Verisign Recommended to Keep .com & .net

An Anonymous SAIC Employee writes "The 'independent' company hired by ICANN to advise them on who should run the .com and .net registry has recommended that Verisign (fact sheet) should be chosen to continue to run the registry. Is it any surprise? Telcordia was owned by SAIC (Fact Sheet) during the time the study was conducted. SAIC bought Telcordia (fact sheet) (then Bellcore) in Nov. 1997 and sold it March 15, 2005. Network Solutions was bought by SAIC in 1995 and sold in 2000. Also, Telcordia worked with Verisign on the ENUM project. Is the fox guarding the hen house?"

And this is different how...?

[werewolf1031]

Um, what exactly does this change?

Right. Nothing. Just checking.

Re:And this is different how...?

It's a good thing we are all paying that ICANN tax. They sure know how to accomplish things.

Re:And this is different how...?

[SpaceLifeForm]

Note to moderator. This can't be redundant, but it is insightful.

Perhaps you should quit your job at Verisign.

Re:whhoot

You misspelled psot.

Oh no!

[SteelV]

"VeriSign's clumsy, unilateral attempt to hijack the DNS space through its SiteFinder wildcard service (and its goofy FUD-filled management statements since) proves that profiteering decisions can -- and do -- endanger the Internet more than any hacker or computer attack. It also proves once again that the Internet community -- ISPs, developers, engineers, and other experts -- can come together to effectively and quickly counter corporate, not just criminal, attacks on the network infrastructure - and we owe them our thanks."

http://padawan.info/web/verisign_bad_citizen_of_th e_net.html

Why don't they get that diversity is a *Good* thing? Switch it up every few years, to keep these guys on their toes and not let them get too comfortable/corrupt.

Re:Oh no!

[TheKidWho]

Sort of interesting, how about making it democratic? Vote for the company to do it every 2 years.

Re:Oh no!

As long as their is a stipulation that the winner can't run their campaign on every unregistered *.com.

Re:Oh no!

Better the devil you know... we all know verisign will try and screw us over, but we could see a lot worse from other companies in the ever present drive for money.

Re:Oh no!

[TrappedByMyself]

Switch it up every few years, to keep these guys on their toes and not let them get too comfortable/corrupt.

Oh, you mean like the Presidentcy?

Re:Oh no!

[traabil]

Why don't they get that diversity is a *Good* thing? Switch it up every few years, to keep these guys on their toes and not let them get too comfortable/corrupt.

If the switch is considered arbitrary, then that will kill off the incentive to improve. Why stay on your toes if the the election is not based on merit?

Re:Oh no!

What's a Presidentcy?

Re:Oh no!

[chrish]

That assumes that either of the two parties that stand a chance of winning in the US are different in any noticable way.

Re:Verizon is not about choice, same with all LECs

Verizon? i thought the article was about Verisign??

heh

[DiscoOnTheSide]

something tells me the guy who wrote that is a champ at "5 Degrees from Kevin Bacon" :P

not the fox guarding the henhouse

[thdexter]

This is the cock guarding the henhouse.

stupid filter
stupid filter
stupid filter
stupid filter
hate the filter

Technocrat had the story yesterday ...

[xmas2003]

Technocrat had this story yesterday - probably have a bit more discussion about it on Slashdot, but we'll have to see about the signal-noise ratio ... ;-)

Exactly...

[ral315]

Why would we honestly expect any different? Anyone who actually read into the situation expected VeriSign to get the contract, and it looks as if that's what's going to happen now.

Whats all the fuss about?

[FiReaNGeL]

Last time I checked, .com and .net domains costed a whole 10 bucks to register.

Why all the fuss about who should administer these? Is it doing any difference if it's Big Corporation A or B?

Re:Whats all the fuss about?

[ral315]

It's about other things. For example, as the article says, in 2003 when VeriSign directed 404 errors to their own search engine.

Re:Whats all the fuss about?

[Wesley+Felter]

Why all the fuss about who should administer these? Is it doing any difference if it's Big Corporation A or B?

Yes, because some people would drop the price to $2/year if they were in charge. It's a small difference in absolute dollars, but the relative difference is huge and exposes how much VeriSign is overcharging.

Also, VeriSign has a bad habit of implementing evil stuff like SiteFinder, although other companies would be likely to try the same thing if they were handed a monopoly.

Re:Whats all the fuss about?

No. They didn't redirect 404s. A 404 is an HTTP error. They redirected NXDOMAINS (error code 3), which is a DNS level error. There is a MASSIVE difference.

Re:Whats all the fuss about?

[Electroly]

Correction: VeriSign directed NXDOMAIN ("domain does not exist") DNS errors to their own search engines.

Re:Whats all the fuss about?

[RollingThunder]

This is NOT a trivial correction, either.

The GP makes it sound like it affected only web access. This was certainly not the case.

