ICANN Asks VeriSign To Stop DNS Wildcarding

MrClever writes "In this article over at the Sydney Morning Herald (AU), it looks as though ICANN may actually be doing something about the VeriSign changes to .com and .net TLD's. Apparently, while they have been noticably quiet, they have been reviewing community reaction and analysed data from a technical perspective. Here's hoping ICANN pull the plug on VeriSign's TLD administration rights!" And TALlama writes "RSS.com.com (dear $DIETY, will it ever stop?) is reporting that ICANN has asked VeriSign 'to voluntarily suspend the service' of wildcarding DNS, 'pending further study.' Calling it a 'service' is a little bit of a misnomer. If I punch people in the face, can I call that a service, too?"

This just in:

Posters Ask Slashdot To Stop Dupe Posting

Re:This just in:

[bheerssen]

In other news, posters ask slashdot posters to stop posting dupe posts posting dupes.

ICANN asks Timothy to stop posting Dupes

[DrSkwid]

Apparently Timothy is a Dork

Re: ICANN asks Timothy to stop posting Dupes

[mgebbers]

But now it's even easier to find slashdot dupes ... Slashdot dupes first match is sla...

oh

never mind

Re:ICANN asks Timothy to stop posting Dupes

[numark]

Actually, this isn't a dupe. The previous article was simply saying that ICANN had issued a request to Verisign to take down SiteFinder until a committee was able to review the system. This article is saying that the committee made an official recommendation to ICANN to issue a request to Verisign to shut down SiteFinder permanently. A thin distinction, yes, but enough to warrant a new article.

A service?

[Steffen]

"If I punch people in the face, can I call that a service, too?"

Yes, because so many people need what you are selling.

Re:A service?

[Sindri]

You punching some people at VeriSign would be a service to the internet community.

Re:A service?

[Tackhead]

> You punching some people at VeriSign would be a service to the internet community.

Shift your paradigm and e-leverage yourself into the 90s already.

Punching VeriSign people in the face is a solution, not a service.

Don't you hate it

how we always get the news late here? I swear...

VerySued.Com

[millwall]

(ICANN) has asked VeriSign to voluntarily suspend changes it made to domain name service zones that have resulted in most mistyped .com and .net domain names being redirected to its own site.

I predict the most common misspelling of VeriSign.com will be VerySued.com

Re:VerySued.Com

[kosmonaut+pirx]

VerySigh...

404

ICANN said it is investigating complaints over the wilcard service and asked VeriSign to pull it pending further study. The service effectively replaces the common "404 page not found error" that until now has been the default for absent Web addresses.

404? A HTTP response from a DNS request? Please get your facts straight com.com...

Re:404

[Lord+Azrael]

i think you don't get it. you should see a 404 error only if you ask for a file on a server, which does not exist. but a 404 is not the answer a browser will return, if the domain does not exist

the article makes this mistake again also in the last paragraph VeriSign is not alone in seeking to replace 404 errors. Microsoft has also directed users of its Internet Explorer Web browser to a Microsoft search page when typing unassigned domain names into the browser's URL bar.

unassigned domain names != 404 errors

who the hell wrote this article ?

Re:404

[gl4ss]

no, the user would NOT get 404 from a site that doesn't exist(since it doesn't exist to give that 404 in the first place)

a proxy/gateway could return that i guess, though it should return 502/504 rather than 404 which implies that a spesific page wasn't found on the server.

as for the verisign sitefinder.. yesterday(or day before that) i used to get to them with purposedly wrongly typed addresses i tried, but not anymore(and no, it NEVER replaced 404 errors on existing servers, if they did that it would be a 'very nice trick' on behalf of them, since i can't figure out how they could do that with the current systems in use).

Re:What's wrong with domain forwarding?

[rylin]

I prefer my spamfilters intact.
I prefer that my redundant mailservers actually get used.

