VeriSign Responds To ICANN's SiteFinder Advisory
dmehus writes "VeriSign's Naming and Directory Services division has written to ICANN President and CEO Paul Twomey regarding the recent advisory concerning VeriSign's DNS wildcard redirection service. In the letter, VeriSign's Rusty Lewis says that they are open to independent and objective technical concerns expressed by various Internet bodies; they have formed their own "independent" panel of industry leading experts to produce its own, separate report; and they will not voluntarily suspend SiteFinder. It's a very terse response, and frankly, I'd have expected more from them. Slashdot readers are encouraged to visit ICANNWatch for in-depth, expert discussion on this and other issues."
From the letter to ICANN:
As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.
Well, I think that the world would have appreciated the same level of consideration before the system was ever even implemented in the first place.
Unilateral Military Action.
In case you are not a doubleplusgood duckspeaker, here is a helpful translation of Verisign's letter to ICANN.
Dear Paul:
Translation: Dear meddlesome twit:
This will respond to the ICANN Advisory concerning VeriSign's Deployment of DNS Wildcard Service dated 19 September 2003.
We're about to tell you where you can stick your "advisory".
In the footsteps of several other registries that have done the same, we recently deployed a wildcard in the .com and .net zones.
Verisign has no problem being just as sleazy and underhanded as any of our competitors.
This was done after many months of testing and analysis and in compliance with all applicable technical standards.
Marketing sees dollar signs, and legal says we can get away with it.
All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder.
None of the lusers who installed "The Internet" on their computers has a clue that we've even done anything.
These results are consistent with the findings from the extensive research we performed.
They are, however, clicking the pretty buttons, just like we hoped they would.
We are, of course, very interested in any objective technical information ICANN may have received concerning the service and would welcome the opportunity to work with you to review such data. To that end, we have reached out to schedule meetings... of leading experts in the field.
Let's have a meeting. Then another. Then another. Then, we'll codify the new de facto "standard".
As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.
We're going to get our way, because we can, and there's nothing you can do about it. Weenie.
After completing an assessment of any operational impact of our wildcard implementation, we will take any appropriate steps necessary.
And if we don't get our way, we'll pay off anyone we need to.
I look forward to continuing to work with you on this issue.
Kiss our ass.
Best Regards,
See you in Hell,
Russell Lewis
Executive Vice President, General Manager
VeriSign Naming and Directory Services
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
The same "independent" panel of industry leading experts recommends SCO's Linux license and conducted a study showing that Windows is indeed cheaper than Linux and BSD.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
I think it's time for ICANN to look for someone else to run the NET and COM TLDs. Not only are they unwilling to suspend SiteFinder after an enormous public outcry and a direct request from ICANN, but they didn't even bother telling anyone they were going to do this in the first place ahead of time. This is absolutely terrible, and I hope ICANN finds someone else to manage these TLDs
We'll know if these "negotiations" fall apart if "www.icannwatch.org" suddenly displays SiteFinder.
I watched C-beams glitter in the dark near the Tannhauser gate.
Okay, so I can see and understand the effect wildcarding had on the domains, and why it's a bad thing.
I'm also familiar with the basic structure of the DNS network. However, I'm not familiar with the regulatory system.
Can someone explain who regulates who gets to control what domains? Can ICANN revoke Verisign's control of the .net and .com domains? If not, who can?
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
Which ones?
.ws, for one: try this. I think many other countries' 2-letter codes do the same, especially if the country has sold their national online identity for cold, hard cash.
dot
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
of SiteFinder is the fact that non-English speakers no longer receive an error message in their own language, but are confounded with some bizarre English language site which certainly wasn't where they were trying to get to.
...that enough of a ruckus will be kicked up over this that someone will have the following bright idea:
Let's make this illegal!
Voila. Government steps in to take over .net, .com, and .org. Everyone's screwed. So much for the free, cooperative, works-of-our-own-free-will Internet. Thanks, Verisign.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
A quick look at fasilmile.com reveals that VeriSign invented it. Link
And the l33t shall inherit the 34r7h.
Here is something interesting: Check out the Terms of Service:
http://sitefinder.verisign.com/terms.jsp
Is there any way I can turn this service off? I disagree with the terms.
Ted
Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
Dear Paul
After the extensive research of how IE directs bad names to MSN Search, we decided that we couldn't let the bastards at MS be the only ones that make money off of poor saps who can't type their URLs right.
We really don't give a rat's ass about what ICANN thinks but just to shut your whiney mouth off, I hired a review panel of leading experts in the field. They include Linux code reviewers from SCO, the guy who thought of domain parking for Register.COM, and the guy who invented One-Click shopping.
As to your call for us to suspend the service, I'd like to politely say "go fuck yourself" with the utmost respect ICANN's Chairman, Vint Cerf, and ICANN's Security and Stability Advisory Committee, Steve Crocker. Crocker, now that's a funny name, just like ICANN.
If you send any more letters, I will personally wipe my ass with it.
Go to hell,
Russell Lewis
Executive Vice President, General Manager
All Your Typos Are Belong To Us, Inc.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
If your domain registration site is using a DNS lookup to check if a domain is registered, it is a very poor domain registration site. There is no guarantee that if a domain is registered, there are nameserver records for it anywhere except the gTLD root nameservers.
Registrars should be using the SRS system provided by VeriSign Naming and Directory Services to check if a domain is registered. This is the same system that they use to register domains with the registry (run by VNDS). This system can and does provide a definite yes or no as to whether a domain may be registered.
Love VeriSign or hate it, but get your facts straight.
"The details of my life are quite inconsequential..."
Why do you seek to portray Verisign as such a sleazy company?
Because they are and always have been.
Besides using the fact that they run the root servers to hijack all unused addresses, in the past they've sent misleading correspondence to domain name owners to get them to switch registrars to verisign when all they want to do is renew.
It was Network Solutions (a company that was absorbed by Verisign) that created the concept of paying for domain names in the first place... there was a day when domains were free to the end users.
If not, what better target for a lawsuit!
Hey, if you feel strongly about this issue, you can reach them directly. Just call 703 925 6999. That's the direct line for VeriSign Naming and Directory Services. I tried to get Rusty on the line, but they're on the East coast and he had already left the office.
I just spoke with a nice secretary lady who told me that she was 'sad to hear' that I, "an investor", was going to sell my "2000 shares" of Verisign first thing in the morning due to their horrible wildcard DNS policies.
When I asked why they are doing this, she told me it was a "marketing decision" and that "somebody in the marketing department" thought it up.
She said that I was the first person she had heard complain about it, though she had read somewhere that it was "controversial".
If anybody has any success getting through to these people, post any interesting tidbits you find out. Thanks.
# wrote sig.txt, 23 lines, 31337 chars
I think it's interesting how ICANN is coming at this situation. I think you have to realize how much money VeriSign makes ICANN. I'd dare to say that over 70% of all of ICANNs revenue is generated from VeriSign.
So it's sort of the same situation that we are in with Middle Eastern Oil. We're trying to tell them, 'Hey, make it cheaper and give us more' but we can't strong arm them. 'cause if they up and leave we're left high and dry.
If VeriSign were to be revoked their registrar status, ICANN would stand to lose millions.
Why do you seek to portray Verisign as such a sleazy company?
If you ever had a domain with them, you'd think they're sleazy too.
I spent months trying to transfer a domain away from them, and when I finally thought I'd be able to do it, they told me "You can't transfer your domain when there are less than 30 days to the renewal date" - essentially, they made me pay $35 for 4 more days. Luckily, easyDNS is nice enough to honor the remaining time on your domains.
If you haven't already signed it, there's a petition at http://www.whois.sc/verisign-dns/ to encourage Verisign to rack-off.
Dear verisign,
The recent update to BIND contains a feature you should be aware of.
In 1 month, every lookup for any domain registered directly with verisign will fail with %0.1 probability.
The probability will increase by %0.1 per day until the wildcard issue is resolved or until verisign becomes useless as a registrar.
We look forward to a prompt and amicable resolution.
Best wishes,
The Internet.
Doing any sleazy thing one can imagine just because their lawyers think they can probably get away with it is not an appropriate way to do business - or an honorable one.
And "just doing what they needed to do to survive" is the same excuse the Donner Party used.
I am a Mac OS X user and recently read an interesting hint on the Mac OS X Hints website.
It appears that simply blocking sitefinder.verisign.com leads to a rather unpleasant 'timeout' error in a browser: a long wait prior to a timeout is hardly better than an instant appearance of VeriSign's SiteFinder service.
However, one of the users, in the comments on the hint, noted that "[w]hen you type an incorrect URL, the Verisign DNS server actually returns an IP address, which is that of sitefinder-idn.verisign.com."
He continues, "Blocking the sitefinder-idn.verisign.com server in the manner recommended in this hint would save a fraction of a second but the main problem with this hint is that it suggests blocking the response when a far more efficient method would be to block the outgoing request. The system tells the browser that permission is denied for this request and the browser passes that information along immediately. Thus, the rule I use is:
sudo ipfw add 1170 deny tcp from any to 64.94.110.11 setup
I have been using this rule without any noticeable problems. Perhaps it might be of use to others?
ICANN can revoke their authorization last I heard. They are pretty much push-overs for corporations so I don't see any top down remedies to this blatant misrepresentation of their powers.
On second thought, here is my idea: Have Verisign pay ICANN for every bogus returned DNS request, since technically Verisign has registered billions of domains, I'd say that ICANN is entitled to a mighty large chunk of Verisign revenues. More than the service is worth? One can only hope.
Bye!
If one looks at the newsgroups as historically how something like this works, the .museum TLD is a highly restrictive, highly controlled domain. Its entire purpose is for respected institutions to be listed. So, them having a master index and a reply indicating an invalid domain makes sense, since the entire domain listing easily scrolls through a few screens only. It would be the equivalent of a comp or sci newsgroup; highly structured groups with moderation and content rules.
.com is the tld equivalent of alt., where anyone can create and post anything, without moderation, without structure. Attempting to impose structure, in the form of sitefinder, is stupid in this instance, since the organizations represented in .com are usually for-profit or attempting to jockey for position. If I have a business, do I now have to register every possible combination of my domain to keep idiots from being redirected to a customer of mine because they paid verisign to add them to the referral page for a misspelling of my domain name? I also have to worry about verisign giving precedence to domains registered through them in the recommended sites, and if I have a godaddy.com-registered domain, will I end up being denied business that would normally have realised that they made a typo, to fix it and come to me?
This is the real problem that I have with sitefinder. It being in the hands of a commercial organization who has exhibited a systematic behaviour of putting profit before anything else will only exploit this situation. They will start selling placement on messed up domain entries, they will start denying domains registered through other registrars the same regular placement as their own, and they will destroy what had been a fairly free and open system.
I'd recommend that if Verisign doesn't immediately stop this insanity that we write to our legislators and demand that control of the TLDs that Verisign manages be removed and handed to ICANN to deal with directly.
Do not look into laser with remaining eye.
BTW: Does anybody know what they're talking about when they claim that other TLDs have implemented something like SiteFinder?
Here: .ac .cc .cx .mp .nu .ph .pw .sh .td .tk .tm .ws .museum. (I posted something similar last time a similar story came up.)
GROGGS: alive and well and living in
Has anyone noticed that they are tracking the clickthroughs of the search results. (Note: google does not do this)
They are building a huge database of behavior. It is tied to your ip address. I wonder what their policy is on releasing that information to the government? (they originally were government chartered)
Hell. I wonder if they were put up to it by the Department of Homeland Security.
At the very least, it will prove to be an invaluable, and highly marketable database.
Hit them where it hurts, in the bottom-line. Complaining to everyone may get this fixed, but patching your nameserver and then going after the back-end may also get results.
If you check out Verisign's traffic page at Alexa (http://www.alexa.com/data/details/traffic_details?q=&url=http://www.verisign.com), you can see why they aren't easily giving up their sitefinder project.
Not really. You posted anonymously, I didn't. Nothing against you (since I have no idea who you are, obviously), but I set very little stock by anything posted without a name. I understand that there are reasons to post anonymously, such as to not bring down the wrath of an employer. However, there's still the concept of if you won't even sign your name to what you've said, how much can it be worth? Additionally, a lot of moderators take the tact of never moderating AC posts up. And you also started your post with a personal insult, which a lot of people automatically view as flamebait.
Either way, the important thing is that someone got modded up to point out how wrong that guy was. And that he got modded down.
-Todd
"The details of my life are quite inconsequential..."
ISC.org has come out with a couple new versions of BIND (on several platforms) that make the Verisign thing irrelevant.
Essentially, here's how it works:
Rather than simply accepting any response from any root DNS server, the new version of bind only accepts an NS record (that states the authoritative DNS server) rather than an A Record (which maps a hostname or domain to an IP address). So the root servers can only do what they are supposed to do; tell your local DNS servers where to find the authoritative servers. Even if they are configured to do something differently, BIND responds by forwarding an NXDOMAIN back to the querying client. Essentially, if an IP address comes back from the server, the response from the browser then becomes "DNS Error".
This has several advantages:
- it doesn't matter what ICANN does or what Verisign does, responses to DNS queries happen as they should.
- the patch fixes ALL of the TLDs, so it doesn't matter what the .RU or .CX or whatever registrars do.
- it can be done on the ISP level. Though I have no proof, I think there are BIG ISPs out there that have done this already (Earthlink has been mentioned).
- no routing, blocking or other stuff that could cause problems in the future is involved
- Joe Grandpa Internet User never needs to know, and doesn't notice anything different when the fix happens
I do not know about MS DNS Server, or other non-BIND DNS servers, but I am sure there will be patches or upgrades from your publisher.
If you run servers, go to ISC.org and read up about the upgrades. If you don't, check your publisher's web site. If you don't run DNS call or email your ISP and ask them to upgrade their BIND at their earliest convenience.
Though I think it would be better if RFCs were binding, or if they were followed voluntarily... there is more than one way to get the right thing done.
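A simplified model of the filtering the comment above describes, as an added example that is not BIND's code and not part of the original post: a response from a TLD's servers is kept only if it concerns the zone apex or is a referral (NS records for a child zone); anything else is rewritten to NXDOMAIN. The classes, function names and sample names are assumptions made for illustration; 64.94.110.11 is the address quoted earlier in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str    # owner name, e.g. "example.com."
    rtype: str   # "A", "NS", "SOA", ...
    data: str

@dataclass
class Response:
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def is_below(name, zone):
    """True if name is a strict subdomain of zone (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name != zone and name.endswith("." + zone)

def enforce_delegation_only(qname, resp, zone):
    """Filter a response received from the servers of `zone` (e.g. "com")."""
    if resp.rcode != "NOERROR":
        return resp                      # already an error, nothing to rewrite
    if not is_below(qname, zone):
        return resp                      # apex data (the zone's own SOA/NS)
    referral = not resp.answer and any(
        rr.rtype == "NS" and is_below(rr.name, zone) for rr in resp.authority
    )
    if referral:
        return resp                      # normal delegation to a child zone
    # The TLD server answered for a name below the apex itself (a wildcard
    # A record or wildcard NODATA): report the name as nonexistent instead.
    return Response(rcode="NXDOMAIN")

# Constructed sample responses (not captured traffic).
WILDCARD = Response(answer=[RR("typo-constructed.com.", "A", "64.94.110.11")])
REFERRAL = Response(authority=[RR("example.com.", "NS", "ns1.example.net.")])
APEX = Response(answer=[RR("com.", "SOA", "constructed-soa-data")])
NODATA = Response(authority=[RR("com.", "SOA", "constructed-soa-data")])

if __name__ == "__main__":
    for q, r in [("typo-constructed.com.", WILDCARD),
                 ("www.example.com.", REFERRAL),
                 ("com.", APEX),
                 ("typo-constructed.com.", NODATA)]:
        print(q, "->", enforce_delegation_only(q, r, "com").rcode)
```

The same function applied with a different `zone` argument covers any other TLD that publishes a wildcard, which is the point the comment makes about the fix not depending on one registry.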
It may seem like a lot of effort, but, if everyone who hates this service just sends them a few words saying so, by email, by putting the following list of every address they have into their send line, they won't have an email system at all :) And it might be just a little fun too!
Here they are :) All 1 line, with , inserted, so you can just copy and paste it :)
consultingsolutions@verisign.com, websitesales@verisign.com, verisales@verisign.com, clientpki@verisign.com, internetsales@verisign.com, paymentsales@verisign.com, dnssales@verisign.com, digitalbranding@verisign.com, vts-mktginfo@verisign.com, channel-partners@verisign.com, premiersupport@networksolutions.com, authenticode-support@verisign.com, objectsigning-support@verisign.com, enterprise-sslsupport@verisign.com, vps-support@verisign.com, webhelp@verisign.com, practices@verisign.com, renewal@verisign.com, vts-csrgroup@verisign.com, info@verisign-grs.com
*There's Klingons on the starboard bow, scrape em off Jim!*
If selfless people existed, we might discuss what they could produce. That said, there are many generous people who are also intelligent and hard working that have made huge contributions to the computing world. As a result of them, we have the Internet, Web sites, Linux, and various less-well-known projects and products.
I call bullshit on this one. Verisign is being greedy and abusing their stewardship. They don't own .com or .net, but they are making decisions for all of us that do own a part of it. If my $35.00 doesn't go to support those "willingly-provided" DNS servers, then why did I pay it? The solution is to roll back the clock 14 days and not have this "Service" implemented. If Verisign wants typos to drive traffic, they should do what everyone else is forced to do, and buy a browser.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law