balrog · · Score: 1

      You realise that number of possible domains is infinite, don't you?

      On the other hand, Verisign paying $∞ (that's infinity, if your browser doesn't render it correctly) isn't such a bad idea...

      --
      #include "sig.h"
  46. correct URL for IAB response by shostiru · · Score: 1

    I believe you want the 2003-09-20 IAB response to Verisign (written 2003-09-19). It's reasonably thorough in listing all the problems caused by wildcards.

  47. An enemy of an enemy by epukinsk · · Score: 1

    Am I the only one who would rather have VeriSign control this spillover page than Microsoft? For 90% of the world, Microsoft controls it now, right?

    It's either a money-grubbing domain name registrar that could be ousted if need be or a convicted monopolist that can't.* I'll take the former, thank you.

    Erik

    *At least not until people stop buying Windows. But that's a few years out yet.

    1. Re:An enemy of an enemy by Taloon · · Score: 1

      Microsoft is just doing this at the browser level though. For example, if you send an email to a misspelled domain, it would never go to Microsoft's servers, however now, it would go to Verisign servers, and who knows what they're going to do with those addresses.

      This breaks much more than just Microsoft's spillover page. Hurting the entire internet is not a good price to pay for sticking it to Microsoft just a little bit.

    2. Re:An enemy of an enemy by huge · · Score: 1

      There is a big difference, Microsoft presents search page for incorrectly typed domain names in URLs. I think that the URL is the key here.

      In this case Microsoft got it right, they only redirect you to their search page if you type incorrect URL in web browser's address bar - not when you try to resolve any domain name.

      IMHO, VeriSign approach is sadly suggesting that DNS is only used by browsers and email.

      --
      -- Reality checks don't bounce.
  48. VeriSign sticks with redirect service by JRHelgeson · · Score: 0, Redundant

    09/19/2003 VeriSign said Thursday that it would respond to technical complaints over its recent move to redirect Internet users who enter nonexistent or misspelled domain names to its Web site, but it said it would not pull the plug on the service. Criticism has been growing over the company's surprise decision to take control of unassigned .com and .net domain names, which has confused antispam utilities and drawn angry denunciations of the company's business practices from frustrated network administrators. "There is a lot of fiction about the actual technology and the service," VeriSign spokesman Brian O'Shaughnessy said. "What we are doing is trying to determine fact and fiction and we're doing so by reaching out to the technology community and helping them to understand exactly what is fact and fiction." VeriSign would not disclose what changes it might make to address technical complaints about its SiteFinder service. O'Shaughnessy said the service has been embraced by end users. "We've seen nothing but very positive results from the Internet community," he said. "Usage is extraordinary. Both individual users and enterprises are giving very positive feedback." VeriSign's new policy is intended to generate more advertising revenue from additional visitors to its network of Web sites. But the change has had the side effect of rewiring a portion of the Internet that software designers always had expected to behave a certain way. That can snarl anti-spam mechanisms that check to see if the sender's domain exists, complicate the analysis of network problems and possibly even pollute search engine results. Because VeriSign will become a central destination for mistyped e-mail and Web traffic, its move also raises serious privacy questions. In response, the Internet's technical community has developed a patch to BIND, the workhorse utility that implements the Domain Name System protocols. It's designed to counteract VeriSign's change by blocking traffic to its SiteFinder site and returning the same "domain not found" error message as before. When asked why VeriSign did not inform the Internet's technical organisations of the change in advance, O'Shaughnessy replied: "There's not much I can add except to say that our testing and the resources we've applied toward this have been in accordance with prevailing industry standards for new products and services." Neither the Internet Corporation for Assigned Names and Numbers (ICANN), which in principle oversees VeriSign's actions as a domain name registrar, nor the U.S. Department of Commerce, which has a contract with VeriSign that grants it a government-granted monopoly over .com and .net, has responded to repeated requests for comment since Tuesday. O'Shaughnessy said there's no need for any outside organisation to get involved. "There's some religiousness that's been brought to bear here besides the technical reality," he said. "We're fully compliant with every RFC," O'Shaughnessy said in reference to the technical standards that govern the Internet. Original article: http://www.zdnet.com.au/newstech/ebusiness/story/0,2000048590,20278764,00.htm

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  49. Verisign's response is predictable ... by Anonymous Coward · · Score: 0

    "no".

  50. VeriSign sticks with redirect service by JRHelgeson · · Score: 1
    I forgot to preview... DOH!

    Original Article

    VeriSign said Thursday that it would respond to technical complaints over its recent move to redirect Internet users who enter nonexistent or misspelled domain names to its Web site, but it said it would not pull the plug on the service. Criticism has been growing over the company's surprise decision to take control of unassigned .com and .net domain names, which has confused antispam utilities and drawn angry denunciations of the company's business practices from frustrated network administrators.

    "There is a lot of fiction about the actual technology and the service," VeriSign spokesman Brian O'Shaughnessy said. "What we are doing is trying to determine fact and fiction and we're doing so by reaching out to the technology community and helping them to understand exactly what is fact and fiction."

    VeriSign would not disclose what changes it might make to address technical complaints about its SiteFinder service.

    O'Shaughnessy said the service has been embraced by end users. "We've seen nothing but very positive results from the Internet community," he said. "Usage is extraordinary. Both individual users and enterprises are giving very positive feedback."

    VeriSign's new policy is intended to generate more advertising revenue from additional visitors to its network of Web sites. But the change has had the side effect of rewiring a portion of the Internet that software designers always had expected to behave a certain way. That can snarl anti-spam mechanisms that check to see if the sender's domain exists, complicate the analysis of network problems and possibly even pollute search engine results. Because VeriSign will become a central destination for mistyped e-mail and Web traffic, its move also raises serious privacy questions.

    In response, the Internet's technical community has developed a patch to BIND, the workhorse utility that implements the Domain Name System protocols. It's designed to counteract VeriSign's change by blocking traffic to its SiteFinder site and returning the same "domain not found" error message as before.

    When asked why VeriSign did not inform the Internet's technical organisations of the change in advance, O'Shaughnessy replied: "There's not much I can add except to say that our testing and the resources we've applied toward this have been in accordance with prevailing industry standards for new products and services."

    Neither the Internet Corporation for Assigned Names and Numbers (ICANN), which in principle oversees VeriSign's actions as a domain name registrar, nor the U.S. Department of Commerce, which has a contract with VeriSign that grants it a government-granted monopoly over .com and .net, has responded to repeated requests for comment since Tuesday.

    O'Shaughnessy said there's no need for any outside organisation to get involved. "There's some religiousness that's been brought to bear here besides the technical reality," he said. "We're fully compliant with every RFC," O'Shaughnessy said in reference to the technical standards that govern the Internet.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  51. Registry/registrar changes by Todd+Knarr · · Score: 2, Interesting

    Frankly I think ICANN should formally separate the registrars and the root DNS registry. Make these changes to the rules:

    1. The root DNS registry operator may not themselves be a DNS registrar, nor may they have any affiliation with or organizational ties to one. The registry operator receives a fee per domain for operating the registry, there should be no incentives other than this fee affecting their operation of the registry. It's too critical to the rest of the Internet. If those fees alone aren't enough to make it worthwhile for any company to run the registry, then perhaps the registry shouldn't be run by a company.
    2. The registry operator may not run a publicly-accessible root nameserver (but they may run one for purposes of transferring root zone data to root nameserver operators, so long as it is not listed in the root hints file). That would make it so that changes in the root zones such as adding wildcard records could, at least in principle, be filtered out by the root server operators before reaching the Internet at large.
    3. No one entity may, either directly or through affiliated entities, control more than 3 root nameservers or 25% of the root nameservers, whichever is less. That would hopefully insure enough variety in root nameserver operators that bad changes (eg. the wildcards addition or things that required specific non-standard DNS server software) would be rejected by at least one operator.
    1. Re:Registry/registrar changes by Reziac · · Score: 1

      Good thoughts; have you suggested it to whomever is in charge??

      I think that's a good general observation, tho -- anyone who is in charge of a Public Good should not be allowed to run a side business that profits directly from behaviours of said Public Good which could be configured to abuse said Public Good, or limit how others can legitimately use said Public Good.

      IOW, don't let anyone run a public service that they could hijack to their own sole benefit.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    2. Re:Registry/registrar changes by dissy · · Score: 1

      > Frankly I think ICANN should formally separate the registrars and the root DNS registry.

      I think I know what you are saying, but you are using the wrong terms which makes your post a tad confusing for those of us that deal with DNS a lot.

      This isn't a comment on the content of your post, which I agree with and is a good idea. I just wanted to let you know for future comments.

      The registrars and root servers ARE separate right now (Thus the main point of confusion of your post)

      Verisign doesn't run the root servers at all nor can make changes to them. Each root server is run by a company (Though most aren't companies but groups that just do it. MIT I believe runs one, as does a lot of .edu sites. ISC runs one too which is the group that makes Bind)

      Root servers list the TLDs like com, net, org, us, uk, etc.
      The root servers are pointing com. and net. to the gTLD servers (global top level domain) which for com and net happen to be Verisign's gTLD servers.

      The root servers are doing nothing wrong, and haven't changed for quite some time, as they only deal with top levels.

      Verisign (and all the registrars) run gTLD or ccTLD (global or country-code TLD) servers. It's these servers we are having the problem with.

      If one replaces root-servers with gtld-servers in your post, it makes sense.
      Just wanted to point that out before you got flamed for it ;)

    3. Re:Registry/registrar changes by Dahan · · Score: 1
      Frankly I think ICANN should formally separate the registrars and the root DNS registry.

      But they're already separate. The root DNS servers are:

      a.root-servers.net. 198.41.0.4 (Network Solutions, Inc.)
      b.root-servers.net. 128.9.0.107 (Information Sciences Institute)
      c.root-servers.net. 192.33.4.12 (Performance Systems International Inc.)
      d.root-servers.net. 128.8.10.90 (University of Maryland)
      e.root-servers.net. 192.203.230.10 (National Aeronautics and Space Administration)
      f.root-servers.net. 192.5.5.241 (Internet Software Consortium, Inc.)
      g.root-servers.net. 192.112.36.4 (Defense Information Systems Agency)
      h.root-servers.net. 128.63.2.53 (U.S. Army Research Laboratory)
      i.root-servers.net. 192.36.148.17 (Royal Institute of Technology (Sweden))
      j.root-servers.net. 192.58.128.30 (VeriSign Global Registry Services)
      k.root-servers.net. 193.0.14.129 (LINX, Telehouse, London)
      l.root-servers.net. 198.32.64.12 (Exchange Point Blocks)
      m.root-servers.net. 202.12.27.33 (The University of Tokyo)

      Verisign runs the .com and .net TLD name servers, not the root servers (well, they run two of the root servers, but not all of them). The .com and .net servers are:

      a.gtld-servers.net. 192.5.6.30
      b.gtld-servers.net. 192.33.14.30
      c.gtld-servers.net. 192.26.92.30
      d.gtld-servers.net. 192.31.80.30
      e.gtld-servers.net. 192.12.94.30
      f.gtld-servers.net. 192.35.51.30
      g.gtld-servers.net. 192.42.93.30
      h.gtld-servers.net. 192.54.112.30
      i.gtld-servers.net. 192.43.172.30
      j.gtld-servers.net. 192.48.79.30
      k.gtld-servers.net. 192.52.178.30
      l.gtld-servers.net. 192.41.162.30
      m.gtld-servers.net. 192.55.83.30

      Those are all run by Verisign Global Registry Services.

    4. Re:Registry/registrar changes by pod · · Score: 1
      The root DNS registry operator may not themselves be a DNS registrar

      You seem to be confused with the terms. There is no such thing as a DNS Registrar. There are Root DNS Server Operators and there are Domain Registrars. You can't register DNS.

      I think what you're getting at is that neither a domain registrar nor a TLD zone operator should run a root DNS server. And I would agree with that. I would go even further, and say that the three entities should be separated. Right now, Verisign runs a domain registry, controls the .com and .net TLDs, AND has a root DNS server.

      --
      "Hot lesbian witches! It's fucking genius!"
    5. Re:Registry/registrar changes by Todd+Knarr · · Score: 1

      I just haven't been too intimate with the actual servers in the last couple of years. When I was, the root servers really did serve up the .com/.net/.org zones directly. I think you're right, I should have said gTLD and ccTLD servers.

  52. Re:Versign does have to pay. Follow the money by Anonymous Coward · · Score: 0

    If you look at TLD Sponsorship contracts on the ICANN site you'll see that some of the things a TLD Sponsor must do are...
    Produce an accurate count of domains.
    Pay a per-domain fee to ICANN.

    Reposted cuz the format of these forums sux

  53. Six words... by zjbs14 · · Score: 1

    The web is not the internet.

    --
    No sig, sorry.
  54. they are just asking by john_uy · · Score: 1
    Recognizing the concerns about the wildcard service, ICANN has called upon VeriSign to voluntarily suspend the service until the various reviews now underway are completed.
    They are just asking for VeriSign to voluntarily suspend SiteFinder. In other words, they are not imposing anything on VeriSign and they can still continue the service. I think in this case, ICANN is helpless with what VeriSign is doing. This will go on even after ICANN has made the "necessary" studies.
    --
    Live your life each day as if it was your last.
    1. Re:they are just asking by Anonymous Coward · · Score: 0

      I suspect ICANN does not have the guts.

  55. Incorrect ARB response by Anonymous Coward · · Score: 0
    "The Internet Architecture Board issued this response to an ICANN inquiry about Verisign's SiteFinder service."

    The posted link & response are related to the IDN redirection changes VeriSign made months ago.

    This is not a response to the current SiteFinder service. Doh!

  56. Lily Tomlin said it all.. by geoff+lane · · Score: 1

    "We don't care. We don't have to. We are Verisign"

  57. I knew it.. by mlerner · · Score: 0

    Verisign is evil, taking over the internet!!

  58. Do they think DNS is just for HTTP? by linuxperformer · · Score: 1

    DNS is looked up for a thousand purposes besides HTTP. This is going to break a lot of programs I guess. It would have been less offending if they were doing this just for www.{*}.com lookups.

    1. Re:Do they think DNS is just for HTTP? by Progman · · Score: 1

      They can't. DNS is a delegated system. When you resolve www.somedomain.com, your DNS resolver queries the server authoritative for .com, which hands out the address(es) of the servers authoritative for somedomain.com. Your resolver then queries that server for www.somedomain.com. Verisign serves the .com zone, so it only sees a query for somedomain.com.

    2. Re:Do they think DNS is just for HTTP? by litewoheat · · Score: 1

      If a software engineer wrote something that will break when it gets garbage then that person needs to step away from the computer and go get a marketing job.

  59. Here is how you can express your frustration by thepacketmaster · · Score: 1

    while [ 1 ]; do wget -T 10 www.verisign-sucks-ass.com; sleep 1; done;

    --
    Luck is just skill you didn't know you had.

  60. Duplicity by gerardrj · · Score: 1

    I do applaud the ISC for patching BIND to eliminate this issue, but at the same time I am suspicious of another of their patches/features to DNS servers called "views".
    Views seem (to me) that they will cause similar effects to that of wild cards in the root domains: that answers will not exactly be consistent or authoritative depending on what you ask and where you ask it.
    In my opinion any use of the "views" functions of BIND are better handled by sub-domains.
    somesystem.mycompany.com would be used by all people outside the company, those inside would be on a different (sub)domain such as somesystem.intranet.mycompany.com.

    For example: an employee uses a laptop at work and the resolver returns 10.5.10.1 for the name www.mycompany.com. When that employee connects to the same DNS server from outside (working from a hotel) the resolver returns 66.35.250.151 for the same name.
    Now... the internal http server was running intranet specific services that are not on the public http server, what can the exec do? Now sure, you can say that this would only be used by those in the know who have already worked out all of this, but the point is, that it makes the DNS system return different results to different people, there is no one true correct answer any more. That is wrong.

    Granted, I've not thoroughly researched what exactly views do in BIND, but it certainly on the face seems to be covered by at least several of the points mentioned in the letters we've read from ICANN and the IAB, as well as numerous others here on /.

    --
    Article X: The powers not delegated... by the Constitution...are reserved...to the people
  61. robots.txt by Krashed · · Score: 3, Interesting

    Any site that sitefinder "helps" you with has a robots.txt file that disallows all agents. I am trying to access an old site of mine that was archived on the WaybackMachine and it won't let me access the old information now. Verisign must be stopped at all cost.

  62. Lets stop complaining and get involved by iamwahoo2 · · Score: 1

    With all the complaining we do here on slashdot about what companies do to OUR internet, we seem to do very little to protect our claim to this digital property. ICANN apparently encourages public involvement and I suggest that we all try to get involved in this and other internet organizations. ICANN also allows the public to participate in their meetings, supposedly via video conference. http://www.icann.org/participate/

  63. Where is the Opt-Out Function? by maleficarum · · Score: 2, Insightful

    Among my other big problems with the whole thing, is the following line in their Terms of Use, section 10:

    Sole Remedy.
    Your use of the Verisign services is at your own risk. If you are dissatisfied with any of the materials, results or other contents of the Verisign services or with these terms and conditions, our privacy statement, or other policies, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.

    Great.. and exactly HOW do *I* as the defined "user" do that?!

    When did I consent to verisign that I wanted to use their free service? and how would I tell them I don't WANT to use it?
    Anybody?!

    1. Re:Where is the Opt-Out Function? by Anonymous Coward · · Score: 0

      Try reading.

      The TOS states that you mistyped your query. It says that you can either re-submit your query using the same system you used originally (that is, type it into your web browser, presumably), OR you can use Verisign's search service. The TOS only applies if you go ahead and actually use the service.

      If you don't agree to use the service... retype your query.

      I agree that Verisign's move was bad, but I'm really getting tired of people beating the TOS horse to death when, as the TOS is actually written, it is a non-issue.

  64. Here ya go by gerardrj · · Score: 1

    For those who have upgraded/patched BIND to allow for the "type delegation-only" zones, here is a listing of all known publicly accessible TLDs configured for such operation.
    Simply put this in your named.conf, or use the new "include" operation and store these in a separate file.

    Due to the lameness of the lameness filter I can't post the list here. Get it from here. This is a plain text file signed with GPG.

    My web server should be able to handle the load since it's only a 16KB text file. Feel free to mirror it elsewhere.

    --
    Article X: The powers not delegated... by the Constitution...are reserved...to the people
    1. Re:Here ya go by newt · · Score: 1

      Your list has a bug - .de shouldn't be delegation-only.

      See http://www.isc.org/products/BIND/delegation-only.html

      - mark

      --

      -----
      I tried an internal modem, but it hurt when I walked.

    2. Re:Here ya go by gerardrj · · Score: 1

      Indeed. Apparently .museum should also be exempt from delegation only. That page seems to suggest that there may be other TLD root servers that will resolve rather than refer, and that this is desirable and trusted. Does anyone know how to determine this? Is it mostly just the smaller and newer domains like "museum", "aero", etc?

      I've removed those two from the list.

      --
      Article X: The powers not delegated... by the Constitution...are reserved...to the people
  65. Re:It used to be free (while tooth faires flew abo by Anonymous Coward · · Score: 0

    Free as in Free to the Applicant.

    You and 99% of all readers should have been able to interpret what I meant by "free".

    Idiot.

  66. At least 15 different TLDs are doing this by Gnavpot · · Score: 3, Informative

    In a quick search I found 12 two-letter TLDs doing the * thingy:
    .ac, .cc, .cx, .mp, .nu, .ph, .pw, .sh, .td, .tk, .tm and .ws

    Including .com, .net and .museum this makes 15 TLDs.

    The search was done using this very clumsy one-liner:
    for b1 in a b c d e f g h i j k l m n o p q r s t u v w x y z ; do for b2 in a b c d e f g h i j k l m n o p q r s t u v w x y z ; do host asqerdfqewrd.$b1$b2 >> dom.txt.slet; done; done

    (I wonder if there is a character equivalent for 'seq 1-27'.)

    1. Re:At least 15 different TLDs are doing this by Anonymous Coward · · Score: 0

      Well, not much shorter is:

      seq 26 | perl -ne 'printf("%c",96+$_)'
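
An added example, not code from the thread: it extends the probing one-liner in comment 66 and connects it to the "type delegation-only" zones discussed in comment 64. It probes with two random labels per TLD instead of one fixed label, treats a TLD as wildcarded only when no probe returns NXDOMAIN, and prints named.conf stanzas for the result minus the exemptions named in that thread (.de and .museum). The function names are hypothetical, the sample `host` output is constructed, and the 192.0.2.x addresses are documentation placeholders; 64.94.110.11 is the address quoted elsewhere on this page.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Live probe: look up two random labels under each TLD given as an argument.
# Needs network access and the `host` utility; the offline demo never calls it.
probe_tlds() {
    for tld in "$@"; do
        for n in 1 2; do
            # 16 random characters: very unlikely to be a registered name.
            label=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 16)
            host -t A "$label.$tld" 2>&1 || true
        done
    done
}

# Read `host` output on stdin and print "tld address" for each TLD where at
# least two probe names resolved and none of them came back NXDOMAIN.
wildcard_tlds() {
    awk '
        / has address / {
            n = split($1, part, ".")
            tld = part[n]
            hits[tld]++
            if (!(tld in addr)) addr[tld] = $4   # first address seen
        }
        / not found: / {
            # Format: "Host <name> not found: 3(NXDOMAIN)"
            n = split($2, part, ".")
            misses[part[n]]++
        }
        END {
            for (tld in hits)
                if (!(tld in misses) && hits[tld] >= 2)
                    print tld, addr[tld]
        }
    ' | sort
}

# Turn "tld address" lines into BIND delegation-only stanzas, skipping the
# TLDs named as arguments (zones that should not be forced to delegate only).
delegation_only_conf() {
    exempt=" $* "
    while read -r tld _addr; do
        case "$exempt" in
            *" $tld "*) continue ;;
        esac
        printf 'zone "%s" { type delegation-only; };\n' "$tld"
    done
}

# Constructed probe results: com, net and museum answer for every random
# label, org answers NXDOMAIN, and info has one probe of each kind.
sample_probe_output() {
    printf '%s\n' \
        'k3x9q0zt7w1m5b2c.com has address 64.94.110.11' \
        'p8d4h6r2v0n7j1ys.com has address 64.94.110.11' \
        'k3x9q0zt7w1m5b2c.net has address 64.94.110.11' \
        'p8d4h6r2v0n7j1ys.net has address 64.94.110.11' \
        'Host k3x9q0zt7w1m5b2c.org not found: 3(NXDOMAIN)' \
        'Host p8d4h6r2v0n7j1ys.org not found: 3(NXDOMAIN)' \
        'k3x9q0zt7w1m5b2c.info has address 192.0.2.80' \
        'Host p8d4h6r2v0n7j1ys.info not found: 3(NXDOMAIN)' \
        'k3x9q0zt7w1m5b2c.museum has address 192.0.2.10' \
        'p8d4h6r2v0n7j1ys.museum has address 192.0.2.10'
}

# Offline demo: detect wildcards in the sample, then emit stanzas with the
# exemptions from the thread applied.
sample_probe_output | wildcard_tlds | delegation_only_conf de museum
```

For a live check, replace `sample_probe_output` with `probe_tlds com net org` (or any other list of TLDs) and review the output before including it in named.conf.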

  67. Re:It used to be free (while tooth faires flew abo by dissy · · Score: 2, Insightful

    > > Also verisign makes it money by selling domain names. Recall that they used to
    > > be free at one point.

    > Assuming you're young enough to buy into a theory calling government services
    > "free."

    Why assume that?
    It's free as in $0 /year.
    When you were done with a domain, you sent in a form to deactivate it. Same form you sent in to register it in the first place.

    I can't remember when this change over happened exactly, but it was the early 90's.
    (I want to say 1993 but my memory is very shaky there.. shouldn't be hard to look up if you care)

    Then they started charging $50/year until the late 90's when they lowered that price to $35/year.

    They also for the longest time, starting when they first charged money for domains, that a domain must be paid for at least for 2 years.
    I think NetSol may still do this (I haven't used them in forever)

    It was the alternate registration services that first started allowing 1 year registrations.

    Oh by the way. All of this was from InterNIC, who was appointed after the ArpaNet became the Internet, so it had very little (Read: none at all) to do with a government service at this point.

    Even the government service on arpanet before DNS was free.
    You simply emailed the guys with the master internet-hosts file.
    They add your records (host to IP)
    Then you wait about a week for everyone on the internet to download the new file and update their machines with it (Yes it was a totally manual process)

  68. Implementation Changes... by pabl0 · · Score: 3, Informative
    This appeared on the NANOG list about an hour ago. Seems they are at least addressing some of the problems that this has caused with mail services. Please don't go flaming this person's e-mail address. Consensus on list is that he's a "good guy making the best of a bad situation".

    Unfortunately, despite the fact that they say they aren't collecting e-mail addresses, for the community at large the issue is we now have to trust them to continue to honor that promise. Considering their actions in implementing SiteFinder in a most irresponsible fashion, I'm not sure that trust would be well placed.

    Date: Sat, 20 Sep 2003 14:01:39 -0400
    From: Matt Larson
    To: nanog@nanog.org
    Subject: VeriSign SMTP reject server updated

    Folks,

    One piece of feedback we received multiple times after the addition of
    the wildcard A record to the .com/.net zones concerned snubby, our
    SMTP mail rejection server. This server was designed to be the most
    modest of SMTP implementations and supported only the most common
    sequence of SMTP commands.

    In response to this feedback, we have deployed an alternate SMTP
    implementation using Postfix that should address many of the concerns
    we've heard. Like snubby, this server rejects any mail sent to it (by
    returning 550 in response to any number of RCPT TO commands).

    We would like to state for the record that the only purpose of this
    server is to reject mail immediately to avoid its remaining in MTA
    queues throughout the Internet. We are specifically not retaining,
    nor do we have any intention to retain, any email addresses from these
    SMTP transactions. In fact, to achieve sufficient performance, all
    logging has been disabled.

    We are interested in feedback on the best way within the SMTP protocol
    to definitively reject mail at these servers. One alternate option we
    are considering is rejecting the SMTP transaction by returning a 554
    response code as described in Section 3.1 of RFC 2821. Our concern is
    if this response effectively causes most SMTP servers to bounce the
    message, which is the desired reaction. We are researching common
    SMTP servers' handling of this response code; at least one popular
    server appears to requeue mail after receiving 554. Another option is
    remaining with the more standard SMTP sequence (returning 250 in
    response to HELO/EHLO), but then returning 550 in response to MAIL
    FROM as well as RCPT TO.

    I would welcome feedback on these options sent to me privately or the
    list; I will summarize the former.

    Matt


    Are we having fun yet?
  69. Re:It used to be free (while tooth faires flew abo by 87C751 · · Score: 1
    Then they started charging $50/year until the late 90's when they lowered that price to $35/year.
    Not quite. Once NetSol began charging for domains, it was always $35 a year, but initially NetSol required a 2-year term plus a $30 setup fee to register a domain. That persisted at least into 1996, when I registered my first one.
    --
    Mail? Put "slashdot" in the subject to pass the spam filters.
  70. Re:It used to be free (while tooth faires flew abo by dissy · · Score: 1

    Hmm.. I do know there was a period where it was $50/year.
    I paid $100 to register and $50 twice for two renewals before they lowered their price, at which time I paid $35 on the next statement.

    Maybe they were adjusting it and I missed the 35/yr w/ 30 setup.
    I didn't register a lot of domains myself, but I worked at an ISP from 1995 till 2002 and never once heard of the pricing plan you outline.
    Doesn't mean it didn't happen and you aren't correct, I just find it strange no customer complained about it (As they did for each other time they changed their pricing)

  71. Re:It used to be free (while tooth faires flew abo by Anonymous Coward · · Score: 0

    OK, at the risk of repeating myself, you seem to be under the delusion that government services are free.

    Let me disambiguate. The only reason domains and DNS used to be 'free' is because the government ran the services. These services were in fact paid for by you, and by people who never even heard of the Internet, in the form of taxes. Is this clear enough for you now? Do you propose turning over any other businesses and industries into the hands of 'the people'?

  72. Re:It used to be free (while tooth faires flew... by Nightlight3 · · Score: 1
    > Assuming you're young enough to buy
    > into a theory calling government services "free."


    Why assume that?
    It's free as in $0 /year.


    If you wish to call government bought computers and government paid employees "free" then it was "free." Otherwise, the current system simply makes the immediate beneficiary of the service pay for it instead of spreading the cost over all the taxpayers -- a more fair and less wasteful scheme.

  73. Re:It used to be free (while tooth faires flew abo by Cramer · · Score: 1

    Jez, you people need to defrag your brain...

    Domain names were never free. You were simply never charged for them. The NSF entrusted Internic with running the domain service. They were allowed to charge for domain registrations (and actually claimed to do so) but didn't do so for years. When they did start charging, they only billed the initial cost (2 years up front) and never sent bills for renewals. As I recall, domains were 100$ per year then. Increasingly greedier people have been running the system ever since -- the cost of running DNS for .com and .net is an insignificant fraction of the money collected for domain registration and renewal. Network Solutions (Verisign) is just pissed off that they don't get to set the price for domains and collect their billions every year. (35$/yr x how many million domains?)

    (Internic started charging only after the costs began to exceed the amount NSF was paying them.)

  74. Re:BIND and soundex... DUH, NO by IBitOBear · · Score: 1

    DNS isn't the web. There is no "user" just sitting there to be queried for virtually any of the transactions.

    Are you going to pay an outsourcing company in India big bucks to sit and preview each of the spam attempts that pass through your ISPs email system to check if there is a SOUNDEX match to each mention of a DNS-resolved element?

    Hyperbole? Mayhaps, but well deserved.

    OK, so you go to this site, say "slashdot.org" but you type "slsahdot.org". The site has 70 graphics and insets on the page, all targeted by "relative" links. So, you will want to have the DNS support in your computer pop up the same "did you mean slashdot?" dialog box 71 times?

    Remember that the DNS system isn't *IN* the browser. So the fact that you told the DNS system which IP address you wanted (by picking the right one out of the SOUNDEX list) it has no means of going back into the browser and telling it to stop asking for what you asked for.

    You basically have violated the first principle of design. You asked "couldn't we just (something)" without even understanding the most basic divisions of labor/effort and therefore, the implications of your proposed action.

    You presumed that since you only directly interact with the system in one way, that being your browser, that all interactions with all people (including yourself) using the system follow a similarly interactive model.

    Or even simpler: which "search engine" should get to pick where I go to validate the security for this web page before I send my credit card information off?

    Or even simpler: "Ikea" or "Ike & Leah", either way, I expect if I send them my credit card info, I'll get a nice floor lamp.

    Or even simpler: when Bank of America sends your electronic funds transfer for your mortgage off to "your" mortgage company, do you want it to be "guessing" between ranked alternatives as to which bank gets your money?

    The mind boggles.

    "I think the phone book, when you open it, should decide which numbers to give you because all these people are the same."

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  75. Not here. by PCM2 · · Score: 1

    I'm on Earthlink DSL in San Francisco (nee Mindspring) and I'm still getting Verisign.

    --
    Breakfast served all day!
    1. Re:Not here. by bruns · · Score: 1

      Check your name servers - the ones I have are 207.69.188.186/187.

      --
      Brielle
    2. Re:Not here. by bruns · · Score: 1

      Ugh, amazing. The Earthlink DNS servers are resolving sitefinder now. UGH

      --
      Brielle
  76. The link is wrong, the correct link is by cerberusti · · Score: 1

    http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html

    This is the actual IAB Commentary on Verisigns recent activity. The link the article gives is not correct.

    --
    I'm a signature virus. Please copy me to your signature so I can replicate.
  77. Money? by rabtech · · Score: 1

    To the people whining and moaning about money, shut up.

    Verisign gets $6 per year PER DOMAIN from all of its registrars. That means godaddy, tucows, register.com, and all the others pay Verisign $6 for every single domain registered in the .com and .net spaces. That is a LOT of cash and more than enough to cover the bandwidth and server bills.

    This is also why you won't see domain name registering services ever drop below $6-10. They must pay the $6 fee, and also have enough left over to make a profit.

    --
    Natural != (nontoxic || beneficial)
  78. check this site out by Anonymous Coward · · Score: 0
  79. Block VeriSquat? Check. by danielsfca2 · · Score: 1
    The other day it looked like Comcast had blocked SiteFinder. Today, though, I had it come up once, and I knew it was time to add it to my router's block list. So far on the list (which blocks any URL containing these strings):

    sitefinder.verisign.com
    <off-topic>gator.com
    whenu
    goatse
    kazaa.com
    ezula
    toptext
    cydoor

    Of course, I'm running MacOS X, so I don't have to worry about those cheesy spyware apps, I have to protect my bandwidth, and save my clueless Windoze roommates from themselves. :-) </off-topic>

  80. Brad Verd - DNS Operational Loser Manager by Anonymous Coward · · Score: 0

    What a fscking redneck, whitetrash, brown-nosed, backcountry, sleazy, divorced arsehole this guy is. They should fire this guy and put someone in there who can actually read an RFC, understand DNS internals, and won't spend all his time chasing skirt around the office while showing off his own vagina . What a bunch of losers we've got running the biggest tld - run away to .org or make your own big-ass host files yourselves!

  81. Blah! by Roger_Explosion · · Score: 1

    God dammit, what pisses me off most is even if verisign stop today ( and I am convinced they will be forced to stop in the next week or so ), a lot of damage has already been done. They've harvested *millions* of mistyped domains, run statistical software over it, and harvested the most profitable. They have done the same thing with emails, and have generated vast lists pertaining to certain interest groups, and will sell them on to large marketing concerns. Verisign's own site states that they monitor all traffic to their servers. URGE TO KILL...*RISING*!

  82. 64.94.110.11 being returned for VALID DOMAINS!! by bduncan · · Score: 1

    I'm wondering if anyone else has been having similar problems with Verisign this week. I made a simple change to add a new nameserver to the existing five nameservers for six domains I administer. Everything looked fine; their web interface confirmed the changes.

    The next morning, all h*ll broke loose, as the root nameservers were now returning the infamous 64.94.110.11 on these valid domains!! Checking the whois database revealed that the nameserver addition had not taken place, but the previous five nameservers were still there and still valid. Checking with the Verisign web interface showed the same five nameservers. Nevertheless, the root nameservers were acting as though these domains did not exist!!

    I have 46 domains registered with Verisign and have been using Network Solutions for ten years. This qualifies me as a "VIP" client I guess. So I've been calling the VIP hotline for two days now and have five trouble tickets, to no avail. They can see the problem, they admit that it's a Verisign problem, but all they can say is that it may take five to seven days to fix!!

    I've spoken with people who say they are in Pennsylvania and they can't talk directly to the engineers because "they're in Virginia". And I've spoken with people in Virginia who say they can't talk with the engineers because they're in Pennsylvania!

    Meanwhile, whois is returning valid information while the root domain servers are just serving up the wildcard. I'm stuck and being held hostage by Verisign...

    Anyone else in the same boat??

  83. Analysis of the JavaScript by Anonymous Coward · · Score: 0

    Has anybody analysed the JavaScript to determine what it does, not really got a lot of patience for this sort of thing, but it strikes me that all these dynamic pages have tonnes of script in them.

    What also worries me is this script could be changed at any time to carry out other functions and we probably would not be aware of it.

  84. There is a slashdot user... by pr0ntab · · Score: 1

    who copied and pasted your post above into
    A new verisign thread and got +5.

    FYI, plagiarism by trolls is alive and well.

    --
    Fuck Beta. Fuck Dice
  85. fully compliant with every RFC by Anonymous Coward · · Score: 0

    Gee, time to write a new RFC then.

  86. what I want to know is... by Anonymous Coward · · Score: 0

    if you fed ex'd it to the wrong address, would it still end up there?