As an example, all sorts of DNS based tests around if a sending domain really existed started failing, removing one of the spam-blocker's methods of determining if a message is legit (IE: reject from unknown domains).

NXDOMAIN is in the spec for a reason, and Verisign hardly even got their hand slapped for breaking it.

Re:Whats all the fuss about?

[PsiPsiStar]

Would $2/year really be a good thing?
Or would it just encourage domain name squatting?

Re:Whats all the fuss about?

Or would it just encourage domain name squatting?

Ah how I long for the good old days of domain name squatting. Google bombing, typos, phishing, spamming, there's so much fun to be had by abusing the DNS system, why make criminals pay when it means legitimate users might have to skip lunch once a year to pay for their domain names.

Re:Whats all the fuss about?

http://it.slashdot.org/comments.pl?sid=144333&cid= 12095925

Shouldn't be informative. Should be redundant. He pretty much just posted what the AC before him posted. How lame.

Depends on what their contract says

[dmoen]

I wouldn't mind this, if Verisign's contract was amended to prohibit domain-typo hijacking, and more generally, to require them to remain compatible and RFC compliant. And I would want those same contract provisions regardless of who runs .com and .net.

Doug Moen

Re:Depends on what their contract says

[toddbu]

Yeah, but the problem here is they serve both as a registrar and keeper of the registry. The only way to get rid of this problem is to split the two functions and prohibit one single company from doing both job functions. Kind of like the U.S. Mint - if you don't know how to make the paper *AND* the ink then you can't print your own money (unless you own a laser printer :-)

Re:Depends on what their contract says

[godless+dave]

But if there are other companies who want the contract, why not give it to one of them instead of to a company with a proven track record of misdeeds and dishonesty.

Re:Depends on what their contract says

why don't you buy all the typo urls? that way you are safe. i don't think any comapny can do that cause www.cat.com and www.cut.com are two very similar names! do you consider one to be a typo?

Re:Depends on what their contract says

[Antique+Geekmeister]

The contract wasn't amended. Fortunately, Bind and most other fully capable DNS servers were tweaked to disallow this nonsense within days of Verisign trying it. Unfortunately, it's the little home and small network setups of DNS that will suffer from the re-routing when Verisign tries it againi.

Remember, that little stunt gave Verisign not only lots of salable traffic data about mistyped URL's, but it allowed them to route other people's mis-addressed email to their own mail servers. The stunt was very nasty and very dangerous.

Re:Depends on what their contract says

Where have you been? They spun network solutions back out as in independent registrar. Verisign is only the registry now.

Thank Odin noone is being bribed

[WillAffleckUW]

it's just no-bid contracts.

SNAFU.

Re:whhoot

[Dorsai42]

And no one cares that it was first, or that it was mispelled.

Sitefinder

[Uber+Banker]

Isn't hijacking every and any unclaimed URL for company profit while providing no public service in an organisation whose very objective is a public service reason enough?

Re:Sitefinder

[notque]

Isn't hijacking every and any unclaimed URL for company profit while providing no public service in an organisation whose very objective is a public service reason enough?

Yes.

Re:Sitefinder

[CSMastermind]

And what makes you think another company wouldn't do the exact same thing?

All that's a reason for is the government to instuit a better set of regulations about how the assignment of URLs will be done.

Re:Sitefinder

[fimbulvetr]

Which government?

The U.S.A.? Hahahahahaha. Hahahahahaha. Hahahahahaha.

You have to be out of your mind!

Re:Sitefinder

[MightyMartian]

And what makes you think another company wouldn't do the exact same thing?

A restrictive contract, that's what. Verisign should have been yanked the minute they pulled the stunt. What's really needed is a way of simply liquidating the next company's assets if they play dirty.

Uh oh

[ravenspear]

Something tells me the submitter of this story is in violation of his NDA. Maybe he should start looking for a new employer.

Re:Uh oh

[jericho4.0]

That's all public information.

What am I missing?

[The+Amazing+Fish+Boy]

Is SAIC the 'independent company'? Who's the fox? What henhouse? I'm not sure who's doing what, here.

Re:What am I missing?

No shit, that has to be the worst summary ever. I'm sure it made sense to the submitter, but wtf?

I read the report

It had numerous threatening references to the UN.

Not surprising

[Jailbrekr]

Virtually every company in the IT world is connected to each other. Its like a big stupid beowulf cluster of beaurocracy that uses IPX instead of IP for its communciation protocol.

Welcome to the techo-appalachians, where everyone is related to everyone else in some manner.

Re:Not surprising

[The+Amazing+Fish+Boy]

Virtually every company in the IT world is connected to each other. Its like a big stupid beowulf cluster of beaurocracy that uses IPX instead of IP for its communciation protocol. Welcome to the techo-appalachians, where everyone is related to everyone else in some manner.

