Slashdot Mirror
Paul Vixie And David Maher On VeriSign Wildcarding
chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.
They sure break up the SCO stories.
I kind of like the Verisign redirect. I sometimes mistype URLs and the Verisign page usually has a link to the page I was looking for. It's a pretty nice system considering the alternatives.
legally, is veri allowed to redirect requests to their own domain? if not, who has the rights to unused domain names?
How many times have you meant to go to goatse.cx and missed a letter, like goats.cx. This sort of site would help out users quite a bit. It could also offer other helpful suggestions, such as dogse.cx and pigse.cx.
Get your Patched BIND for Slackware here:
The more ISPs that use this, the more uncommon the SiteFinder 'service' becomes---the less users expect it.
Remember when popups where not expected? After using mozilla for a while I simply cannot stand them now!
---
Ad Majorem Dei Gloriam
Interested in AI? MACR
Some people suggest that administration of the DNS is a public trust, and that VeriSign is merely the caretaker of this system, not its owner. And now VeriSign has abused that trust. That may be true. Before a few days ago it didn't matter whether VeriSign was the owner or a caretaker. Now it matters a lot. VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission?
If you think about this from a social point of view, not just technical, this is absolutely fascinating (rather than just irratating/punch-provoking): here's an ability, that was theoretically possible all along, to have this big effect on something lots and lots of people use. No one made use of it before. Now someone has, and it's
Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?
I know what I think is the right answer, and it's what (probably) the rest of you think. But the final answer isn't up to you and me, or at least not you and me alone. Watching that process of who-gets-to-decide is going to be at least as interesting and precedent-setting as what the final decision ends up being.
Carousel is a lie!
Though I agree with everything he said (and thought he did so quite eloquently), it's a bit disheartening to see the chairman of the ISC refer to NXDOMAIN as a 404.
I think we should all go there at once.
We can say that we were all on our way to the grocery, made a wrong turn, and ended up at his house.
Then we can demand to buy groceries.
I'm sure he won't mind. Everyones ends up at his site for that reason, right?
Mod me down and I will become more powerful than you can possibly imagine!
Dr. Paul Twomey
.ORG domain, supports ICANN's call for the voluntary suspension of VeriSign's deployment of a DNS wildcard service. We believe that ICANN (and the entire Internet community) should take steps to prevent all registries from unilaterally implementing changes to DNS that redirect requests for invalid domain names to any other site. PIR will not offer any service that makes such a change in the DNS.
... is not
.COM and .NET domains.
.COM and .NET TLDs by adjusting servers to respond to requests for non-existent domains with a reference to the VeriSign Site Finder web site, (in other words, "wildcarding"). To a requesting user, it appears that non-existent domains are valid, because they are directed to the Site Finder. There is no difference between the responses for valid domains versus invalid domains from VeriSign's TLD servers.
.COM and .NET TLDs, the most prevalent of the TLDs, Internet users have little protection against the imposition of this flawed system. VeriSign implemented the Site Finder system with little advance notice or public commentary by the Internet community. We believe such unilateral behavior in changing a critical resource necessary for the world's information systems is inconsistent with the responsibilities of registries under their contracts with ICANN, particularly because of the necessity of DNS for other Internet resources to function properly.
President & CEO
ICANN
4676 Admiralty Way
Suite 330
Marina del Rey, CA 90292
September 22, 2003
Dear Paul,
Public Interest Registry (PIR), the operator of the registry of the
PIR also supports the Internet Architecture Board (IAB) statement on the same subject as set forth at:
http://www.iab.org/documents/docs/2003-09-20- dns-w ildcards.html
DNS is a critical piece of Internet infrastructure. Internet services such as the WWW and Email rely on DNS to function, and there should be no interference with the established protocols until there is complete assurance of no negative impact on the DNS.
In another context, the Internet Architecture Board (IAB) has commented:
"At the core of all of the IAB's concerns is the architectural principle that the DNS is a lookup service which must behave in an interoperable, predictable way at all levels of the DNS hierarchy. Furthermore, as a lookup service it is such a fundamental part of the Internet's infrastructure that converting it to an application-based search service
Page 2
appropriate even in the case where the query presented would not normally map to a registered domain."
