ICANN Study Slams Verisign

Dinglenuts writes "ICANN has just released what I'm sure is a completely neutral and unbiased report, condemning Verisign's Sitefinder service for running afoul of 'community standards and caus[ing] harm to individual users and enterprises.' Seeing as how ICANN is currently being sued by Verisign for making them take down Sitefinder, this opinion can be considered less than revolutionary."

The dangers of money and power

[xonen]

It is the same as with dictators.. Any company that grows big and has influence must take very good care not to abuse it. I donnot have to give names, and some companies even believe themselves they have 'best intentions'.
But on-topic: i think verisign should loose there license. They have proven they cannot be trusted as independent tld maintainer.

Re:The dangers of money and power

[blowdart]

But ICANN is not much better. They have no accountability, refuse to reform, their meetings are basically junkets to somewhere expensive, and they try to gouge registrars for $15.8m for next year, double the previous years. Lets also not forget the fiasco that was the ICANN At Large, where the directors users voted in where quickly thrown out when they tried to represent user viewpoints.

Oh, and the too great an influence the US government has on ICANN.

Re:The dangers of money and power

ICANN is so important there's even a site solely devoted to watching it, icannwatch.org

Our premise can be simply stated: The Internet is a global resource of incalculable value, and nothing is of greater importance to its future than the way in which ICANN performs its role as manager of the Domain Name System. All Internet users worldwide have a stake in these ongoing events, and our job is to serve as a central point of reference, a kind of hill overlooking the often-chaotic information landscape, from which anyone seeking a better understanding of these developments can survey the ever-changing terrain.

Re:The dangers of money and power

[SlamMan]

enough IT guys switch, and then who cares about all those .Com[mercial] groups anyway.

All of my users?

Uh oh!

[Biotech9]

The next meeting, which starts Monday, features a workshop aimed at bridging the gap between ICANN and the United Nations, which is becoming increasingly interested in Internet governance.

The UN getting interested in governing the net?

Well, it was fun while it lasted. I'm off to spend the last few weeks of internet existence with the badgers.

Re:Uh oh!

[anaplasmosis]

The UN, through the ITU, assign all kinds of numbers, codes and callsigns. Did the world come to an end because the US had to paint "N" on the side of their airplanes?

Re:Uh oh!

[McDutchie]

Well, it was fun while it lasted. I'm off to spend the last few weeks of internet existence with the badgers [badgerbadgerbadger.com].

Oh, come on. The Internet survived the US for decades, I doubt the UN (i.e. the good folks that brought us international telecommunications standardization) would kill it any time soon.

They're still trying to d this?

[ErikTheRed]

After this whole thing started I simply had my dns cache resolve verisign.com addresses through my local dns server... problem solved. In fact, I'd forgotten about the whole thing...

Re:They're still trying to d this?

[csk_1975]

I simply had my dns cache resolve verisign.com addresses through my local dns server... problem solved

The way sitefinder worked was that Verisign wildcarded the whole .com and .net TLDs so that instead of getting an NXDOMAIN response when doing a query for a non existent domain you got the IP of the sitefinder website. Resolving verisign.com addresses was not the issue.

Yes there was a way to patch BIND and many other DNS servers so that the wildcarding didn't work and the proper NXDOMAIN reply was given for non existent domains - but simply redirecting requests for verisign.com addresses to your local cache would not have helped.

The sitefinder service personally bit me when I wasted hours tracking down a fault after I mistyped a domain name into a system which was using port 20000. Instead of getting NXDOMAIN and a simple to fix problem I was getting connection refused - it was not until I put a packet sniffer on the link (after hours of stuffing around) that I noticed that traffic was going to the wrong destination - verisign's then two day old sitefinder "service". But I had no idea that the wildcarding had been done. After fixing the problem and typing in the correct domain I then tried to fix my DNS to see why it was returning this IP instead of NXDOMAIN. Further fault finding led me to discussion in some newsgroups about the wildcarding.

