Paul Vixie And David Maher On VeriSign Wildcarding

chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.

Get your Patched BIND for Slackware

[ksuMacGyver]

Get your Patched BIND for Slackware here:

The more ISPs that use this, the more uncommon the SiteFinder 'service' becomes---the less users expect it.

Remember when popups where not expected? After using mozilla for a while I simply cannot stand them now!
---

Re:Get your Patched BIND for Slackware

[gmack]

Once you have the patched version go here to get the entries needed to block all root zones from doing this.

Re:Get your Patched BIND for Slackware

[AKnightCowboy]

Once you have the patched version go here to get the entries needed to block all root zones from doing this.

Or if you're running BIND 9.2.3rc3 just add: options { root-delegation-only exclude { "cc"; "de"; "lv"; "museum"; "org"; "us"; }; }; This SHOULD be the default behavior for TLDs IMHO and I'm glad they're introducing the exclude list behavior.

Entirely a nitpick, but...

[__aavhli5779]

PV: I hope but I don't think so. I've heard that the patch works well, but VeriSign could bypass the patch. It could make synthesized responses look more like delegations. I don't think it will do that. VeriSign's spokesperson, Brian O'Shaughnessy, suggested that if people don't want this, they're free to block it. It's really meant to be a service for the supposedly inconvenienced web surfers. VeriSign maintains that its search page is more useful than 404 error messages. If VeriSign bypassed the patch, it would have to escalate things and retract these statements about how folks were free to block the wildcard.

Though I agree with everything he said (and thought he did so quite eloquently), it's a bit disheartening to see the chairman of the ISC refer to NXDOMAIN as a 404.

.ORG Letter in plain text for MS Haters

Dr. Paul Twomey
President & CEO
ICANN
4676 Admiralty Way
Suite 330
Marina del Rey, CA 90292

September 22, 2003

Dear Paul,

Public Interest Registry (PIR), the operator of the registry of the .ORG domain, supports ICANN's call for the voluntary suspension of VeriSign's deployment of a DNS wildcard service. We believe that ICANN (and the entire Internet community) should take steps to prevent all registries from unilaterally implementing changes to DNS that redirect requests for invalid domain names to any other site. PIR will not offer any service that makes such a change in the DNS.

PIR also supports the Internet Architecture Board (IAB) statement on the same subject as set forth at:
http://www.iab.org/documents/docs/2003-09-20- dns-w ildcards.html

DNS is a critical piece of Internet infrastructure. Internet services such as the WWW and Email rely on DNS to function, and there should be no interference with the established protocols until there is complete assurance of no negative impact on the DNS.

In another context, the Internet Architecture Board (IAB) has commented:

"At the core of all of the IAB's concerns is the architectural principle that the DNS is a lookup service which must behave in an interoperable, predictable way at all levels of the DNS hierarchy. Furthermore, as a lookup service it is such a fundamental part of the Internet's infrastructure that converting it to an application-based search service ... is not

Page 2

appropriate even in the case where the query presented would not normally map to a registered domain."

The architectural principle referred to by the IAB is clearly violated by the changes proposed for the .COM and .NET domains.

On Monday, September 15, VeriSign changed the behavior of the .COM and .NET TLDs by adjusting servers to respond to requests for non-existent domains with a reference to the VeriSign Site Finder web site, (in other words, "wildcarding"). To a requesting user, it appears that non-existent domains are valid, because they are directed to the Site Finder. There is no difference between the responses for valid domains versus invalid domains from VeriSign's TLD servers.

Because the VeriSign Site Finder server makes it appear that a non-existent domain exists, the service introduces significant problems to critical Internet infrastructure. Many other important Internet protocols rely heavily on proper DNS behavior. The impact of VeriSign's Site Finder is unclear with respect to security of the DNS. Site Finder unilaterally precludes the use of a prevalent type of anti-spam mail filter that uses DNS to validate the domain of legitimate eMails.

