Slashdot Mirror
Paul Vixie And David Maher On VeriSign Wildcarding
chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.
They sure break up the SCO stories.
legally, is veri allowed to redirect requests to their own domain? if not, who has the rights to unused domain names?
How many times have you meant to go to goatse.cx and missed a letter, like goats.cx. This sort of site would help out users quite a bit. It could also offer other helpful suggestions, such as dogse.cx and pigse.cx.
Get your Patched BIND for Slackware here:
The more ISPs that use this, the more uncommon the SiteFinder 'service' becomes---the less users expect it.
Remember when popups where not expected? After using mozilla for a while I simply cannot stand them now!
---
Ad Majorem Dei Gloriam
Interested in AI? MACR
Some people suggest that administration of the DNS is a public trust, and that VeriSign is merely the caretaker of this system, not its owner. And now VeriSign has abused that trust. That may be true. Before a few days ago it didn't matter whether VeriSign was the owner or a caretaker. Now it matters a lot. VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission?
If you think about this from a social point of view, not just technical, this is absolutely fascinating (rather than just irratating/punch-provoking): here's an ability, that was theoretically possible all along, to have this big effect on something lots and lots of people use. No one made use of it before. Now someone has, and it's
Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?
I know what I think is the right answer, and it's what (probably) the rest of you think. But the final answer isn't up to you and me, or at least not you and me alone. Watching that process of who-gets-to-decide is going to be at least as interesting and precedent-setting as what the final decision ends up being.
Carousel is a lie!
Gee, that's nice, but in the meantime, it aids spammers, since I can no longer tell if the sender's address is from a valid domain. With Verisign's corruption of the root servers, *all* .com and .net domains will now come back as being valid.
You're telling me that if you get a "server not found" page, you're too stupid to figure out you misspelled something?
This is an absolute abuse of Verisign's position. They are contracted to *maintain* the database, not warp it to their own *commercial* purposes. If this was actually a valid service, they would have had no trouble with proposing it to the Internet standards bodies before implementing it. Instead, they're defying those organizations. Worse yet, they've actually put me in the position of agreeing with ICANN.
Though I agree with everything he said (and thought he did so quite eloquently), it's a bit disheartening to see the chairman of the ISC refer to NXDOMAIN as a 404.
I think we should all go there at once.
We can say that we were all on our way to the grocery, made a wrong turn, and ended up at his house.
Then we can demand to buy groceries.
I'm sure he won't mind. Everyones ends up at his site for that reason, right?
Mod me down and I will become more powerful than you can possibly imagine!
Dr. Paul Twomey
.ORG domain, supports ICANN's call for the voluntary suspension of VeriSign's deployment of a DNS wildcard service. We believe that ICANN (and the entire Internet community) should take steps to prevent all registries from unilaterally implementing changes to DNS that redirect requests for invalid domain names to any other site. PIR will not offer any service that makes such a change in the DNS.
... is not
.COM and .NET domains.
.COM and .NET TLDs by adjusting servers to respond to requests for non-existent domains with a reference to the VeriSign Site Finder web site, (in other words, "wildcarding"). To a requesting user, it appears that non-existent domains are valid, because they are directed to the Site Finder. There is no difference between the responses for valid domains versus invalid domains from VeriSign's TLD servers.
.COM and .NET TLDs, the most prevalent of the TLDs, Internet users have little protection against the imposition of this flawed system. VeriSign implemented the Site Finder system with little advance notice or public commentary by the Internet community. We believe such unilateral behavior in changing a critical resource necessary for the world's information systems is inconsistent with the responsibilities of registries under their contracts with ICANN, particularly because of the necessity of DNS for other Internet resources to function properly.
President & CEO
ICANN
4676 Admiralty Way
Suite 330
Marina del Rey, CA 90292
September 22, 2003
Dear Paul,
Public Interest Registry (PIR), the operator of the registry of the
PIR also supports the Internet Architecture Board (IAB) statement on the same subject as set forth at:
http://www.iab.org/documents/docs/2003-09-20- dns-w ildcards.html
DNS is a critical piece of Internet infrastructure. Internet services such as the WWW and Email rely on DNS to function, and there should be no interference with the established protocols until there is complete assurance of no negative impact on the DNS.
In another context, the Internet Architecture Board (IAB) has commented:
"At the core of all of the IAB's concerns is the architectural principle that the DNS is a lookup service which must behave in an interoperable, predictable way at all levels of the DNS hierarchy. Furthermore, as a lookup service it is such a fundamental part of the Internet's infrastructure that converting it to an application-based search service
Page 2
appropriate even in the case where the query presented would not normally map to a registered domain."