Do some reading before trying to justify what's been done.

infinite recursion

[wadiwood]

The sydney morning herald is not known for original reporting, everything is duplicated in the Melbourne Age for starters...

Loop:

Slashdot reports story, smh reports story, slashdot reports smh reporting (slashdot story), smh reports story again (cos Slashdot did).

Repeat until servers full.

site finder is misleading

[wadiwood]

For starters, sitefinder doesn't find the slashdot site!

It isn't nearly as helpful or reliable as google (even if google is censored a bit).

It causes me to download more stuff than I would if they didn't have the diversion abusing my bandwith and data allowances that I have to pay for.

I can turn the msn search in IE off. I turned the sitefinder.verisign.com off by modifying my hosts file but that isn't easy for most of the customers I support.

Re:finally...

[Nightlily]

Honestly I don't think VeriSign will stop this "service" because of public pressure alone. I used to have my domains registered at VeriSign but I was tired of never being able to get a password for the web administrative interface.

VeriSign is a great service if you're not planning on making any changes to your domain information. A few years ago I needed to update my name. VeriSign "offered" (the free version was in small print and out of the way) the service to have my name change rushed for over $100.

I suspect ICANN is stepping in due to public pressure, not VeriSign.

Re:Slashdot losing its edge?

[MrLizardo]

You're new hear aren't you? Its been in a decline for 5 years.

-AX

A dup is okay...

[AndroidCat]

After all, when Verisign pays no attention to ICANN's asking them to stop, ICANN will ask them again--maybe even notorized! That'll sure bring Verisign to their knees, oh yeah.

Wake me up when it escalates to wrist-slapping.

Re:A dup is okay...

[mustrum_ridcully]

Well if more companies behaved like this maybe the world would be a better place (well not for lawyers admittedly).

I've lost count the number of times i've seen people in /. write "why didn't they just ask x to stop y". Well now somebody has.

What if SCO just asked for its code not to be used instead of sending the lawyers in?

Or Apple records asked Apple computers to stop selling music?

etc...

Re:Another reason to stop it.

[AndroidCat]

If hackers/spammers could compromise any TLD name server, wildcards or not, I think we could see a fair bit of disruption.

Re:Wildcarding?

[Molt]

Okay, in simple terms..

DNS is the method of resolving names to IP addresses, it's what turns 'www.slashdot.org' into 66.35.250.151, or 'www.google.com' into 216.239.59.99

Wildcarding DNS is when instead of saying 'www.slashdot.org is 66.35.250.151' you effectively say 'Everything is 66.35.250.151' and so any domain you're asked to resolve goes to Slashdot's IP address.

What VeriSign have done is to add a final rule to their list, saying 'Anything not in the above is 64.95.110.11' (Or whatever the IP is of their SiteFinder service). This has the result that any DNS request that formerly would have returned an 'Unable to resolve' message now thinks it's resolved correctly to the IP address.

The stink this is causing with spam mail is that a lot of anti-spam measures rely on being able to weed out mail from made up domains simply by checking if the domain resolves correctly.

DNS is actually a *lot* more complex than this, but I think that'll do to explain what's going on here.

IAB Issues DNS Wildcard Guidelines

[FlukeMeister]

The IAB has issued a set of guidelines for the us of DNS wildcards.

Essentially, they say it's a very bad idea, but you can do it with the informed consent of all delegates in your zone.

Re:Wildcarding?

[Fzz]

The IAB statement in response to Versign has a lot of technical background on DNS wildcards, what they are, and what the problems with their use are.

Tis Done

Unregistered domains now return a plain, comforting error page instead of SiteFinder. Which is nice.

.nu?

[admbws]

NuNames, the provider of domain names for the island of Niue, has been doing this for a long time. Is ICANN ask them to stop too?

Re:.nu?

[Microlith]

Unlike other TLDs, namely several country codes, .com and .net have a number of resellers.

TLDs with a monopoly really can't be told what to do, because there's no one competing with them in the first place.