The architectural principle referred to by the IAB is clearly violated by the changes proposed for the
On Monday, September 15, VeriSign changed the behavior of the
Because the VeriSign Site Finder server makes it appear that a non-existent domain exists, the service introduces significant problems to critical Internet infrastructure. Many other important Internet protocols rely heavily on proper DNS behavior. The impact of VeriSign's Site Finder is unclear with respect to security of the DNS. Site Finder unilaterally precludes the use of a prevalent type of anti-spam mail filter that uses DNS to validate the domain of legitimate eMails.
Because VeriSign's servers are authoritative for the
We are informed that other domain registries may be exploring services similar to the VeriSign Site Finder. (As noted above, PIR will
Page 3
not be one of them.) If this is the case, our comments concerning Site Finder apply with equal force to those other services. We believe that any such efforts to alter the TLD DNS systems, of which the VeriSign Site Finder appears to be the most prominent example, adversely affect the Internet infrastructure and the entire Internet community.
Therefore,
Carousel is a lie!
The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.
Yep, it's obvious that this is slashdot.
Anyone out there know if there is a debian package as of yet (preferable one I can use without wandering too far into the realm of "unstable")?
Would be great to apt-get upgrade and see this in there by default...
This is a terrible day for Internet freedom. VeriSign is obviously a monopolistic entity determined to eradicate its competition. I recommend that somebody here organize a picketing campaign. Unfortunately, nobody with influence appears to read Slashdot.
It's usually hit or miss with those other two.
But I didn't care because I don't celebrate Christmas.
.museum
.a bunch of small countries
.com and .net,
.cx, .io, .mp, .museum, .nu, .ph, .td, .tk, .tv, .ws) pulled the same stunt. I probably got the relative times wrong too.
Then they came for
but I didn't care because I haven't been in one in ages.
Then they came for
But I didn't care because I've never heard of them.
Then they came for
and nobody cared because it's common business practice.
Note: according to a posting I just looked up, at least 11 TLDs (.cc,
curl letter-to-ICANN-re-SiteFinder-030921.doc | strings | fmt | less But either way it comes out slightly garbled about 3/4 through.
Whatever. Why aren't more people just ditching their precious .COM names. Think UPS.com or Amazon.com couldn't get away with switching? Sure they could...
.US take a look at NIC.US which can point you to all the various registrars. Heck, it's cheaper -- typically $15/yr.
.US -- of course I'll handle the .COM traffic until they expire in a year or two. In the mean time everything going out says .US as of yesterday.
.COM, but they surely won't on the next order. Maybe a year.
For those in the
The only thing Verisign will understand is people speaking with their dollars. And yes, I personally have switched my domains over to
Sure, business cards and letter head still say
googlefight.com
sco( 300 000 results) versus verisign (1 760 000 results)
The winner is: verisign
The Singularity is closer than you think
Quant
getting their ISP to upgrade DNS servers to counter this threat?
I'd appreciate any suggestions.
This started about 1995 when people begain to conflate the Web with the Internet.
Slashdot: Where nerds gather to pool their ignorance
By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.
It's now here having been Slashdotted last time....on a better server this time, though (we hope!), so be gentle....
It's good to see that PIR is taking the high road. If .com/net are ever redelegated, I'd much rather they run it, than someone who would be looking for every opportunity to squeeze out nickels and dimes ($100 million/yr!) from the internet community, via abuse of their monopoly. Or, perhaps a corporation with a solid reputation (maybe IBM?) would step up, to replace Verisign.
It is good interview but expression "bootleg patches" was someting I disliked. It does not fits well with free/open source spirit. It assumes that there are (in marketing terms) "offical" or "authorized" patches and everything else is "bootleg". It kind makes me feel my next patch to some open source product could be considered "bootleg" which makes me feel it is unwanted.
Vulnerabilities, bugs, even exploits, are NOT always security "holes".
VeriSign is better then porno.