The architectural principle referred to by the IAB is clearly violated by the changes proposed for the
On Monday, September 15, VeriSign changed the behavior of the
Because the VeriSign Site Finder server makes it appear that a non-existent domain exists, the service introduces significant problems to critical Internet infrastructure. Many other important Internet protocols rely heavily on proper DNS behavior. The impact of VeriSign's Site Finder is unclear with respect to security of the DNS. Site Finder unilaterally precludes the use of a prevalent type of anti-spam mail filter that uses DNS to validate the domain of legitimate eMails.
Because VeriSign's servers are authoritative for the
We are informed that other domain registries may be exploring services similar to the VeriSign Site Finder. (As noted above, PIR will
Page 3
not be one of them.) If this is the case, our comments concerning Site Finder apply with equal force to those other services. We believe that any such efforts to alter the TLD DNS systems, of which the VeriSign Site Finder appears to be the most prominent example, adversely affect the Internet infrastructure and the entire Internet community.
Therefore,
Though you've been modded flaimbait, I'm assuming you were simply posting from the perspective of a strictly web user, who could presumably be helped (emphasis on presumably) by being redirected to SiteFinder and pointed to the proper site.
I think the main thing that has admins screaming, however, is that SiteFinder breaks so many other services just to provide a questionable service for web surfers. Sure, surfers may benefit, but email admins, DNS admins, and many others are banging their heads against the wall because of the problems Verisign's divergence from accepted protocol has caused them.
Just a thought.
In the case of a spell checker if it sucks you get to use another product with a better one.
You don't get to in this case.
Also all the world is not http... the protocol level is the worst possible place to do this.
But I didn't care because I don't celebrate Christmas.
.museum
.a bunch of small countries
.com and .net,
.cx, .io, .mp, .museum, .nu, .ph, .td, .tk, .tv, .ws) pulled the same stunt. I probably got the relative times wrong too.
Then they came for
but I didn't care because I haven't been in one in ages.
Then they came for
But I didn't care because I've never heard of them.
Then they came for
and nobody cared because it's common business practice.
Note: according to a posting I just looked up, at least 11 TLDs (.cc,
Whatever. Why aren't more people just ditching their precious .COM names. Think UPS.com or Amazon.com couldn't get away with switching? Sure they could...
.US take a look at NIC.US which can point you to all the various registrars. Heck, it's cheaper -- typically $15/yr.
.US -- of course I'll handle the .COM traffic until they expire in a year or two. In the mean time everything going out says .US as of yesterday.
.COM, but they surely won't on the next order. Maybe a year.
For those in the
The only thing Verisign will understand is people speaking with their dollars. And yes, I personally have switched my domains over to
Sure, business cards and letter head still say
getting their ISP to upgrade DNS servers to counter this threat?
I'd appreciate any suggestions.
This started about 1995 when people begain to conflate the Web with the Internet.
Slashdot: Where nerds gather to pool their ignorance
By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.
It's now here having been Slashdotted last time....on a better server this time, though (we hope!), so be gentle....
It's good to see that PIR is taking the high road. If .com/net are ever redelegated, I'd much rather they run it, than someone who would be looking for every opportunity to squeeze out nickels and dimes ($100 million/yr!) from the internet community, via abuse of their monopoly. Or, perhaps a corporation with a solid reputation (maybe IBM?) would step up, to replace Verisign.
As has been said numerous times, this has nothing to do with the "root" servers, only the com and net TLD servers. ISC has already produced a very nice fix for Bind 9 so this doesn't really affect people using it anymore. Just designate the com and net zones as designate only and you won't pick up any A wildcard records. Let Verisign do stupid shit like this and watch as people work around them within 24 hours.
(Posted anonymously to avoid a rampaging mob outside my house)
I'm a professional spammer. Well, that's a harsh term. I run bulk-email servers. I trust my clients that their entire list has double opted-in when they say so. Most are quite legitimate mailing lists; some are probably not.
This new bug is a godsend, but not for the reason a lot of people are saying. I don't fake "from" addresses, so I don't get any added anonymity from a wildcard.
What I do get is the ability to send my emails that have bad domains in them to a nominally but not effectively existant box at Verisign. I no longer get bad domain bounces to worry about.