Because VeriSign's servers are authoritative for the .COM and .NET TLDs, the most prevalent of the TLDs, Internet users have little protection against the imposition of this flawed system. VeriSign implemented the Site Finder system with little advance notice or public commentary by the Internet community. We believe such unilateral behavior in changing a critical resource necessary for the world's information systems is inconsistent with the responsibilities of registries under their contracts with ICANN, particularly because of the necessity of DNS for other Internet resources to function properly.

We are informed that other domain registries may be exploring services similar to the VeriSign Site Finder. (As noted above, PIR will
Page 3

not be one of them.) If this is the case, our comments concerning Site Finder apply with equal force to those other services. We believe that any such efforts to alter the TLD DNS systems, of which the VeriSign Site Finder appears to be the most prominent example, adversely affect the Internet infrastructure and the entire Internet community.

Therefore,

Oh, and for those of you who like plain text:

[Saint+Aardvark]

$ strings letter-to-ICANN-re-SiteFinder-030921.doc | fmt | less

Re:legalities

[the+uNF+cola]

register.com lost a suit similar to what you are talking about.

when you buy a domain from rcom, your page automagically defaults to a page. This page is pretty much an advertisement for rcom and such. it drives revenue towards rcom.

many MANY people thought this was crooked, so there was a civil suit.. which rcom lost.

I couldn't see a case like this wouldn't run the same, since both the rcom parked-page service and this have search links and nifo that drive revnue to their respective companies...

Re:To be honest

[gmack]

In the case of a spell checker if it sucks you get to use another product with a better one.

You don't get to in this case.

Also all the world is not http... the protocol level is the worst possible place to do this.

Re:legalities

[the+uNF+cola]

a second note:

if i register abacadaba.com, and abacadaba.com becomes the biggest thing next to yahoo and slashdot combined with sex.com... everyone would want to go to abacadaba.com, or so i hope.

all mispellings on my idea, and my trademark if ihave it trademarked, will go to versign. they'd effectively be making money off of me via a transitive property.. sorta. people want to see my site which makes money, verisign takes all mispellings of my site.. people make verisign money!

whoa.. i think i just proved step 2 :\

Verisign Troubles? Contact these people:

[SEE]

Not quite on-topic, and a repost, but . . .

1. The Department of Commerce; VeriSign's contract to operate .com and .org was originally with them.
2. The Federal Communications Commission, which oversees telecommunications.
3. The Senate Commerce Committee's Subcommittee on Communications; contact the committee itself, the chairman, the ranking member, and any of the other members you'd like.
4. The House Subcommittee on Telecommunications and the Internet, including the committee itself, the chairman, the vice-chairman, and the ranking member.

By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.

Stop Verisign DNS Abuse Petition

[GeorgeK]

It's now here having been Slashdotted last time....on a better server this time, though (we hope!), so be gentle....

It's good to see that PIR is taking the high road. If .com/net are ever redelegated, I'd much rather they run it, than someone who would be looking for every opportunity to squeeze out nickels and dimes ($100 million/yr!) from the internet community, via abuse of their monopoly. Or, perhaps a corporation with a solid reputation (maybe IBM?) would step up, to replace Verisign.

Re:To be honest

Gee, that's nice, but in the meantime, it aids spammers, since I can no longer tell if the sender's address is from a valid domain. With Verisign's corruption of the root servers, *all* .com and .net domains will now come back as being valid.

As has been said numerous times, this has nothing to do with the "root" servers, only the com and net TLD servers. ISC has already produced a very nice fix for Bind 9 so this doesn't really affect people using it anymore. Just designate the com and net zones as designate only and you won't pick up any A wildcard records. Let Verisign do stupid shit like this and watch as people work around them within 24 hours.

Re:To be honest

[Atzanteol]

The problem is that Verisign is doing their wildcarding at the DNS level. This effects the entire *internet*, not just the World Wide Web. So not only do you get directed to their site on your web-browser, but also if you lookup domains for telnet, ftp, ssh, smtp, etc. This causes problem for (among other things) spam filters, who check that your domain exists (well, now *all* .com domains exist) before delivering mail.