I didn't know Silicon Valley relocated to Utah....

Re:Not surprising

[Zen+Punk]

IPX? The Novell network protocol?

Re:Not surprising

[Masami+Eiri]

That's the rockies. Appalachians are eastern (Maine to Georgia, I belive)

So What

[pHatidic]

This is just a recommendation. I have full faith that Joi Ito and the rest of the board will make the best decision when the time comes.

Re:So What

This is just a recommendation. I have full faith that Joi Ito and the rest of the board will make the best decision when the time comes.

I believe in Lord Buddha. Nevertheless, I don't let him delegate parts of the Internet; neither him, nor the people who are said to be representing him while he personally is waiting for all sould to gather at the gates of enlightenment...

Disclose what?

[fm6]

This is all public information. SAIC might fire him for saying negative things about them, or just for being a little wonky. But NDAs are about private information.

NetSol

[Saeed+al-Sahaf]

It seems like The Story always hits Slashdot a few days or months after it actually happens.

But...

Actually, obnoxious posing and behavior not withstanding, NetSol does in fact have the most solid infrastructure to insure solid .net and .com DNS. Yes, it's sad. But, it's true.

Re:NetSol

[kimba]

Actually, obnoxious posing and behavior not withstanding, NetSol does in fact have the most solid infrastructure to insure solid .net and .com DNS. Yes, it's sad. But, it's true.

Yes, but that doesn't mean they aren't the only one overly qualified to do so. Running the DNS isn't rocket science, as much as people would like you believe. There are many entities with enough technical clue to do so. Some of them even bidded against VeriSign.

Re:NetSol

[cpghost]

Running the DNS isn't rocket science

Yes, indeed. The whole registry infrastructure could be put up together from open source components that already exist. The servers could be secured and managed just like every other servers. There's nothing at all magical about it.

The real challenge for a registry is not technical. It is a major administrative and legal undertaking. One person was able to manage the whole .za domain from their basement, but .com and .net are a little bit larger and a tad more volatile.

So What?

[cgoody]

Why change when theres nothing wrong. Why change when Verisign hasnt done anything wrong.

Re:So What?

Nothing wrong? You nut! They screwed over everyone with their DNS hijacking and you say they've done nothing wrong?

Bastards are so low they should not have even been on the list to have a chance of getting the registry back!

Time for another ICANN meeting in an exotic locale

This sounds like an important issue. We should fly ICANN officials to another exotic destination!

Well, of course

Wasn't the dot-com boom the veri sign of .NET coming in the first place?

*ducks*

Re:Why change?

[kwoo]

Verisign aren't doing a bad job as it is, why bother going through all the change. because we know if someone else takes over, the internet will go down for at least a week

Please tell me you're being facetious in your last sentence. If not, you know painfully little about the subject at hand, and would do much better to read and learn than to comment and look the fool.

Re:Why change?

[Desert+Raven]

because we know if someone else takes over, the internet will go down for at least a week

You mean just like it did when .org was transferred?

Oh, wait, nevermind....

+1, first fact sheet troll

Its always interesting to see where things begin.

Simple question: If not them...

[dark-br]

who else?

If there's not another option that is *much* better then the current one why bother? Keep in mind that a change like this could result in a *real* mess.

Re:Simple question: If not them...

[St.+Arbirix]

If there's not another option that is *much* better then the current one why bother?

EFF? W3C? IETF?
True, it's not their forte, but if any of them were willing to take it on...

Re:Simple question: If not them...

[Just+Some+Guy]

who else?

Anyone.

Keep in mind that a change like this could result in a *real* mess.

Ahhh, so you've never personally dealt with them. OK, here's the short answer for people who've never experienced that dishonor:

It would be darn nigh impossible to screw up anything worse than Verisign. They are absolutely, positively the worst "the problem must be on your end" pack of frickin' screwups ever to bungle network management. Network Solutions? Only if the problem is "I have too much money and time - please help me blow it on getting my domain back from the hijacker you gave it to without asking me first". I would give the job to Microsoft before I'd willingly let Verisign have another crack at it, and that's not something I'd say lightly. If they built cars, people would have died in the Verisign Pinto. They're the New Coke of networking, and I'd swear Terry Gilliam had a crystal ball and based "Brazil" around their bureaucracy.

It. Can't. Get. Worse. This is it. You're looking at it. The lowest common denominator is carrying the treasure. People hate them so much that they built entire alternative DNS hierarchies to fix the theoretical disasters that Verisign somehow managed to drag to life. I'd buy a SCO Linux license before I'd pay Verisign to register another domain.

Re:Simple question: If not them...

Your asterisks have convinced me! I wish to subscribe to your newsletter.

Re:Simple question: If not them...

[headLITE]

DENIC comes to mind, they're running the second largest registry database world-wide after .com; they should be able to do it.