One day back in junior high, I was in a lab full of old Macs. Netscape suffered a lag attack and decided I wanted to go to 'hoo.com', not 'yahoo.com'. Hilarity ensued.
I think that particular site is defunct, though.
"Neque enim lex est aequior ulla, quam necis artifices arte perire sua."
Just surf slashdot at -1, and you'll never need to type goatse.cx - thus, no worries about mis-spelling it.
"If God created us in his own image, we have more than reciprocated"
Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have our own name servers) do.
It's a little harder, but not a lot harder, to just run your own root zone. The biggest thing is to gather up all the NS records and associated A records for each TLD. That's a small list (relatively speaking), so it could be done via a few hundred dig commands to the root servers. Or it can be downloaded. Now once you have that data, you replace the .com and .net zones with your own. Of course that begs the question, replace it with what?
If enough people with enough server/network power get together, they can make their own independent "realm" of domain name space, starting with a replacement root zone (as has been done in the past to add new TLDs), and a replacement for both .com and .net.
I can just hear the complaints now (and I've heard them before): "But this will fragment the internet". My answer is: Yes!!!! yes it will! all the better. Imagine being in a whole different name space realm away from spammers and evil corporations. And maybe you can meet me in the .mp3 TLD.
now we need to go OSS in diesel cars
Are you claiming Sendmail and BIND are secure?!
You, sir, are a fucking idiot.
Other than maybe wu-ftpd nothing has made unix/linux security look worse. Ok, well, OpenSSH has been pretty sad recently too...
$ host www.werwearwer.com
Host not found.
$ host www.slshdt.org
Host not found.
I thought i should get verizon's ip? Anybody explain this? Or is there some way to get around this thing.
This sig is empty.
Verisign can break Vixie's patch. All they have to do is set up a separate name server which pretends to be a .com and .net server, with the very same wildcarded A-record. Now just put in wildcarded NS-records in the actual .com and .net zones in the real GTLD servers (in place of the existing wildcarded A-record). There, now it really looks like a real delegation to a different name server, just like real domains have. The new delegated wildcard server gets the query next, due to the delegation (that looks like a delegation, hence fools the patch), and due to its wildcard (and it doesn't need any other data from the .com or .net zones, since it doesn't get delegated to for real domains), it will answer with an A record of Verisign's choosing. If Verisign wants to keep doing what they are doing, they can defeat this patch by that method.
Then we'll have to make DNS servers filter out specific delegations (as opposed to filtering out non-delegation records where there should be only delegations). Verisign could rotate those delegations daily and fool efforts to block it.
now we need to go OSS in diesel cars
Why can't we work around this by instead of checking if the address is valid, check if the address comes back to Verisign's server???
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
irc.niggerjewfagsandthemidgetsthatlovethem.com resolves to a verisign IP.
If you put that in a browser you will one of those verisign ad pages that are all to common these days.
Now, I understand that what VeriSign has done is wrong in several ways, but to play devil's advocate, I want to ask you guys a question:
What if rather than sitefinder, it redirected you to google? The "feature" they are trying to convince us they provide is basically spell checking the URL you type. "salshdot.org? Oh... you meant slashdot, here let me take you there."
What if this had been done in a more acceptable way, where profit leeching wasn't a suspected motive? Would we still complain?
And btw, the only downside I can personally think of with the concept in general is that you can no longer tell a site is down or exists just by pinging it, because you get the "spell checker" site's reply rather than nothing.
Feedback?
no comment
A quart of kerosene can spoil a tanker-truck full of milk:
#!/usr/bin/perl
srand();
my @alpha = (a..z);
my @prefix= qw( www web1 web2 ftp mail dns ns1 ns2 ns3 dns1 dns2 dns3 );
my @suffix = qw ( com net );
$|=1;
while(1) {
my $length = int(rand(16)+1);
my $n = "";
for (0..$length) {
$n.=$alpha[int(rand(26))];
}
my $p = $prefix[int(rand($#prefix))];
my $s = $suffix[int(rand($#suffix))];
$l = `nslookup $p.$n.$s`;
print $l;
sleep int(rand(5))+1;
}
enough crap in their database, it won't be good for marketing data anymore.