Verisign is being extremely short-sighted. This whole deal reeks of a moronic manager who thught this would be a 'wonderful' idea.

Verisign can break Vixie's patch - here's how

[Skapare]

Verisign can break Vixie's patch. All they have to do is set up a separate name server which pretends to be a .com and .net server, with the very same wildcarded A-record. Now just put in wildcarded NS-records in the actual .com and .net zones in the real GTLD servers (in place of the existing wildcarded A-record). There, now it really looks like a real delegation to a different name server, just like real domains have. The new delegated wildcard server gets the query next, due to the delegation (that looks like a delegation, hence fools the patch), and due to its wildcard (and it doesn't need any other data from the .com or .net zones, since it doesn't get delegated to for real domains), it will answer with an A record of Verisign's choosing. If Verisign wants to keep doing what they are doing, they can defeat this patch by that method.

Then we'll have to make DNS servers filter out specific delegations (as opposed to filtering out non-delegation records where there should be only delegations). Verisign could rotate those delegations daily and fool efforts to block it.

Re:Debian?

[holviala]

deb http://www.backports.org/debian stable bind9

The Executive Team

[BiggerIsBetter]

I wonder which one of these characters made this mess happen?
http://www.verisign.com/corporate/about/executive. html

Re:The Executive Team

[switcha]

I'd guess the guy responsible for "the company's globally deployed registration and resolution infrastructure that currently supports the Internet's Domain Name System (DNS)."

Re:To be honest

You're just trollin'.

VeriSign's mail server is called the Snubby Mail Rejector Daemon v1.5

v1.3 wasn't fully SMTP compliant: See here.

v1.5 now responds a little more properly: See here.

It rejects them anyway.

Re:legalities

[laird]

plain old text mangles my post a bit, so here it is again. Sorry I didn't catch it in preview...

I believe that Verisign's use of a wildcard to map all DNS requests for *.com to their web site violates the relevant RFC's.

Going through all of the DNS RFC's, all of them assume or require that when a name is not found, the DNS server return an error.

Going through them in historical order: RFC 811 specifies that if the name is not found, a 'NAMNFD' code is returned. RFC 1034 also talks about sending "a name error indicating that the name does not exist" and "A name error (NE). This happens when the referenced name does not exist. For example, a user may have mistyped a host name." It also discusses caching name errors for efficiency, which of course only makes sense if the authoritative DNS servers actually issue name errors (which Verisign is now not doing). RFC 1035 specifies that if "the domain name referenced in the query does not exist" that a "Name Error" be returned.

There is a wildcard mechanism in RFC 1034, but it's defined to apply to '"*.<anydomain>", where <anydomain> is any domain name' which makes it pretty clear to me that it's not intended to apply to domains. To emphasise this, all of the examples of DNS wildcards are of the form *.X.COM or *.A.X.COM.

Query the Verisign roots for bogus .COM names

[Nonesuch]

My guess is that Verisign does log the requests received, but does not normally go to the effort to correlate the DNS requests with hits to SiteFinder, and that if you want to mess with their marketing data, you would want to send bogus requests to the SiteFinder HTTP, not just bogus DNS queries.

Does anyone know if you can directly ask a root server about a domain? I didn't think mere mortals could

Yes you can.

Any host can make non-recursive requests to the root servers.

Technically, if a query for whatever.com arrives at a root server, it should only return the list of NS records for .COM, and if a query for whatever.com arrives at an authoritative server for .COM (many roots are also .COM servers), it should only return the registered NS records for whatever.com.

In fact, that is exactly the problem -- the Verisign roots should return only NS or NXDOMAIN records, but for names in .COM .or .NET, they instead "synthesize" an A record, pointing to sitefinder, with a 15 minute TTL (cache lifetime).

The various hacks either ignore the specific A record, or ignore records from root servers other than NS. The latter is a cleaner approach, IMHO.

Take back the roots!