Re:Simple question: If not them...

[cpghost]

I'd buy a SCO Linux license before I'd pay Verisign to register another domain.

Sorry to disappoint you, but if you own any .net or .com domain, you are already paying Verisign for it. Even if you registered with another registrar. All registrars (worldwide) pay a fee to the registry operator, which is for .com and .net Verisign. Verisign have a (apparently crappy) registrar business too, but that is not to be confused with the registry operation business.

Re:Simple question: If not them...

[Just+Some+Guy]

Sorry to disappoint you, but if you own any .net or .com domain, you are already paying Verisign for it.

I realize that, but it's the smallest payment possible under the circumstances. That's still a lot better than cutting them a check directly, although I really wish they weren't getting a penny of my money.

WARNING

[ta+bu+shi+da+yu]

That links to a last measure site.

Google

Google should run the TLDs.. I mean, why not? They have the servers and they basically run the internet anyways.

Re:Google

Also.. maybe they could use the domain registration information to improve their page ranking algorithim. Detect domains owned by the same entity all pointing to eachother and lower their page rank (might help combat some of the SEOs).

Re:Google

so...what is stopping them of doing that ? is it more than a site scrapping of netcraft, they crawl the web anyway.

As I posted to this same topic on technocrat...

[the_rajah]

yesterday.. "Verisign is right up there with MS and Intuit in my list of evil corporations. All the dealings I've had with Verisign / Network Solutions as a registrar have been nothing but a huge hassle. Please get someone who we can trust. I don't use them at all any more. Godaddy is a LOT less expensive and their telephone support is nothing short of wonderful. Disclaimer: I have no financial interest in Godaddy, but I do have some 90 domains happily registered with them.

"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain

Re:As I posted to this same topic on technocrat...

Godaddy is a regist_rar_. Verisign is a regist_ry_. The two aren't equivalent. Network
solutions is the equivalent of godaddy.
Go daddy doesn't have necessary infrastructure to support the A-Level .net domain.

Re:As I posted to this same topic on technocrat...

[Cylix]

I don't have a lot of domains, but just one. Some time ago I had a provider who would not follow due process with the network solutions email transfer. I called the ISP and eventually they said they only do such things under written order.

This was silly... I had things already in place with the new provider and it was causing issues. Even discussing it with admin reached no solution. Finally, I told him I'm just going to forcibly yank control from them.

Beyond the whole faxing and charging for immediate service to have the domain moved it was basically a breeze. I went in expecting horrid things and it turned out basically alright.

I still had to go back to the old ISP a week later and inform them DNS was changed and they needed to remove their local records as it was causing email problems on their end.

Now despite the decent service I recieved from Network Solutions I won't be getting any new domains from them. That prickish business with the NXDOMAIN stuff was fairly childish.

Oddly, the business I'm with has never jumped on the "register everything we can" kick. While I want 20... 1 does the job.

Re:As I posted to this same topic on technocrat...

[Mycroft_VIII]

Are you saying they wanted a court order or just written confirmation to move the domain?
Up to a point I would HOPE transfering domains wouldn't be just an e-mail, but would require a bit of confirming. Hijacking seems a bit too easy already.
There have been a few domain snatch stories lately where all that happened was someone sent a email and just took the thing.

Mycroft

Re:As I posted to this same topic on technocrat...

[Raistlin77]

GoDaddy reps could not understand the status on a .org domain that one of my customers was trying to transfer to their service, and after pointing them to all the documentation at pir.org, they still adamently claimed that they could not transfer a domain that had status "Client Update Prohibited". After explaining to maybe 10 different GoDaddy reps that the only status affecting transfers was "Client Transfer Prohibited" (which had long before been removed), with my customer conferenced in on the calls, my customer decided that the extra $10 per year to stay with me was worth the horrible stupidity that he was avoiding by NOT switching to GoDaddy.

Re:As I posted to this same topic on technocrat...

[Cylix]

no, snail mail written letter...

a court order would have been excessive.

This was also before the rampant hijacking as well.

Re:Verizon is not about choice, same with all LECs

that probablly why it was labled as off-topic

Cowardice

[Doc+Ruby]

SAIC might be crazy for hens like a fox. But who is this "An Anonymous SAIC Employee"? There's Slashdot UserID like that. Sure, the facts and interpretations of this incestuous relationship stand on their own (possible) merits. But what else is going on with this Slashdot story? Are we all just being used as a propaganda market again, in another infowar between rivals for the same government contract?

Re:Cowardice

[geminidomino]

It could just be that the whistleblower doesn't want to be outed just yet...

