Paul Vixie And David Maher On VeriSign Wildcarding
chromatic writes "The O'Reilly Network has just published an interview with Paul Vixie, chairman of the board of the Internet Software Consortium and a primary author of BIND. Topics include the recent VeriSign controversy, ISC's BIND patch in response, and other potential issues that might come to light in the near future." On a related note, dmehus writes with a link to the letter sent by David Maher, chairman of the Public Interest Registry -- the .org registrar, to ICANN President and CEO Paul Twomey. "The letter says that it supports ICANN's call for VeriSign to voluntarily suspend SiteFinder and the Internet Architecture Board preliminary position paper. It goes on to say that PIR will not be implementing any DNS wildcard to the .ORG zone. It urges ICANN to stand its ground, but also to implement a policy preventing registries from taking this kind of unilateral action in the future." The letter is in .doc format, but AbiWord and OpenOffice.org both open it fine.
They sure break up the SCO stories.
legally, is veri allowed to redirect requests to their own domain? if not, who has the rights to unused domain names?
How many times have you meant to go to goatse.cx and missed a letter, like goats.cx. This sort of site would help out users quite a bit. It could also offer other helpful suggestions, such as dogse.cx and pigse.cx.
Get your Patched BIND for Slackware here:
The more ISPs that use this, the more uncommon the SiteFinder 'service' becomes---the less users expect it.
Remember when popups where not expected? After using mozilla for a while I simply cannot stand them now!
---
Ad Majorem Dei Gloriam
Interested in AI? MACR
Some people suggest that administration of the DNS is a public trust, and that VeriSign is merely the caretaker of this system, not its owner. And now VeriSign has abused that trust. That may be true. Before a few days ago it didn't matter whether VeriSign was the owner or a caretaker. Now it matters a lot. VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission?
If you think about this from a social point of view, not just technical, this is absolutely fascinating (rather than just irritating/punch-provoking): here's an ability, that was theoretically possible all along, to have this big effect on something lots and lots of people use. No one made use of it before. Now someone has, and it's
Who's responsible? Who gets to say "No, you can't do that", or "Yes, you can"?
I know what I think is the right answer, and it's what (probably) the rest of you think. But the final answer isn't up to you and me, or at least not you and me alone. Watching that process of who-gets-to-decide is going to be at least as interesting and precedent-setting as what the final decision ends up being.
Carousel is a lie!
Gee, that's nice, but in the meantime, it aids spammers, since I can no longer tell if the sender's address is from a valid domain. With Verisign's corruption of the root servers, *all* .com and .net domains will now come back as being valid.
You're telling me that if you get a "server not found" page, you're too stupid to figure out you misspelled something?
This is an absolute abuse of Verisign's position. They are contracted to *maintain* the database, not warp it to their own *commercial* purposes. If this was actually a valid service, they would have had no trouble with proposing it to the Internet standards bodies before implementing it. Instead, they're defying those organizations. Worse yet, they've actually put me in the position of agreeing with ICANN.
I think we should all go there at once.
We can say that we were all on our way to the grocery, made a wrong turn, and ended up at his house.
Then we can demand to buy groceries.
I'm sure he won't mind. Everyone ends up at his site for that reason, right?
Mod me down and I will become more powerful than you can possibly imagine!
Dr. Paul Twomey
President & CEO
ICANN
4676 Admiralty Way
Suite 330
Marina del Rey, CA 90292
September 22, 2003
Dear Paul,
Public Interest Registry (PIR), the operator of the registry of the .ORG domain, supports ICANN's call for the voluntary suspension of VeriSign's deployment of a DNS wildcard service. We believe that ICANN (and the entire Internet community) should take steps to prevent all registries from unilaterally implementing changes to DNS that redirect requests for invalid domain names to any other site. PIR will not offer any service that makes such a change in the DNS.
PIR also supports the Internet Architecture Board (IAB) statement on the same subject as set forth at:
http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html
DNS is a critical piece of Internet infrastructure. Internet services such as the WWW and Email rely on DNS to function, and there should be no interference with the established protocols until there is complete assurance of no negative impact on the DNS.
In another context, the Internet Architecture Board (IAB) has commented:
"At the core of all of the IAB's concerns is the architectural principle that the DNS is a lookup service which must behave in an interoperable, predictable way at all levels of the DNS hierarchy. Furthermore, as a lookup service it is such a fundamental part of the Internet's infrastructure that converting it to an application-based search service is not appropriate even in the case where the query presented would not normally map to a registered domain."
The architectural principle referred to by the IAB is clearly violated by the changes proposed for the .COM and .NET domains.
On Monday, September 15, VeriSign changed the behavior of the .COM and .NET TLDs by adjusting servers to respond to requests for non-existent domains with a reference to the VeriSign Site Finder web site (in other words, "wildcarding"). To a requesting user, it appears that non-existent domains are valid, because they are directed to the Site Finder. There is no difference between the responses for valid domains versus invalid domains from VeriSign's TLD servers.
Because the VeriSign Site Finder server makes it appear that a non-existent domain exists, the service introduces significant problems to critical Internet infrastructure. Many other important Internet protocols rely heavily on proper DNS behavior. The impact of VeriSign's Site Finder is unclear with respect to security of the DNS. Site Finder unilaterally precludes the use of a prevalent type of anti-spam mail filter that uses DNS to validate the domain of legitimate eMails.
Because VeriSign's servers are authoritative for the .COM and .NET TLDs, the most prevalent of the TLDs, Internet users have little protection against the imposition of this flawed system. VeriSign implemented the Site Finder system with little advance notice or public commentary by the Internet community. We believe such unilateral behavior in changing a critical resource necessary for the world's information systems is inconsistent with the responsibilities of registries under their contracts with ICANN, particularly because of the necessity of DNS for other Internet resources to function properly.
We are informed that other domain registries may be exploring services similar to the VeriSign Site Finder. (As noted above, PIR will not be one of them.) If this is the case, our comments concerning Site Finder apply with equal force to those other services. We believe that any such efforts to alter the TLD DNS systems, of which the VeriSign Site Finder appears to be the most prominent example, adversely affect the Internet infrastructure and the entire Internet community.
Therefore,
Though you've been modded flamebait, I'm assuming you were simply posting from the perspective of a strictly web user, who could presumably be helped (emphasis on presumably) by being redirected to SiteFinder and pointed to the proper site.
I think the main thing that has admins screaming, however, is that SiteFinder breaks so many other services just to provide a questionable service for web surfers. Sure, surfers may benefit, but email admins, DNS admins, and many others are banging their heads against the wall because of the problems Verisign's divergence from accepted protocol has caused them.
Just a thought.
But I didn't care because I don't celebrate Christmas.
Then they came for .museum
but I didn't care because I haven't been in one in ages.
Then they came for .a bunch of small countries
But I didn't care because I've never heard of them.
Then they came for .com and .net,
and nobody cared because it's common business practice.
Note: according to a posting I just looked up, at least 11 TLDs (.cc, .cx, .io, .mp, .museum, .nu, .ph, .td, .tk, .tv, .ws) pulled the same stunt. I probably got the relative times wrong too.
It's now here having been Slashdotted last time....on a better server this time, though (we hope!), so be gentle....
It's good to see that PIR is taking the high road. If .com/net are ever redelegated, I'd much rather they run it, than someone who would be looking for every opportunity to squeeze out nickels and dimes ($100 million/yr!) from the internet community, via abuse of their monopoly. Or, perhaps a corporation with a solid reputation (maybe IBM?) would step up, to replace Verisign.
(Posted anonymously to avoid a rampaging mob outside my house)
I'm a professional spammer. Well, that's a harsh term. I run bulk-email servers. I trust my clients that their entire list has double opted-in when they say so. Most are quite legitimate mailing lists; some are probably not.
This new bug is a godsend, but not for the reason a lot of people are saying. I don't fake "from" addresses, so I don't get any added anonymity from a wildcard.
What I do get is the ability to send my emails that have bad domains in them to a nominally but not effectively existent box at Verisign. I no longer get bad domain bounces to worry about.
The problem is that Verisign is doing their wildcarding at the DNS level. This affects the entire *internet*, not just the World Wide Web. So not only do you get directed to their site on your web-browser, but also if you lookup domains for telnet, ftp, ssh, smtp, etc. This causes problems for (among other things) spam filters, which check that your domain exists (well, now *all* .com domains exist) before delivering mail.
Verisign is being extremely short-sighted. This whole deal reeks of a moronic manager who thought this would be a 'wonderful' idea.
"Ignorance more frequently begets confidence than does knowledge"
- Charles Darwin
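The PIR letter and the comment above both describe the same breakage: a mail filter that rejects senders whose domain does not resolve stops working once the TLD servers answer every query. The script below is an added example written for this page, not code from the thread, the letter, ISC or any registry; it models that filter with a constructed in-memory resolver (the names, addresses and the wildcard address are all made up so it runs offline) and contrasts the naive "any answer means it exists" check with a wildcard-aware one that also resolves random sibling names under the same parent and treats an identical answer as "wildcarded, unverifiable".

```python
"""Sender-domain existence check, naive vs. wildcard-aware.

Added example: a toy version of the anti-spam check that validates the
sender's domain via DNS, and how a TLD-level wildcard defeats it.
The resolver is a constructed stand-in for real DNS; nothing here talks
to the network.
"""
import secrets
from typing import Callable, Dict, Optional, Tuple

# A resolver maps a name to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed zone data (documentation addresses from RFC 5737).
REGISTERED: Dict[str, str] = {
    "example.com": "192.0.2.10",
    "example.org": "192.0.2.20",
}
# Constructed TLD wildcard: any other name under .com gets this answer,
# standing in for a registry "site finder" host.
TLD_WILDCARD: Dict[str, str] = {
    "com": "192.0.2.99",
}


def wildcarded_resolver(name: str) -> Optional[str]:
    """Behaves like the wildcarded TLD described in the letter."""
    name = name.rstrip(".").lower()
    if name in REGISTERED:
        return REGISTERED[name]
    tld = name.rsplit(".", 1)[-1]
    return TLD_WILDCARD.get(tld)


def honest_resolver(name: str) -> Optional[str]:
    """Pre-wildcard behaviour: unknown names return NXDOMAIN (None)."""
    return REGISTERED.get(name.rstrip(".").lower())


def naive_domain_exists(domain: str, resolve: Resolver) -> bool:
    """The check the filters relied on: any answer means the domain exists."""
    return resolve(domain) is not None


def wildcard_aware_domain_exists(domain: str, resolve: Resolver,
                                 probes: int = 2) -> bool:
    """Resolve the domain, then resolve random labels under the same parent.

    If every random sibling returns the same answer as the domain, the
    parent is wildcarded and the answer carries no information, so the
    domain is reported as not verifiable (False). A domain whose answer
    differs from its random siblings is treated as genuinely registered.
    Caveat: a registered domain that is hosted at the wildcard address
    itself would be rejected; that is a deliberate fail-closed choice.
    """
    domain = domain.rstrip(".").lower()
    answer = resolve(domain)
    if answer is None:
        return False
    parent = domain.split(".", 1)[1] if "." in domain else ""
    for _ in range(probes):
        # 16 random hex characters: a label no registrant plausibly owns.
        probe = secrets.token_hex(8) + ("." + parent if parent else "")
        if resolve(probe) != answer:
            return True
    return False


def check_senders(domains, resolve: Resolver) -> Dict[str, Tuple[bool, bool]]:
    """Return {domain: (naive_result, wildcard_aware_result)}."""
    return {d: (naive_domain_exists(d, resolve),
                wildcard_aware_domain_exists(d, resolve)) for d in domains}


if __name__ == "__main__":
    # "examp1e.com" is a constructed typo domain that was never registered.
    senders = ["example.com", "examp1e.com", "example.org", "nosuch.org"]
    for label, resolver in (("honest", honest_resolver),
                            ("wildcarded", wildcarded_resolver)):
        print(f"--- {label} TLD servers ---")
        for d, (naive, aware) in check_senders(senders, resolver).items():
            print(f"{d:14} naive={naive!s:5} wildcard-aware={aware}")
```

Under the honest resolver both checks agree; under the wildcarded one the naive check accepts the typo domain while the sibling-probe check rejects it and still accepts the registered names. Real filters of the period also took the simpler route of comparing answers against a known list of wildcard addresses; the probe approach avoids maintaining that list but costs extra lookups per message.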