With VeriSign doing this on .com and .net, they're unfairly leveraging their position to the exclusion of other registrars. They are in effect conveying the message that they run the web.

Re:.nu?

[bluGill]

Well, they shouldn't but .nu belongs to Niue, and so long as the proxy for the people (goverment) doesn't mind I don't have a problem with that they do. If I lived on Niue I would have a problem with it, but I belive in letter other people do stupid things. However .com and .net belong to the internet as a whole, and that means everyone needs to agree with what happens there. (Note, everyone in the wolrd, .us belongs to the USA, and those in other countries shouldn't be concerned about the stupid things .us is doing, while those in the US should)

This is the way I live my life: Don't harm anyone but yourself and I'll leave you alone. I won't agree with what you do, and speak against it, but so long as it doesn't harm others I don't care.

I have no clue how the goverment of Niue is overall, having never heard of them before. If they are "Evil", I might help those in the country to change things, but that is a completely different story and has nothing to do with domain naming.

They may ask.. but...

If we all add this command:

iptables -I INPUT -j REJECT 69.94.0.0/15

maybe that will get Verisign's attention ;p

Afterall theres nothing they can do about people blackholing them for a good long while until they say they are sorry. As a penalty they should lower the prices of their domain registration, to something competitive.

Re:They may ask.. but...

[gmack]

You need to think about what that will do to other service since all the world is not http. With this change smtp will now attempt to retransmit until it times out instead of hitting verisign's fake mail server that will reject the message immediatly. The average timeout is 5 days.. that's 5 days of added load to your mail server for every email to a mistyped domain.

I suggest Installing the new version of bind instead.

Huh?

[batkins]

I'm still not having this problem. If I browse to http://notarealaddressatall2323.com, my browser just says "Looking up host" and then eventually returns an error.

I've never actually seen this happen. Is it possible that my provider (Earthlink) has blocked this in their own DNS servers?

Oops.

[Amorpheus_MMS]

>dear $DIETY, will it ever stop?

File not found. Bad command or deity.

What's the big deal?

[kasper37]

At first I was kind of pissed about what they did, but what is it really hurting? Anything that relies on a dns failure could easily be changed to accept a failure or a response involving that ip.

Although I know they will never release any stats on the kind of hits they are getting to that ip, it would be an interesting study. I would be interested to find out what the most misspelled domain is.

Re:What's the big deal?

The point of standards is that you can rely on them. The internet standards are decided on a lengthy consensus process, and at this point the basic protocols of the internet are only changed very slowly and for very good technical reasons. Thus, once you have implemented a service or component based on a standard protocol such as DNS, you can be happy and count on not needing to maintain the component any more. It would set a horrendous precedent if internet infrastructure could be changed at will for marketing reasons, with no repercussions. Suddenly *every* piece of software relying on internet would need a maintenance team ready to change them at a moment's notice. This costs a lot of money, especially for services that are ready, done and just work.

Re:What's the big deal?

[Progman]

What if my application already does different things depending on whether the service is misconfigured (DNS error) or just not responding (connection refused)? The Verisign move has merged different failures into one.

Re:What's the big deal?

[TCM]

Right, why have standards. At the next opportunity just change every piece of installed software to adapt to your marketing brainfart of the week.

Why the fuck was this even modded up?

Retard mods.

Re:What's the big deal?

[shamino0]

At first I was kind of pissed about what they did, but what is it really hurting?

For web pages, I couldn't care less. If I mistype a URL and get a search page instead of an error page, it's no big deal.

The problem is that this change doesn't just affect web pages. It affects every program that does a DNS lookup - which is almost everything.

This is not acceptable. If I mistype an address when sending mail, I want to get an immediate error back. I don't want a Verisign server to receive the message. And I don't want my mail server to keep on re-sending the message for five days (which is what will happen if they don't have a mail server at that address.)

If I use a spam filter that blocks mail that has bogus return addresses, it is now useless, because all addresses will now resolve as valid.