Re:Cowardice

[Doc+Ruby]

Yes, it could be. But it could be anything. Actual whistleblowing requires some accountability. Publishing whistleblower claims requires accountability, too. The best-known example of secret whistleblower, Watergate's "Deep Throat", was identified by Woodward and Bernstein to their editors at the Washington Post. Which had credibility (at that time) in assuring the public that the person was real, and credible themself. Slashdot does not have anything like that credibility, and has not even indicated that they know the SAIC "whistleblower's" identity. It's no Watergate, but it's wrong at a smaller scale.

Re:Cowardice

[geminidomino]

True, but it may not be TIME yet. If the whistleblower gets outed and fired now, what else may happen after he's gone and there's no one else to leak it?

Despite the protestations of the "only criminals have something to hide" crowd, anonymity does have its uses.

Re:Cowardice

[Doc+Ruby]

MAYBE. The whole point is that there are many possible explanations of this "leak", only one (or a few) of which are on the level, Many others are simply competition, and others are misunderstandings or miscommunications. As I first mentioned, the facts bear investigation. This isn't even a "leak", as no secret info has been revealed - just an unusual insight about the potential cronyism evident in public info about the transactions. But whistleblowing is very complex, balancing secret identity info, proprietary info on one side, against public disclosure on the other. Indulging a "whistleblower" who's just PR flack for the competition harms the publiser and the consumers. It's not to be undertaken lightly. And without evidence that Slashdot has validated this submitter, the question of their providence, and therefore the rest of the story, is very important, if not crucial.

Re:Cowardice

[geminidomino]

Hey, I'm not disagreeing that we should take this (and pretty much anything on slashdot) with a rather generous helping of salt.

My main disagreement was the implication, possibly misread on my part, that ANYONE whistleblowing under anonymity was a coward.

Re:Cowardice

[Doc+Ruby]

Well, I didn't imply that, and my citation of Deep Throat certainly implies the value of anonymous whistleblowers. But I did explicitly state the dubious nature of anonymous testimony, even when the facts are public. My own reaction to the anonymity is conditioned by the many journalists currently reporting pure propaganda when citing anonymous govenment and corporate "sources". Without validating the stories, without even knowing where the info is coming from (and therefore where it might be going). That kind of incompetence has helped get us into our Iraq war, not to mention many corporate cons flooding our society.

Unless the whistleblower remains anonymous while learning more useful info, I could make the case for cowardice. Not necessarily unwarranted cowardice, or inappropriate: just keeping my job might be more important to me, though I reveal misdeeds by my employers - I'm a coward, but not unreasonable.

Why is this still centralized?

[MrDomino]

I honestly find it hard to believe that a single entity can maintain control over such a large part of the Internet for so long a time; in the net's early days, a centralized domain registry might have been acceptable, being that it was a small thing and the overhead to implement anything more advanced would've outweighed the benefits. Now, though, with the Internet the size it is, I honestly think that something better needs to be in place: get rid of this central-domain-registry crap. Whoever's in charge of it--Verisign, Microsoft, even Google--is going to profiteer to some extent, simply because that is what companies do.

If you ask my opinion, a decentralized system would make much more sense here. Store addresses in a Kademlia network or something; allow anybody to register a domain name, and it'll propagate as it's accessed. With a PGP-like trust system implemented, there need not be a central registry anywhere. The only way to prevent abuse of such a large monopoly is to prevent any single entity from controlling it, and the only way to do that is to decentralize the process.

Re:Why is this still centralized?

[violent.ed]

Decentralization comes with its pros and cons. Amongst the feudal corps its in more of a "trustworthy" hand than in just anybody/everybodys.

when i hear "the only way to do that is to decentralize the process" i think of p2p.. sure its nice, it will live long & prosper. but its easy to taint.

"allow anybody to register a domain name, and it'll propagate as it's accessed." sorta reminds me of irc channels, sure you can reg it, but guess what. who the hell do you complain to when there are no IRCops to complain TO. which raises another point.

what happenes when it all becomes a big mess? where is the DIFINITIVE, AUTHORITIVE source for the "RIGHT" answer? and do you think that a 10, 5, 1 day old backup is enough to restore order to the chaos that would amass? do you know how many domains are registered/expire in 1 day? much less 1 hour? (man i hope you dont, at least for my point anyways hehe) i sure dont. can we say "sue"? can you tell me who to sue? then again, you have your homepage/business and then one day the dns gets tainted... now www.tobyshardware.com (not regg'ed btw) points to www.tubgirlmeetsgoatseman.net .. lets see you wiggle out of that one when your grandma (or DAUGHTER) goes to find out what new toys they can order.

which goes back to who do you shoot? i would say, in this case, yourself... because you voted on decentralizing the domain registry :P

Re:Why is this still centralized?

[MrDomino]

Amongst the feudal corps its in more of a "trustworthy" hand than in just anybody/everybodys.

