Slashdot Mirror

← Back to Stories (view on slashdot.org)

Paul Vixie And David Maher On VeriSign Wildcarding

Posted by timothy on from the ain't-fair-fellas dept.

chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.

9 of 264 comments (clear)

  1. Get your Patched BIND for Slackware by ksuMacGyver · · Score: 5, Informative

    Get your Patched BIND for Slackware here:

    The more ISPs that use this, the more uncommon the SiteFinder 'service' becomes---the less users expect it.

    Remember when popups where not expected? After using mozilla for a while I simply cannot stand them now!
    ---

    --

    Ad Majorem Dei Gloriam

    Interested in AI? MACR
    1. Re:Get your Patched BIND for Slackware by gmack · · Score: 5, Informative

      Once you have the patched version go here to get the entries needed to block all root zones from doing this.

  2. .ORG Letter in plain text for MS Haters by Anonymous Coward · · Score: 5, Informative

    Dr. Paul Twomey
    President & CEO
    ICANN
    4676 Admiralty Way
    Suite 330
    Marina del Rey, CA 90292

    September 22, 2003

    Dear Paul,

    Public Interest Registry (PIR), the operator of the registry of the .ORG domain, supports ICANN's call for the voluntary suspension of VeriSign's deployment of a DNS wildcard service. We believe that ICANN (and the entire Internet community) should take steps to prevent all registries from unilaterally implementing changes to DNS that redirect requests for invalid domain names to any other site. PIR will not offer any service that makes such a change in the DNS.

    PIR also supports the Internet Architecture Board (IAB) statement on the same subject as set forth at:
    http://www.iab.org/documents/docs/2003-09-20- dns-w ildcards.html

    DNS is a critical piece of Internet infrastructure. Internet services such as the WWW and Email rely on DNS to function, and there should be no interference with the established protocols until there is complete assurance of no negative impact on the DNS.

    In another context, the Internet Architecture Board (IAB) has commented:

    "At the core of all of the IAB's concerns is the architectural principle that the DNS is a lookup service which must behave in an interoperable, predictable way at all levels of the DNS hierarchy. Furthermore, as a lookup service it is such a fundamental part of the Internet's infrastructure that converting it to an application-based search service ... is not

    Page 2

    appropriate even in the case where the query presented would not normally map to a registered domain."

    The architectural principle referred to by the IAB is clearly violated by the changes proposed for the .COM and .NET domains.

    On Monday, September 15, VeriSign changed the behavior of the .COM and .NET TLDs by adjusting servers to respond to requests for non-existent domains with a reference to the VeriSign Site Finder web site, (in other words, "wildcarding"). To a requesting user, it appears that non-existent domains are valid, because they are directed to the Site Finder. There is no difference between the responses for valid domains versus invalid domains from VeriSign's TLD servers.

    Because the VeriSign Site Finder server makes it appear that a non-existent domain exists, the service introduces significant problems to critical Internet infrastructure. Many other important Internet protocols rely heavily on proper DNS behavior. The impact of VeriSign's Site Finder is unclear with respect to security of the DNS. Site Finder unilaterally precludes the use of a prevalent type of anti-spam mail filter that uses DNS to validate the domain of legitimate eMails.

    Because VeriSign's servers are authoritative for the .COM and .NET TLDs, the most prevalent of the TLDs, Internet users have little protection against the imposition of this flawed system. VeriSign implemented the Site Finder system with little advance notice or public commentary by the Internet community. We believe such unilateral behavior in changing a critical resource necessary for the world's information systems is inconsistent with the responsibilities of registries under their contracts with ICANN, particularly because of the necessity of DNS for other Internet resources to function properly.

    We are informed that other domain registries may be exploring services similar to the VeriSign Site Finder. (As noted above, PIR will
    Page 3

    not be one of them.) If this is the case, our comments concerning Site Finder apply with equal force to those other services. We believe that any such efforts to alter the TLD DNS systems, of which the VeriSign Site Finder appears to be the most prominent example, adversely affect the Internet infrastructure and the entire Internet community.

    Therefore,

  3. Re:To be honest by gmack · · Score: 4, Informative

    In the case of a spell checker if it sucks you get to use another product with a better one.

    You don't get to in this case.

    Also all the world is not http... the protocol level is the worst possible place to do this.

  4. Verisign Troubles? Contact these people: by SEE · · Score: 4, Informative
    Not quite on-topic, and a repost, but . . .

    1. The Department of Commerce; VeriSign's contract to operate .com and .org was originally with them.
    2. The Federal Communications Commission, which oversees telecommunications.
    3. The Senate Commerce Committee's Subcommittee on Communications; contact the committee itself, the chairman, the ranking member, and any of the other members you'd like.
    4. The House Subcommittee on Telecommunications and the Internet, including the committee itself, the chairman, the vice-chairman, and the ranking member.

    By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.

  5. Stop Verisign DNS Abuse Petition by GeorgeK · · Score: 5, Informative

    It's now here having been Slashdotted last time....on a better server this time, though (we hope!), so be gentle....

    It's good to see that PIR is taking the high road. If .com/net are ever redelegated, I'd much rather they run it, than someone who would be looking for every opportunity to squeeze out nickels and dimes ($100 million/yr!) from the internet community, via abuse of their monopoly. Or, perhaps a corporation with a solid reputation (maybe IBM?) would step up, to replace Verisign.

  6. Re:To be honest by Atzanteol · · Score: 5, Informative

    The problem is that Verisign is doing their wildcarding at the DNS level. This effects the entire *internet*, not just the World Wide Web. So not only do you get directed to their site on your web-browser, but also if you lookup domains for telnet, ftp, ssh, smtp, etc. This causes problem for (among other things) spam filters, who check that your domain exists (well, now *all* .com domains exist) before delivering mail.

    Verisign is being extremely short-sighted. This whole deal reeks of a moronic manager who thught this would be a 'wonderful' idea.

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  7. Re:The Executive Team by switcha · · Score: 4, Informative

    I'd guess the guy responsible for "the company's globally deployed registration and resolution infrastructure that currently supports the Internet's Domain Name System (DNS)."

    --
    You know what? ... A little club soda *did* get that out!
  8. Query the Verisign roots for bogus .COM names by Nonesuch · · Score: 4, Informative
    My guess is that Verisign does log the requests received, but does not normally go to the effort to correlate the DNS requests with hits to SiteFinder, and that if you want to mess with their marketing data, you would want to send bogus requests to the SiteFinder HTTP, not just bogus DNS queries.
    Does anyone know if you can directly ask a root server about a domain? I didn't think mere mortals could
    Yes you can.

    Any host can make non-recursive requests to the root servers.

    Technically, if a query for whatever.com arrives at a root server, it should only return the list of NS records for .COM, and if a query for whatever.com arrives at an authoritative server for .COM (many roots are also .COM servers), it should only return the registered NS records for whatever.com.

    In fact, that is exactly the problem -- the Verisign roots should return only NS or NXDOMAIN records, but for names in .COM .or .NET, they instead "synthesize" an A record, pointing to sitefinder, with a 15 minute TTL (cache lifetime).

    The various hacks either ignore the specific A record, or ignore records from root servers other than NS. The latter is a cleaner approach, IMHO.

    --

    I do not deploy Linux. Ever.