By making this change, Verisign has seriously crippled the usefulness of the internet.

Punch in the Face : Am improved analogy

[OpenYourEyes]

Of course you can sell your Punch in the Face services. Such services have traditionally gone under names such as

• Boxer
• Body Guard
• Actor

Now, this analogy actually does continue. You, as a sysadmin or someone writing a script that uses DNS, might not really like this service. Just like someone who is trying to take celebrity photographs might not like the Punch-in-the-Face service. But the fact is that this service is provided. And that there are a LOT of people who not only don't see this as a problem - but like it. Or at least think they do.

That is why Verisign thinks they can get away with this - the average person sees a benefit here and sees no drawbacks. The average person watching a boxing match also just sees the benefits and not the drawbacks. Until it is made clear why this isn't as good as it appears, nobody will care. Chances are, nobody will care anyway.

Terms Of Use

[BiggerIsBetter]

Have any of you read the "terms of use"? http://sitefinder.verisign.com/terms.jsp What a load of bollocks - do they seriously want us to believe that being redirected without our control to some bogus directory site is a legally binding agreement?! Go fsck yourselves Verisign!

Re:Terms Of Use

[ReverendRyan]

I emailed VeriSign about that issue, and here is what I got back:

Dear Ryan,

Thank you for contacting VeriSign Customer Service. Unfortunately there
is not a way to opt out of the Sitefinder service. The terms and
conditions apply to the web site navigation and the search
functionality, not to the Sitefinder service itself.

Please learn more about Sitefinder by visiting our FAQ's, we have also
provided some technical issues to be aware of:

http://www.verisign.com/nds/naming/sitefinder/fa q. html ...

It went on for another few pages, mostly marketing mumbo-jumbo with an occational technical explanation about why it wont effect email. (even tho it does, cause i tried =P)

It *is* "service."

[acceleriter]

People who grew up on a farm will understand what I mean.

Re:What's wrong with domain forwarding?

[Col.+Klink+(retired)]

Many spammers fake domain names. Spam filters check to see if the domain is real and will reject bogus emails. VeriSign broke that by making all domains valid.

In addition to web traffic, they are also intercept email traffic. So if you mistype an email address, they will get the email and keep it and you won't get a bounce.

The Register has an article about how VeriSign Broke My Printer.

The Register also reported that VeriSign is using Web Bugs.

GST

[quinkin]

"If I punch people in the face, can I call that a service, too?"

Well in Oz we have a 10% Goods and Services Tax (GST) - so technically you would have to give 10% to the government too.

Q.

Re:GST

[Horny+Smurf]

Assuming you have ten fingers,10% is 1 finger... and I know which one I'd give to the gov't.

Sign a petition, ho hum

[TequilaMonster]

Hi,

There's a petition available. Now I don't know exactly how effective it will be, but signing is more effective than not.

http://www.whois.sc/verisign-dns/.

rgds

Alan

Prediction: Verisign will claim IAB endorsement...

[dpbsmith]

...and hang tough.

After all, the IAB says here that "We must emphasize that, technically, this was a legitimate use of wildcard records that did not in any way violate the DNS specifications themselves."

If the decision-makers at Verisign cared about good engineering practice, they wouldn't have done what they did.

They probably regard their own actions as just "sharp business practice" and are probably patting themselves on the back for having found a loophole in the DNS specification that they can use for their own profit.

I don't think jawboning from ICANN, the IAB, or anyone else will have much effect. I don't see how anyone short of the Feds can stop them.

I mean, they have contracts with their SiteFinder advertisers. There's money at stake here.

BIND 8 patch for Verisign stupidity

[snowtigger]

There is an available patch for BIND 8:

This page provides a patch to BIND 8 to ignore the wildcard A record Verisign is now returning for unregistered .com/.net domains. It was cooked up over 10 minutes of pure anger and has not been properly tested; it would be better to be able to specify which IPs to ignore in the configuration file. Suggestions or improved patches are very much welcomed. (Note that this patch causes SERVFAIL results; NXDOMAIN would be better, but I'm not that well versed in the BIND code.)

