Slashdot Mirror


Paul Vixie And David Maher On VeriSign Wildcarding

chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.

11 of 264 comments

  1. Now this is interesting by Saint+Aardvark · · Score: 5, Interesting
    From Vixie:

    Some people suggest that administration of the DNS is a public trust, and that VeriSign is merely the caretaker of this system, not its owner. And now VeriSign has abused that trust. That may be true. Before a few days ago it didn't matter whether VeriSign was the owner or a caretaker. Now it matters a lot. VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission?

    If you think about this from a social point of view, not just technical, this is absolutely fascinating (rather than just irritating/punch-provoking): here's an ability, that was theoretically possible all along, to have this big effect on something lots and lots of people use. No one made use of it before. Now someone has, and it's

    1. (presumably) made a bunch of money for those who did it, and
    2. pissed off a lot of -- but not all -- people.

    Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?

    I know what I think is the right answer, and it's what (probably) the rest of you think. But the final answer isn't up to you and me, or at least not you and me alone. Watching that process of who-gets-to-decide is going to be at least as interesting and precedent-setting as what the final decision ends up being.

    1. Re:Now this is interesting by Saint+Aardvark · · Score: 4, Interesting
      I'm not sure what you mean by "No one's made use of it before"... No one else could make use of it (in .com and .net), Verisign is, as I said, a monopoly.

      Bad choice of words: As you mentioned, I understand that other TLD registrars have made use of this before. Amended sentence: no one in this position of power (.com and .net being what they are) has made use of this before.

      This:

      This is no different from ISPs randomly redirecting users to their own branded search engine when you type in "www.google.com", or an ISP's employee intercepting passwords and using them to steal money.

      and this from the comment below:

      I do....I, and all the other sysadmins out there, decide whether SiteFinder works or not.

      are exactly what I'm talking about when I say that this debate is fascinating. In all honesty, I'd give a lot to sit down w/whoever at Verisign and ask them these same questions -- not necessarily to provoke the answer that I feel is right, but just to see how separate groups of intelligent people come to utterly different answers about these questions.

    2. Re:Now this is interesting by TheLink · · Score: 3, Interesting

      Actually we have a voice.

      How about we give verisign what it wants - traffic to nonexistent domains.

      People with webpages should start having 1x1 img links to nonexistent domains. Should be one pixel by one pixel, in case the image from verisign is not desirable.

      e.g. img src=http://www.asdasdnrerwtc.com/ height=1 width=1

      That way verisign gets traffic for every page.

      You can even make a "broken ribbon" logo with a fancy table and lots of 1x1 images and coloured 1x1 image. There's a small chance it could get subverted and show the wrong image.

      --
  2. .org, .us, .do .it by krray · · Score: 4, Interesting

    Whatever. Why aren't more people just ditching their precious .COM names. Think UPS.com or Amazon.com couldn't get away with switching? Sure they could...

    For those in the .US take a look at NIC.US which can point you to all the various registrars. Heck, it's cheaper -- typically $15/yr.

    The only thing Verisign will understand is people speaking with their dollars. And yes, I personally have switched my domains over to .US -- of course I'll handle the .COM traffic until they expire in a year or two. In the mean time everything going out says .US as of yesterday.

    Sure, business cards and letter head still say .COM, but they surely won't on the next order. Maybe a year.

  3. Did anybody have any luck by lightspawn · · Score: 4, Interesting

    getting their ISP to upgrade DNS servers to counter this threat?

    I'd appreciate any suggestions.

  4. Re:To be honest by Anonymous Coward · · Score: 5, Interesting

    (Posted anonymously to avoid a rampaging mob outside my house)

    I'm a professional spammer. Well, that's a harsh term. I run bulk-email servers. I trust my clients that their entire list has double opted-in when they say so. Most are quite legitimate mailing lists; some are probably not.

    This new bug is a godsend, but not for the reason a lot of people are saying. I don't fake "from" addresses, so I don't get any added anonymity from a wildcard.

    What I do get is the ability to send my emails that have bad domains in them to a nominally but not effectively existent box at Verisign. I no longer get bad domain bounces to worry about.

  5. Take back the roots by Skapare · · Score: 4, Interesting

    Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have our own name servers) do.

    It's a little harder, but not a lot harder, to just run your own root zone. The biggest thing is to gather up all the NS records and associated A records for each TLD. That's a small list (relatively speaking), so it could be done via a few hundred dig commands to the root servers. Or it can be downloaded. Now once you have that data, you replace the .com and .net zones with your own. Of course that begs the question, replace it with what?

    If enough people with enough server/network power get together, they can make their own independent "realm" of domain name space, starting with a replacement root zone (as has been done in the past to add new TLDs), and a replacement for both .com and .net.

    I can just hear the complaints now (and I've heard them before): "But this will fragment the internet". My answer is: Yes!!!! yes it will! all the better. Imagine being in a whole different name space realm away from spammers and evil corporations. And maybe you can meet me in the .mp3 TLD.

    --
    now we need to go OSS in diesel cars
  6. Trademark Infringement by Bob9113 · · Score: 3, Interesting

    Here's a fun solution:

    If your ISP hasn't fixed this yet, go to http://ibm-asdf-hardware.com

    Do you think IBM might be a little bit pissed off about their trademark being used to point to someone else's computer hardware site? Do you think they might, I dunno, sue?

    How about all these other blatant trademark infringements:
    http://ibm-asda-hardware.com
    http://ibm-asdb-hardware.com
    http://ibm-asdc-hardware.com
    http://ibm-asdd-hardware.com
    http://ibm-asde-hardware.com
    http://ibm-asdg-hardware.com
    http://ibm-asdh-hardware.com
    http://ibm-asdi-hardware.com
    http://ibm-asdj-hardware.com

    As I see it, Verisign is facing a not-quite-infinite number of trademark infringement lawsuits. And, of course, if Verisign switches to point to IBM, I'm sure hardware.com would be delighted to fire their own volley of lawyers.

  7. Re:What if it was Google rather than sitefinder? by mlk · · Score: 3, Interesting

    I'd not use google any more.

    It is not the person, it is the act.

    You not seeing a down side is neither here nor there, if you want this functionality, install software on your local machine to do so.

    --
    Wow, I should not post when knackered.
  8. Re:To be honest by BiggerIsBetter · · Score: 3, Interesting

    Good point. We've heard lots of names of folks who are fighting the Good Fight (like Paul Vixie and David Maher) but who is actually responsible for this? Sure, Verisign is the company and they have their spokespersons/spindoctors, but who are the actual people who thought this up and implemented it? This shite affects all of us, so no more hiding behind the company doors.

    --
    Forget thrust, drag, lift and weight. Airplanes fly because of money.
  9. DNS tweaker for Windows by apankrat · · Score: 3, Interesting

    Not sure if it's an appropriate thread, but it looks as good as any for a shameless plug :)

    Yours truly put together a quick utility - dnsfix, which monitors inbound DNS responses and tweaks result codes from 'success' to 'no-name' for those referencing specific IPs. In other words, it can be used to transparently negate the effect of VeriSign's SiteFinder "service" and restore DNS behaviour expected by (currently broken) spam filters and the like.

    --
    3.243F6A8885A308D313
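
The response rewrite described in the last comment (a 'success' answer that points at a known wildcard address becomes 'no-name'), sketched as an added example; this is not dnsfix's code or anything from the thread. The address 192.0.2.11 is a documentation placeholder, and the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Assumption: placeholder wildcard address (TEST-NET-1), not a real registry IP.
WILDCARD_IPS = {ipaddress.IPv4Address("192.0.2.11")}
NXDOMAIN = 3

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label ends the name
            return off
        off += length

def answer_addresses(msg):
    """Return (offset of first answer record, IPv4 addresses in the answer section)."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    start, addrs = off, []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen
    return start, addrs

def rewrite_wildcard(msg):
    """Turn a 'success' response carrying a wildcard A record into NXDOMAIN."""
    ident, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    start, addrs = answer_addresses(msg)
    if flags & 0x000F != 0 or not WILDCARD_IPS.intersection(addrs):
        return msg                      # not a wildcard hit: pass through untouched
    header = struct.pack("!HHHHHH", ident, (flags & 0xFFF0) | NXDOMAIN, qdcount, 0, 0, 0)
    return header + msg[12:start]       # keep the question, drop all records

def build_response(name, ip):
    """Constructed sample: a one-answer A response for `name`."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\0"
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + answer
```

Responses that already carry an error code, or whose A records are not in the wildcard set, are returned byte-for-byte unchanged, so legitimate lookups are unaffected.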