Needless to say this pissed me off no end and I immediately blocked access to the sitefinder IPs at the border router and then when a patch was available for BIND I installed it on all my servers.

Verisign needs to remember that PORT 80 IS NOT THE INTERNET.

Still amazed...

[halo1982]

I'm still amazed by all of this, its really mind boggling. This is no better than those squatter sites (amazing search! etc) and they have complete control over the content and are trying to force everyone to see it. Its sad what some companies are trying to do for money.

Re:Still amazed...

[antic]

Revoke their license and give it to a company who restricts their commercial endeavours to what is considered *reasonable*.

Too much power to a company or individual without the best interests of the masses at heart is not a great thing and something should be done about it.

Google has, and continues to do so, proven that doing the right thing can bring commercial reward and brand loyalty.

Re:Still amazed...

[SillyNickName4me]

> Google has, and continues to do so, proven that doing the right thing can bring commercial reward and brand loyalty.

You nor I know what Google is really upto.
I'm not using their gmail service, and not using Orkut for a number of reasons, all of which come down to me not liking it when a company, regardless of which company, gets interested too much in my social activities and contacts.

Are they evil with it? I don't think so, but the issue is also that they don't have to be evil for it to go wrong anyway.

The simple problem is that in the end, they are bound to have too many conflicting activities, and will screw up without any intention of doing so.

Oh, and I do use their search and advertisement services, don't get me wrogn here, so far they have definitely shown to be a decent company, and its not like they don't deserve my business or such, but a s a matter of principe I do not want companies to try stick their noses into my private life too much, the risks of it going wrong are too big even when all involved do have the best intentions... What happens when the company gets bought out or merges with another one? or goes bankrupt? or what if there is some employee there who decides he wants to make a point???
Way too much can go wrong, and the more power you collect in one place, the bigger the chance that it will go wrong in a horrible way...

Fine, but without my data.

Right answer, wrong approach

[karl.auerbach]

ICANN's SSAC came up with the right answer with respect to Verisign's "Sitefinder" but they did so using a method that contains the seeds of an even greater danger to the net: unprincipled and subjective condemnation of change on the net.

See my note on this at http://www.cavebear.com/cbblog-archives/000108.htm l

Re:Right answer, wrong approach

[arcade]

ICANN's SSAC came up with the right answer with respect to Verisign's "Sitefinder" but they did so using a method that contains the seeds of an even greater danger to the net: unprincipled and subjective condemnation of change on the net.

While I certainly think it is good that people are sceptical to ICANN, I think this issue is the wrong time to voice those concerns. As you yourself state in your blog - "Sitefinder is so bad that the fact that ICANN is using vigilante methods to combat Sitefinder might be overlooked in our emotional reactions to the situation."

Sitefinder was incredibly bad. I had scripts failing all over the place due to not being able to rely on DNS providing proper "host not found" answers any more. I'm sure I was not the only one.

While I agree that the report could've been better - the important thing in this case is to support ICANN. The enemy of my enemy is my friend - at least temporarily - and at least about this issue.

There is a proper time and place for criticism. This is not the proper time to criticise ICANN, in my opinion.

Re:Right answer, wrong approach

[BigRedFish]

unprincipled and subjective condemnation of change on the net.

Huh? There's nothing subjective about the fact that looking up a non-existent domain name is supposed to return an Unknown Host error. I can think of plenty of applications that might rely on such a result code, spam-filtering being but one obvious example. Specs are specs.

ICANN didn't say that the specs are written permanently in stone - only that if one wants to change a spec, there are procedures that must be followed: public proposal, followed by peer review and discussion of the consequences being the big points. If the change is approved, then reasonable lead time needs to be given following final adoption of the new spec, so sysadmins have time to review their systems and update any affected code in preparation for the change.

Verisign did none of the above. They unilaterally and capriciously changed an important result code worldwide, with practically no notice given, and gave it no review whatsoever - not even internally. How else to explain doing it with email, which could easily have blown their own mail server off the net from the sheer volume of forged-header spam bouncing off non-existent recipient addresses? No tech ever really thought this one through (or if they did, they were ignored by BizDev/Marketing, which seems to me most likely).