What a strange bird is the pelican, his beak can hold more than his belly can.
Here's a fun solution:
p ://ibm-asdb-hardware.come .comd e-hardware.comp ://ibm-asdh-hardware.come .com
If your ISP hasn't fixed this yet, go to http://ibm-asdf-hardware.com
Do you think IBM might be a little bit pissed off about their trademark being used to point to someone else's computer hardware site? Do you think they might, I dunno, sue?
How about all these other blatant trademark infringements:
http://ibm-asda-hardware.com
htt
http://ibm-asdc-hardwar
http://ibm-asdd-hardware.com
http://ibm-as
http://ibm-asdg-hardware.com
htt
http://ibm-asdi-hardwar
http://ibm-asdj-hardware.com
As I see it, Verisign is facing a not-quite-infinite number of trademark infringement lawsuits. And, of course, if Verisign switches to point to IBM, I'm sure hardware.com would be delighted to fire their own volley of lawyers.
Stop-Prism.org: Opt Out of Surveillance
What? How the hell do you get an HTTP 404 error message if there's no server to even connect to?
now we need to go OSS in diesel cars
I tried your links, and then realized that I've already patched my BIND to kill them...
I think he knows the difference...
Go to
http://www.dns.net/dnsrd/rfc/
Search on P. Vixie...
Yes, thats the one.
I just wish he'd fix the crontab options so I dont delete my files so much.
My ISP has already routed around VeriSign's damage. Mind you, before they patched BIND (or whatever it is that they use, I never checked), I had fun with them for awhile.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
$ host irc.niggerjewfagsandthemidgetsthatlovethem.como st not found.
H
Still, the same thing. But yes, my browser defaults to Verisign's page. But why doesnt host too return a valid IP?
This sig is empty.
Gramps: When I was a wee lad we used to get that error when a web page was not found.
Granddaughter: Thank Goodness for Verisign! We don't have to see those error meanies no more!
I am surprised that Paul Vixie did not seem to exhibit much emotion regarding the Sitefinder situation - for someone who's been at the core of what we now know as the DNS for so many years (you would think it's like his own child:).
He seemed reserved, while calmly pointing out, part by part, what is wrong with Verisign's actions. More of this is called for from the important people in the Internet technical and business community - the way community coverage has been heading, and the way comments are worded on Slashdot and other sites, is leading to resentment, anger, name-calling, and joking about Verisign and their policies, creating a situation in which the community is less likely to be taken seriously by Verisign, Microsoft, AOL, etc. Mr. Vixie also mentions that there are smart people at Verisign, reminding us that the Sitefinder "service" is the brainchild of but a handful of people, maybe even just one or two. It reminds me that as engineers, we still have to work with the other guy at a certain level.. becoming enemies doesn't help anything.
Mr. Vixie is saying that perhaps ICANN should "do something about it". This whole situation should be approached by attorneys general, from the both the branding/business practices angle mentioned by Mr. Vixie, and also from the consumer rights angle (much like telemarketers). Right now the average consumer can get effectively get rid of telemarketers, thanks to recent laws, with a single verbal or written request, but the Sitefinder service can only be circumvented using DNS tools by an engineer or technician "in charge" of the DNS servers. The web-browsing consumer has no way around this by themselves.
I wonder which one of these characters made this mess happen?. html
http://www.verisign.com/corporate/about/executive
Forget thrust, drag, lift and weight. Airplanes fly because of money.
Such behaviour may be useful in some instances but it should not be rooted deep down in the DNS systems.
Your user agent (ie your browser) is what should be doing this for you if you so desire.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Whether it's SiteFinder, Google, or even Slashdot, the issue is not so much (or at least not only) the fact that a website comes up instead of a 404. It's the fact that practically everything automated breaks because this "service" is oriented toward humans. Consider:
I'm sure there are others, but the point is that what's good for human users is not good for computers, and it should be the client, i.e. the thing interacting directly with the human user, that interprets the computer responses and makes them easier to use for humans. (There wouldn't be nearly as much uproar over this if Verisign had, say, made a deal with Microsoft to redirect all NXDOMAIN queries to SiteFinder; in that case it would be an Internet Explorer, i.e. client issue, and DNS itself would be unharmed.)
