Slashdot Mirror


Paul Vixie And David Maher On VeriSign Wildcarding

chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.

9 of 264 comments

  1. legalities by micronix1 · Score: 5, Insightful

    Legally, is veri allowed to redirect requests to their own domain? If not, who has the rights to unused domain names?

  2. Re:To be honest by Desert Raven · Score: 5, Insightful

    Gee, that's nice, but in the meantime, it aids spammers, since I can no longer tell if the sender's address is from a valid domain. With Verisign's corruption of the root servers, *all* .com and .net domains will now come back as being valid.

    You're telling me that if you get a "server not found" page, you're too stupid to figure out you misspelled something?

    This is an absolute abuse of Verisign's position. They are contracted to *maintain* the database, not warp it to their own *commercial* purposes. If this was actually a valid service, they would have had no trouble with proposing it to the Internet standards bodies before implementing it. Instead, they're defying those organizations. Worse yet, they've actually put me in the position of agreeing with ICANN.

  3. Re:To be honest by __aavhli5779 · Score: 5, Insightful

    Though you've been modded flamebait, I'm assuming you were simply posting from the perspective of a strictly web user, who could presumably be helped (emphasis on presumably) by being redirected to SiteFinder and pointed to the proper site.

    I think the main thing that has admins screaming, however, is that SiteFinder breaks so many other services just to provide a questionable service for web surfers. Sure, surfers may benefit, but email admins, DNS admins, and many others are banging their heads against the wall because of the problems Verisign's divergence from accepted protocol has caused them.

    Just a thought.

  4. Re:Now this is interesting by GigsVT · Score: 5, Insightful

    It's a question of the duties of a provider of infrastructure.

    There's a certain relationship between a consumer of infrastructure and a provider of it. The consumer must trust the infrastructure to do what it is supposed to do, and nothing more.

    This is no different from ISPs randomly redirecting users to their own branded search engine when you type in "www.google.com", or an ISP's employee intercepting passwords and using them to steal money.

    Infrastructure providers inherently have a lot of control over the services they provide. There is a duty there to provide the service as expected, without changing the content that is carried.

    Verisign's position as a chartered monopoly makes this duty even more important, because consumers have no choice to use an alternative.

    I'm not sure what you mean by "No one's made use of it before"... No one else could make use of it (in .com and .net), Verisign is, as I said, a monopoly.

    Other CCTLDs have used wildcards before, but no one much cares about some island that is abusing the CC system to make extra money.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.

  5. Re:Now this is interesting by Anonymous Coward · Score: 5, Insightful

    Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?

    I do. I run the DNS servers at an ISP, and I am planning to apply the ISC patch that restricts delegation from root servers (as soon as the bugs are shaken out of it -- give it a week or two.) I, and all the other sysadmins out there, decide whether SiteFinder works or not.

  6. Re:Know what's great about these Verisign stories? by Jeremiah Cornelius · Score: 4, Insightful

    I think it's a bit of gall to complain about 'net standards, and have your URI point to an MS Word .doc, no?

    That's one I won't be reading...

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."

  7. Re:To be honest by LostCluster · Score: 4, Insightful

    But, do you really like that it's Verisign doing this for you? Assuming you use IE, MSN already provided this service to you. Verisign has just exploited the DNS system to make their service come up in situations where MSN's used to come up. Other browser developers could have designed their own responses to the "NXDOMAIN" signal, but now Verisign has stopped returning "NXDOMAIN" and instead returns a redirect to their own site... That's what really rubs people the wrong way. Instead of returning the error code that people thought they could depend on, they're returning a redirect to a service you didn't ask for. Yeah, it's a pretty good service on its merits if they tried to sell it to you... but instead they're forcing it on some people who were happy with MSN's service or happy with the traditional error...

  8. It's the same issue by achurch · Score: 4, Insightful

    Whether it's SiteFinder, Google, or even Slashdot, the issue is not so much (or at least not only) the fact that a website comes up instead of a 404. It's the fact that practically everything automated breaks because this "service" is oriented toward humans. Consider:

    • "Automatic domain completion" in browsers, where you can type "slashdot" and get it completed to "http://slashdot.org/" if slashdot.{com,net} don't exist. This will fail to work because DNS will no longer return NXDOMAIN for nonexistent domains. (Admittedly, with everyone and his brother registering .com domains this is something of a straw man...)
    • Spam filters. Many server admins have installed a filter that denies mail with a From: address in a nonexistent domain. With Verisign answering every .com/.net query with an A record, these filters have become essentially useless.

    I'm sure there are others, but the point is that what's good for human users is not good for computers, and it should be the client, i.e. the thing interacting directly with the human user, that interprets the computer responses and makes them easier to use for humans. (There wouldn't be nearly as much uproar over this if Verisign had, say, made a deal with Microsoft to redirect all NXDOMAIN queries to SiteFinder; in that case it would be an Internet Explorer, i.e. client issue, and DNS itself would be unharmed.)
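
The spam-filter breakage described in the comment above, as an added example that is not part of the comment or of any filter named on the page: a sender-domain check that resolves the name, next to a variant that probes a random label under the same TLD to spot a synthesized wildcard answer. The resolver, the zone data, the reserved `.example` TLD standing in for .com/.net, and all function names are constructed for illustration.

```python
import secrets

# Constructed zone data, not real DNS. ".example" stands in for a TLD whose
# registry answers every unregistered name with the same A record.
WILDCARD_ADDR = "192.0.2.10"                      # documentation address
REGISTERED = {"shop.example": {"198.51.100.7"}}   # one genuinely delegated name

def fake_resolve(name, wildcarded=True):
    """Stand-in resolver: a set of A records, or None for NXDOMAIN."""
    if name in REGISTERED:
        return REGISTERED[name]
    if wildcarded and name.endswith(".example"):
        return {WILDCARD_ADDR}                    # synthesized wildcard answer
    return None

def sender_domain(from_header):
    """Pull the domain out of a From: value such as 'Bob <bob@shop.example>'."""
    return from_header.rsplit("@", 1)[-1].strip("> ").lower()

def naive_domain_exists(domain, resolve):
    """The filter the comment describes: accept if the name resolves at all."""
    return resolve(domain) is not None

def wildcard_aware_domain_exists(domain, resolve):
    """Treat an answer that matches the TLD's wildcard answer as nonexistent."""
    answer = resolve(domain)
    if answer is None:
        return False
    tld = domain.rsplit(".", 1)[-1]
    # A 32-hex-character random label is almost certainly unregistered, so
    # any answer for it must have been synthesized by the registry.
    synthesized = resolve(f"{secrets.token_hex(16)}.{tld}")
    if synthesized is None:
        return True                               # TLD still returns NXDOMAIN
    return not answer <= synthesized              # subset of wildcard => fake

if __name__ == "__main__":
    for hdr in ("Bob <bob@shop.example>", "x@typo-domain.example"):
        d = sender_domain(hdr)
        print(d, naive_domain_exists(d, fake_resolve),
              wildcard_aware_domain_exists(d, fake_resolve))
```

A registered domain that happens to be hosted at the wildcard address would be rejected by the second check, so a production filter would also consult MX records or the delegation itself.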

  9. Re:To be honest by gothicpoet · Score: 4, Insightful

    This is an absolute abuse of Verisign's position. They are contracted to *maintain* the database, not warp it to their own *commercial* purposes. If this was actually a valid service, they would have had no trouble with proposing it to the Internet standards bodies before implementing it. Instead, they're defying those organizations. Worse yet, they've actually put me in the position of agreeing with ICANN.

    With those words (an absolute abuse) you just described most of what Verisign has done.

    Folks should remember, this is the company that was contracted to *maintain* the database until one day they decided that they *owned* the database... (errr... okay... if I get paid to clean all the cars at the dealership can I decide one day that I own them all and get away with it?)

    And yet somehow years after that magical acquisition of property rights they've still got the contracts. They've gotten away with all kinds of stuff and like a spoiled child they'll keep taking more until (if ever) someone takes away their privileges and sends them to time out.

    Gotta agree with you that there's no way that any benefits that stupid Sitefinder page provides make up for the abuse of position and random chaos it's caused.

    --
    Quoth he ::
    "It's all academic anyway..."