Slashdot Mirror

← Back to Stories (view on slashdot.org)

VeriSign Responds To ICANN's SiteFinder Advisory

Posted by simoniker on from the a-proper-mexican-standoff dept.

dmehus writes "VeriSign's Naming and Directory Services division has written to ICANN President and CEO Paul Twomey regarding the recent advisory concerning VeriSign's DNS wildcard redirection service. In the letter, VeriSign's Rusty Lewis says that they are open to independent and objective technical concerns expressed by various Internet bodies; they have formed their own "independent" panel of industry leading experts to produce its own, separate report; and they will not voluntarily suspend SiteFinder. It's a very terse response, and frankly, I'd have expected more from them. Slashdot readers are encouraged to visit ICANNWatch for in-depth, expert discussion on this and other issues."

16 of 464 comments (clear)

  1. Huh? by mrpuffypants · · Score: 5, Funny

    From the letter to ICANN:

    As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.

    Well, I think that the world would have appreciated the same level of consideration before the system was ever even implemented in the first place.

    1. Re:Huh? by rgmoore · · Score: 5, Insightful
      As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.
      That's an interesting thing for them to say, especially because earlier in the letter they said:
      All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder.

      So which is it? Have they not yet had a chance to gather any data, or have they gathered the data and found that it's beneficial to users? Or, as seems most likely, are they just saying anything that they think will get ICANN off their backs for long enough for them to sell a bunch of registrations?

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    2. Re:Huh? by Anonymous Coward · · Score: 5, Informative

      I don't think I've seen this posted before, but some people may find it interesting. Here's the contracts between ICANN and Verisign for .com and .net (.org is there also, but it no longer applies).

    3. Re:Huh? by Leto2 · · Score: 5, Insightful

      msaulters, for completeness, since you seem to be intimately knowledgeable on the RFCs, can you paste the relevant sections from these three RFCs that apply to Verisign's wildcarding?

      --
      <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
    4. Re:Huh? by trims · · Score: 5, Informative

      Section 4.3.1 of RFC 1034 pretty clearly states that the response to a name query is to be:

      If recursive service is requested and available, the recursive response to a query will be one of the following:
      • The answer to the query, possibly preface by one or more CNAME RRs that specify aliases encountered on the way to an answer.
      • A name error indicating that the name does not exist. This may include CNAME RRs that indicate that the original query name was an alias for a name which does not exist.
      • A temporary error indication.
      If recursive service is not requested or is not available, the non-recursive response will be one of the following:
      • An authoritative name error indicating that the name does not exist.
      • A temporary error indication.
      • Some combination of:
      • RRs that answer the question, together with an indication whether the data comes from a zone or is cached.
      • A referral to name servers which have zones which are closer ancestors to the name than the server sending the reply.
      • RRs that the name server thinks will prove useful to the requester.

      Now, the section thereafter goes on to talk about wildcards, so they are pretty much out of luck for saying that VeriSign isn't implementing the RFCs correctly. However, another portion of the RFC makes it very clear that wildcards are only for use within an entity's domain of control (that is, *.foo.com in DNS will not affect lookups under bar.com). The key here is that it is up to the OWNER of the domain in question as to the appropriateness of wildcards in DNS. VeriSign does NOT OWN THE .COM TLD. They merely ADMINISTER it for ICANN. Thus, there is a very good case for VeriSign being in breach of contract by failing to cary out the wishes of the OWNER of the .COM TLD. Which in this case is ICANN.

      Basically, I would be a bit more thorough before going to VeriSign, but afterwards, I'd still wack them over the head with the contract and force them to remove the wildcard.

      -Erik

      --
      There are always four sides to every story: your side, their side, the truth, and what really happened.
  2. Translation, for the doublespeak impaired by RobertB-DC · · Score: 5, Funny

    In case you are not a doubleplusgood duckspeaker, here is a helpful translation of Verisign's letter to ICANN.

    Dear Paul:
    Translation: Dear meddlesome twit:

    This will respond to the ICANN Advisory concerning VeriSign's Deployment of DNS Wildcard Service dated 19 September 2003.
    We're about to tell you where you can stick your "advisory".

    In the footsteps of several other registries that have done the same, we recently deployed a wildcard in the .com and .net zones.
    Verisign has no problem being just as sleazy and underhanded as any of our competitors.

    This was done after many months of testing and analysis and in compliance with all applicable technical standards.
    Marketing sees dollar signs, and legal says we can get away with it.

    All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder.
    None of the lusers who installed "The Internet" on their computers has a clue that we've even done anything.

    These results are consistent with the findings from the extensive research we performed.
    They are, however, clicking the pretty buttons, just like we hoped they would.

    We are, of course, very interested in any objective technical information ICANN may have received concerning the service and would welcome the opportunity to work with you to review such data. To that end, we have reached out to schedule meetings... of leading experts in the field.
    Let's have a meeting. Then another. Then another. Then, we'll codify the new de facto "standard".

    As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.
    We're going to get our way, because we can, and there's nothing you can do about it. Weenie.

    After completing an assessment of any operational impact of our wildcard implementation, we will take any appropriate steps necessary.
    And if we don't get our way, we'll pay off anyone we need to.

    I look forward to continuing to work with you on this issue.
    Kiss our ass.

    Best Regards,
    See you in Hell,

    Russell Lewis
    Executive Vice President, General Manager
    VeriSign Naming and Directory Services

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  3. This is the last straw by ikewillis · · Score: 5, Interesting

    I think it's time for ICANN to look for someone else to run the NET and COM TLDs. Not only are they unwilling to suspend SiteFinder after an enormous public outcry and a direct request from ICANN, but they didn't even bother telling anyone they were going to do this in the first place ahead of time. This is absolutely terrible, and I hope ICANN finds someone else to manage these TLDs

  4. Bound to happen eventually by daeley · · Score: 5, Funny

    We'll know if these "negotiations" fall apart if "www.icannwatch.org" suddenly displays SiteFinder.