Am I the only one who finds it ironic that Verisign's slogan is "The Value of Trust"? They sure don't seem to be aware of just that, the value of the trust we have given them.
You idiot!
Don't give them any ideas. I'm convinced marketing thought up the last one, and the techs who implemented it were probably resentful, and did it as simply as possible.
Now everyone... just lower your weapons, slowly.... slowly...
Fuck Beta. Fuck Dice
In the past, ICANN has always made a song and dance about the crucial need for DNS stability, yet now, in the face of a unilateral move that causes great instability, they meekly ask Verisign to please stop. If ICANN are too spineless to act, then the Department of Commerce needs to step in. Despite the contractual complexities (see Karl Auerbach's blog), Verisign have committed a fundamental breach of trust, and the DoC should reallocate responsibility for .net and .com as soon as practically possible.
My next sig will be ready soon, but subscribers can beat the rush
You'll just hammer your ISP's DNS resolver, killing it's cache; or whomever your nameserver peers with.
Instead, hit the IP addresses of sitefinder and sitefinder-idn.verisign.com directly with bogus HTTP requests instead. I can't be sure, but I'll bet they don't record the requests at the DNS server, but at the webserver because the logs are probably easier to process with existing web analysis tools.
(Does anyone know if you can directly ask a root server about a domain? I didn't think mere mortals could)
Fuck Beta. Fuck Dice
Couldn't they be sued for not providing some way for users to discontinue use of their service? It's like the shrink wrapped EULA, except on a way more annoying scale.
We're all going to have to call their tech support to ask them how to discontinue use of the service because we do not agree with their terms of use.
www..com
Host www..com not found.
www..net
Host www..net not found.
www..org
Host www..org not found.
Did we win?
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Any host can make non-recursive requests to the root servers.
Technically, if a query for whatever.com arrives at a root server, it should only return the list of NS records for .COM, and if a query for whatever.com arrives at an authoritative server for .COM (many roots are also .COM servers), it should only return the registered NS records for whatever.com.
In fact, that is exactly the problem -- the Verisign roots should return only NS or NXDOMAIN records, but for names in .COM .or .NET, they instead "synthesize" an A record, pointing to sitefinder, with a 15 minute TTL (cache lifetime).
The various hacks either ignore the specific A record, or ignore records from root servers other than NS. The latter is a cleaner approach, IMHO.
I do not deploy Linux. Ever.
Of course that should look like www..com, etc
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
As a member of the BOD of a non-profit ISP Ive called on our board to send Verisign a letter requesting the suspension of the service and to star talking to the main stream press. What is everyone else doing?
Skapare writes:
I run my own root on most of my networks and employers' networks -- it's easy to implement and more efficient. (That said, we do it for security, to keep lookups for bogus TLDs from going out over the internet.) Overriding "." on your own nameserver is easy, as the delegation information for BIZ/INFO/COM/NET/ORG/UK/TV/etc is easy to obtain and doesn't change very often. Overriding the TLDs themselves, going from serving "." to serving ".COM", is a much more difficult project.Unlike the "." root zone, the .COM zone changes twice a day, is HUGE, and the zone file itself is not readily available to the general public.
I do not deploy Linux. Ever.
The really not-so-funny part about your joke?
They already do.
n to the motherfuckin t
Actually, Christmas Islands already does something very similar to this. Try pigse.cx. You will end up at a "sitefinder"-like page from the Christmas Island TLD Authority which suggests that you register the domain, explaining that all unregistered domains in .cx are redirected to that page. It does not return NXDOMAIN, but there are no commercial advertisements (other than by C.I.) and no search function.