[Nonesuch]

I agree, take back the roots. I notice that the .ORG zone removed the Verisign nameservers earlier this month. Any connection to SiteFinder?

Skapare writes:

Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have our own name servers) do.

I run my own root on most of my networks and employers' networks -- it's easy to implement and more efficient. (That said, we do it for security, to keep lookups for bogus TLDs from going out over the internet.)

It's a little harder, but not a lot harder, to just run your own root zone. The biggest thing is to gather up all the NS records and associated A records for each TLD. That's a small list (relatively speaking), so it could be done via a few hundred dig commands to the root servers. Or it can be downloaded. Now once you have that data, you replace the .com and .net zones with your own. Of course that begs the question, replace it with what?

Overriding "." on your own nameserver is easy, as the delegation information for BIZ/INFO/COM/NET/ORG/UK/TV/etc is easy to obtain and doesn't change very often. Overriding the TLDs themselves, going from serving "." to serving ".COM", is a much more difficult project.

Unlike the "." root zone, the .COM zone changes twice a day, is HUGE, and the zone file itself is not readily available to the general public.

Re:Anybody know Verisign's CEO's home address?

[11223]

Please, read the "Terms Of Use" before you keep playing with their site. Go and do it now.

Not done yet? Uh huh, keep reading.

Fine, I'll snip out the relevant parts for you:

You agree to release, indemnify, defend and hold harmless VeriSign, and any of our contractors, subcontractors, members, agents, employees, officers, directors, shareholders, affiliates and assigns from all liabilities, claims, damages, costs and expenses, including reasonable attorneys' fees and expenses, relating to or arising out of (a) these Terms of Use, (b) the VeriSign Services or your use of such services, including without limitation infringement or dilution by you, or someone else using our service(s) from your computer, (c) any intellectual property or other proprietary right of any person or entity, or (d) a violation of any of our operating rules or policies relating to the service(s) provided. When we are threatened with suit or sued by a third party, we may seek written assurances from you concerning your promise to indemnify us; your failure to provide those assurances may be considered by us to be a material breach of these Terms of Use.

Congratulations! You've just given up your rights to anything you've ever written! Block this service, now, and you have a good chance of convincing the court you didn't agree to the terms. Otherwise, I wouldn't bet my entire life history's worth of recorded works on it.

This is one of the most evil things I've ever seen done.

Re:I think Christmas Islands needs to follow Veris

[mpoulton]

Actually, Christmas Islands already does something very similar to this. Try pigse.cx. You will end up at a "sitefinder"-like page from the Christmas Island TLD Authority which suggests that you register the domain, explaining that all unregistered domains in .cx are redirected to that page. It does not return NXDOMAIN, but there are no commercial advertisements (other than by C.I.) and no search function.

Re:First they came for .cx

[Zocalo]

Yes, museum uses a wildcard, so what? Firstly the intention to wildcard was right up there and stated in the original proposal for the domain, before it was even approved by ICANN. Unlike Verisign's contract with ICANN, in which they are explicitly instructed to return NXDOMAIN on their .COM and .NET domains (.ORG too, but that is now moot), MuseDoma had approval to do this.

Why? Well firstly, .musuem is a highly restricted domain, and secondly it's all to do with how museums operate. If I go to the London Science Museum and start asking for paleontology information, they will redirect me across to the National History Museum. The wildcarding is just a virtual way of helping people find what they are looking for, which makes sense.

".com" on the otherhand, is a largely unregulated free for all of firstcome first served registrations and lawsuits, trying to apply a structure to that is insane. A good analogy I saw from another poster here on Slashdot was the difference between the alt.* and comp.sci.* heirarchies on Usenet. Do *you* want to try being a moderator on .alt?

Re:Year 2039: Grandpa, what's a 404 error?

[hey]

Arg, why does everyone says this removes 404's. You need a webserver to return a 404. Before wildcarding you didn't hit a websserver so no 404. And you can still get a 404 by hitting a page that doesn't exist on a webserver that does.