Paul Vixie And David Maher On VeriSign Wildcarding
chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.
Some people suggest that administration of the DNS is a public trust, and that VeriSign is merely the caretaker of this system, not its owner. And now VeriSign has abused that trust. That may be true. Before a few days ago it didn't matter whether VeriSign was the owner or a caretaker. Now it matters a lot. VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission?
If you think about this from a social point of view, not just technical, this is absolutely fascinating (rather than just irritating/punch-provoking): here's an ability, that was theoretically possible all along, to have this big effect on something lots and lots of people use. No one made use of it before. Now someone has, and it's
Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?
I know what I think is the right answer, and it's what (probably) the rest of you think. But the final answer isn't up to you and me, or at least not you and me alone. Watching that process of who-gets-to-decide is going to be at least as interesting and precedent-setting as what the final decision ends up being.
Carousel is a lie!
The only question is whether the collective level of indignation against Verisign will reach that held towards SCO.
Verisign has certainly been building up hatred for a long time.
I propose a battle between the two for the ire and dislike of /.ers.
Whatever. Why aren't more people just ditching their precious .COM names. Think UPS.com or Amazon.com couldn't get away with switching? Sure they could...
For those in the .US take a look at NIC.US which can point you to all the various registrars. Heck, it's cheaper -- typically $15/yr.
The only thing Verisign will understand is people speaking with their dollars. And yes, I personally have switched my domains over to .US -- of course I'll handle the .COM traffic until they expire in a year or two. In the mean time everything going out says .US as of yesterday.
Sure, business cards and letter head still say .COM, but they surely won't on the next order. Maybe a year.
getting their ISP to upgrade DNS servers to counter this threat?
I'd appreciate any suggestions.
It is a good interview, but the expression "bootleg patches" was something I disliked. It does not fit well with the free/open source spirit. It assumes that there are (in marketing terms) "official" or "authorized" patches and everything else is "bootleg". It kind of makes me feel my next patch to some open source product could be considered "bootleg", which makes me feel it is unwanted.
(Posted anonymously to avoid a rampaging mob outside my house)
I'm a professional spammer. Well, that's a harsh term. I run bulk-email servers. I trust my clients that their entire list has double opted-in when they say so. Most are quite legitimate mailing lists; some are probably not.
This new bug is a godsend, but not for the reason a lot of people are saying. I don't fake "from" addresses, so I don't get any added anonymity from a wildcard.
What I do get is the ability to send my emails that have bad domains in them to a nominally but not effectively existent box at Verisign. I no longer get bad domain bounces to worry about.
Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have our own name servers) do.
It's a little harder, but not a lot harder, to just run your own root zone. The biggest thing is to gather up all the NS records and associated A records for each TLD. That's a small list (relatively speaking), so it could be done via a few hundred dig commands to the root servers. Or it can be downloaded. Now once you have that data, you replace the .com and .net zones with your own. Of course that begs the question, replace it with what?
If enough people with enough server/network power get together, they can make their own independent "realm" of domain name space, starting with a replacement root zone (as has been done in the past to add new TLDs), and a replacement for both .com and .net.
I can just hear the complaints now (and I've heard them before): "But this will fragment the internet". My answer is: Yes!!!! yes it will! all the better. Imagine being in a whole different name space realm away from spammers and evil corporations. And maybe you can meet me in the .mp3 TLD.
now we need to go OSS in diesel cars
Here's a fun solution:
If your ISP hasn't fixed this yet, go to http://ibm-asdf-hardware.com
Do you think IBM might be a little bit pissed off about their trademark being used to point to someone else's computer hardware site? Do you think they might, I dunno, sue?
How about all these other blatant trademark infringements:
http://ibm-asda-hardware.com
http://ibm-asdb-hardware.com
http://ibm-asdc-hardware.com
http://ibm-asdd-hardware.com
http://ibm-asde-hardware.com
http://ibm-asdg-hardware.com
http://ibm-asdh-hardware.com
http://ibm-asdi-hardware.com
http://ibm-asdj-hardware.com
As I see it, Verisign is facing a not-quite-infinite number of trademark infringement lawsuits. And, of course, if Verisign switches to point to IBM, I'm sure hardware.com would be delighted to fire their own volley of lawyers.
Stop-Prism.org: Opt Out of Surveillance
I'd not use google any more.
It is not the person, it is the act.
You not seeing a down side is neither here nor there, if you want this functionality, install software on your local machine to do so.
Wow, I should not post when knackered.
Good point. We've heard lots of names of folks who are fighting the Good Fight (like Paul Vixie and David Maher) but who is actually responsible for this? Sure, Verisign is the company and they have their spokespersons/spindoctors, but who are the actual people who thought this up and implemented it? This shite affects all of us, so no more hiding behind the company doors.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
Fine -- it may be convenient for you, but the way they implement it is the wrong way from a technical standpoint (though the only way they'd be able to impose their own page). The technically correct approach is to have your browser query a website (sitefinder, if you want) if the DNS resolution fails. The approach they're using breaks valid systems Internet-wide.
May we never see th
RTFA, then RTFRFC.
#apt-get install clue
#man internet
The entire intarweb.net is not comprised of only http://
This isn't about your fancy towards the redirect page. A domain search page is an interesting idea - USEFUL, even. This wildcard idiocy is at a protocol level. They are breaking RFCs. The IANA has reserved all one letter .com domains, and now suddenly they "exist." http://a.com takes you right to their sitefinder site and that's NOT SUPPOSED TO HAPPEN. That's what RESERVED means. It breaks spam filters, too.
It IS terrible for everyone. If you want a domain search engine, great. It should be a site I can go to of my own free will, not if I happen to accidentally type in slashpork.com
Couldn't they be sued for not providing some way for users to discontinue use of their service? It's like the shrink wrapped EULA, except on a way more annoying scale.
We're all going to have to call their tech support to ask them how to discontinue use of the service because we do not agree with their terms of use.
Not sure if it's an appropriate thread, but it looks as good as any for a shameless plug :)
Yours truly put together a quick utility - dnsfix, which monitors inbound DNS responses and tweaks result codes from 'success' to 'no-name' for those referencing specific IPs. In other words, it can be used to transparently negate the effect of VeriSign's SiteFinder "service" and restore DNS behaviour expected by (currently broken) spam filters and the like.
3.243F6A8885A308D313
After reading this story about Russell Lewis's (Verisign GM) memo to staff, I registered "bookstre.com" and pointed it to Google via the Easily.co.uk redirector.
Now, until the DNS entry propagated, and in the 15 minute window before the non-existent domain timed out, I was still seeing the SiteFinder "domain". Obviously it's a contrived example, but I think it illustrates an important point:
I paid good money for this domain
Who said Verisign could use it ?
Legitimate domain registrations are still going to suffer from this decision, so I suspect this would be a legitimate set of grounds for a class action against Verisign.
--- These are not words: wierd, genious, rediculous
I just got a call from an 'independent' survey company and about half way through I realized that it was sponsored by Verisign. They asked me all these questions about registering domain names and stuff, and really seemed to focus on Network Solutions/Verisign. They asked me how I would rate them and I said 1 (worst) and she acted kind of surprised. She had me explain why I felt that way and I said that they have jacked domain name registration and certificate pricing through the roof and that I strongly object to their SiteFinder service. Maybe some of you other guys will get the call as well. Sock it to em.