So you're saying you'd rather have a group of complete strangers whose only motivation to protect your rights is to avoid getting in trouble control what websites go where than a group of your own self-selected, trusted friends (a la PGP)?

when i hear "the only way to do that is to decentralize the process" i think of p2p.. sure its nice, it will live long & prosper. but its easy to taint.

You're thinking of projects like Kazaa, I presume; those quite obviously are easy to manipulate and break, because they were designed with (poor|no) trust management system; any jackass can put whatever he wants on the network and it's given equal priority to everybody else's stuff (much, I might add, like the current domain registration scheme: you can register a domain, then completely ignore it, and it will still be held just as important as, say, slashdot.org in the system). In this hypothetical decentralized system, domains that are accessed regularly will propagate more through peoples' address books and be more reliable. One possible flaw that might be noticed here is that this would seem to suggest that only big sites would have stable domains; with a web of trust scheme in place, though, a site with a very small userbase who all trust each other can exist among that userbase indefinitely.

"allow anybody to register a domain name, and it'll propagate as it's accessed." sorta reminds me of irc channels, sure you can reg it, but guess what. who the hell do you complain to when there are no IRCops to complain TO.

I have no clue what you're asking here--probably because you never used a single question mark, but that's beside the point. Rephrase this in a way that makes some semblance of sense and I'll try to respond to it.

what happenes when it all becomes a big mess? where is the DIFINITIVE, AUTHORITIVE source for the "RIGHT" answer? and do you think that a 10, 5, 1 day old backup is enough to restore order to the chaos that would amass?

You're looking at it the wrong way; there will be no definitive, authoritative source, nor will there be a single "right" answer. The net will exist as a group of communities of trusted friends, meshing and interacting with each other dynamically; if a collision is produced between domain names, the one that is offered by the source you trust more will be used. In this way, community A, a group of gun nuts, can maintain that foo.com points to a site about the evils of gun control, while community B maintains that foo.com points to a site promoting gun regulation. Both communities can happily use the foo.com domain independently and both can achieve the results that they desire.

Re:Why is this still centralized?

[PedanticSpellingTrol]

So what if somebody from community A wants to see community B's content? Will B have to have a second domain for "outisders"? Claiming that conflicts aren't a problem because nobody would want to see both sites is incredibly shortsighted.

Re:Why is this still centralized?

[MrDomino]

Good point; I suppose, then, there'd have to be some better form of collision resolution in place. This might not be easy to do, but there are certainly ways of solving it, and tossing the entire idea out the window on the grounds that the current vastly corrupted and outdated system is "good enough" is even more shortsighted.

Re:Why is this still centralized?

[blew_fantom]

hrm. while an intriguing idea, how would you address dns poisoning or dns hijacking? we're talking redesigning the way the Internet functions no? as it is now (and anyone can correct or clarify me), when a request goes out, it usually goes to "root" servers first. "root" servers usually then push the translation request to .com servers. and from there, routers find the best possible route to the ip address (hideously oversimplified). for new entries or changes convergence usually takes 24-48 hours for routers to know best possible routes for ip addresses. how would convergence work in a decentralized environment? my guess is that more complex algorithms will be needed to weed out bad routes, convergence could take longer, and the Internet could possible become unstable... that's just my guess tho. i'm more inclined to agree that there should be a centralized system administered by anyone other than verisign...

Re:Why is this still centralized?

The central registry you're thinking of is the ROOT SERVERS, which are controlled by a cabal, the same way they always were, just like Usenet. Anyone can create a set of root servers, but in practice just about everyone agrees on the same set, and that's the set your local DNS server has cached.

Verisign just controls a few non-ccTLDs, which would be irrelevant but for the fact that people like you can't distinguish them from the root, and so insist that they somehow represent the whole Internet, rather than merely a particularly cheap and tarwdry piece of it.

The ccTLD system is as de-centralised as anything could be, it's run by dozens of countries, via everything from private companies run in someone's back bedroom to huge government departments. You get your free TLD when you convince an ISO committee that you're a country, and not just a country but one significant enough that people might want to abbreviate it to just two characters. A few notable exceptions to this rule exist, particularly .uk, controlled by the UK government which was officially assigned .gb but prefers the more mnemonic alternative.

A brief observation of the UN in general session should convince you that even the medium-sized countries of the world can't agree on anything, and thus this de-centralized system is protected from any conceivable abuse. If the Russians and Americans gang up to ban bad language, or prohibit all mention of Viagra, you can go to the Chinese, or the Swiss, or the Australians, and plead your case to them. If Belgium is charging you too much for example.be, get a better deal from Finland for example.fi

Here's a concrete example. A regular Joe who bought donkeyhats.co.uk in 1997 would have been given a cryptographically secure DNS upgrade facility by the incumbent monopoly DNS provider to the UK government. Black hats wanting donkeyhats.co.uk would have to resort to complicated DNS-server shenanigans to wrest it away even temporarily, and Joe would never have needed to resort to court action to retain it. However if Joe had bought donkeyhats.com, run by Verisign, he'd have no choice but to constantly check that it hadn't been taken over by Black hats, because Verisign's security is totally laughable. In some crazy recognition of this Verisign invented a new policy not long ago - now they tell everyone that all domains are free for the taking, unless you set a "locked" flag which forces you to negotiate with your registrar if you ever need to change providers.