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  5. Perhaps the biggest concern... by ikewillis · · Score: 5, Interesting

    of SiteFinder is the fact that non-English speakers no longer receive an error message in their own language, but are confounded with some bizarre English language site which certainly wasn't where they were trying to get to.

  6. Translated... by Bull999999 · · Score: 5, Funny

    Dear Paul

    After the extensive research of how IE directs bad names to MSN Search, we decided that we couldn't let the bastards at MS be only ones that makes money off of poor saps who can't type their URLs right.

    We really don't give a rat's ass about what ICANN thinks but just to shut your whiney mouth off, I hires a review panel of leading experts in the field. They include Linux code reviewers from SCO, the guy who thought of domain parking for Register.COM, and the guy who invented One-Click shopping.

    As to your call for us to suspend the service, I'd like to politely say "go fuck yourself" with the upmost respect ICANN's Chairman, Vint Cerf, and ICANN's Security and Stability Advisory Committee, Steve Crocker. Crocker, now that's a funny name, just like ICANN.

    If you send any more letters, I will personally wipe my ass with it.

    Go to hell,

    Russell Lewis
    Executive Vice President, General Manager
    All Your Typos Are Belong To Us, Inc.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
  7. Re:The bottom line... by signe · · Score: 5, Informative

    If your domain registration site is using a DNS lookup to check if a domain is registered, it is a very poor domain registration site. There is no guarantee that if a domain is registered, there are nameserver records for it anywhere except the gTLD root nameservers.

    Registrars should be using the SRS system provided by VeriSign Naming and Directory Services to check if a domain is registered. This is the same system that they use to register domains with the registry (run by VNDS). This system can and does provide a definite yes or no as to whether a domain may be registered.

    Love VeriSign or hate it, but get your facts straight.

    --
    "The details of my life are quite inconsequential..."
  8. Is it accessible to the blind? by effer · · Score: 5, Insightful

    If not, what better target for a lawsuit!

  9. Reach these idiots directly by SlapAyoda · · Score: 5, Informative

    Hey, if you feel strongly about this issue, you can reach them directly. Just call 703 925 6999. That's the direct line for VeriSign Naming and Directory Services. I tried to get Rusty on the line, but they're on the East coast and he had already left the office.

    I just spoke with a nice secretary lady whom told me that she was 'sad to hear' that I, "an investor", was going to sell my "2000 shares" of Verisign first thing in the morning due to their horrible wildcard DNS policies.

    When I asked why they are doing this, she told me it was a "marketing decision" and that "somebody in the marketing department" thought it up.

    She said that I was the first person she had heard complain about it, though she had read somewhere that it was "controversial".

    If anybody has any success getting through to these people, post any interesting tidbits you find out. Thanks.

    --
    # wrote sig.txt, 23 lines, 31337 chars
  10. Sign the petition by AlanWay · · Score: 5, Informative

    If you havent allready signed it, there's a petition at http://www.whois.sc/verisign-dns/ to encourage Verisign to rack-off.

  11. Re:Check out the TOS by delta407 · · Score: 5, Interesting
    Is there anyway I can turn this service off? I disagree with the terms.
    I've been discussing this with Verisign for a week now, and Verisign legal is supposed to get back to me on that exact question.

    From the Terms of Service:
    10. Sole Remedy.
    YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED ... YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.
    My question to Verisign was "I'm dissatisfied. What does 'to discontinue use of the Verisign services' mean? I can move many domains to other TLDs, pull the Verisign root certificates from a few hundred workstations, cancel a PayFlow account that handles a few hundred thousand dollars per month, and have my clients cancel several thousand dollars worth of SSL certificates. Is that what you want me to do?"

    Again, no response as yet. :-)
  12. Re:I'm lost, please help. by ScottSpeaks! · · Score: 5, Insightful
    There are a variety of problems with this.
    • The most fundamental one from a systems-management standpoint (and the internet itself is one huge systems-management nightmare) is that DNS lookup is a core function that affects a lot more than just web browsing. You don't change such a core function without thoroughly testing the impact of such a change. At the very least, the co-operative nature of the internet requires that you at least tell everyone you're going to do it. And when people complain that you've just broken something, you damn well better put it back the way it was.
    • A case in point: A lot of anti-spam software uses DNS look-ups to identify bogus return addresses. Since DNS for .com and .net is no longer returning "not found" for bogus domains, this function is now failing.
    • Various legislatures and/or courts have passed/interpretted laws to forbid "squatters" from registering other people's trademarks (or typos of them) for themselves. Verisign has effectively just "registered" every unregistered/mistyped trademark and pointed it to their web site. For example, there's a local business who hasn't registered their name (a trademark) as a domain name. If someone asks for (thisbusinessname).com, Verisign will direct them to a web site (theirs) which instead suggests several other web sites. For the right price, a competitor of this business can have their web site listed here. This is no different from a competitor or unauthorised squatter registering the domain name... which they could be successfully sued for doing. The fact that Verisign is now profiting from the use of trademarks it does not own puts it on very shaky legal ground.
    • This is a classic case of abuse of monopoly power. In much the same way that (for example) the US FCC licenses broadcasters to use the public airwaves in ways consistent with the public good, Network Solutions (now owned by Verisign) was assigned responsibility for the .com and .net top-level-domains to be operated in ways consistent with the good of the internet community. Reckless management of that responsility, resulting in technical problems which it refuses to correct, and taking financial advantage of that trust in a way unavailable to any other entity... adds up to a "problem".