This patch was made against BIND 8.4.1.

A Service?

[Woy]

If I punch people in the face, can I call that a service, too?

If you punch the verisign ppl in the face, you can bill me.

Re:What's wrong with domain forwarding?

[smellystudent]

So if you mistype an email address, they will get the email and keep it and you won't get a bounce.

Wrong.

To start with, only A records resolve to the Verisign servers. MX records don't resolve to anything.
However, most mail servers will try the A record if the MX record doesn't exist. Verisign have set up a server running Postfix which responds with: 550: Client host rejected: The domain you are trying to send mail to does not exist.
At this point, the mail server sends a bounce message and does not pass your e-mail to Verisign.

This is still broken, bad, wrong and evil, but they are not intercepting your mail. Yet.

It's better than MS

[WogboTheFrogGod]

Once Verisign quits doing it, I revert to the damned MSN page every time there's a type-o.

Why isn't anyone bitching about MS?

Re:It's better than MS

[rudy_wayne]

To get rid of it:

1. In Internet Explorer, go to the "Tools" menu and select "Internet Options..."
2. Click on the "Advanced" tab
3. Scroll down to the section "Search from the Address Bar"
4. Select the radio button labelled "Do not search from the Address Bar"
5. Click the "OK" button to dismiss the dialog
6. Test using a URL like http://www.dsafgwadbee.co.uk [dsafgwadbee.co.uk], as this will avoid the Verisign thing (which only applies to .com and .net TLDs)
7. You should now get a standard IE "The page cannot be displayed" notification, with "Cannot find server or DNS error" at the bottom

or

1. Don't use MSIE

See, wasn't that easier?

Re:It's better than MS

[kindbud]

Because MS didn't foobar DNS to do it. They did it in the application, which is where this sort of service belongs. If you don't like the way IE does this, you can turn it off, or use a different browser. Can't turn off VRSN's fuckup.

Re:It's better than MS

[Chester+K]

Once Verisign quits doing it, I revert to the damned MSN page every time there's a type-o.

Why isn't anyone bitching about MS?

First off, people do bitch about that behavior of IE.

Second off, that is a feature of Internet Explorer, the application. It does not violate any RFCs, nor does it adversely affect any critical Internet infrastructure. It's not a part of Windows' TCP stack or anything silly like that. Also, you can turn it off or even redirect it to any other site you want.

It's not the same ballpark as Verisign's SiteFinder "service", which does violate RFCs, adversely affects critical Internet infrastructure, and can not be avoided or opted-out of.

Verisign Hack

[cybrangl]

So, what happens when Verisigns gets its website hacked again? I would think that this would be a prime target for anyone who wnats to get attention. It's just a matter of time.....

Re:What's wrong with domain forwarding?

[bheerssen]

Actually they intercept any traffic that attemts to resolve .net and .com addresses against their DNS servers. This could break all sorts of things, internet search engines, FTP clients, IRC server networks and clients, some mirroring services, and the list goes on. This move by Verisign represents a major change in the basic functioning of the internet, and many of the repercussions may not be completely apparent for some time. For instance, what is the additional cost of transfering relatively big (in bytes) webpages as opposed to efficient error responses?

Yes you can call punching people a service

[LordWoody]

Those who think you can not make a buck hitting people have not watched the old 80's and 90's televangelists 'heal' people by hitting them in the head. And to complete the financial transaction, these 'healed' people give the evangelist money for the priviledge of being hit while up on stage!

Then there is always the bouncer at your local bar. He provides a service that frequently involves punching people.

Re:What's wrong with domain forwarding?

[Richy_T]

I assume that several people out there have submitted "honeypot" addresses to this server and are keeping an eye on whether they start receiving spam on these misappropriated addresses. But is anyone keeping a public website documenting such so that the rest of us can be informed if/when it occurs?

Rich