Slashdot Mirror


ICANN Asks VeriSign To Stop DNS Wildcarding

MrClever writes "In this article over at the Sydney Morning Herald (AU), it looks as though ICANN may actually be doing something about the VeriSign changes to .com and .net TLD's. Apparently, while they have been noticeably quiet, they have been reviewing community reaction and analysed data from a technical perspective. Here's hoping ICANN pull the plug on VeriSign's TLD administration rights!" And TALlama writes "RSS.com.com (dear $DIETY, will it ever stop?) is reporting that ICANN has asked VeriSign 'to voluntarily suspend the service' of wildcarding DNS, 'pending further study.' Calling it a 'service' is a little bit of a misnomer. If I punch people in the face, can I call that a service, too?"

37 of 221 comments

  1. This just in: by Anonymous Coward · · Score: 3, Funny

    Posters Ask Slashdot To Stop Dupe Posting

  2. ICANN asks Timothy to stop posting Dupes by DrSkwid · · Score: 5, Informative
    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:ICANN asks Timothy to stop posting Dupes by numark · · Score: 4, Informative

      Actually, this isn't a dupe. The previous article was simply saying that ICANN had issued a request to Verisign to take down SiteFinder until a committee was able to review the system. This article is saying that the committee made an official recommendation to ICANN to issue a request to Verisign to shut down SiteFinder permanently. A thin distinction, yes, but enough to warrant a new article.

      --
      Want Slashdot headlines on your site? Try SlashHead
  3. A service? by Steffen · · Score: 5, Funny

    "If I punch people in the face, can I call that a service, too?"

    Yes, because so many people need what you are selling.

    1. Re:A service? by Sindri · · Score: 5, Funny

      You punching some people at VeriSign would be a service to the internet community.

    2. Re:A service? by Tackhead · · Score: 4, Funny
      > You punching some people at VeriSign would be a service to the internet community.

      Shift your paradigm and e-leverage yourself into the 90s already.

      Punching VeriSign people in the face is a solution, not a service.

  4. VerySued.Com by millwall · · Score: 5, Funny

    (ICANN) has asked VeriSign to voluntarily suspend changes it made to domain name service zones that have resulted in most mistyped .com and .net domain names being redirected to its own site.

    I predict the most common misspelling of VeriSign.com will be VerySued.com
  5. 404 by Anonymous Coward · · Score: 5, Informative

    ICANN said it is investigating complaints over the wildcard service and asked VeriSign to pull it pending further study. The service effectively replaces the common "404 page not found error" that until now has been the default for absent Web addresses.

    404? A HTTP response from a DNS request? Please get your facts straight com.com...

    1. Re:404 by Lord+Azrael · · Score: 5, Informative

      i think you don't get it. you should see a 404 error only if you ask for a file on a server, which does not exist. but a 404 is not the answer a browser will return, if the domain does not exist

      the article makes this mistake again also in the last paragraph: "VeriSign is not alone in seeking to replace 404 errors. Microsoft has also directed users of its Internet Explorer Web browser to a Microsoft search page when typing unassigned domain names into the browser's URL bar."

      unassigned domain names != 404 errors

      who the hell wrote this article ?

      --
      Lord "not Gargamel's Cat!" Azrael
    2. Re:404 by gl4ss · · Score: 4, Informative

      no, the user would NOT get 404 from a site that doesn't exist(since it doesn't exist to give that 404 in the first place)

      a proxy/gateway could return that i guess, though it should return 502/504 rather than 404 which implies that a specific page wasn't found on the server.

      as for the verisign sitefinder.. yesterday(or day before that) i used to get to them with purposely wrongly typed addresses i tried, but not anymore(and no, it NEVER replaced 404 errors on existing servers, if they did that it would be a 'very nice trick' on behalf of them, since i can't figure out how they could do that with the current systems in use).

      --
      world was created 5 seconds before this post as it is.
  6. Re:What's wrong with domain forwarding? by rylin · · Score: 3, Insightful

    I prefer my spamfilters intact.
    I prefer that my redundant mailservers actually get used.

    Do some reading before trying to justify what's been done.

  7. infinite recursion by wadiwood · · Score: 4, Funny

    The sydney morning herald is not known for original reporting, everything is duplicated in the Melbourne Age for starters...

    Loop:

    Slashdot reports story, smh reports story, slashdot reports smh reporting (slashdot story), smh reports story again (cos Slashdot did).

    Repeat until servers full.

    --

    -- it must be true, it's on the internet.
  8. site finder is misleading by wadiwood · · Score: 5, Interesting

    For starters, sitefinder doesn't find the slashdot site!

    It isn't nearly as helpful or reliable as google (even if google is censored a bit).

    It causes me to download more stuff than I would if they didn't have the diversion abusing my bandwidth and data allowances that I have to pay for.

    I can turn the msn search in IE off. I turned the sitefinder.verisign.com off by modifying my hosts file but that isn't easy for most of the customers I support.

    --

    -- it must be true, it's on the internet.
  9. Re:finally... by Nightlily · · Score: 4, Interesting

    Honestly I don't think VeriSign will stop this "service" because of public pressure alone. I used to have my domains registered at VeriSign but I was tired of never being able to get a password for the web administrative interface.

    VeriSign is a great service if you're not planning on making any changes to your domain information. A few years ago I needed to update my name. VeriSign "offered" (the free version was in small print and out of the way) the service to have my name change rushed for over $100.

    I suspect ICANN is stepping in due to public pressure, not VeriSign.

  10. A dup is okay... by AndroidCat · · Score: 5, Funny
    After all, when Verisign pays no attention to ICANN's asking them to stop, ICANN will ask them again--maybe even notarized! That'll sure bring Verisign to their knees, oh yeah.

    Wake me up when it escalates to wrist-slapping.

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:A dup is okay... by mustrum_ridcully · · Score: 5, Interesting

      Well if more companies behaved like this maybe the world would be a better place (well not for lawyers admittedly).

      I've lost count of the number of times i've seen people in /. write "why didn't they just ask x to stop y". Well now somebody has.

      What if SCO just asked for its code not to be used instead of sending the lawyers in?

      Or Apple records asked Apple computers to stop selling music?

      etc...

  11. Re:Wildcarding? by Molt · · Score: 5, Informative

    Okay, in simple terms..

    DNS is the method of resolving names to IP addresses, it's what turns 'www.slashdot.org' into 66.35.250.151, or 'www.google.com' into 216.239.59.99

    Wildcarding DNS is when instead of saying 'www.slashdot.org is 66.35.250.151' you effectively say 'Everything is 66.35.250.151' and so any domain you're asked to resolve goes to Slashdot's IP address.

    What VeriSign have done is to add a final rule to their list, saying 'Anything not in the above is 64.95.110.11' (Or whatever the IP is of their SiteFinder service). This has the result that any DNS request that formerly would have returned an 'Unable to resolve' message now thinks it's resolved correctly to the IP address.

    The stink this is causing with spam mail is that a lot of anti-spam measures rely on being able to weed out mail from made up domains simply by checking if the domain resolves correctly.

    DNS is actually a *lot* more complex than this, but I think that'll do to explain what's going on here.

    --
    404 Not Found: No such file or resource as '.sig'
  12. IAB Issues DNS Wildcard Guidelines by FlukeMeister · · Score: 5, Informative

    The IAB has issued a set of guidelines for the use of DNS wildcards.

    Essentially, they say it's a very bad idea, but you can do it with the informed consent of all delegates in your zone.

  13. Re:Wildcarding? by Fzz · · Score: 4, Informative

    The IAB statement in response to Verisign has a lot of technical background on DNS wildcards, what they are, and what the problems with their use are.

  14. Tis Done by Anonymous Coward · · Score: 3, Informative

    Unregistered domains now return a plain, comforting error page instead of SiteFinder. Which is nice.

  15. .nu? by admbws · · Score: 4, Informative

    NuNames, the provider of domain names for the island of Niue, has been doing this for a long time. Will ICANN ask them to stop too?

    1. Re:.nu? by Microlith · · Score: 5, Insightful

      Unlike other TLDs, namely several country codes, .com and .net have a number of resellers.

      TLDs with a monopoly really can't be told what to do, because there's no one competing with them in the first place.

      With VeriSign doing this on .com and .net, they're unfairly leveraging their position to the exclusion of other registrars. They are in effect conveying the message that they run the web.

    2. Re:.nu? by bluGill · · Score: 3, Interesting

      Well, they shouldn't but .nu belongs to Niue, and so long as the proxy for the people (government) doesn't mind I don't have a problem with what they do. If I lived on Niue I would have a problem with it, but I believe in letting other people do stupid things. However .com and .net belong to the internet as a whole, and that means everyone needs to agree with what happens there. (Note, everyone in the world, .us belongs to the USA, and those in other countries shouldn't be concerned about the stupid things .us is doing, while those in the US should)

      This is the way I live my life: Don't harm anyone but yourself and I'll leave you alone. I won't agree with what you do, and speak against it, but so long as it doesn't harm others I don't care.

      I have no clue how the government of Niue is overall, having never heard of them before. If they are "Evil", I might help those in the country to change things, but that is a completely different story and has nothing to do with domain naming.

  16. They may ask.. but... by Anonymous Coward · · Score: 5, Interesting

    If we all add this command:

    iptables -I INPUT -s 69.94.0.0/15 -j REJECT

    maybe that will get Verisign's attention ;p

    After all, there's nothing they can do about people blackholing them for a good long while until they say they are sorry. As a penalty they should lower the prices of their domain registration, to something competitive.

    1. Re:They may ask.. but... by gmack · · Score: 4, Informative

      You need to think about what that will do to other services since all the world is not http. With this change smtp will now attempt to retransmit until it times out instead of hitting verisign's fake mail server that will reject the message immediately. The average timeout is 5 days.. that's 5 days of added load to your mail server for every email to a mistyped domain.

      I suggest Installing the new version of bind instead.

  17. Oops. by Amorpheus_MMS · · Score: 3, Funny

    >dear $DIETY, will it ever stop?

    File not found. Bad command or deity.

  18. Punch in the Face : An improved analogy by OpenYourEyes · · Score: 4, Interesting

    Of course you can sell your Punch in the Face services. Such services have traditionally gone under names such as

    • Boxer
    • Body Guard
    • Actor

    Now, this analogy actually does continue. You, as a sysadmin or someone writing a script that uses DNS, might not really like this service. Just like someone who is trying to take celebrity photographs might not like the Punch-in-the-Face service. But the fact is that this service is provided. And that there are a LOT of people who not only don't see this as a problem - but like it. Or at least think they do.

    That is why Verisign thinks they can get away with this - the average person sees a benefit here and sees no drawbacks. The average person watching a boxing match also just sees the benefits and not the drawbacks. Until it is made clear why this isn't as good as it appears, nobody will care. Chances are, nobody will care anyway.

  19. Re:What's the big deal? by Anonymous Coward · · Score: 5, Insightful

    The point of standards is that you can rely on them. The internet standards are decided on a lengthy consensus process, and at this point the basic protocols of the internet are only changed very slowly and for very good technical reasons. Thus, once you have implemented a service or component based on a standard protocol such as DNS, you can be happy and count on not needing to maintain the component any more. It would set a horrendous precedent if internet infrastructure could be changed at will for marketing reasons, with no repercussions. Suddenly *every* piece of software relying on internet would need a maintenance team ready to change them at a moment's notice. This costs a lot of money, especially for services that are ready, done and just work.

  20. Re:What's wrong with domain forwarding? by Col.+Klink+(retired) · · Score: 4, Informative

    Many spammers fake domain names. Spam filters check to see if the domain is real and will reject bogus emails. VeriSign broke that by making all domains valid.

    In addition to web traffic, they are also intercepting email traffic. So if you mistype an email address, they will get the email and keep it and you won't get a bounce.

    The Register has an article about how VeriSign Broke My Printer.

    The Register also reported that VeriSign is using Web Bugs.

    --

    -- Don't Tase me, bro!

  21. Sign a petition, ho hum by TequilaMonster · · Score: 3, Informative

    Hi,

    There's a petition available. Now I don't know exactly how effective it will be, but signing is more effective than not.

    http://www.whois.sc/verisign-dns/.

    rgds

    Alan

    --
    Tequila - drink of the gods.
  22. Prediction: Verisign will claim IAB endorsement... by dpbsmith · · Score: 4, Interesting

    ...and hang tough.

    After all, the IAB says here that "We must emphasize that, technically, this was a legitimate use of wildcard records that did not in any way violate the DNS specifications themselves."

    If the decision-makers at Verisign cared about good engineering practice, they wouldn't have done what they did.

    They probably regard their own actions as just "sharp business practice" and are probably patting themselves on the back for having found a loophole in the DNS specification that they can use for their own profit.

    I don't think jawboning from ICANN, the IAB, or anyone else will have much effect. I don't see how anyone short of the Feds can stop them.

    I mean, they have contracts with their SiteFinder advertisers. There's money at stake here.

  23. BIND 8 patch for Verisign stupidity by snowtigger · · Score: 4, Informative

    There is an available patch for BIND 8:

    This page provides a patch to BIND 8 to ignore the wildcard A record Verisign is now returning for unregistered .com/.net domains. It was cooked up over 10 minutes of pure anger and has not been properly tested; it would be better to be able to specify which IPs to ignore in the configuration file. Suggestions or improved patches are very much welcomed. (Note that this patch causes SERVFAIL results; NXDOMAIN would be better, but I'm not that well versed in the BIND code.)

    This patch was made against BIND 8.4.1.
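
An added example, not part of the thread and not the BIND 8 patch itself: a Python sketch of the behaviour described in comments 11 and 23, showing how a registry wildcard defeats the "does the sender's domain resolve?" check and how a resolver-side filter turns wildcard answers back into NXDOMAIN. The zone data, the 192.0.2.x addresses and all function names are constructed for illustration, and the sender check is simplified to a single address lookup.

```python
import secrets

# Constructed toy zone data (documentation addresses, not real records).
REGISTERED = {"example.com": {"192.0.2.80"}, "mail.example.com": {"192.0.2.25"}}
WILDCARD_A = {"192.0.2.11"}  # stands in for the registry's catch-all address


def wildcarded_resolver(name):
    """Simulated .com registry with a final '*.com' rule: never NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return set(REGISTERED[name])
    return set(WILDCARD_A) if name.endswith(".com") else None


def detect_wildcard(resolve, tld, probes=3):
    """Resolve random labels that nobody has registered. If every probe
    resolves, the addresses they share are the zone's wildcard answer."""
    answers = [resolve(f"{secrets.token_hex(16)}.{tld}") for _ in range(probes)]
    if any(a is None for a in answers):
        return set()  # at least one honest NXDOMAIN: no wildcard
    return set.intersection(*answers)


def make_filtering_resolver(resolve, wildcard_addrs):
    """Wrap a resolver so an answer made up only of wildcard addresses is
    reported as NXDOMAIN (None) rather than as a successful lookup."""
    def filtered(name):
        answer = resolve(name)
        if answer and answer <= wildcard_addrs:
            return None
        return answer
    return filtered


def sender_domain_exists(resolve, address):
    """The anti-spam check from the thread: does the sender's domain resolve?"""
    domain = address.rsplit("@", 1)[-1]
    return resolve(domain) is not None


if __name__ == "__main__":
    forged = "offers@no-such-shop-q7.com"  # constructed forged sender
    print("wildcarded, unfiltered:", sender_domain_exists(wildcarded_resolver, forged))
    wild = detect_wildcard(wildcarded_resolver, "com")
    filtered = make_filtering_resolver(wildcarded_resolver, wild)
    print("wildcard addresses:", wild)
    print("filtered, forged:", sender_domain_exists(filtered, forged))
    print("filtered, real:", sender_domain_exists(filtered, "user@example.com"))
```
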

  24. A Service? by Woy · · Score: 3, Funny
    If I punch people in the face, can I call that a service, too?

    If you punch the verisign ppl in the face, you can bill me.

    --
    "If God created us in his own image we have more than reciprocated." - Voltaire
  25. It's better than MS by WogboTheFrogGod · · Score: 3, Insightful

    Once Verisign quits doing it, I revert to the damned MSN page every time there's a typo.

    Why isn't anyone bitching about MS?

    1. Re:It's better than MS by kindbud · · Score: 3, Insightful

      Because MS didn't foobar DNS to do it. They did it in the application, which is where this sort of service belongs. If you don't like the way IE does this, you can turn it off, or use a different browser. Can't turn off VRSN's fuckup.

      --
      Edith Keeler Must Die
  26. Verisign Hack by cybrangl · · Score: 3, Interesting

    So, what happens when Verisign gets its website hacked again? I would think that this would be a prime target for anyone who wants to get attention. It's just a matter of time.....

  27. Re:GST by Horny+Smurf · · Score: 4, Funny

    Assuming you have ten fingers,10% is 1 finger... and I know which one I'd give to the gov't.