Maybe ICANN is unprincipled, maybe not. But Verisign is unprincipled. Just because Peter's a jerk doesn't mean Paul's a saint. They might both be jerks. It's not a zero-sum game.

Lots of people have problems with ICANN, but that's a separate issue, unrelated to the fact that Verisign has proven itself unworthy of its station. Given that this lawsuit even exists, it proves that they (Verisign) haven't learned anything from all this, and shouldn't be allowed anywhere near top-level DNS servers.

And where it stops nobody knows

[Quirk]

From the article: ""Different people and different organizations have divergent views on what constitutes the common good, on what constitutes acceptable and desirable goals, and what are legitimate and ethical constraints," Auerbach wrote..."

It's interesting to watch the dynamic that is the evolution of the administration of the net. ICANN is seen by much of the world as to American centric and requiring, possibly a UN governing body to replace it or some other world centric governing body. Perhaps the growing pains of the European Union could offer some lessons as to how to best govern the net. It must irk many nations and organizations to see the administration and future plans for the net played out in American courts.

Tim Berners-Lee saw the founding of the web as a world wide endeavour surely a body as important as ICANN should be under the ageis of the UN?

Some things aren't meant to be for-profit.

[mrchaotica]

What really needs to happen is that domain registration and management needs to be handled by a non-profit organization, so they don't have as much of an incentive to screw with stuff. I'm not convinced that registrars like Verisign should even be allowed to exist.

Re:Some things aren't meant to be for-profit.

[timftbf]

Be careful with the registry / registrar distinction.

I'm all in favour of lots of for profit, for free, for the common good, for great justic registrars, as long as they meet some basic technical standards for interfacing with the registry and generally not breaking stuff.

The registry, on the other hand, should be run by a non-profit that understands the Internet and can run it for the common good.

Regards,
Tim.

Sitefinder WILL be reintroduced

I hate Sitefinder as much as the rest of you, but you can bet your asses that it will be reintroduced. It's a moneymaking machine, and I'm sure Verisign won't let all the work behind Sitefinder down the drain.

It's a pity, but it's exactly what PHB's wants.

Re:Sitefinder WILL be reintroduced

[gclef]

While you're probably right, what ICANN's trying to prevent is the arms race that reintroducing Sitefinder (specifically the DNS wildcard) will cause.

If the wildcard comes back, you can count on ISPs and software companies building their own overrides for the service (some to prevent it from happening, some to point their users to their service instead). Then, of course, Verisign will modify their system to compensate, etc, etc. That arms race will almost certainly affect the stability of the system, so ICANN's trying to keep it from starting. If that takes getting a court-ordered shutdown, I think they're prepared to take that route.

Re:Er the UN did what?

[hcdejong]

Actually, telecomms standardization is the job of the ITU, which is part of the UN.

Re:Better handled by the browser

[Scarblac]

VeriSign has defended Site Finder by saying it offers a better way to handle nonexistent or misspelled domain names than the unhelpful error messages that some Web browsers currently provide.

Apparently VeriSign believes that DNS is only used for Web traffic, and/or that the Internet is only the Web.

That's why it's no use talking about advantages of disadvantages of their method - their method just makes no sense. DNS (their thing) works on an entirely different level than the Web, they can't know whether a request has anything to do with anyone's web browser at all. They show a page to people using web browsers and break everything else, that's just stupid.

Report Conclusions

[ljavelin]

I actually read the report, and I have to say that it is pretty sound.

Although ICANN totally sucks as an organization, the committee certainly did a good job with this report. How the original poster could suggest that it is a strongly biased "propaganda" report is beyond me.

Will Verisign try to find issue with the report? I'm sure. After all, isn't it in the financial and legal interest of Verisign to counter its critics?

Not surprisingly, no one has yet to post counter-claims to the issues and assumptions made in the report.

It is a report, and it may make assumptions, but it certainly isn't a whitewash.