So what's crazy is not that Verisign are allowed to continue running .com, but that people still love .com so much that they'd rather waste a huge quantity of money for inferior service than choose any of the alternatives.

Re:Why is this still centralized?

[mrogers]

Two words: domain squatting. If names were free, what would stop someone from writing a script that generated and registered names as fast as their network connection would allow? If the system doesn't allow duplicates then a single squatter can register all trademarks and dictionary words in a matter of seconds; if duplicates are allowed then names are longer a convenient, reliable way of referring to a particular machine, and the system is worse than useless because of the possible abuses. Namespaces have to be centralised. True, it's dangerous to put infrastructural monopolies in the hands of a single company - the traditional solution is government regulation or even nationalisation. Maybe it's time to think about retiring the international TLDs like .com, .net and .org in favour of the national TLDs, which can be regulated in a more-or-less democratic way.

Re:Why is this still centralized?

[violent.ed]

"One possible flaw that might be noticed here is that this would seem to suggest that only big sites would have stable domains; with a web of trust scheme in place, though, a site with a very small userbase who all trust each other can exist among that userbase indefinitely."

Define "that userbase." do you mean userbase, as the entire dns using internet, will trust only a "small group" such as their neighboring boxes on the local branch of the cable offices' router system?
or will it be a much larger group separated into large segements of the natation, serviced by random by connection-status "hub" dns servers that serve only those who know about them? speaking of which, for a decentralized network, such as the newer p2p or bittorrent protocols, a tracker or some other list providing entity (be it a host file on disk or a remote server sending broadcasts of known hubs, which would REALLY bog everything down depending on how you want it spread...) ok ive drank to mucch & smoked one too many bowls, that was my main reply ... umm

"I have no clue what you're asking here--probably because you never used a single question mark,"...
i will blame that on my "internet ink" running out before i could make the lil obtuse dollar sign thingy above the .

Re:This changes a lot FYI

[TerminaMorte]

It's a fucking GNAA pop-up thing.

Does it have to be one company?

[mi]

It currently works on the hierarchical basis, right? So all .com must be under the same "roof".

With little effort, the system can be modified to ask a different set of "root" servers based on some simple formula on the domain-name. Like, sum up all letters of the name and % by the number of competitors.

Then we'll be able to measure the efficiency of each contender -- number of failures, average response time, &c. and compare them.

Or am I totally wrong? Any DNS gurus here?

Re:Does it have to be one company?

[bigberk]

It currently works on the hierarchical basis, right? So all .com must be under the same "roof".

I don't think this is the case. There are several root servers that answer for the .COM top level domain. These are A.GTLD-SERVERS.NET, B.GTLD-SERVERS.NET etc. There isn't just one server.

The IP addresses for all those root servers belong to Verisign, but I don't see why "A" can't be Verisign, "B" can be someone else, etc. Maybe one downside would be more difficult synchronization between all those servers, certainly not a major problem.

Re:Does it have to be one company?

[Wesley+Felter]

But under that scheme there would still be one company for any particular domain. So if you want to register, say, slashdot.com, you still wouldn't have a choice.

Re:Does it have to be one company?

[Wesley+Felter]

Except all the .com servers simply replicate from the .com master, which is run by VeriSign.

AFAIK, no one has figured out how to have multiple registries for a single domain.

Re:Does it have to be one company?

[mi]

True, but objectively comparing the competitors would become possible. Currently Verisign can respond to any criticism with: "Well, nobody can do it any better."

Nobody -- including Verisign themselves -- knows, whether this is true or not. With my method objective metrics can collected and minimum standards imposed.

As for changing, my simple formula will force automatic reshuffle of all domains any time another competitor enters the fray.

Re:Does it have to be one company?

[mi]

Except all the .com servers simply replicate from the .com master, which is run by VeriSign.

And "under my plan", they'll replicate from several servers -- what's the big deal?

AFAIK, no one has figured out how to have multiple registries for a single domain.

Well, I'm offering a way -- a simple hash of the domain name requested. Such as summing up all letters' ASCII values and % the result by the number of contenders. Only the root-servers' software needs to be modified for this.

Re:Does it have to be one company?

[chuckychesthair]

I am not a DNS guru, but yes, you are totally wrong. DNS is embedded in so many machines and is already such a complex standard, that it is impossible to change something so fundamental and have it work. Even adding something like DNSSEC took more than 10 years (and some broken attempts) before we reached the standard (just happened).

