Paul Vixie And David Maher On VeriSign Wildcarding

← Back to Stories (view on slashdot.org)

Paul Vixie And David Maher On VeriSign Wildcarding

Posted by timothy on Tuesday September 23, 2003 @02:43PM from the ain't-fair-fellas dept.

chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.

6 of 264 comments (clear)

Min score:

Reason:

Sort:

Now this is interesting by Saint+Aardvark · 2003-09-23 14:52 · Score: 5, Interesting
From Vixie:
Some people suggest that administration of the DNS is a public trust, and that VeriSign is merely the caretaker of this system, not its owner. And now VeriSign has abused that trust. That may be true. Before a few days ago it didn't matter whether VeriSign was the owner or a caretaker. Now it matters a lot. VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission?
If you think about this from a social point of view, not just technical, this is absolutely fascinating (rather than just irratating/punch-provoking): here's an ability, that was theoretically possible all along, to have this big effect on something lots and lots of people use. No one made use of it before. Now someone has, and it's
1. (presumably) made a bunch of money for those who did it, and
2. pissed off a lot of -- but not all -- people.
Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?
I know what I think is the right answer, and it's what (probably) the rest of you think. But the final answer isn't up to you and me, or at least not you and me alone. Watching that process of who-gets-to-decide is going to be at least as interesting and precedent-setting as what the final decision ends up being.
--
Carousel is a lie!
1. Re:Now this is interesting by Saint+Aardvark · 2003-09-23 15:33 · Score: 4, Interesting
  
  I'm not sure what you mean by "No one's made use of it before"... No one else could make use of it (in .com and .net), Verisign is, as I said, a monopoly.
  Bad choice of words: As you mentioned, I understand that other TLD registrars have made use of this before. Amended sentence: no one in this position of power (.com and .net being what they are) has made use of this before.
  This:
  This is no different from ISPs randomly redirecting users to their own branded search engine when you type in "www.google.com", or an ISP's employee intercepting passwords and using them to steal money.
  and this from the comment below:
  I do....I, and all the other sysadmins out there, decide whether SiteFinder works or not.
  are exactly what I'm talking about when I say that this debate is fascinating. In all honesty, I'd give a lot to sit down w/whoever at Verisign and ask them these same questions -- not necessarily to provoke the answer that I feel is right, but just to see how separate groups of intelligent people come to utterly different answers about these questions.
  
  --
  Carousel is a lie!
.org, .us, .do .it by krray · 2003-09-23 15:14 · Score: 4, Interesting

Whatever. Why aren't more people just ditching their precious .COM names. Think UPS.com or Amazon.com couldn't get away with switching? Sure they could...

For those in the .US take a look at NIC.US which can point you to all the various registrars. Heck, it's cheaper -- typically $15/yr.

The only thing Verisign will understand is people speaking with their dollars. And yes, I personally have switched my domains over to .US -- of course I'll handle the .COM traffic until they expire in a year or two. In the mean time everything going out says .US as of yesterday.

Sure, business cards and letter head still say .COM, but they surely won't on the next order. Maybe a year.
Did anybody have any luck by lightspawn · 2003-09-23 15:14 · Score: 4, Interesting

getting their ISP to upgrade DNS servers to counter this threat?

I'd appreciate any suggestions.
Re:To be honest by Anonymous Coward · 2003-09-23 15:43 · Score: 5, Interesting

(Posted anonymously to avoid a rampaging mob outside my house)

I'm a professional spammer. Well, that's a harsh term. I run bulk-email servers. I trust my clients that their entire list has double opted-in when they say so. Most are quite legitimate mailing lists; some are probably not.

This new bug is a godsend, but not for the reason a lot of people are saying. I don't fake "from" addresses, so I don't get any added anonymity from a wildcard.

What I do get is the ability to send my emails that have bad domains in them to a nominally but not effectively existant box at Verisign. I no longer get bad domain bounces to worry about.
Take back the roots by Skapare · 2003-09-23 15:48 · Score: 4, Interesting

Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have our own name servers) do.

It's a little harder, but not a lot harder, to just run your own root zone. The biggest thing is to gather up all the NS records and associated A records for each TLD. That's a small list (relatively speaking), so it could be done via a few hundred dig commands to the root servers. Or it can be downloaded. Now once you have that data, you replace the .com and .net zones with your own. Of course that begs the question, replace it with what?

If enough people with enough server/network power get together, they can make their own independent "realm" of domain name space, starting with a replacement root zone (as has been done in the past to add new TLDs), and a replacement for both .com and .net.

I can just hear the complaints now (and I've heard them before): "But this will fragment the internet". My answer is: Yes!!!! yes it will! all the better. Imagine being in a whole different name space realm away from spammers and evil corporations. And maybe you can meet me in the .mp3 TLD.

--
now we need to go OSS in diesel cars