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
...let them do it. Just charge them for all names registered. Assuming they wildcard the name with 26 letters plus "-", say, 20 chars deep, charge them 27^20 registered domain names. Even with a good discount, say, $0.01/domain name it will still be more than there is money on Earth :)
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
3 mililiters of human semen and they won't allow that for trade :)
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
try www.testing.ph and it will be redirected to the ph admins website. screw them
Not sure if it's an appropriate thread, but it looks as good as any for a shameless plug :)
Yours truly put together quick utility - dnsfix, which monitors inbound DNS responses and tweaks result codes from 'success' to 'no-name' for those referencing specific IPs. In other words, it can be used to transparently negate the effect of VeriSign's SiteFinder "service" and restore DNS behaviour expected by (currently broken) spam filters and alike.
3.243F6A8885A308D313
This is rather like using a bulldozer to plant tulips.
I find it is more like using a shotgun to pop a pimple.
Item 6 on VeriSwine's T&C's is intreasting:-
Modification by VeriSign.
At any time VeriSign may modify or terminate these terms of use, its websites and the VeriSign Services and may at any time discontinue your use of the VeriSign Services without any notice to you, and without liability to you, any other user or any third party. Please review these Terms of Use from time to time so that you will be aware of any changes. Your continued use of the VeriSign Services constitutes your agreement to all such terms, conditions, and notices.
although it's a standrd legal clause, I didn't actually ask to use their services - DNS or ShiteFinder. Whilst they would be hard pressed to try and spply these T&Cs to the DNS side of thier business, they may try to enforce them on the ShiteFinder part. What if they modified their T&C's to include something like... you sleep with Daryl McTwat and pay SCO $699 for the use of your own code.
After reading this story about Russell Lewis's (Verisign GM) memo to staff, I registered "bookstre.com" and pointed it to Google via the Easily.co.uk redirector.
Now, until the DNS entry propagated, and in the 15 minute window before the non-existant domain timed out, I was still seeing the SiteFinder "domain". Obviously it's a contrived example, but I think it illustrates an important point:
I paid good money for this domain
Who said Verisign could use it ?
Legitimate domain registrations are still going to suffer from this decision, so I suspect this would be a legitimate set of grounds for a class action against Verisign.
--- These are not words: wierd, genious, rediculous
Has anyone tracked down a backport of the delegation-only patch for bind 8.x?
So far, all I've got is unofficial patches, which will not be run on production systems.
The .cc domain is Verisign controlled and does
.com and .net root servers. It could set up a parallel DNS!
the sitefinder-type thing...
http://RandomJunk8347458475.cc
Also, as Verisign so helpfully pointed out in their
letter the other day many TLDs wildcard. ICANN should *ask* them to stop too.
Bind has their option to prevent wildcarding from certain domains. Maybe they
could ship it pre configured block all wildcarding domains. Or can you simply
say block all wildcarding no matter what the TLD.
Since BIND is prevalent it could take an end run around the existing
If your ISP won't block it, it's simple to (partially) disable Verisign's power grab on "firewall" Cable/DSL routers, often used on home and small office networks.
.
On a Linksys BEFSX41, for example, just put "sitefinder.verisign.com" in the "Blocked URL Contents" section of the router's "Firewall" configuration page.
If you mistype a URL (I use the term loosly) Mozilla will put up an alert box: "The document contains no data". Internet Explorer brings up a "The page cannot be displayed" page.
Caveats: (1) many routers don't have this "firewall" feature; (2) this works only for clients downstream from the router. It won't help your ISP bounce spam from "loser@verisignisdoingbadthingstotheinternet.com"
Now who the hell modded this guy flamebait? If you disagree with him, say so. Don't use up a mod point for that.
Only on
Host returns an IP for me...
This all is coming about because of what I consider to be a design flaw in DNS, to whit:
.foo.bar.baz, there is one and only one possible dataset to answer that query.
.com - thus whosoever controls that dataset controls .com.
.com now, a name server could cache the list of name servers for .com now, and could send the queries out in parallel to the servers it knows about, reducing the time.
.com, just the set of domains registered with .com. It would reduce (somewhat) the size of the servers needed to serve the .com domain (as the workload would be spread out among more servers), and would allow for each registrar to maintain their own database without having to go though Verisign.
.foo, but maybe Alternic does".
