Paul Vixie And David Maher On VeriSign Wildcarding
chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registry, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.
They sure break up the SCO stories.
I kind of like the Verisign redirect. I sometimes mistype URLs and the Verisign page usually has a link to the page I was looking for. It's a pretty nice system considering the alternatives.
legally, is veri allowed to redirect requests to their own domain? if not, who has the rights to unused domain names?
How many times have you meant to go to goatse.cx and missed a letter, like goats.cx. This sort of site would help out users quite a bit. It could also offer other helpful suggestions, such as dogse.cx and pigse.cx.
Get your Patched BIND for Slackware here:
The more ISPs that use this, the more uncommon the SiteFinder 'service' becomes---the less users expect it.
Remember when popups were not expected? After using mozilla for a while I simply cannot stand them now!
---
Ad Majorem Dei Gloriam
Interested in AI? MACR
Some people suggest that administration of the DNS is a public trust, and that VeriSign is merely the caretaker of this system, not its owner. And now VeriSign has abused that trust. That may be true. Before a few days ago it didn't matter whether VeriSign was the owner or a caretaker. Now it matters a lot. VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission?
If you think about this from a social point of view, not just technical, this is absolutely fascinating (rather than just irritating/punch-provoking): here's an ability, that was theoretically possible all along, to have this big effect on something lots and lots of people use. No one made use of it before. Now someone has, and it's
Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?
I know what I think is the right answer, and it's what (probably) the rest of you think. But the final answer isn't up to you and me, or at least not you and me alone. Watching that process of who-gets-to-decide is going to be at least as interesting and precedent-setting as what the final decision ends up being.
Carousel is a lie!
Though I agree with everything he said (and thought he did so quite eloquently), it's a bit disheartening to see the chairman of the ISC refer to NXDOMAIN as a 404.
I think we should all go there at once.
We can say that we were all on our way to the grocery, made a wrong turn, and ended up at his house.
Then we can demand to buy groceries.
I'm sure he won't mind. Everyone ends up at his site for that reason, right?
Mod me down and I will become more powerful than you can possibly imagine!
Dr. Paul Twomey
President & CEO
ICANN
4676 Admiralty Way
Suite 330
Marina del Rey, CA 90292
September 22, 2003
Dear Paul,
Public Interest Registry (PIR), the operator of the registry of the .ORG domain, supports ICANN's call for the voluntary suspension of VeriSign's deployment of a DNS wildcard service. We believe that ICANN (and the entire Internet community) should take steps to prevent all registries from unilaterally implementing changes to DNS that redirect requests for invalid domain names to any other site. PIR will not offer any service that makes such a change in the DNS.
PIR also supports the Internet Architecture Board (IAB) statement on the same subject as set forth at:
http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html
DNS is a critical piece of Internet infrastructure. Internet services such as the WWW and Email rely on DNS to function, and there should be no interference with the established protocols until there is complete assurance of no negative impact on the DNS.
In another context, the Internet Architecture Board (IAB) has commented:
"At the core of all of the IAB's concerns is the architectural principle that the DNS is a lookup service which must behave in an interoperable, predictable way at all levels of the DNS hierarchy. Furthermore, as a lookup service it is such a fundamental part of the Internet's infrastructure that converting it to an application-based search service is not appropriate even in the case where the query presented would not normally map to a registered domain."
The architectural principle referred to by the IAB is clearly violated by the changes proposed for the .COM and .NET domains.
On Monday, September 15, VeriSign changed the behavior of the .COM and .NET TLDs by adjusting servers to respond to requests for non-existent domains with a reference to the VeriSign Site Finder web site, (in other words, "wildcarding"). To a requesting user, it appears that non-existent domains are valid, because they are directed to the Site Finder. There is no difference between the responses for valid domains versus invalid domains from VeriSign's TLD servers.
Because the VeriSign Site Finder server makes it appear that a non-existent domain exists, the service introduces significant problems to critical Internet infrastructure. Many other important Internet protocols rely heavily on proper DNS behavior. The impact of VeriSign's Site Finder is unclear with respect to security of the DNS. Site Finder unilaterally precludes the use of a prevalent type of anti-spam mail filter that uses DNS to validate the domain of legitimate eMails.
Because VeriSign's servers are authoritative for the .COM and .NET TLDs, the most prevalent of the TLDs, Internet users have little protection against the imposition of this flawed system. VeriSign implemented the Site Finder system with little advance notice or public commentary by the Internet community. We believe such unilateral behavior in changing a critical resource necessary for the world's information systems is inconsistent with the responsibilities of registries under their contracts with ICANN, particularly because of the necessity of DNS for other Internet resources to function properly.
We are informed that other domain registries may be exploring services similar to the VeriSign Site Finder. (As noted above, PIR will not be one of them.) If this is the case, our comments concerning Site Finder apply with equal force to those other services. We believe that any such efforts to alter the TLD DNS systems, of which the VeriSign Site Finder appears to be the most prominent example, adversely affect the Internet infrastructure and the entire Internet community.
Therefore,
Carousel is a lie!
But I didn't care because I don't celebrate Christmas.
Then they came for .museum
but I didn't care because I haven't been in one in ages.
Then they came for .a bunch of small countries
But I didn't care because I've never heard of them.
Then they came for .com and .net,
and nobody cared because it's common business practice.
Note: according to a posting I just looked up, at least 11 TLDs (.cc, .cx, .io, .mp, .museum, .nu, .ph, .td, .tk, .tv, .ws) pulled the same stunt. I probably got the relative times wrong too.
Whatever. Why aren't more people just ditching their precious .COM names. Think UPS.com or Amazon.com couldn't get away with switching? Sure they could...
The only thing Verisign will understand is people speaking with their dollars. And yes, I personally have switched my domains over to .US -- of course I'll handle the .COM traffic until they expire in a year or two. In the meantime everything going out says .US as of yesterday.
Sure, business cards and letterhead still say .COM, but they surely won't on the next order. Maybe a year.
For those in the .US take a look at NIC.US which can point you to all the various registrars. Heck, it's cheaper -- typically $15/yr.
getting their ISP to upgrade DNS servers to counter this threat?
I'd appreciate any suggestions.
This started about 1995 when people began to conflate the Web with the Internet.
Slashdot: Where nerds gather to pool their ignorance
By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.
It's now here having been Slashdotted last time....on a better server this time, though (we hope!), so be gentle....
It's good to see that PIR is taking the high road. If .com/net are ever redelegated, I'd much rather they run it, than someone who would be looking for every opportunity to squeeze out nickels and dimes ($100 million/yr!) from the internet community, via abuse of their monopoly. Or, perhaps a corporation with a solid reputation (maybe IBM?) would step up, to replace Verisign.
It is a good interview but the expression "bootleg patches" was something I disliked. It does not fit well with the free/open source spirit. It assumes that there are (in marketing terms) "official" or "authorized" patches and everything else is "bootleg". It kind of makes me feel my next patch to some open source product could be considered "bootleg", which makes me feel it is unwanted.
Just surf slashdot at -1, and you'll never need to type goatse.cx - thus, no worries about mis-spelling it.
"If God created us in his own image, we have more than reciprocated"
Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have our own name servers) do.
It's a little harder, but not a lot harder, to just run your own root zone. The biggest thing is to gather up all the NS records and associated A records for each TLD. That's a small list (relatively speaking), so it could be done via a few hundred dig commands to the root servers. Or it can be downloaded. Now once you have that data, you replace the .com and .net zones with your own. Of course that begs the question, replace it with what?
If enough people with enough server/network power get together, they can make their own independent "realm" of domain name space, starting with a replacement root zone (as has been done in the past to add new TLDs), and a replacement for both .com and .net.
I can just hear the complaints now (and I've heard them before): "But this will fragment the internet". My answer is: Yes!!!! yes it will! all the better. Imagine being in a whole different name space realm away from spammers and evil corporations. And maybe you can meet me in the .mp3 TLD.
now we need to go OSS in diesel cars
Verisign can break Vixie's patch. All they have to do is set up a separate name server which pretends to be a .com and .net server, with the very same wildcarded A-record. Now just put in wildcarded NS-records in the actual .com and .net zones in the real GTLD servers (in place of the existing wildcarded A-record). There, now it really looks like a real delegation to a different name server, just like real domains have. The new delegated wildcard server gets the query next, due to the delegation (that looks like a delegation, hence fools the patch), and due to its wildcard (and it doesn't need any other data from the .com or .net zones, since it doesn't get delegated to for real domains), it will answer with an A record of Verisign's choosing. If Verisign wants to keep doing what they are doing, they can defeat this patch by that method.
Then we'll have to make DNS servers filter out specific delegations (as opposed to filtering out non-delegation records where there should be only delegations). Verisign could rotate those delegations daily and fool efforts to block it.
now we need to go OSS in diesel cars
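The bypass described above (replace the wildcard A record with a wildcard NS record that delegates every nonexistent name to a catch-all server) can be walked through in a small model. This is an added illustration, not ISC's patch, BIND code, or anything VeriSign ran. The server names a.gtld-servers.example and catchall.sitefinder.example, the addresses 192.0.2.1 and 198.51.100.7, and the zone contents are all constructed, and the resolver's "delegation-only" rule is reduced to its essence: non-referral data received from a zone marked delegation-only is treated as NXDOMAIN.

```python
"""Toy model of the SiteFinder wildcard, the resolver-side 'delegation-only'
countermeasure, and the wildcard-NS bypass described in the comment above.
Added illustration, not code from BIND, ISC or VeriSign. Every hostname, IP
and zone below is constructed for the example."""

SITEFINDER_IP = "192.0.2.1"     # assumed placeholder for the redirect target
LEGIT_IP = "198.51.100.7"       # constructed address of a registered domain


def authoritative_answer(zone, qname):
    """Answer one query as an authoritative server for `zone` would.
    zone = {"apex": str, "rrs": {owner: [(type, rdata), ...]}}; names are
    lowercase with no trailing dot. Returns (kind, owner, rrset) where kind is
    'answer', 'referral' or 'nxdomain'. Glue is not modelled."""
    apex, rrs = zone["apex"], zone["rrs"]
    assert qname == apex or qname.endswith("." + apex), "query outside zone"
    rel = qname[: -(len(apex) + 1)].split(".") if qname != apex else []
    # Names strictly below the apex down to qname, shortest first.
    ancestors = [".".join(rel[i:]) + "." + apex for i in range(len(rel) - 1, -1, -1)]
    for name in ancestors:                      # a zone cut above qname wins
        ns = [(t, rd) for t, rd in rrs.get(name, []) if t == "NS"]
        if ns:
            return ("referral", name, ns)
    if qname in rrs:
        return ("answer", qname, rrs[qname])
    if any(name in rrs for name in ancestors):
        return ("nxdomain", qname, [])          # closer encloser exists: wildcard does not match
    wild = rrs.get("*." + apex)
    if wild:                                    # synthesize the wildcard at qname (RFC 1034 4.3.3)
        kind = "referral" if any(t == "NS" for t, _ in wild) else "answer"
        return (kind, qname, wild)
    return ("nxdomain", qname, [])


def resolve(qname, servers, delegation_only=frozenset()):
    """Iterative lookup starting at the constructed .com server. `servers` maps a
    nameserver hostname to the zone it serves (standing in for glue records).
    `delegation_only` holds zone apexes from which the resolver accepts referrals
    only; answer data from such a zone is turned into NXDOMAIN, a simplified
    version of what the ISC delegation-only patch does."""
    server, zone_cut = "a.gtld-servers.example", "com"
    for _ in range(8):                          # referral hop limit
        kind, owner, rrset = authoritative_answer(servers[server], qname)
        if kind == "nxdomain":
            return ("NXDOMAIN", [])
        if kind == "answer":
            if zone_cut in delegation_only:
                return ("NXDOMAIN", [])        # non-referral data from a TLD: discard it
            return ("NOERROR", [rd for t, rd in rrset if t == "A"])
        zone_cut = owner                        # the referral names the child zone we now trust
        server = rrset[0][1]
    raise RuntimeError("referral loop")


def build_servers(wildcard):
    """Constructed .com plus one registered domain. `wildcard` is None, 'A'
    (the SiteFinder-style record) or 'NS' (the bypass: delegate every
    nonexistent name to a catch-all server that answers with the same A)."""
    com = {"example.com": [("NS", "ns1.example.com")]}
    if wildcard == "A":
        com["*.com"] = [("A", SITEFINDER_IP)]
    elif wildcard == "NS":
        com["*.com"] = [("NS", "catchall.sitefinder.example")]
    return {
        "a.gtld-servers.example": {"apex": "com", "rrs": com},
        "ns1.example.com": {"apex": "example.com",
                            "rrs": {"www.example.com": [("A", LEGIT_IP)]}},
        # Pretends to be a .com server but only ever sees the delegated names.
        "catchall.sitefinder.example": {"apex": "com",
                                        "rrs": {"*.com": [("A", SITEFINDER_IP)]}},
    }


if __name__ == "__main__":
    for wc in (None, "A", "NS"):
        s = build_servers(wc)
        print(wc, resolve("www.example.com", s), resolve("bookstre.com", s),
              resolve("bookstre.com", s, delegation_only={"com"}))
```

With the A-record wildcard the resolver's rule catches the synthesized answer, but with the NS-record wildcard the same query resolves to the catch-all address even though com is marked delegation-only: after following the referral the resolver believes it is talking to a server for bookstre.com, not for com, and nothing in the response distinguishes that delegation from a real one. Registered names resolve normally in every variant.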
deb http://www.backports.org/debian stable bind9
Here's a fun solution:
If your ISP hasn't fixed this yet, go to http://ibm-asdf-hardware.com
Do you think IBM might be a little bit pissed off about their trademark being used to point to someone else's computer hardware site? Do you think they might, I dunno, sue?
How about all these other blatant trademark infringements:
http://ibm-asda-hardware.com
http://ibm-asdb-hardware.com
http://ibm-asdc-hardware.com
http://ibm-asdd-hardware.com
http://ibm-asde-hardware.com
http://ibm-asdg-hardware.com
http://ibm-asdh-hardware.com
http://ibm-asdi-hardware.com
http://ibm-asdj-hardware.com
As I see it, Verisign is facing a not-quite-infinite number of trademark infringement lawsuits. And, of course, if Verisign switches to point to IBM, I'm sure hardware.com would be delighted to fire their own volley of lawyers.
Stop-Prism.org: Opt Out of Surveillance
What? How the hell do you get an HTTP 404 error message if there's no server to even connect to?
now we need to go OSS in diesel cars
I'd not use google any more.
It is not the person, it is the act.
You not seeing a down side is neither here nor there, if you want this functionality, install software on your local machine to do so.
Wow, I should not post when knackered.
My ISP has already routed around VeriSign's damage. Mind you, before they patched BIND (or whatever it is that they use, I never checked), I had fun with them for awhile.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
ahhh but, if you googlefight "sco sucks" and "verisign sucks", you get "sco sucks" (1880 results) versus "verisign sucks" (876 results).
Therefore, SCO sucks more! (for now)
And the muscular cyborg German dudes dance with sexy French Canadians
I am surprised that Paul Vixie did not seem to exhibit much emotion regarding the Sitefinder situation - for someone who's been at the core of what we now know as the DNS for so many years (you would think it's like his own child:).
He seemed reserved, while calmly pointing out, part by part, what is wrong with Verisign's actions. More of this is called for from the important people in the Internet technical and business community - the way community coverage has been heading, and the way comments are worded on Slashdot and other sites, is leading to resentment, anger, name-calling, and joking about Verisign and their policies, creating a situation in which the community is less likely to be taken seriously by Verisign, Microsoft, AOL, etc. Mr. Vixie also mentions that there are smart people at Verisign, reminding us that the Sitefinder "service" is the brainchild of but a handful of people, maybe even just one or two. It reminds me that as engineers, we still have to work with the other guy at a certain level.. becoming enemies doesn't help anything.
Mr. Vixie is saying that perhaps ICANN should "do something about it". This whole situation should be approached by attorneys general, from both the branding/business practices angle mentioned by Mr. Vixie, and also from the consumer rights angle (much like telemarketers). Right now the average consumer can effectively get rid of telemarketers, thanks to recent laws, with a single verbal or written request, but the Sitefinder service can only be circumvented using DNS tools by an engineer or technician "in charge" of the DNS servers. The web-browsing consumer has no way around this by themselves.
I wonder which one of these characters made this mess happen?
http://www.verisign.com/corporate/about/executive.html
Forget thrust, drag, lift and weight. Airplanes fly because of money.
Whether it's SiteFinder, Google, or even Slashdot, the issue is not so much (or at least not only) the fact that a website comes up instead of a 404. It's the fact that practically everything automated breaks because this "service" is oriented toward humans. Consider:
I'm sure there are others, but the point is that what's good for human users is not good for computers, and it should be the client, i.e. the thing interacting directly with the human user, that interprets the computer responses and makes them easier to use for humans. (There wouldn't be nearly as much uproar over this if Verisign had, say, made a deal with Microsoft to redirect all NXDOMAIN queries to SiteFinder; in that case it would be an Internet Explorer, i.e. client issue, and DNS itself would be unharmed.)
Am I the only one who finds it ironic that Verisign's slogan is "The Value of Trust"? They sure don't seem to be aware of just that, the value of the trust we have given them.
Couldn't they be sued for not providing some way for users to discontinue use of their service? It's like the shrink wrapped EULA, except on a way more annoying scale.
We're all going to have to call their tech support to ask them how to discontinue use of the service because we do not agree with their terms of use.
Any host can make non-recursive requests to the root servers.
Technically, if a query for whatever.com arrives at a root server, it should only return the list of NS records for .COM, and if a query for whatever.com arrives at an authoritative server for .COM (many roots are also .COM servers), it should only return the registered NS records for whatever.com.
In fact, that is exactly the problem -- the Verisign roots should return only NS or NXDOMAIN records, but for names in .COM or .NET, they instead "synthesize" an A record, pointing to sitefinder, with a 15 minute TTL (cache lifetime).
The various hacks either ignore the specific A record, or ignore records from root servers other than NS. The latter is a cleaner approach, IMHO.
I do not deploy Linux. Ever.
The only reason verisign won that was because of all the wildcards that they added.
-S
Skapare writes:
I run my own root on most of my networks and employers' networks -- it's easy to implement and more efficient. (That said, we do it for security, to keep lookups for bogus TLDs from going out over the internet.) Overriding "." on your own nameserver is easy, as the delegation information for BIZ/INFO/COM/NET/ORG/UK/TV/etc is easy to obtain and doesn't change very often. Overriding the TLDs themselves, going from serving "." to serving ".COM", is a much more difficult project. Unlike the "." root zone, the .COM zone changes twice a day, is HUGE, and the zone file itself is not readily available to the general public.
I do not deploy Linux. Ever.
Actually, Christmas Islands already does something very similar to this. Try pigse.cx. You will end up at a "sitefinder"-like page from the Christmas Island TLD Authority which suggests that you register the domain, explaining that all unregistered domains in .cx are redirected to that page. It does not return NXDOMAIN, but there are no commercial advertisements (other than by C.I.) and no search function.
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
...let them do it. Just charge them for all names registered. Assuming they wildcard the name with 26 letters plus "-", say, 20 chars deep, charge them 27^20 registered domain names. Even with a good discount, say, $0.01/domain name it will still be more than there is money on Earth :)
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Not sure if it's an appropriate thread, but it looks as good as any for a shameless plug :)
Yours truly put together a quick utility, dnsfix, which monitors inbound DNS responses and tweaks result codes from 'success' to 'no-name' for those referencing specific IPs. In other words, it can be used to transparently negate the effect of VeriSign's SiteFinder "service" and restore the DNS behaviour expected by (currently broken) spam filters and the like.
3.243F6A8885A308D313
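A response-side filter of the kind the comment above describes can be sketched directly against the DNS wire format: parse the reply, look at the A records in the answer section, and if one points at a listed address, rewrite the reply as NXDOMAIN. This is an added example and not the commenter's dnsfix. The flagged address 192.0.2.1 is an assumed placeholder for the redirect target (any real deployment would have to learn the actual address), and the reply packets are constructed inline so the code runs offline.

```python
"""Rewrite DNS replies that point at a known redirect address into NXDOMAIN.
Added example in the spirit of the dnsfix comment above; not that tool and not
VeriSign's data. The address 192.0.2.1 is an assumed placeholder and the
packets below are built here for the demonstration."""
import struct


def read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                        # bound pointer chains
        length = msg[off]
        if (length & 0xC0) == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels), (end if jumped else off)


def question_end(msg):
    """Offset of the first byte after the question section."""
    qd = struct.unpack_from("!H", msg, 4)[0]
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                # QTYPE, QCLASS
    return off


def a_records(msg):
    """Yield (owner, dotted_ip) for every A record in the answer section."""
    an = struct.unpack_from("!H", msg, 6)[0]
    off = question_end(msg)
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield owner, ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen


def rcode(msg):
    """Response code from the header flags (3 = NXDOMAIN)."""
    return struct.unpack_from("!H", msg, 2)[0] & 0xF


def sanitize(msg, flagged_ips):
    """Return the reply unchanged, or rewritten as NXDOMAIN with the answer,
    authority and additional sections dropped if any A record is flagged.
    The ID and question are kept so the stub resolver still matches the reply."""
    if not any(ip in flagged_ips for _, ip in a_records(msg)):
        return msg
    flags, qd = struct.unpack_from("!HH", msg, 2)
    flags = (flags & 0xFFF0) | 3                # keep QR/AA/RD/RA, set RCODE=NXDOMAIN
    header = msg[:2] + struct.pack("!HHHHH", flags, qd, 0, 0, 0)
    return header + msg[12:question_end(msg)]


def build_reply(name, ip):
    """Construct a minimal NOERROR reply with one A record (constructed test data)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    answer = (b"\xc0\x0c"                       # owner: pointer to the question name
              + struct.pack("!HHIH", 1, 1, 900, 4)
              + bytes(int(x) for x in ip.split(".")))
    return header + qname + struct.pack("!HH", 1, 1) + answer


if __name__ == "__main__":
    reply = build_reply("bookstre.com", "192.0.2.1")
    fixed = sanitize(reply, {"192.0.2.1"})
    print(list(a_records(reply)), "->", rcode(fixed), list(a_records(fixed)))
```

The two limits a practitioner hits immediately are the ones the thread already circles around: the filter only works while the redirect address is known and stable, and it has to sit in front of every resolver that needs the correct NXDOMAIN, so it is a workaround at the edge rather than a fix of the zone.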
After reading this story about Russell Lewis's (Verisign GM) memo to staff, I registered "bookstre.com" and pointed it to Google via the Easily.co.uk redirector.
Now, until the DNS entry propagated, and in the 15 minute window before the non-existent domain timed out, I was still seeing the SiteFinder "domain". Obviously it's a contrived example, but I think it illustrates an important point:
I paid good money for this domain
Who said Verisign could use it ?
Legitimate domain registrations are still going to suffer from this decision, so I suspect this would be a legitimate set of grounds for a class action against Verisign.
--- These are not words: wierd, genious, rediculous
Arg, why does everyone say this removes 404s. You need a webserver to return a 404. Before wildcarding you didn't hit a webserver so no 404. And you can still get a 404 by hitting a page that doesn't exist on a webserver that does.
I just got a call from an 'independent' survey company and about half way through I realized that it was sponsored by Verisign. They asked me all these questions about registering domain names and stuff that really seemed to focus on Network Solutions/Verisign. They asked me how I would rate them and I said 1 (worst) and she acted kind of surprised. She had me explain why I felt that way and I said that they have jacked domain name registration and certificate pricing through the roof and that I strongly object to their SiteFinder service. Maybe some of you other guys will get the call as well. Sock it to em.