Slashdot Mirror


VeriSign Responds To ICANN's SiteFinder Advisory

dmehus writes "VeriSign's Naming and Directory Services division has written to ICANN President and CEO Paul Twomey regarding the recent advisory concerning VeriSign's DNS wildcard redirection service. In the letter, VeriSign's Rusty Lewis says that they are open to independent and objective technical concerns expressed by various Internet bodies; they have formed their own "independent" panel of industry leading experts to produce its own, separate report; and they will not voluntarily suspend SiteFinder. It's a very terse response, and frankly, I'd have expected more from them. Slashdot readers are encouraged to visit ICANNWatch for in-depth, expert discussion on this and other issues."

32 of 464 comments

  1. Re:"several other registries"?? by RobertB-DC · · Score: 4, Informative

    Which ones?

    dot .ws, for one: try this. I think many other countries' 2-letter codes do the same, especially if the country has sold their national online identity for cold, hard cash.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  2. Re:Huh? by questamor · · Score: 2, Informative

    .cc is one, .cx another

  3. Check out the TOS by TedTschopp · · Score: 4, Informative

    Here is something interesting: Check out the Terms of Service:

    http://sitefinder.verisign.com/terms.jsp

    Is there anyway I can turn this service off? I disagree with the terms.

    Ted

    --
    Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
    1. Re:Check out the TOS by sikpig · · Score: 2, Informative

      Check out point 14. If you spell a domain incorrectly, you accept the terms:
      14. AGREEMENT TO BE BOUND.
      By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions herein and documents incorporated by reference.

      --
      I left my .sig in my other pants.
  4. Re:The bottom line... by signe · · Score: 5, Informative

    If your domain registration site is using a DNS lookup to check if a domain is registered, it is a very poor domain registration site. There is no guarantee that if a domain is registered, there are nameserver records for it anywhere except the gTLD root nameservers.

    Registrars should be using the SRS system provided by VeriSign Naming and Directory Services to check if a domain is registered. This is the same system that they use to register domains with the registry (run by VNDS). This system can and does provide a definite yes or no as to whether a domain may be registered.

    Love VeriSign or hate it, but get your facts straight.

    --
    "The details of my life are quite inconsequential..."
  5. Re:Huh? by Anonymous Coward · · Score: 5, Informative

    I don't think I've seen this posted before, but some people may find it interesting. Here are the contracts between ICANN and Verisign for .com and .net (.org is there also, but it no longer applies).

  6. Come on guys by dachshund · · Score: 2, Informative
    This is just bad business. We all know how this is going to turn out-- it'll bounce back and forth from Verisign to ICANN to the tech press and eventually to the mainstream press until the negative publicity reaches the point where Verisign won't have any alternative but to yank it.

    See, two days ago this was a technical issue that only a handful of nerds cared about. Two months from now it's going to be "Verisign, the organization granted a monopoly on control of the entire Internet and insists on defying the rest of the Internet community." People who never even heard of DNS will come away from this thinking that Verisign means shady.

    Save us all the time and dozens of inevitable Slashdot stories (+ dupes) and dump the thing.

  7. Re:Gimme a break by LostCluster · · Score: 4, Informative

    It was Network Solutions (a company that was absorbed by Verisign) that created the concept of paying for domain names in the first place... there was a day when domains were free to the end users.

  8. Reach these idiots directly by SlapAyoda · · Score: 5, Informative

    Hey, if you feel strongly about this issue, you can reach them directly. Just call 703 925 6999. That's the direct line for VeriSign Naming and Directory Services. I tried to get Rusty on the line, but they're on the East coast and he had already left the office.

    I just spoke with a nice secretary lady who told me that she was 'sad to hear' that I, "an investor", was going to sell my "2000 shares" of Verisign first thing in the morning due to their horrible wildcard DNS policies.

    When I asked why they are doing this, she told me it was a "marketing decision" and that "somebody in the marketing department" thought it up.

    She said that I was the first person she had heard complain about it, though she had read somewhere that it was "controversial".

    If anybody has any success getting through to these people, post any interesting tidbits you find out. Thanks.

    --
    # wrote sig.txt, 23 lines, 31337 chars
    1. Re:Reach these idiots directly by jelevy01 · · Score: 4, Informative

      Here is the response I got back:

      Subject:Site Finder Discontinuation Request

      Dear xxx,

      Thank you for contacting VeriSign Customer Service.

      Thank you for your feedback on the Site Finder service. It is not possible to opt out of the service. The Site Finder response is incurred when a non-existent domain name query in com/net is directed to us. It is not a service in which someone would subscribe to or sign up for.

      For more information please refer to our FAQs: http://www.verisign.com/nds/naming/sitefinder/

      We remain committed to ensuring that Site Finder improves Web navigation and the user experience.

      Thank you.

      If you require further assistance please contact us by replying to this email.

      Best Regards,

      David Reid
      Customer Service
      VeriSign, Inc.
      www.verisign.com
      sitefinder@verisign-grs.com

  9. Interesting by WndrBr3d · · Score: 4, Informative

    I think it's interesting how ICANN is coming at this situation. I think you have to realize how much money VeriSign makes ICANN. I'd dare to say that over 70% of all of ICANN's revenue is generated from VeriSign.

    So it's sort of the same situation that we are in with Middle Eastern oil. We're trying to tell them, 'Hey, make it cheaper and give us more,' but we can't strong-arm them, 'cause if they up and leave we're left high and dry.

    If VeriSign's registrar status were revoked, ICANN would stand to lose millions.

  10. Re:Gimme a break by ceejayoz · · Score: 4, Informative

    Why do you seek to portray Verisign as such a sleazy company?

    If you ever had a domain with them, you'd think they're sleazy too.

    I spent months trying to transfer a domain away from them, and when I finally thought I'd be able to do it, they told me "You can't transfer your domain when there are less than 30 days to the renewal date" - essentially, they made me pay $35 for 4 more days. Luckily, easyDNS is nice enough to honor the remaining time on your domains.

  11. Sign the petition by AlanWay · · Score: 5, Informative

    If you haven't already signed it, there's a petition at http://www.whois.sc/verisign-dns/ to encourage Verisign to rack off.

  12. uh ahem..wrong by linuxislandsucks · · Score: 2, Informative

    If Verisign's contract is revoked, ICANN will just choose another registrar and will still make their money...

    --
    Don't Tread on OpenSource
  13. Useful In Blocking Verisign? by WCityMike · · Score: 4, Informative

    I am a Mac OS X user and recently read an interesting hint on the Mac OS X Hints website.

    It appears that simply blocking sitefinder.verisign.com leads to a rather unpleasant 'timeout' error in a browser: a long wait prior to a timeout is hardly better than an instant appearance of VeriSign's SiteFinder service.

    However, one of the users, in the comments on the hint, noted that "[w]hen you type an incorrect URL, the Verisign DNS server actually returns an IP address, which is that of sitefinder-idn.verisign.com."

    He continues, "Blocking the sitefinder-idn.verisign.com server in the manner recommended in this hint would save a fraction of a second but the main problem with this hint is that it suggests blocking the response when a far more efficient method would be to block the outgoing request. The system tells the browser that permission is denied for this request and the browser passes that information along immediately. Thus, the rule I use is:

    sudo ipfw add 1170 deny tcp from any to 64.94.110.11 setup

    I have been using this rule without any noticeable problems. Perhaps it might be of use to others?

    1. Re:Useful In Blocking Verisign? by Smallpond · · Score: 2, Informative

      Some other VeriSign IP addresses

      64.94.110.11 sitefinder-idn.verisign.com
      65.205.249.60 www.verisign.net
      216.168.253.68 digitalid.verisign.net
      216.168.254.20 bay-w1-inf5.verisign.net
      216.168.254.21 goldengate-w2-inf6.verisign.net
      198.41.3.39 ns1.crsnic.net

  14. Re:For us non Sysadmins by ScrewMaster · · Score: 2, Informative

    The Department of Commerce, I think. Weren't they the ones that set up ICANNt in the first place?

    --
    The higher the technology, the sharper that two-edged sword.
  15. Examples in other TLDs by marnanel · · Score: 3, Informative

    BTW: Does anybody know what they're talking about when they claim that other TLDs have implemented something like SiteFinder?

    Here: .ac .cc .cx .mp .nu .ph .pw .sh .td .tk .tm .ws .museum. (I posted something similar last time a similar story came up.)

    --
    GROGGS: alive and well and living in
  16. Re:So who actually expected them to cooperate? by efti · · Score: 2, Informative
    otherwise they would not have invested some amount of time and energy into its implementation

    I don't know about the effort they put into it... If you look at the previous articles about Sitefinder, a number of people pointed out a whole heap of cross-site scripting vulnerabilities. While these cannot be used to compromise the server itself, they suggest that the site was coded up in a hurry and without much regard for security -- and that there will probably be other holes in the code.

    Wouldn't it be great to see '0W|\|z3d By l337 H4XX0r d00dz' when you mistype a domain name? ;-) I'm sure every script kiddie out there is itching to be the first to deface Sitefinder.

    --
    I signed up for a /. account and all I got was this crappy sig
  17. My Solution by 7zark7 · · Score: 2, Informative

    As a network admin for a small ISP I found a simple workaround.

    First I set up a webserver:

    /sbin/ifconfig eth0:1 64.94.110.11 netmask 255.255.255.255

    add to apache

    <VirtualHost 64.94.110.11>
    DocumentRoot /www/nodns
    ServerName A.com
    ErrorLog logs/nodnserror.log
    CustomLog logs/nodns.log common
    </VirtualHost>

    Set up a webpage for this server.

    On my Cisco I set up the following route:

    ip route 64.94.110.11 255.255.255.255 xxx.xxx.xxx.xxx

    where xxx.xxx.xxx.xxx is the real ip of my server.

  18. GoDaddy files sute against Verislime by CEO+Guy · · Score: 2, Informative

    https://www.godaddy.com/gdshop/pressreleases/verisign_suit.asp?isc=&se=%2B&from%5Fapp=

  19. Re:This is the last straw by CPgrower · · Score: 2, Informative

    Switch to an alternative root server such as this.

  20. Call your ISP, ask em to upgrade BIND by jafiwam · · Score: 3, Informative

    ISC.org has come out with a couple of new versions of BIND (on several platforms) that make the Verisign thing irrelevant.

    Essentially, here's how it works:

    Rather than simply accepting any response from any root DNS server, the new version of BIND only accepts an NS record (that states the authoritative DNS server) rather than an A record (which maps a hostname or domain to an IP address). So the root servers can only do what they are supposed to do: tell your local DNS servers where to find the authoritative servers. Even if they are configured to do something differently, BIND responds by forwarding an NXDOMAIN back to the querying client. Essentially, if an IP address comes back from the server, the response from the browser then becomes "DNS Error".

    This has several advantages:

    - it doesn't matter what ICANN does or what Verisign does, responses to DNS queries happen as they should.

    - the patch fixes ALL of the TLDs, so it doesn't matter what the .RU or .CX or whatever registrars do.

    - it can be done on the ISP level. Though I have no proof, I think there are BIG ISPs out there that have done this already (Earthlink has been mentioned).

    - no routing, blocking or other stuff that could cause problems in the future is involved

    - Joe Grandpa Internet User never needs to know, and doesn't notice anything different when the fix happens

    I do not know about MS DNS Server, or other non-BIND DNS servers, but I am sure there will be patches or upgrades from your publisher.

    If you run servers, go to ISC.org and read up about the upgrades. If you don't, check your publisher's web site. If you don't run DNS, call or email your ISP and ask them to upgrade their BIND at their earliest convenience.

    Though I think it would be better if RFCs were binding, or if they were followed voluntarily... there is more than one way to get the right thing done.
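
The resolver-side check the comment above describes, as an added example written for this page (it is not ISC's BIND code, nor anything from VeriSign): a resolver treats the .com servers as delegation-only, accepts referrals and the zone's own apex data, and rewrites any other answer they hand back, such as a wildcard-synthesised A record for a name that does not exist, into NXDOMAIN. The DNS wire messages are constructed by hand so the script runs offline; the names under example.com and the nameserver ns1.example.com are made up for illustration, and the only address taken from the thread is SiteFinder's 64.94.110.11.

```python
"""Delegation-only policy for replies from a TLD nameserver (added example)."""
import socket
import struct

QTYPE_A, QTYPE_NS = 1, 2
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
SITEFINDER_IP = socket.inet_aton("64.94.110.11")  # address posted in the thread


def encode_name(name):
    """Uncompressed wire-format owner name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (lower-cased name, offset after the name); follows compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def build_response(qname, qtype, rcode, answers=(), authority=()):
    """Assemble a reply; answers/authority are (owner, rtype, rdata) tuples (constructed data)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8000 | rcode, 1, len(answers), len(authority), 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in list(answers) + list(authority):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 172800, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Parse header, question, answer and authority sections into a dict."""
    _id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    resp = {"qname": qname, "qtype": qtype, "rcode": flags & 0xF, "answer": [], "authority": []}
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            resp[section].append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return resp


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def apply_delegation_only(resp, zone):
    """Return (rcode, reason) a resolver should use for a reply from the server for `zone`.

    Only referrals (empty answer section, NS records in the authority section) and the
    zone's own apex data pass; any other answer is rewritten to NXDOMAIN, which is what
    the client would have received before the wildcard was added.
    """
    if resp["rcode"] != RCODE_NOERROR:
        return resp["rcode"], "server's own error code passed through"
    if not resp["answer"]:
        if any(rtype == QTYPE_NS and in_zone(owner, zone) for owner, rtype, _ in resp["authority"]):
            return RCODE_NOERROR, "referral accepted"
        return RCODE_NOERROR, "empty answer (NODATA) accepted"
    if all(owner == zone for owner, _, _ in resp["answer"]):
        return RCODE_NOERROR, "apex data accepted"
    return RCODE_NXDOMAIN, "answer below a delegation-only zone rewritten to NXDOMAIN"


def demo():
    """Three constructed replies from a .com server, checked with zone 'com'."""
    cases = {
        "sitefinder": build_response("nonexistent-name.com", QTYPE_A, RCODE_NOERROR,
                                     answers=[("nonexistent-name.com", QTYPE_A, SITEFINDER_IP)]),
        "referral": build_response("www.example.com", QTYPE_A, RCODE_NOERROR,
                                   authority=[("example.com", QTYPE_NS, encode_name("ns1.example.com"))]),
        "honest_nxdomain": build_response("nonexistent-name.com", QTYPE_A, RCODE_NXDOMAIN),
    }
    return {name: apply_delegation_only(parse_response(msg), "com") for name, msg in cases.items()}


if __name__ == "__main__":
    for name, (rcode, reason) in demo().items():
        print(f"{name:16s} rcode={rcode}  {reason}")
```

The policy is keyed on the server's role, not on the address it returns, so it catches any TLD that synthesises answers and does not need the list of VeriSign IPs posted elsewhere in the thread; the trade-off, which the BIND release notes of the time also warned about, is that a TLD which legitimately serves A records directly (some of the small TLDs listed in comment 15 may) must be excluded from the delegation-only list.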

  21. Re:Huh? by mallie_mcg · · Score: 2, Informative

    Christmas Islands would be what you are thinking of.

    --
    Do the following really mean anything? SCSA MCP CCSA CCNA
    --I'm not actually after an answer!
  22. Re:Huh? by macdaddy · · Score: 3, Informative

    A wildcard GTLD was part of .museum's charter. Therefore it was approved and everything is fine. It was never part of the .com/.net GTLD contract and is not an authorized use of the domains.

  23. Re:Another real danger is... by kindbud · · Score: 4, Informative

    Government steps in to take over .net, .com, and .org. Everyone's screwed. So much for the free, cooperative, works-of-our-own-free-will Internet.

    You're posting from your AOL account, the one you just got with your first PC purchase. Am I right?

    If I am not right, and you've been connected to the internet for more than six minutes, then how can you possibly not know that the dot-com and dot-net servers were run by the US government for over a decade prior to Verisign, and domains were free of charge, and none of this crap happened.

    Far from everyone being screwed, the NSF ought to take it over again.

    --
    Edith Keeler Must Die
  24. Re:Huh? by msaulters · · Score: 4, Informative
    Somebody mod the parent up.

    Follow the link to the contract, choose 'functional specification' and then jump down to 'Nameserver functional specifications' which I quote:

    Nameserver operations for the Registry TLD shall comply with RFC 1034, 1035, and 2182.


    ICANN Please, Please, Please, Please, Please, PLEASE!!!! take that letter and offer to shove it up Verisign's ass gift-wrapped in their contract.

    OR

    <big giant cluebat>
    You *THWAP* DON'T! *THWAP* BREAK *THWAP* THE R *THWAP* F *THWAP* C! *THWAP*
    </big giant cluebat>
    --
    These people looked deep into my soul and assigned me a number based on the order in which I joined.
  25. Another real danger... [READ: MOD DOWN PARENT] by pr0ntab · · Score: 1, Informative

    is that Ophidian P Jones is a troll who just posts other users' high karma posts from previous, related articles.

    CAN THE MODS GET A FUCKING CLUE AND MOD THIS INTO THE GROUND?!

    Christ almighty.

    --
    Fuck Beta. Fuck Dice
  26. Whom You Should Complain To: by SEE · · Score: 2, Informative
    1. The Department of Commerce; VeriSign's contract to operate .com and .org was originally with them.
    2. The Federal Communications Commission, which oversees telecommunications.
    3. The Senate Commerce Committee's Subcommittee on Communications; contact the committee itself, the chairman, the ranking member, and any of the other members you'd like.
    4. The House Subcommittee on Telecommunications and the Internet, including the committee itself, the chairman, the vice-chairman, and the ranking member.

    By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.

  27. Re:Huh? by trims · · Score: 5, Informative

    Section 4.3.1 of RFC 1034 pretty clearly states that the response to a name query is to be:

    If recursive service is requested and available, the recursive response to a query will be one of the following:
    • The answer to the query, possibly preface by one or more CNAME RRs that specify aliases encountered on the way to an answer.
    • A name error indicating that the name does not exist. This may include CNAME RRs that indicate that the original query name was an alias for a name which does not exist.
    • A temporary error indication.
    If recursive service is not requested or is not available, the non-recursive response will be one of the following:
    • An authoritative name error indicating that the name does not exist.
    • A temporary error indication.
    • Some combination of:
    • RRs that answer the question, together with an indication whether the data comes from a zone or is cached.
    • A referral to name servers which have zones which are closer ancestors to the name than the server sending the reply.
    • RRs that the name server thinks will prove useful to the requester.

    Now, the section thereafter goes on to talk about wildcards, so they are pretty much out of luck for saying that VeriSign isn't implementing the RFCs correctly. However, another portion of the RFC makes it very clear that wildcards are only for use within an entity's domain of control (that is, *.foo.com in DNS will not affect lookups under bar.com). The key here is that it is up to the OWNER of the domain in question as to the appropriateness of wildcards in DNS. VeriSign does NOT OWN THE .COM TLD. They merely ADMINISTER it for ICANN. Thus, there is a very good case for VeriSign being in breach of contract by failing to carry out the wishes of the OWNER of the .COM TLD. Which in this case is ICANN.

    Basically, I would be a bit more thorough before going to VeriSign, but afterwards, I'd still whack them over the head with the contract and force them to remove the wildcard.

    -Erik

    --
    There are always four sides to every story: your side, their side, the truth, and what really happened.
  28. For The Rest Of Us by Narcogen · · Score: 2, Informative

    I've spent a good amount of time this week trying to talk to end-users about this issue, and found there's a lot of background to fill in so people understand why they should care about this. Once you get through that, most have wanted to do something to at least prevent themselves from being affected. But it's a lot of work explaining the background over and over again. In some cases, to people who should know better, including CEOs of medium sized telcos. What I did do is put up a really short explanation of the problem and of three recourses-- the petition, the ISC patch for BIND, and reconfiguring a PC for using OpenNIC DNS servers. I'm open to revising and/or expanding it if people can provide more information that I've left out, although I've tried to keep it short. The item is here: What Is SiteFinder, And Why Should I Care? I did this primarily for my own clients, but it may be of use to others. YMMV.

  29. Re:Huh? by Loconut1389 · · Score: 2, Informative

    The old fashioned way, use one of the registries/registrars or whois.