.com domain would have to do their homework in registering a domain - there would have to be a clearing house for domain registry.
For any given suffix
So if you are looking up bar.com, there is only one dataset that contains information on
Now, what if a server for a given domain, in addition to having a parent had siblings? For example, if you were looking up narf.com, then the queries might look like this:
my machine - Hey root, where's narf.com?
Root - I don't know, but verisign.com should - ask him.
My machine - Hey verisign.com, where's narf.com?
Verisign.com - I don't know, maybe alternic.com does.
My machine - Hey alternic.com, where's narf.com?
alternic.com - narf.com is at 192.168.0.1
In other words, for every zone record there would be a new configuration possible - a list of zero or more siblings. On a negative result, the sibling records would be returned, and the quering name server would consult them. As a result, you could allow joker.com, register.com, verisign.com et. al. to have just their records on their servers, with cross links to the other servers.
Yes, this would increase the number of queries a name server might have to do to resolve a domain, especially in the negative case (domain does not exist). However, just as a name server can and will cache the servers for
Under this system, a failure of verisign's server would not black out
Extending this to the root servers would allow for things like Alternic to be added - the root servers could say "I don't recognize
Yes, it would be possible for Joker.com and Register.com to create records for VerisignEngineersAreWeenies.com, and for those records to disagree. Yes, the set of owners of servers for the
But were this idea implemented, it would prevent anybody from pulling the kind of unilateral crap that Verisign has.
www.eFax.com are spammers
I just read the Terms of Service on the sitefinder site:
COST OF THE VERISIGN SERVICES.
The Verisign Service(s) are provided to you free of charge.
Hey folks, we're getting this service for free. Looks like we don't have a leg to stand on.
Evil is the money of root.
The more I feel that, regardless of paperwork, or whatever agreements they signed... most of us consider the .com registry and, to a larger degree, the entire DNS system to be a large public trust at the top levels. It works because we all cooperate, and agree to use it... and ONLY because of that.
I think, though of course the devil is in the details, it's time that Verisign learned that it's power comes from us, only because we allow it.
How we do that is another story.
Yet still my emails to VeriSign somehow end up at Network Solution's feet. At this point their responses aren't nearly so "helpful" with regard to volunteering opinions about the permissibility of VeriSign's decision to .com and .net into upheaval.
I just got a call from an 'independent' survey company and about half way through I realized that it was sponsored by Verisign. They asked me all these questions about registering domain names and stuff really seemed to focus on Network Solutions/Verisign. They asked me how I would rate them and I said 1 (worst) and she acted kind of suprised. She had me explain why I felt that way and I said that they have jacked domain name registration and certificate pricing through the roof and that I strongly object to their SiteFinder service. Maybe some of you other guys will get the call as well. Sock it to em.
User's in other country's will be confused by this, granted the internet is an english langauge creation for the most part thus far, but when it come's to not understanding something, a error message is easier to understand than an english verisign page. If anyone doesn't agree with this, i suggest you, like i did, sign the petition!
because verislimes silly prank breaks a number of default behaviours within IE and various search options within Windows.
In addition ISPs in non-English countries sometimes catch requests for unknown domains and put up a web page in the appropriate language - this is now also broken.
don't forget to add "127.0.0.1 sitefinder.verisign.com" to your hosts file
I scooped away two "service" pages to add a little protest of my own:
.com pages are actually deployed by Verisign..
http://wewantour404.net (.com)
Including some statistics as why this "service" should be reverted asap. In concredo this "service" means that 99.9999999999999999999999(etc.) % of all
How about a fart detector which initiates toilet seat warming to your preferred temperature?
I just realized that if you can do
.com then you can use:
.geek zone
zone "com" { type forward; forward first; forwarders { 204.152.184.76; }; };
to make a BIND 8 server use the ISC public recursive servers for
zone "geek" { type forward; forward first; forwarders { 208.181.60.45; }; };
to add the
http://www.opennic.geek/ now works for me while I'm using normal DNS for other TLDs.
I didn't know anything about alternate Internet DNS namespaces. Thanks for pointing it out.