Slashdot Mirror


ICANN Asks VeriSign To Stop DNS Wildcarding

MrClever writes "In this article over at the Sydney Morning Herald (AU), it looks as though ICANN may actually be doing something about the VeriSign changes to .com and .net TLDs. Apparently, while they have been noticeably quiet, they have been reviewing community reaction and analysed data from a technical perspective. Here's hoping ICANN pull the plug on VeriSign's TLD administration rights!" And TALlama writes "RSS.com.com (dear $DIETY, will it ever stop?) is reporting that ICANN has asked VeriSign 'to voluntarily suspend the service' of wildcarding DNS, 'pending further study.' Calling it a 'service' is a little bit of a misnomer. If I punch people in the face, can I call that a service, too?"


  1. ICANN asks Timothy to stop posting Dupes by DrSkwid · · Score: 5, Informative
    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:ICANN asks Timothy to stop posting Dupes by numark · · Score: 4, Informative

      Actually, this isn't a dupe. The previous article was simply saying that ICANN had issued a request to Verisign to take down SiteFinder until a committee was able to review the system. This article is saying that the committee made an official recommendation to ICANN to issue a request to Verisign to shut down SiteFinder permanently. A thin distinction, yes, but enough to warrant a new article.

      --
      Want Slashdot headlines on your site? Try SlashHead
  2. 404 by Anonymous Coward · · Score: 5, Informative

    ICANN said it is investigating complaints over the wildcard service and asked VeriSign to pull it pending further study. The service effectively replaces the common "404 page not found error" that until now has been the default for absent Web addresses.

    404? A HTTP response from a DNS request? Please get your facts straight com.com...

    1. Re:404 by Lord+Azrael · · Score: 5, Informative

      i think you don't get it. you should see a 404 error only if you ask for a file on a server, which does not exist. but a 404 is not the answer a browser will return, if the domain does not exist

      the article makes this mistake again also in the last paragraph: "VeriSign is not alone in seeking to replace 404 errors. Microsoft has also directed users of its Internet Explorer Web browser to a Microsoft search page when typing unassigned domain names into the browser's URL bar."

      unassigned domain names != 404 errors

      who the hell wrote this article ?

      --
      Lord "not Gargamel's Cat!" Azrael
    2. Re:404 by DJPenguin · · Score: 1, Informative

      Nope - 404 is when you have the correct server, but the page is missing. If you can't resolve the server in the first place, you won't get a HTTP error at all - it's up to the browser / os to give an error.

    3. Re:404 by gl4ss · · Score: 4, Informative

      no, the user would NOT get 404 from a site that doesn't exist(since it doesn't exist to give that 404 in the first place)

      a proxy/gateway could return that i guess, though it should return 502/504 rather than 404 which implies that a specific page wasn't found on the server.

      as for the verisign sitefinder.. yesterday (or day before that) i used to get to them with purposely wrongly typed addresses i tried, but not anymore (and no, it NEVER replaced 404 errors on existing servers, if they did that it would be a 'very nice trick' on behalf of them, since i can't figure out how they could do that with the current systems in use).

      --
      world was created 5 seconds before this post as it is.
    4. Re:404 by Anonymous Coward · · Score: 1, Informative

      It's wrong for another reason too: MS isn't doing the same thing by any distance as what Verisign is shoving down throats.

      Enter a mistyped URL, and you'll still get (or should get, if it weren't for Verislime) a 'domain not found' in IE, as long as the syntax is close enough to that of a real URL.

      What IE does is direct you to a search engine if you omit the "http://" and/or enter multiple space-separated words, i.e. if what you enter is clearly no URL in the first place. They even make an exception for stuff that /looks/ like an URL, i.e. "www.somedomain.com" doesn't need the "http://" part to be recognized and handled properly.

      What they do is more akin to providing a shortcut to a search engine, as if you could look something up on google without opening google's start page first.

      There's another shortcut they provide: enter any word in the address bar and hit CTRL-Enter instead of just enter: IE will prepend 'http://www.' and append '.com' to what you typed. I see that as the opposite of what Verislime has invented.

  3. finally... by Anonymous Coward · · Score: 1, Informative

    The wildcard "service" is certainly causing problems for many admins. I'm glad to know ICANN is doing something about it. Anyway, I personally think VeriSign will still stop this "service" anyway without ICANN interfering because of public pressure.

  4. Re:Wildcarding? by Molt · · Score: 5, Informative

    Okay, in simple terms..

    DNS is the method of resolving names to IP addresses, it's what turns 'www.slashdot.org' into 66.35.250.151, or 'www.google.com' into 216.239.59.99

    Wildcarding DNS is when instead of saying 'www.slashdot.org is 66.35.250.151' you effectively say 'Everything is 66.35.250.151' and so any domain you're asked to resolve goes to Slashdot's IP address.

    What VeriSign have done is to add a final rule to their list, saying 'Anything not in the above is 64.95.110.11' (Or whatever the IP is of their SiteFinder service). This has the result that any DNS request that formerly would have returned an 'Unable to resolve' message now thinks it's resolved correctly to the IP address.

    The stink this is causing with spam mail is that a lot of anti-spam measures rely on being able to weed out mail from made up domains simply by checking if the domain resolves correctly.

    DNS is actually a *lot* more complex than this, but I think that'll do to explain what's going on here.

    --
    404 Not Found: No such file or resource as '.sig'
  5. IAB Issues DNS Wildcard Guidelines by FlukeMeister · · Score: 5, Informative

    The IAB has issued a set of guidelines for the use of DNS wildcards.

    Essentially, they say it's a very bad idea, but you can do it with the informed consent of all delegates in your zone.

  6. Re:Wildcarding? by Fzz · · Score: 4, Informative

    The IAB statement in response to Verisign has a lot of technical background on DNS wildcards, what they are, and what the problems with their use are.

  7. Tis Done by Anonymous Coward · · Score: 3, Informative

    Unregistered domains now return a plain, comforting error page instead of SiteFinder. Which is nice.

    1. Re:Tis Done by Anonymous Coward · · Score: 1, Informative

      Maybe on your ISP, but I still see it.

  8. .nu? by admbws · · Score: 4, Informative

    NuNames, the provider of domain names for the island of Niue, has been doing this for a long time. Will ICANN ask them to stop too?

  9. Re:infinite recursion by Anonymous Coward · · Score: 1, Informative

    Both papers are owned by the same person and run in different cities.

  10. Re:What's wrong with domain forwarding? by Col.+Klink+(retired) · · Score: 4, Informative

    Many spammers fake domain names. Spam filters check to see if the domain is real and will reject bogus emails. VeriSign broke that by making all domains valid.

    In addition to web traffic, they are also intercepting email traffic. So if you mistype an email address, they will get the email and keep it and you won't get a bounce.

    The Register has an article about how VeriSign Broke My Printer.

    The Register also reported that VeriSign is using Web Bugs.

    --

    -- Don't Tase me, bro!

  11. Sign a petition, ho hum by TequilaMonster · · Score: 3, Informative

    Hi,

    There's a petition available. Now I don't know exactly how effective it will be, but signing is more effective than not.

    http://www.whois.sc/verisign-dns/.

    rgds

    Alan

    --
    Tequila - drink of the gods.
  12. BIND 8 patch for Verisign stupidity by snowtigger · · Score: 4, Informative

    There is an available patch for BIND 8:

    This page provides a patch to BIND 8 to ignore the wildcard A record Verisign is now returning for unregistered .com/.net domains. It was cooked up over 10 minutes of pure anger and has not been properly tested; it would be better to be able to specify which IPs to ignore in the configuration file. Suggestions or improved patches are very much welcomed. (Note that this patch causes SERVFAIL results; NXDOMAIN would be better, but I'm not that well versed in the BIND code.)

    This patch was made against BIND 8.4.1.
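
An added example, not part of the original comments or of the BIND patch mentioned above: a model of the registry wildcard described in this thread, the sender-domain check it defeats, and a resolver-side filter that ignores the wildcard answer. The toy zone, `example.com` and all function names are constructed for illustration; unlike the patch, the filter reports "no such domain" rather than SERVFAIL.

```python
import secrets

# Constructed toy registry zone: registered names plus a TLD-level wildcard.
# 64.95.110.11 is the SiteFinder address quoted earlier in the thread;
# the registered name and its address are constructed sample data.
REGISTERED = {"example.com": "192.0.2.10"}
WILDCARD = {"com": "64.95.110.11", "net": "64.95.110.11"}


def registry_lookup(name, wildcard=True):
    """Return the A record for name, or None to stand for NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return REGISTERED[name]
    tld = name.rsplit(".", 1)[-1]
    return WILDCARD.get(tld) if wildcard else None


def detect_wildcard(lookup, tld, probes=3):
    """Resolve random labels that are almost certainly unregistered; if every
    probe returns the same address, that address is the wildcard target."""
    answers = {lookup(f"{secrets.token_hex(16)}.{tld}") for _ in range(probes)}
    if len(answers) == 1:
        return answers.pop()  # None when the TLD answers NXDOMAIN as expected
    return None


def filtered_lookup(lookup, name):
    """Resolver-side filter: treat an answer equal to the wildcard target
    as NXDOMAIN, so unregistered names fail to resolve again."""
    tld = name.rstrip(".").rsplit(".", 1)[-1]
    addr = lookup(name)
    sentinel = detect_wildcard(lookup, tld)
    return None if sentinel is not None and addr == sentinel else addr


def sender_domain_exists(lookup, domain):
    """The anti-spam check from the thread: does the sender domain resolve?"""
    return lookup(domain) is not None
```

With the wildcard in place `sender_domain_exists(registry_lookup, ...)` is true for any made-up `.com` name; passing `lambda d: filtered_lookup(registry_lookup, d)` as the lookup restores the rejection.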

  13. Re:They may ask.. but... by gmack · · Score: 4, Informative

    You need to think about what that will do to other services since all the world is not http. With this change smtp will now attempt to retransmit until it times out instead of hitting verisign's fake mail server that will reject the message immediately. The average timeout is 5 days.. that's 5 days of added load to your mail server for every email to a mistyped domain.

    I suggest installing the new version of bind instead.

  14. Re:What's wrong with domain forwarding? by smellystudent · · Score: 2, Informative
    "So if you mistype an email address, they will get the email and keep it and you won't get a bounce."

    Wrong.

    To start with, only A records resolve to the Verisign servers. MX records don't resolve to anything.
    However, most mail servers will try the A record if the MX record doesn't exist. Verisign have set up a server running Postfix which responds with: 550: Client host rejected: The domain you are trying to send mail to does not exist.
    At this point, the mail server sends a bounce message and does not pass your e-mail to Verisign.

    This is still broken, bad, wrong and evil, but they are not intercepting your mail. Yet.
    --
    Predictive text is shiv!
  15. Re:It's better than MS by Chester+K · · Score: 2, Informative

    "Once Verisign quits doing it, I revert to the damned MSN page every time there's a typo.

    Why isn't anyone bitching about MS?"


    First off, people do bitch about that behavior of IE.

    Second off, that is a feature of Internet Explorer, the application. It does not violate any RFCs, nor does it adversely affect any critical Internet infrastructure. It's not a part of Windows' TCP stack or anything silly like that. Also, you can turn it off or even redirect it to any other site you want.

    It's not the same ballpark as Verisign's SiteFinder "service", which does violate RFCs, adversely affects critical Internet infrastructure, and can not be avoided or opted-out of.

    --

    NO CARRIER
  16. Re:Terms Of Use by ReverendRyan · · Score: 2, Informative

    I emailed VeriSign about that issue, and here is what I got back:

    Dear Ryan,

    Thank you for contacting VeriSign Customer Service. Unfortunately there
    is not a way to opt out of the Sitefinder service. The terms and
    conditions apply to the web site navigation and the search
    functionality, not to the Sitefinder service itself.

    Please learn more about Sitefinder by visiting our FAQ's, we have also
    provided some technical issues to be aware of:

    http://www.verisign.com/nds/naming/sitefinder/faq.html ...

    It went on for another few pages, mostly marketing mumbo-jumbo with an occasional technical explanation about why it won't affect email. (even tho it does, cause i tried =P)