ICANN, IAB Ask VeriSign to Suspend SiteFinder

dmehus writes "ICANN issued an advisory late today concerning VeriSign's controversial SiteFinder service. The advisory requests that VeriSign voluntarily suspend SiteFinder until various independent and objective reviews, which are now underway, have been completed. Interested parties should see the advisory for more details." I think most people here can agree it was a bad idea, although it's not generating revenue for most of us either. ICANN isn't alone here either. Nuclear Elephant writes "The Internet Architecture Board issued this response to an ICANN inquiry about Verisign's SiteFinder service."

This isn't really new.

[windows]

Forgive me if I'm being idiotic about this, but relatively recently, the .museum TLD went live. It's just like any other TLD except that domains that don't exist diect you to a page saying the domain doesn't exist and with a couple of links. It's not very different than Verisign's SIteFinder, but there's little to no outcry over this. I'm curious because a lot of the objections about SiteFinder should also be true about the .museum TLD. What's different here?

Not a "best guess" system

[Crimplene+Prakman]

In common with the majority of internet protocols, DNS is not a best-guess system, it is a technically accurate way of transferring information, with correct failover mechanisms. From the article:

As a lookup system, the DNS is designed to provide authoritative answers to queries.

And later...

The DNS is not a search service, and presenting speculative mappings based on HTTP inputs is not the service that the registry is expected to provide.

And later still...

To restore the data integrity and predictability of the DNS infrastructure, the IAB believes it would be best to return the .com and .net TLD servers to the behavior specified by the DNS protocols.

That seems to wrap it up really. I doubt any further studies will find differently, unless Verisign follows the apparently accepted way of paying for a biassed study......

IAB response isn't

[Frater+219]

"The Internet Architecture Board issued this response to an ICANN inquiry about Verisign's SiteFinder service."

Actually, if you read that article you will find that it is dated January 25 and is a response to another Verisign screwup. That one was similar to the present one, but had specifically to do with "internationalized" domain names -- DNS records for strings with characters above ASCII position 127.

Historians find it important to check the dates of events and documents, so they can know which ones could possibly be responses to which other situations. For instance, an American comedian telling anti-French racial jokes in August 2001 could not possibly be responding to the French objection to Bush's war. Similarly, a document released January 25 2003 cannot be a response to a situation that arises the following September. Time just doesn't work that way.

Old IAB response

[zjbs14]

People keep quoting that IAB response, but if you look at the date and actually read it, you'll see it's from back in January. And it was in response to Verisign's proposed wildcarding of only domains that contained non-ASCII characters, not all domains. Their point was that wildcarding based on a character set was against standards.

So I guess Verisign interpreted that as "we better wildcard everything then."

Get the latest version of BIND

[AchmedHabib]

Get the latest version of BIND to block that Verisign junk. go here
Now all it needs is support for the Evil-Bit in TCP/IP

Real IAB Response

[bigal123]

The response in the orignal article links to something old. Here is the IAB's offical reponse. The bottom has a whole section on "Principles, Conclusions, and Recommendations" Good reading http://www.iab.org/documents/docs/2003-09-20-dns-w ildcards.html

Re:So who gets the money ?

[warkda+rrior]

DNS is not distributed, it is hierarchical. The queries travel up the tree (where the client first queries the ISP which is a leaf in the DNS tree), until the reach the top level DNS. Someone has to be at the top and manage the top level DNS. Of course, it does not have to/should not have to be Verisign...

Re:I'd love to have been a fly on the wall...

[squiggleslash]

No, not at the DNS level. At the DNS level, NXDOMAIN should be returned for domains that do not exist. www.sjnnasdfdfjksdfdndajkadjndks.com is NOT a valid name for a machine in Verisign and should never be resolved to a machine in Verisign. If you misuse wildcards to point domains at machines they're not valid for, then it becomes impossible to automatically detect errors.

While theres some legitimacy in saying "I want every email ending in .isp.net to get directed to mail.isp.net so that all my customers can have subdomains, so I'll use a wildcard for that" despite that resulting in misspellings going to that machine too, there's no such excuse with the Verisign grab. Verisign's wildcard never matches legitimate sites, and it's at such a high level that third parties will regularly be inconvenienced. It's worth noting that every paper I've read on wildcards specifically advises against using them if possible.

I have one domain at work I maintain that uses one, and we only use it because we know that if we have to get our technical services people and the DNS server company we contract the thing out to to change it for each additional subdomain we add, then it's going to get messy. I'm not happy about it, and if I could manage the name server directly, I'd do that instead.