Why not just take back the roots? The only reason Verisign can do what they do is because the GTLD servers they control are delegated to by the root servers (not sure who controls those anymore, but it can't be good). And those root servers are configured in the hint file of name servers all over the internet. So who controls those? We (who have our own name servers) do.
It's a little harder, but not a lot harder, to just run your own root zone. The biggest thing is to gather up all the NS records and associated A records for each TLD. That's a small list (relatively speaking), so it could be done via a few hundred dig commands to the root servers. Or it can be downloaded. Now once you have that data, you replace the .com and .net zones with your own. Of course that begs the question, replace it with what?
If enough people with enough server/network power get together, they can make their own independent "realm" of domain name space, starting with a replacement root zone (as has been done in the past to add new TLDs), and a replacement for both .com and .net.
I can just hear the complaints now (and I've heard them before): "But this will fragment the internet". My answer is: Yes!!!! yes it will! all the better. Imagine being in a whole different name space realm away from spammers and evil corporations. And maybe you can meet me in the .mp3 TLD.
now we need to go OSS in diesel cars
But, do you really like that it's Versign doing this for you? Assuming you use IE, MSN already provided this service to you. Verisign has just exploited the DNS system to make their service come up in situations where MSN's used to come up. Other browser developers could have designed their own responses to the "NXDOMAIN" signal, but now Verisign has stopped returning "NXDOMAIN" and instead returns a redirect to their own site... That's what really rubs people the wrong way. Instead of returning the error code that people thought they could depend on, they're returning a redirect to a service you didn't ask for. Yeah, it's a pretty good service on its merits if they tried to sell it to you... but instead they're forcing it on some people who were happy with MSN's service or happy with the traditional error...
The problem is that Verisign is doing their wildcarding at the DNS level. This effects the entire *internet*, not just the World Wide Web. So not only do you get directed to their site on your web-browser, but also if you lookup domains for telnet, ftp, ssh, smtp, etc. This causes problem for (among other things) spam filters, who check that your domain exists (well, now *all* .com domains exist) before delivering mail.
Verisign is being extremely short-sighted. This whole deal reeks of a moronic manager who thught this would be a 'wonderful' idea.
"Ignorance more frequently begets confidence than does knowledge"
- Charles Darwin
Verisign can break Vixie's patch. All they have to do is set up a separate name server which pretends to be a .com and .net server, with the very same wildcarded A-record. Now just put in wildcarded NS-records in the actual .com and .net zones in the real GTLD servers (in place of the existing wildcarded A-record). There, now it really looks like a real delegation to a different name server, just like real domains have. The new delegated wildcard server gets the query next, due to the delegation (that looks like a delegation, hence fools the patch), and due to its wildcard (and it doesn't need any other data from the .com or .net zones, since it doesn't get delegated to for real domains), it will answer with an A record of Verisign's choosing. If Verisign wants to keep doing what they are doing, they can defeat this patch by that method.
Then we'll have to make DNS servers filter out specific delegations (as opposed to filtering out non-delegation records where there should be only delegations). Verisign could rotate those delegations daily and fool efforts to block it.
now we need to go OSS in diesel cars
deb http://www.backports.org/debian stable bind9
Here's a fun solution:
p ://ibm-asdb-hardware.come .comd e-hardware.comp ://ibm-asdh-hardware.come .com
If your ISP hasn't fixed this yet, go to http://ibm-asdf-hardware.com
Do you think IBM might be a little bit pissed off about their trademark being used to point to someone else's computer hardware site? Do you think they might, I dunno, sue?
How about all these other blatant trademark infringements:
http://ibm-asda-hardware.com
htt
http://ibm-asdc-hardwar
http://ibm-asdd-hardware.com
http://ibm-as
http://ibm-asdg-hardware.com
htt
http://ibm-asdi-hardwar
http://ibm-asdj-hardware.com
As I see it, Verisign is facing a not-quite-infinite number of trademark infringement lawsuits. And, of course, if Verisign switches to point to IBM, I'm sure hardware.com would be delighted to fire their own volley of lawyers.
Stop-Prism.org: Opt Out of Surveillance
I'd not use google any more.
It is not the person, it is the act.
You not seeing a down side is neither here nor there, if you want this functionality, install software on your local machine to do so.
Wow, I should not post when knackered.
