ICANN Asks VeriSign To Stop DNS Wildcarding
MrClever writes "In this article over at the Sydney Morning Herald (AU), it looks as though ICANN may actually be doing something about the VeriSign changes to .com and .net TLD's. Apparently, while they have been noticeably quiet, they have been reviewing community reaction and analysed data from a technical perspective. Here's hoping ICANN pull the plug on VeriSign's TLD administration rights!" And TALlama writes "RSS.com.com (dear $DIETY, will it ever stop?) is reporting that ICANN has asked VeriSign 'to voluntarily suspend the service' of wildcarding DNS, 'pending further study.' Calling it a 'service' is a little bit of a misnomer. If I punch people in the face, can I call that a service, too?"
Posters Ask Slashdot To Stop Dupe Posting
What's been changed?
/.ers will start reading articles... maybe the trolls have all gone...
Perhaps
Apparently Timothy is a Dork
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
"If I punch people in the face, can I call that a service, too?"
Yes, because so many people need what you are selling.
how we always get the news late here? I swear...
In any case, it gives me the perfect opportunity to announce the start of my 'punch ICANNt do anything board directors in the face' service.
If the people you are punching are the one responsible at VeriSign for the SiteFinder "service", I would call it service for sure.
(ICANN) has asked VeriSign to voluntarily suspend changes it made to domain name service zones that have resulted in most mistyped .com and .net domain names being redirected to its own site.
I predict the most common misspelling of VeriSign.com will be VerySued.com
Would you call it a service?
Shit! There's this red vortex on my computer, get it away!
ICANN said it is investigating complaints over the wildcard service and asked VeriSign to pull it pending further study. The service effectively replaces the common "404 page not found error" that until now has been the default for absent Web addresses.
404? A HTTP response from a DNS request? Please get your facts straight com.com...
If I punch people in the face, can I call that a service, too?
If anyone asks for it, and/or likes it, yes. Even if someone asks you to punch someone else in the face, you'd still provide a service, just not to the punchee.
All errors in this comment are mine. Corrections are considered a derivative work, and punishable under copyright law.
I prefer my spamfilters intact.
I prefer that my redundant mailservers actually get used.
Do some reading before trying to justify what's been done.
The wildcard "service" is certainly causing problems for many admins. It's glad to know ICANN is doing something about it. Anyway, I personally think VeriSign will still stop this "service" anyway without ICANN interfering because of public pressure.
The Sydney Morning Herald is not known for original reporting, everything is duplicated in the Melbourne Age for starters...
Loop:
Slashdot reports story, smh reports story, slashdot reports smh reporting (slashdot story), smh reports story again (cos Slashdot did).
Repeat until servers full.
-- it must be true, it's on the internet.
Could somebody be kind enough to explain what "wildcarding DNS" is?
--- Sigmentation Fault - Comments Dumped
For starters, sitefinder doesn't find the slashdot site!
It isn't nearly as helpful or reliable as google (even if google is censored a bit).
It causes me to download more stuff than I would if they didn't have the diversion abusing my bandwidth and data allowances that I have to pay for.
I can turn the msn search in IE off. I turned the sitefinder.verisign.com off by modifying my hosts file but that isn't easy for most of the customers I support.
-- it must be true, it's on the internet.
Or perhaps that story actually linked to an article written in January, and this one is actually about a direct response. *gasp*
You're new here, aren't you? It's been in a decline for 5 years.
-AX
^I'm with stupid.^
Wake me up when it escalates to wrist-slapping.
One line blog. I hear that they're called Twitters now.
I did, but I thought it was just because I turned back on Timothy stories.
If hackers/spammers could compromise any TLD name server, wildcards or not, I think we could see a fair bit of disruption.
One line blog. I hear that they're called Twitters now.
hey look you did both whore
The IAB has issued a set of guidelines for the use of DNS wildcards.
Essentially, they say it's a very bad idea, but you can do it with the informed consent of all delegates in your zone.
You must be new here. /., we take pride in pointing out spelling mistakes ;)
At
</Flamebait>
Well let's hope for once ICANN actually does something rather than just letting people get away with it. Of course ICANN isn't that well respected but more so than Verisign
Rus
Cheap UK and US VPS
Unregistered domains now return a plain, comforting error page instead of SiteFinder. Which is nice.
You package Kylix and Qixite for crissake. You aren't qualified to judge what's good.
For the spambots: brovienas@mailsurf.com
NuNames, the provider of domain names for the island of Niue, has been doing this for a long time. Will ICANN ask them to stop too?
If we all add this command:
;p
iptables -I INPUT -s 69.94.0.0/15 -j REJECT
maybe that will get Verisign's attention
After all, there's nothing they can do about people blackholing them for a good long while until they say they are sorry. As a penalty they should lower the prices of their domain registration, to something competitive.
Mais cltis
Well Americans would never agree to help suffering and dying people unless they think they are going to benefit. Like most fascist states America hates helping people in need. So in order to justify helping Africans, of all people, he has to make it sound like if he doesn't they will kill you. Sort of like how he turned some third world dictator into worse than hitler. heh.
I'm still not having this problem. If I browse to http://notarealaddressatall2323.com, my browser just says "Looking up host" and then eventually returns an error.
I've never actually seen this happen. Is it possible that my provider (Earthlink) has blocked this in their own DNS servers?
>dear $DIETY, will it ever stop?
File not found. Bad command or deity.
Have you seen the episode of Star Trek where they land on this planet that is so filled with people they're all outside the window shoulder to shoulder flailing. So some head guy on the planet steals some disease from the Enterprise to infect his planet so people will start dying... While suffering may not be necessary, death is absolutely necessary to stability. Even a -1 mongoloid like you should have watched the Lion King once, you fucking child.
Miilais caaliitis
that is, if i did a page that generated infinitely random addresses(like, 1000 at one go, then link back to itself) would the bots follow the addresses to there every time?
:)
i'm not saying that somebody with a popular page should do this.. but
world was created 5 seconds before this post as it is.
At first I was kind of pissed about what they did, but what is it really hurting? Anything that relies on a dns failure could easily be changed to accept a failure or a response involving that ip.
Although I know they will never release any stats on the kind of hits they are getting to that ip, it would be an interesting study. I would be interested to find out what the most misspelled domain is.
Of course you can sell your Punch in the Face services. Such services have traditionally gone under names such as
Now, this analogy actually does continue. You, as a sysadmin or someone writing a script that uses DNS, might not really like this service. Just like someone who is trying to take celebrity photographs might not like the Punch-in-the-Face service. But the fact is that this service is provided. And that there are a LOT of people who not only don't see this as a problem - but like it. Or at least think they do.
That is why Verisign thinks they can get away with this - the average person sees a benefit here and sees no drawbacks. The average person watching a boxing match also just sees the benefits and not the drawbacks. Until it is made clear why this isn't as good as it appears, nobody will care. Chances are, nobody will care anyway.
"If I punch people in the face, can I call that a service, too?"
Some people already offer this service.. Looks like you have some competition.
I don't understand why anti-spammers should be so upset by this. Why can't the software recognise that when an address ends up pointing to http://sitefinder.verisign.com, it obviously ain't legit?
Have any of you read the "terms of use"? http://sitefinder.verisign.com/terms.jsp What a load of bollocks - do they seriously want us to believe that being redirected without our control to some bogus directory site is a legally binding agreement?! Go fsck yourselves Verisign!
Forget thrust, drag, lift and weight. Airplanes fly because of money.
People who grew up on a farm will understand what I mean.
CEE5210S The signal SIGHUP was received.
Many spammers fake domain names. Spam filters check to see if the domain is real and will reject bogus emails. VeriSign broke that by making all domains valid.
In addition to web traffic, they are also intercepting email traffic. So if you mistype an email address, they will get the email and keep it and you won't get a bounce.
The Register has an article about how VeriSign Broke My Printer.
The Register also reported that VeriSign is using Web Bugs.
-- Don't Tase me, bro!
Your parent gave a very good answer to my question (its parent) on what DNS wildcarding actually is, in contrast with the cryptographic descriptions I discovered while googling. So I personally don't think there's a reason for modding down.
--- Sigmentation Fault - Comments Dumped
Well in Oz we have a 10% Goods and Services Tax (GST) - so technically you would have to give 10% to the government too.
Q.
Insert Signature Here
Hi,
There's a petition available. Now I don't know exactly how effective it will be, but signing is more effective than not.
http://www.whois.sc/verisign-dns/.
rgds
Alan
Tequila - drink of the gods.
...and hang tough.
After all, the IAB says here that "We must emphasize that, technically, this was a legitimate use of wildcard records that did not in any way violate the DNS specifications themselves."
If the decision-makers at Verisign cared about good engineering practice, they wouldn't have done what they did.
They probably regard their own actions as just "sharp business practice" and are probably patting themselves on the back for having found a loophole in the DNS specification that they can use for their own profit.
I don't think jawboning from ICANN, the IAB, or anyone else will have much effect. I don't see how anyone short of the Feds can stop them.
I mean, they have contracts with their SiteFinder advertisers. There's money at stake here.
"How to Do Nothing," kids activities, back in print!
There is an available patch for BIND 8:
This page provides a patch to BIND 8 to ignore the wildcard A record Verisign is now returning for unregistered .com/.net domains. It was cooked up over 10 minutes of pure anger and has not been properly tested; it would be better to be able to specify which IPs to ignore in the configuration file. Suggestions or improved patches are very much welcomed. (Note that this patch causes SERVFAIL results; NXDOMAIN would be better, but I'm not that well versed in the BIND code.)
This patch was made against BIND 8.4.1.
..simply spellcheck their submissions before publication? Ispell catches $DIETY fine.
If you punch the verisign ppl in the face, you can bill me.
"If God created us in his own image we have more than reciprocated." - Voltaire
I've lost count of the number of times I've seen people in /. write "why didn't they just ask x to stop y". Well now somebody has.
By George, you've got it! Why didn't Netscape just think to ask Microsoft to stop crushing it to death? Why didn't the RIAA just simply ask Napster to cut it out?
Who's the idiot who even invented civil court procedures? ALL WE EVER HAD TO DO WAS ASK!
:P
Does anyone have any problems with that?
Because it's evil. And this is coming from the guy who wrapped his neighbor's cat in shrinkwrap.
Their http://sitefinder.verisign.com is clean and nice page (much like Google).
It isn't very good. Even though Google isn't as good as it used to be, it's still better than this search engine that can't find Verisign.com, let alone any of the sites I actually WANT to find.
They provide people with nice search page.
No they don't. They provide us with a bad search page and a captive advertising audience on domains they don't own.
MS Internet Explorer does almost exactly the same.
It does? When I get an error, it gives me a page with a list of suggestions that don't work. No search engine.
Basically the people who are affected by this mostly are MS Internet Explorer users - they get non MSN based search instead of MSN one.
I don't get an MSN page to come up. Ever. There's an option for that, but it was turned off when I installed, and I never turned it on.
And even if they put some ads later, is there anything wrong with that?
That's like me putting my advertisements up on a billboard that was built, but hasn't been leased yet. The difference is, if I did that, I'd be in jail.
And you can easily disable this on your machine (/etc/hosts)
Easily for what proportion of the people on the internet who don't want this site?
To start with, only A records resolve to the Verisign servers. MX records don't resolve to anything.
However, most mail servers will try the A record if the MX record doesn't exist. Verisign have set up a server running Postfix which responds with: 550: Client host rejected: The domain you are trying to send mail to does not exist.
At this point, the mail server sends a bounce message and does not pass your e-mail to Verisign.
This is still broken, bad, wrong and evil, but they are not intercepting your mail. Yet.
Predictive text is shiv!
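Added example, not part of the thread: a small offline simulation of the sender-domain check and the MX-to-A fallback described in the comments above, showing why a registry wildcard makes every forged .com sender look real and how probing random names exposes the wildcard address. The zone data, the 192.0.2.1 wildcard address and all function names are constructed placeholders, not VeriSign's actual values.

```python
import secrets

# Constructed sample data (documentation address ranges, not real hosts).
WILDCARD_ADDR = "192.0.2.1"   # placeholder for the registry's wildcard A target
REGISTERED = {
    "example.com": {"A": ["198.51.100.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["198.51.100.25"]},
    "nomx.com": {"A": ["198.51.100.40"]},          # registered, no MX record
}


class NXDomain(Exception):
    """The name does not exist."""


def lookup(name, rtype, wildcard):
    """Toy resolver. With wildcard=True the registry synthesizes an A record
    (and only an A record) for every name under an unregistered domain."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return list(REGISTERED[name].get(rtype, []))   # empty list = NODATA
    # Names below a registered (delegated) domain are answered by that
    # domain's own zone, so the registry wildcard never applies to them.
    delegated = ".".join(name.split(".")[-2:]) in REGISTERED
    if wildcard and not delegated:
        return [WILDCARD_ADDR] if rtype == "A" else []
    raise NXDomain(name)


def mail_targets(domain, wildcard):
    """Addresses a mail server would try: MX hosts first, otherwise the
    domain's own A record (the fallback mentioned in the thread)."""
    hosts = lookup(domain, "MX", wildcard) or [domain]
    addrs = []
    for host in hosts:
        try:
            addrs += lookup(host, "A", wildcard)
        except NXDomain:
            pass
    return addrs


def sender_domain_exists(domain, wildcard):
    """The naive spam-filter test: does the sender's domain resolve?"""
    try:
        return bool(mail_targets(domain, wildcard))
    except NXDomain:
        return False


def detect_wildcard(tld, wildcard, probes=3):
    """Resolve random labels nobody could have registered. If every probe
    returns the same address set, that set is the wildcard target."""
    seen = set()
    for _ in range(probes):
        try:
            seen.add(tuple(lookup(f"{secrets.token_hex(16)}.{tld}", "A", wildcard)))
        except NXDomain:
            return set()
    return set(seen.pop()) if len(seen) == 1 else set()


def sender_domain_exists_filtered(domain, wildcard):
    """Same test, but answers equal to the wildcard target count as absent."""
    bogus = detect_wildcard("com", wildcard)
    try:
        return any(a not in bogus for a in mail_targets(domain, wildcard))
    except NXDomain:
        return False


if __name__ == "__main__":
    for wc in (False, True):
        for dom in ("example.com", "nomx.com", "forged-sender-zz.com"):
            print(f"wildcard={wc!s:5} {dom:22} naive={sender_domain_exists(dom, wc)!s:5} "
                  f"filtered={sender_domain_exists_filtered(dom, wc)}")
```
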
...one of you illiterate mongs don't like what a post says, doesn't make it flamebait!
Whoever down-modded me will have his/her stomach grilled in Hell!
Once Verisign quits doing it, I revert to the damned MSN page every time there's a type-o.
Why isn't anyone bitching about MS?
...complete with amusing photographs of "stolen" tradenames. www.somenonexisting.ph
If you go this site that we forced you to go to, then, by default, you agree to our terms. BULL SHIT!
Note, however, that they do get to keep the from address that you send them.
Predictive text is shiv!
So, what happens when Verisign gets its website hacked again? I would think that this would be a prime target for anyone who wants to get attention. It's just a matter of time.....
From Joseph Heller's Catch-22:
"If dropping bombs on the enemy was not a special service, he reflected aloud frequently with the martyred smile of sweet reasonableness that was his loyal confederate in every dispute, then he could not help wondering what in the world was."
-Gen. Peckem
Hackers could crack the DNS servers. The Internet could be seriously screwed. Better switch to Linux.
Yeah, that follows.
(Score: -1, Stupid)
ICANN has no teeth. VeriSign is a 12,000,000 pound gorilla, and might just take the TLD away from ICANN, not the other way around.
Actually they intercept any traffic that attempts to resolve .net and .com addresses against their DNS servers. This could break all sorts of things, internet search engines, FTP clients, IRC server networks and clients, some mirroring services, and the list goes on. This move by Verisign represents a major change in the basic functioning of the internet, and many of the repercussions may not be completely apparent for some time. For instance, what is the additional cost of transferring relatively big (in bytes) webpages as opposed to efficient error responses?
(Score: -1, Stupid)
Those who think you can not make a buck hitting people have not watched the old 80's and 90's televangelists 'heal' people by hitting them in the head. And to complete the financial transaction, these 'healed' people give the evangelist money for the privilege of being hit while up on stage!
Then there is always the bouncer at your local bar. He provides a service that frequently involves punching people.
Never meddle in the affairs of dragons,
for you are crunchy and good with catsup.
Marzipan!
... (punches-in-the-face).
YOU ARE THE OFFICIAL WINNER OF _ONE_MILLION_
THAT'S RIGHT! Come outside right now to collect your ONE MILLION (punches-in-the-face). I'm hiding in the bushes.. I mean.. uh..
(-:
I fired off a quick email to verisign.
For your enjoyment:
To: websitesupport@verisign.com
Subject: Site Finder Terms of Use
I do not know if this is the right address to send this message, as I was unable to find contact information on your 'Site Finder' page.
If this is not the correct address to send correspondence on this subject, kindly forward it to the appropriate address or send me the correct address.
Today I mistyped a .com domain name and was redirected to your 'Site Finder' service. I have since done a search for some background information on this and have seen that various parties have made technical objections to this service. Many of these addressed concerns that are similar to mine when I was presented with your service, but I will not add to that discussion.
My reasons for contacting you are my concerns with respect to the 'Terms of Use' (http://sitefinder.verisign.com/terms.jsp) that I was presented with.
I would like clarification on the following issues:
1. Why would these apply to me when I have not entered into an agreement with you before mistyping the domain?
2. What constitutes 'commercial use' as mentioned in section 2 of your 'Terms of Use'?
3. Where can I find the information on agreements w.r.t. commercial use of the 'Site Finder' service as mentioned in section 2?
In light of the above concerns and the terms presented in:
Section 6, which implies you can change any part of these terms, without prior notice. (Including section 3 'COST OF THE VERISIGN SERVICES')
Section 14, which implies that use of the service implies agreement to these 'Terms of Use'
I kindly request you to provide me with information on how I should proceed to stop Verisign from providing me with this service until the above points are clarified and I expressly agree to be bound by these 'Terms of Use'.
Kind regards,
Anonymous
Have you seen the episode of Star Trek where
Your ideas and principles on suffering and death by selection is based on one science fiction television episode? I guess there really are people strongly influenced by what they watch on TV.
Bad boys rape our young girls but Violet gives willingly.
Thanks for that "Cute" picture, I just hurled all over the keyboard!
Electronic Music Made Using Linux http://soundcloud.com/polyp
I had checked this last week; early last week SiteFinder was enabled and by Friday it had gotten blocked by Earthlink.
Verisign is providing a "service" to Internet users in much the same way.
Yes.
And if you happen to be a statuesque woman in black leather and stiletto heels, you'll likely get paid a decent chunk of change to do it too!
Yeah? well, the article itself is -1 redundant. That was the point.
Just remember what a rooster does to a hen is considered "servicing". I think in that sense, we've all been "serviced" by verisign.
The previous has been a secret message to my comrades.
Rich
Check out Alexa and their graph about VeriSign's jump... 1,920% jump in a day (also look at their rating, lol).
These guys have always been sneaky. Remember when they sent out the "nameless" re-register postcards? I guess scum never changes....
They can't tax a volunteer service, can they? 10% of $0 is, well, $0...
Apparently if any of your company's intellectual property uses Verisign's DNS they own all your patents now relating to it once you've been re-directed to their sitefinder site according to their terms of agreement.
Except as otherwise set forth herein, all right, title and interest in and to all, [snip] (vi) all other intellectual property, proprietary rights or other rights related to intangible property which are used, developed, comprising, embodied in, or practiced in connection with any of the VeriSign services identified herein ("VeriSign Intellectual Property Rights") are owned by VeriSign or its licensors, and you agree to make no claim of interest in or ownership of any such VeriSign Intellectual Property Rights.
The full text is here http://sitefinder.verisign.com/terms.jsp
Under the 11) Ownership section.
This was a real question from a job interview! Q: What area of programming do you consider yourself not to be good in?
Apparently AOL webmail is having some issues at the moment, and what comes up on my screen instead of an error message? Whoops! The file you were looking for on webmail.aol.com was not found, but here; look at our ads for email services. The company is called netidentity, and brags of being a verisign secure site....now THAT'S pure hijacking. The address bar still claims it's viewing http://webmail.aol.com/ the clear impression here to the uninformed would be that AOL was encouraging you to buy email services from these people.....
sure enough, Webmail comes back online and away goes netidentity. AOL should have a LOT of really bored lawyers sitting around waiting for things like this. "As soon as our mail server has an issue you redirect them to another service selling email address that YOU own?......could you repeat that?"
speaking of fat, smelly gorillas, how is your mom?
Doing fine. Last I heard, she was out sleeping with your sorry assed pervert dad with a bottle of Ripple. By the way, didn't I see you down on the corner gettin' out of some red-neck's pick-up with your FLY DOWN?
PLEASE!!!
-- This space for rent.
That is pretty much a given. I would not say that it comes as a surprise.
You think it's lame now, but just wait until 10 years into the future when they're still using the same godawful Slashcode with the same eye popping color scheme. Then we'll all be laughing
so, we can send emails to *@*.com and it should make its way to Verisign. Should make spamming fun.
Msn uses wildcarding, I see that whenever I type in a wrong domain. Ultrasw in tucson does wildcarding in association with a service called "almighty search", and I do not even get to see verisign's sitefinder. DNS providers besides verisign use wildcarding, should their domains be taken away also? If VeriSign were to have its domains taken away, what company would satisfy the apparent concern with commercial companies making money?
Just some food for thought,
Bailey.
but not just a punch, then you aren't "helping" them out. of course, if you direct them to a place they don't want to go, is that still a service? It is if you say it is, and they don't have a choice in the matter. Right now Verisign is really providing a free map (dns) to your destination, but if you lookup a place that doesn't exist they try to tell you someplace else to go rather than just staring blankly. the problem that I have with this isn't the principle, it's the execution. Their servers are obviously not handling the traffic well, which causes those previously quick errors to come back very very slowly. One of their big todo's for this project was to create a consistent user experience. At this they have most assuredly failed. Well, I guess I am also a bit biased because my company bid on certain parts of this project and we didn't win. So, down with Microsoft! Oops, I mean Verisign!
That's funny and prophetic. Mod this guy UP!
I found it amusing that you must agree to their terms to use their service. So if you mistype a URL on the internet you are agreeing to their terms?
We should figure out how to challenge the validity of their terms since you never actually intend to visit their page, this could possibly be used as a precedent for those click through apps that install spyware like gator and the rest, especially since most are unaware of what that dialog box actually means.....
running all your Crashbot's, DoS, DDoS, portscanners, nmap etc. on
www.trytocrashthis.com
Seems they need heavy attacks on this machine for test purposes.
www.uncrashableserver.com
is another server that needs some stress.
Apparently timothy is CowboyNeal on speed:
(all on current /. homepage)
No, I'm New Here
Verisign have set up a server running Postfix which responds
Hmm, I was about to reply and say you're wrong, it's not Postfix - but then I checked, and they've changed it! When the service was first deployed, it was using a custom script that didn't even understand SMTP, it was just waiting for a certain number of lines, then displaying an error. It seemed to me that this script probably wasn't sophisticated enough to harvest e-mail addresses. Now that they're using a real SMTP server, though, I'm not so sure. They could very well be harvesting sender e-mail addresses (which are sent to Verisign before the error message is given).
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
To quote:
Don't forget to vote yay/nay on the Verisign CEO's performance for Forbes Magazine (Makes you wonder what all those corporate investors would think if his rating sucked)
Forbes Magazine CEO Performance Survey
At any time VeriSign may modify or terminate these terms of use, its websites and the VeriSign Services and may at any time discontinue your use of the VeriSign Services without any notice to you, and without liability to you, any other user or any third party. Please review these Terms of Use from time to time so that you will be aware of any changes. Your continued use of the VeriSign Services constitutes your agreement to all such terms, conditions, and notices.
Trust me, I won't sue! (BTW - is it actually possible to *not* continue to use this service without either being required to 1) spell everything correctly or 2) not surf the web? Admins can do it but lay users certainly can't)
-Sean
They filed suit against Verisign accusing Verisign of misuse of their registry position with their Site Finder service.
Link to the press release is here
I disable sigs...do you?
Since the IAB is no longer technical and is now the marketing arm of the ICANN brand of root zone, they need to come to grips with what "the consent of the Internet community" means in this context.
It is assumed that this consent is the same sort of deal that put the ICANN board in place, seeing as how the government's single requirement of ICANN was an elected board.
So, here's how this would work. ICANN would immediately tell NSI to stop and whine to commerce when they don't, who will strong arm NSI behind the scenes to discontinue wildcarding until ICANN can complete a study.
NSI, citing the part of their agreement with ICANN that says they can't apply a policy unevenly to NSI, protests citing no consensus of the Internet community.
ICANN forms a committee to study this and the service will not be resumed until the committee is finished.
In 7 years and finally under pressure from congress ICANN is asked to finish its study and determine the consensus of the internet community.
ICANN concludes the study, reasoning only the IAB, ICANN, ISOC and IANA may vote. Any related I* organization may also. They vote to suspend the service.
NSI points out this contravenes the ICANN bylaws and complains to commerce. ICANN changes its bylaws and commerce tells NSI to get lost.
ICANN issues a press release on a friday afternoon that it has manifested the will of the internet community and the suspension of the service is permanent. NSI buys Google.
The internet community itself doesn't even care as it's been using google for DNS for 5 years now and have ever since they switched away from the ICANN root zone.
If I punch people in the face, can I call that a service, too?
Of course. Hit them in the nose and let blood. They should be thankful!
Have you read my journal today?
Hey people, where or how could we know how many queries/searches do VeriSign and Microsoft get with sitefinder and with IE???? Because with it, i think they can intercept all 404, malformed URL, non-registered domains and DNS errors!! It's interesting looking for it, because the money they already make (microsoft) or will make(VeriSign) is the real reason of all it.....