Slashdot Mirror


ICANN Study Slams Verisign

Dinglenuts writes "ICANN has just released what I'm sure is a completely neutral and unbiased report, condemning Verisign's Sitefinder service for running afoul of 'community standards and caus[ing] harm to individual users and enterprises.' Seeing as how ICANN is currently being sued by Verisign for making them take down Sitefinder, this opinion can be considered less than revolutionary."

43 of 138 comments

  1. The dangers of money and power by xonen · · Score: 5, Interesting

    It is the same as with dictators.. Any company that grows big and has influence must take very good care not to abuse it. I do not have to give names, and some companies even believe themselves they have 'best intentions'.
    But on-topic: I think Verisign should lose their license. They have proven they cannot be trusted as independent TLD maintainer.

    --
    A glitch a day keeps the bugs away.
    1. Re:The dangers of money and power by blowdart · · Score: 5, Insightful

      But ICANN is not much better. They have no accountability, refuse to reform, their meetings are basically junkets to somewhere expensive, and they try to gouge registrars for $15.8m for next year, double the previous year's. Let's also not forget the fiasco that was the ICANN At Large, where the directors users voted in were quickly thrown out when they tried to represent user viewpoints.

      Oh, and the too great an influence the US government has on ICANN.

    2. Re:The dangers of money and power by Anonymous Coward · · Score: 3, Insightful
      You've got to wonder why enough people haven't just bailed on these guys and switched to one of the alternate dns root providers.

      I think Opennic should play especially well here, where they eagerly advertise its .geek and .oss TLDs on the header of their home page.

      All it'd take is a /. giving up on their ".com" and ".org" and advertising themselves as "slashdot.geek at opennic", and I bet a bunch of us would switch overnight. Enough IT guys switch, and then who cares about all those .Com[mercial] groups anyway.

    3. Re:The dangers of money and power by Anonymous Coward · · Score: 5, Informative
      ICANN is so important there's even a site solely devoted to watching it, icannwatch.org
      Our premise can be simply stated: The Internet is a global resource of incalculable value, and nothing is of greater importance to its future than the way in which ICANN performs its role as manager of the Domain Name System. All Internet users worldwide have a stake in these ongoing events, and our job is to serve as a central point of reference, a kind of hill overlooking the often-chaotic information landscape, from which anyone seeking a better understanding of these developments can survey the ever-changing terrain.
    4. Re:The dangers of money and power by SlamMan · · Score: 4, Insightful

      enough IT guys switch, and then who cares about all those .Com[mercial] groups anyway.

      All of my users?

      --
      Mod point free since 2001
    5. Re:The dangers of money and power by ahknight · · Score: 3, Insightful

      who cares about all those .Com[mercial] groups anyway

      Umm, it was google dot ... what, again?

      Uh huh, yeah. Get your head out of your GeekPort and come back to the real world.

    6. Re:The dangers of money and power by E_elven · · Score: 3, Insightful

      It's a good thing we live in a healthy capitalist environment where the market determines who succeeds -if we don't like Verisign, we just won't use it and they'll crash and burn.

      Oh. Nevermind.

      --
      Marxist evolution is just N generations away!
    7. Re:The dangers of money and power by drinkypoo · · Score: 3, Funny

      ICANN is important because there's a website watching them? There's websites for watching asian girls pee on each other too but I'd hardly call it important to the existence of the internet. (Then again, it might be the very reason for the same...)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Uh oh! by Biotech9 · · Score: 4, Interesting

    The next meeting, which starts Monday, features a workshop aimed at bridging the gap between ICANN and the United Nations, which is becoming increasingly interested in Internet governance.

    The UN getting interested in governing the net?

    Well, it was fun while it lasted. I'm off to spend the last few weeks of internet existence with the badgers.

    1. Re:Uh oh! by anaplasmosis · · Score: 4, Insightful

      The UN, through the ITU, assign all kinds of numbers, codes and callsigns. Did the world come to an end because the US had to paint "N" on the side of their airplanes?

    2. Re:Uh oh! by McDutchie · · Score: 4, Insightful
      Well, it was fun while it lasted. I'm off to spend the last few weeks of internet existence with the badgers [badgerbadgerbadger.com].

      Oh, come on. The Internet survived the US for decades, I doubt the UN (i.e. the good folks that brought us international telecommunications standardization) would kill it any time soon.

    3. Re:Uh oh! by buro9 · · Score: 2, Insightful

      Don't feed the trolls... it's a badger campaign... only marginally better than a goatsx or gay niggers ones.

  3. They're still trying to do this? by ErikTheRed · · Score: 4, Informative

    After this whole thing started I simply had my dns cache resolve verisign.com addresses through my local dns server... problem solved. In fact, I'd forgotten about the whole thing...

    --

    Help save the critically endangered Blue Iguana
    1. Re:They're still trying to do this? by csk_1975 · · Score: 5, Interesting

      I simply had my dns cache resolve verisign.com addresses through my local dns server... problem solved

      The way sitefinder worked was that Verisign wildcarded the whole .com and .net TLDs so that instead of getting an NXDOMAIN response when doing a query for a non existent domain you got the IP of the sitefinder website. Resolving verisign.com addresses was not the issue.

      Yes there was a way to patch BIND and many other DNS servers so that the wildcarding didn't work and the proper NXDOMAIN reply was given for non existent domains - but simply redirecting requests for verisign.com addresses to your local cache would not have helped.

      The sitefinder service personally bit me when I wasted hours tracking down a fault after I mistyped a domain name into a system which was using port 20000. Instead of getting NXDOMAIN and a simple to fix problem I was getting connection refused - it was not until I put a packet sniffer on the link (after hours of stuffing around) that I noticed that traffic was going to the wrong destination - verisign's then two day old sitefinder "service". But I had no idea that the wildcarding had been done. After fixing the problem and typing in the correct domain I then tried to fix my DNS to see why it was returning this IP instead of NXDOMAIN. Further fault finding led me to discussion in some newsgroups about the wildcarding.

      Needless to say this pissed me off no end and I immediately blocked access to the sitefinder IPs at the border router and then when a patch was available for BIND I installed it on all my servers.

      Verisign needs to remember that PORT 80 IS NOT THE INTERNET.
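
The wildcard behaviour described in the comment above can be checked for from the client side. This is an added example, not code from the thread or from any BIND patch: it probes a zone with random names that cannot be registered and treats whatever address they resolve to as synthesized. The `.test` zone, the addresses and the two stand-in resolvers are constructed so the example runs offline.

```python
import secrets
import socket

WILDCARD_IP = "192.0.2.80"                        # constructed (RFC 5737 range)
REGISTERED = {"service.test": {"198.51.100.7"}}   # constructed zone data


def system_resolve(name):
    """Resolve through the OS resolver; an empty set means the name was not found."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def honest_resolver(name):
    """Constructed stand-in: unregistered names get no answer (NXDOMAIN)."""
    return set(REGISTERED.get(name.lower(), set()))


def wildcarded_resolver(name):
    """Constructed stand-in: every unregistered name in the zone gets one address."""
    name = name.lower()
    if name in REGISTERED:
        return set(REGISTERED[name])
    return {WILDCARD_IP} if name.endswith(".test") else set()


def wildcard_addresses(zone, resolve=system_resolve, probes=3):
    """Return the addresses that random, unregistered names in `zone` resolve to.

    An empty set means at least one probe got a proper "not found" answer,
    so the zone is not wildcarded.
    """
    found = set()
    for _ in range(probes):
        label = secrets.token_hex(16)      # 32 hex chars, a valid DNS label
        addrs = resolve(f"{label}.{zone}")
        if not addrs:
            return set()
        found |= addrs
    return found


def lookup(name, zone, resolve=system_resolve):
    """Resolve `name`, discarding answers that match the zone's wildcard.

    An empty result means the name does not exist, even if the zone
    synthesized an address for it. Caveat: a registered name that really
    points at the wildcard address is discarded as well.
    """
    synthesized = wildcard_addresses(zone, resolve)
    return resolve(name) - synthesized


if __name__ == "__main__":
    typo = "servcie.test"                  # mistyped name, as in the comment above
    print("raw answer:     ", wildcarded_resolver(typo))
    print("filtered answer:", lookup(typo, "test", wildcarded_resolver))
```
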

  4. Still amazed... by halo1982 · · Score: 4, Insightful

    I'm still amazed by all of this, it's really mind boggling. This is no better than those squatter sites (amazing search! etc) and they have complete control over the content and are trying to force everyone to see it. It's sad what some companies are trying to do for money.

    1. Re:Still amazed... by antic · · Score: 4, Insightful


      Revoke their license and give it to a company who restricts their commercial endeavours to what is considered *reasonable*.

      Too much power to a company or individual without the best interests of the masses at heart is not a great thing and something should be done about it.

      Google has, and continues to do so, proven that doing the right thing can bring commercial reward and brand loyalty.

      --
      'Thats they exact same thing a banana wrench monkey.'
    2. Re:Still amazed... by SillyNickName4me · · Score: 4, Interesting

      > Google has, and continues to do so, proven that doing the right thing can bring commercial reward and brand loyalty.

      Neither you nor I know what Google is really up to.
      I'm not using their gmail service, and not using Orkut for a number of reasons, all of which come down to me not liking it when a company, regardless of which company, gets interested too much in my social activities and contacts.

      Are they evil with it? I don't think so, but the issue is also that they don't have to be evil for it to go wrong anyway.

      The simple problem is that in the end, they are bound to have too many conflicting activities, and will screw up without any intention of doing so.

      Oh, and I do use their search and advertisement services, don't get me wrong here, so far they have definitely shown to be a decent company, and it's not like they don't deserve my business or such, but as a matter of principle I do not want companies to try to stick their noses into my private life too much, the risks of it going wrong are too big even when all involved do have the best intentions... What happens when the company gets bought out or merges with another one? or goes bankrupt? or what if there is some employee there who decides he wants to make a point???
      Way too much can go wrong, and the more power you collect in one place, the bigger the chance that it will go wrong in a horrible way...

      Fine, but without my data.

    3. Re:Still amazed... by antic · · Score: 3, Insightful


      True. Anyone using a webmail service is putting a lot of trust in a company not holding personal missives for private gain. But what's to say that any mailserver out of your hands isn't logging full copies of everything you send?

      Which is the better path?

      1. Spread a tenth of your data between each of ten commercial providers, each with x% chance of abusing it.

      2. Put all of your information with a single operator with that same chance.

      I mean, if you're doing seriously dodgy stuff, then something like Echelon is going to bust you anyway.

      I search with Google, appreciate the traffic it brings my sites, and use their AdSense program. From my experiences with them and other companies, I would trust Google before a lot of others. And that was, ultimately, my point -- doing the right thing (at least in the sense that perception is reality) brings reward. It might not give you 90% market share the week you start the business, or rain angel VC cash upon you, and it won't grab those lovely users who'll use and abuse whatever is the latest craze, but it will (with time) bring you loyalty and long-term users. And those people are priceless -- they'll market your business for you.

      --
      'Thats they exact same thing a banana wrench monkey.'
  5. Right answer, wrong approach by karl.auerbach · · Score: 4, Interesting

    ICANN's SSAC came up with the right answer with respect to Verisign's "Sitefinder" but they did so using a method that contains the seeds of an even greater danger to the net: unprincipled and subjective condemnation of change on the net.

    See my note on this at http://www.cavebear.com/cbblog-archives/000108.html

    1. Re:Right answer, wrong approach by peachpuff · · Score: 2, Insightful
      ". . . a method that contains the seeds of an even greater danger to the net: unprincipled and subjective condemnation of change on the net."

      Unless we're talking about two different things, that's been around in bulk for a long time.

      --
      -- . . ramblin' . . .
    2. Re:Right answer, wrong approach by arcade · · Score: 4, Insightful

      ICANN's SSAC came up with the right answer with respect to Verisign's "Sitefinder" but they did so using a method that contains the seeds of an even greater danger to the net: unprincipled and subjective condemnation of change on the net.

      While I certainly think it is good that people are sceptical to ICANN, I think this issue is the wrong time to voice those concerns. As you yourself state in your blog - "Sitefinder is so bad that the fact that ICANN is using vigilante methods to combat Sitefinder might be overlooked in our emotional reactions to the situation."

      Sitefinder was incredibly bad. I had scripts failing all over the place due to not being able to rely on DNS providing proper "host not found" answers any more. I'm sure I was not the only one.

      While I agree that the report could've been better - the important thing in this case is to support ICANN. The enemy of my enemy is my friend - at least temporarily - and at least about this issue.

      There is a proper time and place for criticism. This is not the proper time to criticise ICANN, in my opinion.

      --
      "Rune Kristian Viken" - http://www.nwo.no - arca
    3. Re:Right answer, wrong approach by BigRedFish · · Score: 4, Insightful

      unprincipled and subjective condemnation of change on the net.

      Huh? There's nothing subjective about the fact that looking up a non-existent domain name is supposed to return an Unknown Host error. I can think of plenty of applications that might rely on such a result code, spam-filtering being but one obvious example. Specs are specs.

      ICANN didn't say that the specs are written permanently in stone - only that if one wants to change a spec, there are procedures that must be followed: public proposal, followed by peer review and discussion of the consequences being the big points. If the change is approved, then reasonable lead time needs to be given following final adoption of the new spec, so sysadmins have time to review their systems and update any affected code in preparation for the change.

      Verisign did none of the above. They unilaterally and capriciously changed an important result code worldwide, with practically no notice given, and gave it no review whatsoever - not even internally. How else to explain doing it with email, which could easily have blown their own mail server off the net from the sheer volume of forged-header spam bouncing off non-existent recipient addresses? No tech ever really thought this one through (or if they did, they were ignored by BizDev/Marketing, which seems to me most likely).

      Maybe ICANN is unprincipled, maybe not. But Verisign is unprincipled. Just because Peter's a jerk doesn't mean Paul's a saint. They might both be jerks. It's not a zero-sum game.

      Lots of people have problems with ICANN, but that's a separate issue, unrelated to the fact that Verisign has proven itself unworthy of its station. Given that this lawsuit even exists, it proves that they (Verisign) haven't learned anything from all this, and shouldn't be allowed anywhere near top-level DNS servers.

    4. Re:Right answer, wrong approach by SillyNickName4me · · Score: 3, Insightful

      > The enemy of my enemy is my friend - at least temporarily - and at least about this issue.

      Ah yes... that is the exact strategy that got us all kinds of nice things... like... we did get the Russians out of Afghanistan with help of our 'friends' there... too bad those same friends decided later it was a good idea to fly planes into buildings..

      Sorry to pull in that bit of not so nice world history, but this way of reasoning is so amazingly short sighted and stupid, how much more proof of that do you need really??

      Before you ever consider anyone a friend, look first what motive they have for being friendly to you right now..

      You can have a temporary alliance with what is normally your enemy in order to fight a bigger, common enemy... but never ever regard such an alliance as 'friends', it is a big and often repeated historical mistake that time and again proves itself to be a really really serious mistake.

      In other words... ICANN is on the same side as many of us are in this issue, well, good, but it won't change in any way what I think about them, the only way to change that is by actually addressing their internal problems.

  6. And where it stops nobody knows by Quirk · · Score: 4, Insightful

    From the article: ""Different people and different organizations have divergent views on what constitutes the common good, on what constitutes acceptable and desirable goals, and what are legitimate and ethical constraints," Auerbach wrote..."

    It's interesting to watch the dynamic that is the evolution of the administration of the net. ICANN is seen by much of the world as too American-centric and requiring, possibly a UN governing body to replace it or some other world centric governing body. Perhaps the growing pains of the European Union could offer some lessons as to how to best govern the net. It must irk many nations and organizations to see the administration and future plans for the net played out in American courts.

    Tim Berners-Lee saw the founding of the web as a world wide endeavour; surely a body as important as ICANN should be under the aegis of the UN?

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
  7. House of Mirrors by inode_buddha · · Score: 2, Insightful
    I've often thought how accurately humanity is reflected on the net sometimes, like a mirror. Including the good, the bad, and the ugly. It looks like human nature is spilling over into the governance of the net itself - so much for neutrality!

    On a somewhat related note, I'm wondering if it even makes sense to waste energy bashing governments and corporations anymore. Sure, a corporation is a fictitious person, but that sure looks like real signatures on the contracts and international treaties.

    --
    C|N>K
  8. They're like squabbling children by JosKarith · · Score: 3, Funny

    ICANN and Verisign are behaving in the same way as a pair of spoilt toddlers. What the world needs is for their teacher to come along and give the pair of them a slap.

    --
    'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'
    1. Re:They're like squabbling children by mikechant · · Score: 2, Funny

      If there's any leg-slapping to be done we should call in some Lederhosen-clad Germans. They have a lot of experience in this matter.

  9. Some things aren't meant to be for-profit. by mrchaotica · · Score: 4, Interesting

    What really needs to happen is that domain registration and management needs to be handled by a non-profit organization, so they don't have as much of an incentive to screw with stuff. I'm not convinced that registrars like Verisign should even be allowed to exist.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    1. Re:Some things aren't meant to be for-profit. by timftbf · · Score: 5, Interesting

      Be careful with the registry / registrar distinction.

      I'm all in favour of lots of for profit, for free, for the common good, for great justice registrars, as long as they meet some basic technical standards for interfacing with the registry and generally not breaking stuff.

      The registry, on the other hand, should be run by a non-profit that understands the Internet and can run it for the common good.

      Regards,
      Tim.

    2. Re:Some things aren't meant to be for-profit. by mrchaotica · · Score: 2, Insightful

      Well, I'm not a big fan of the capitalistic nature of registrars either -- I don't have to pay extra for a postal address or a phone number (they come free with buying a home and buying phone service, respectively), so why should I pay separately for a domain name, especially one that nobody else wants, like my name?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  10. Better handled by the browser by Mr_Silver · · Score: 3, Interesting
    VeriSign has defended Site Finder by saying it offers a better way to handle nonexistent or misspelled domain names than the unhelpful error messages that some Web browsers currently provide.

    The advantage of having the browser deal with it is that I can turn it on or off (or even customise it) and that it doesn't affect anyone else. The higher up the chain you make the changes, the more people and things you affect.

    Talking of error messages, Verisign does have a point when it comes to Firefox. I find their error messages really rather poor (that is, the ones that the browser shows once you've dug out the option from the bowels which really, IMO, should be on by default).

    If I submitted better formatted and more informative descriptions for them do you think they'd even consider it? Or is it handled a different way?

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:Better handled by the browser by Scarblac · · Score: 4, Insightful

      VeriSign has defended Site Finder by saying it offers a better way to handle nonexistent or misspelled domain names than the unhelpful error messages that some Web browsers currently provide.

      Apparently VeriSign believes that DNS is only used for Web traffic, and/or that the Internet is only the Web.

      That's why it's no use talking about advantages or disadvantages of their method - their method just makes no sense. DNS (their thing) works on an entirely different level than the Web, they can't know whether a request has anything to do with anyone's web browser at all. They show a page to people using web browsers and break everything else, that's just stupid.

      --
      I believe posters are recognized by their sig. So I made one.
    2. Re:Better handled by the browser by abb3w · · Score: 2, Insightful
      VeriSign has defended Site Finder by saying it offers a better way to handle nonexistent or misspelled domain names than the unhelpful error messages that some Web browsers currently provide.
      The advantage of having the browser deal with it is that I can turn it on or off (or even customise it) and that it doesn't affect anyone else. The higher up the chain you make the changes, the more people and things you affect.

      More to the point, fixing problems with browsers is NOT THEIR JOB. It is the jobs of Microsoft, Apple, Netscape Communications Corporation, The Mozilla Organization and Mozilla Foundation, Opera Software, the KDE dev team, the Omni Group, Anderson Che, and just possibly Michael Grobe of the University of Kansas, along with doubtless a few others I've missed. Even if (for the sake of argument) all these folk I've listed are incompetent nitwits, that is not Verisign's problem.

      The job of Verisign is to help keep things working on port 53, not to deal with the underhelpful responses of most client software that works on port 80 (thereby breaking every $%^&* port at once). Trying to help someone else with their job is all very well and good; I do it all the time with other local techs, as it's usually a learning opportunity... but I have to make sure I'm doing MY job right, first, or I'll get fired.

      Now, if they want to expand the DNS error message from "not found", to "not found, do you want this instead?", they should propose the modification of RFC 1035 part 4, instead of just rewriting it on their own. (Or, they can write their own browser (or modify a few bits of GPLed code) and distribute it... at which point, they've undertaken another job to do at the same time. Either way, I'm happy.)

      --
      //Information does not want to be free; it wants to breed.
  11. Sitefinder WILL be reintroduced by Anonymous Coward · · Score: 4, Insightful

    I hate Sitefinder as much as the rest of you, but you can bet your asses that it will be reintroduced. It's a moneymaking machine, and I'm sure Verisign won't let all the work behind Sitefinder down the drain.

    It's a pity, but it's exactly what PHBs want.

    1. Re:Sitefinder WILL be reintroduced by gclef · · Score: 5, Interesting

      While you're probably right, what ICANN's trying to prevent is the arms race that reintroducing Sitefinder (specifically the DNS wildcard) will cause.

      If the wildcard comes back, you can count on ISPs and software companies building their own overrides for the service (some to prevent it from happening, some to point their users to their service instead). Then, of course, Verisign will modify their system to compensate, etc, etc. That arms race will almost certainly affect the stability of the system, so ICANN's trying to keep it from starting. If that takes getting a court-ordered shutdown, I think they're prepared to take that route.

  12. Re:Er the UN did what? by hcdejong · · Score: 4, Insightful

    Actually, telecomms standardization is the job of the ITU, which is part of the UN.

  13. Report Conclusions by ljavelin · · Score: 4, Insightful

    I actually read the report, and I have to say that it is pretty sound.

    Although ICANN totally sucks as an organization, the committee certainly did a good job with this report. How the original poster could suggest that it is a strongly biased "propaganda" report is beyond me.

    Will Verisign try to find issue with the report? I'm sure. After all, isn't it in the financial and legal interest of Verisign to counter its critics?

    Not surprisingly, no one has yet to post counter-claims to the issues and assumptions made in the report.

    It is a report, and it may make assumptions, but it certainly isn't a whitewash.

  14. It's the SSAC, stupid! by bathmann · · Score: 3, Informative

    It's the Security and Stability Advisory Committee of Icann which issued the report not the Board of Icann! This committee is literally filled with top-notch DNS experts (see here: Members of the Committee) and I don't think they give a rat's ass about Icann's issues with VeriSign. Btw, 2 VS employees are also members of the SSAC...

    Now keep on flaming!

  15. Not good tone in the article. by Performer+Guy · · Score: 3, Informative

    How about a bit of balance, remember that ICANN is *supposed* to police this stuff, and Verisign's actions were just unbelievably bad. Verisign are suing ICANN for finally doing its job, even if you don't like ICANN you can't support Verisign in this.

  16. Gee, a study by Craig+Ringer · · Score: 3, Insightful

    Perhaps ICANN are simply doing what so many other companies love to do, but cutting out the middleman?

    [No, I'm not serious. The "studies" others quote are usually independent in a sense, just carefully selected in topic and configuration to be likely to be favourable, then only published if they're favourable.]

    On another note, SiteFinder was pretty awful. As someone who rejected spam from invalid domains, I felt the pain when SiteFinder went live within minutes. Oh, the spam! It also considerably increased our mail server load for another reason - it tried to deliver bounces to invalid domains instead of freezing them or never generating them.

    If VeriSign try to bring that back, I'm finding another Internet :-P

  17. Re:Why does ICANN only have a problem with Verisig by Anonymous Coward · · Score: 2, Informative

    For the only reason that Verisign controls the '.' zone via the root servers. The .cx and .museum servers DO NOT HAVE THE ABILITY TO REDIRECT ALL REQUESTS FOR ANY ADDRESS TO THEIR SERVICE!

  18. Let's not forget by DSP_Geek · · Score: 2, Interesting

    People who used Verisign's Web-based domain name search got their domains hijacked more often than not. It happened to my stepbrother, along with a number of other people I know. The sleazeballs didn't even *try* to make it look legitimate: from lookup to hijack took around a dozen hours.

    As my friend in the Army said: "Once is happenstance, twice is coincidence, three times is enemy action".

    Veritas delenda est.

  19. It was google dot... by infernalC · · Score: 2, Funny
    co.uk, you insensitive clod!