My ISP has already routed around VeriSign's damage. Mind you, before they patched BIND (or whatever it is that they use, I never checked), I had fun with them for awhile.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Good point. We've heard lots of names or folks who are fighting the Good Fight (like Paul Vixie and David Maher) but who is actually responsible for this? Sure, Verisign is the company and they have their spokespersons/spindoctors, but who are the actual people who thought this up and implemented it? This shite affects all of us, so no more hiding behind the company doors.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
Then use client side software, why should EVERYONE suffer for YOUR tastes.
Wow, I should not post when knackered.
I am surprised that Paul Vixie did not seem to exhibit much emotion regarding the Sitefinder situation - for someone who's been at the core of what we now know as the DNS for so many years (you would think it's like his own child:).
He seemed reserved, while calmly pointing out, part by part, what is wrong with Verisign's actions. More of this is called for from the important people in the Internet technical and business community - the way community coverage has been heading, and the way comments are worded on Slashdot and other sites, is leading to resentment, anger, name-calling, and joking about Verisign and their policies, creating a situation in which the community is less likely to be taken seriously by Verisign, Microsoft, AOL, etc. Mr. Vixie also mentions that there are smart people at Verisign, reminding us that the Sitefinder "service" is the brainchild of but a handful of people, maybe even just one or two. It reminds me that as engineers, we still have to work with the other guy at a certain level.. becoming enemies doesn't help anything.
Mr. Vixie is saying that perhaps ICANN should "do something about it". This whole situation should be approached by attorneys general, from the both the branding/business practices angle mentioned by Mr. Vixie, and also from the consumer rights angle (much like telemarketers). Right now the average consumer can get effectively get rid of telemarketers, thanks to recent laws, with a single verbal or written request, but the Sitefinder service can only be circumvented using DNS tools by an engineer or technician "in charge" of the DNS servers. The web-browsing consumer has no way around this by themselves.
You're just trollin'.
VeriSign's mail server is called the Snubby Mail Rejector Daemon v1.5
v1.3 wasn't fully SMTP compliant: See here.
v1.5 now responds a little more properly: See here.
It rejects them anyway.
Whether it's SiteFinder, Google, or even Slashdot, the issue is not so much (or at least not only) the fact that a website comes up instead of a 404. It's the fact that practically everything automated breaks because this "service" is oriented toward humans. Consider:
I'm sure there are others, but the point is that what's good for human users is not good for computers, and it should be the client, i.e. the thing interacting directly with the human user, that interprets the computer responses and makes them easier to use for humans. (There wouldn't be nearly as much uproar over this if Verisign had, say, made a deal with Microsoft to redirect all NXDOMAIN queries to SiteFinder; in that case it would be an Internet Explorer, i.e. client issue, and DNS itself would be unharmed.)
I'd guess the guy responsible for "the company's globally deployed registration and resolution infrastructure that currently supports the Internet's Domain Name System (DNS)."
You know what?
Any host can make non-recursive requests to the root servers.
Technically, if a query for whatever.com arrives at a root server, it should only return the list of NS records for .COM, and if a query for whatever.com arrives at an authoritative server for .COM (many roots are also .COM servers), it should only return the registered NS records for whatever.com.
In fact, that is exactly the problem -- the Verisign roots should return only NS or NXDOMAIN records, but for names in .COM .or .NET, they instead "synthesize" an A record, pointing to sitefinder, with a 15 minute TTL (cache lifetime).
The various hacks either ignore the specific A record, or ignore records from root servers other than NS. The latter is a cleaner approach, IMHO.
I do not deploy Linux. Ever.
The only reason verisign won that was because of all the wildcards that they added.
-S
Not sure if it's an appropriate thread, but it looks as good as any for a shameless plug :)
Yours truly put together quick utility - dnsfix, which monitors inbound DNS responses and tweaks result codes from 'success' to 'no-name' for those referencing specific IPs. In other words, it can be used to transparently negate the effect of VeriSign's SiteFinder "service" and restore DNS behaviour expected by (currently broken) spam filters and alike.
3.243F6A8885A308D313
With those words (an absolute abuse) you just described most of what Verisign has done.
Folks should remember, this is the company that was contracted to *maintain* the database until one day they decided that they *owned* the database... (errr... okay... if I get paid to clean all the cars at the dealership can I decide one day that I own them all and get away with it?)
And yet somehow years after that magical acquisition of property rights they've still got the contracts. They've gotten away with all kinds of stuff and like a spoiled child they'll keep taking more until (if ever) someone takes away their privileges and sends them to time out.
Gotta agree with you that there's no way that any benefits that stupid Sitefinder page provides make up for the abuse of position and random chaos it's caused.
Quoth he
"It's all academic anyway..."