Basically, it has to be 1 company. Since delegations are on label boundaries. There is no way to get around that, unless you want to develop a new DNS-alike protocol and get everyone to switch over to it. Oh, and if you, build security into it while you're at it!

CC

Re:Does it have to be one company?

[Rich0]

Actually, some of the other posts in this thread have hit on an idea - a 1-off registry.

You register a .com DNS address with one or more registars. An ICANN-run server combines all this into a single database (they own the master registry). Then, a subcontracted set of servers replicate that master database, and those are the ones that are pointed to as the DNS servers for .com.

ICANN owns the key piece of infrastructure - the master domain list. However, the hardware for this needs only be moderate and is not critical to internet operation. They can now subcontract the running of the DNS servers to as many other companies as they want, and they are only providing DNS resolution services. ICANN doesn't deal with end-users on either end - both registration and resolution are outsourced. They can just charge the registrars a flat per-entry fee which gets passed back to domain owners.

Slave DNS servers fortunately are well-handled by DNS already...

Re:Does it have to be one company?

[chuckychesthair]

You mean the current setup? Where ICANN has a company (registry) manage the master server, which gets updated through registrars, who are multiple companies handling the registration of domain names under the particular TLD that the company/registry is chosen for. (in this case .com)

There is a reason that ICANN has outsourced the infrastructure management of the TLDs. It simply does not have the resources to do it itself, nor the legal background to handle ccTLDs.

CC

Re:Does it have to be one company?

[perp]

Verisign does not own all the root servers. That would be insane; they would have the entire Internet by the nads (don't they wish). The root servers are spread around the world, though most of them are in the USA. See here. The purpose of the root servers is to direct queries to the correct TLD (top level domain) server depending on the TLD of the query. All DNS servers need to know the ip addresses of the root servers, and the root servers take it from there

Verisign owns the .com and .org TLD servers, which are the ones all the root servers refer .com and .org queries to.

Does this make me a DNS guru? :-P

Re:Does it have to be one company?

[mi]

DNS is embedded in so many machines and is already such a complex standard, that it is impossible to change something so fundamental and have it work.

Unlike DNSSEC, my plan only requires modifications to the root-servers' software, which, I'm sure, is already heavily modified and customized. And it does not have to happen in one instant either -- those servers can be updated gradually.

Re:Does it have to be one company?

[Rich0]

You described the current setup - not my proposed one.

The main difference would be that ICANN would maintain the master server - but that server would not be reachable by anything other than the replica DNS servers and the registrars. You could run that on a Athlon over a T1 line.

The current setup puts the master server in the hands of Verisign, as well as all the replica DNS servers. I would propose breaking that part up. They could be a registrar, and they could run some replica servers, but they wouldn't run the master server and they couldn't run all the replica servers.

If ICANN wants to outsource domain dispute handling that is fine too, as long as they have the power to step in when they need to.

So, if a company like Verisign wants to start implementing sitefinder or otherwise breaking RFCs, ICANN simply changes the root servers to remove their replica servers from the list, and the problem is instantly solved. The DNS load falls to the other contracted companies, who might be paid based on relative number of queries served or something like that (to be tested by a 3rd party logging in via various normal ISPs and running DNS queries at various times during the month and counting up who ended up handling each).

The problem with Verisign is that ICANN can't pull the plug without shutting off the Internet as we know it. That isn't a good bargaining position. My proposal would let ICANN outsource all the heavy lifting while keeping the most critical parts of the opreation in their own control.

Outsourcing is fine and all, but why would you outsource all control over something when you get almost the same benefit from outsourcing all the hard parts and keeping the easy part which is also the most critical one?

Re:Does it have to be one company?

[chuckychesthair]

Unlike DNSSEC, my plan only requires modifications to the root-servers' software, which, I'm sure, is already heavily modified and customized. And it does not have to happen in one instant either -- those servers can be updated gradually.

Not really, as the load on the root and tld servers is lessened by caching the information (for a ttl). So if you do a query for www.bar.com to a root server, you are getting a referral to the servers authoritative for .com. You would cache this information, so if you then want to go to www.foo.com, you will reuse this information and thus cannot go to the other .com server.

The only way in which it would work is if you set the TTL of the records extremely low, which would increase the level of traffic well over manageable levels.

Oh, and just so you know, most root servers run regular versions of Bind and NSD, not specific changed versions. My company runs a root server and it has no special software. That would increase the possibility of special bugs too much.

CC

Re:Does it have to be one company?

[chuckychesthair]

The main difference would be that ICANN would maintain the master server - but that server would not be reachable by anything other than the replica DNS servers and the registrars. You could run that on a Athlon over a T1 line.

Much like it is today for the roots. DNS servers don't need massive cpu power anyway, they are more memory intensive.

The system you describe is active for the root. Verisign runs the master server for that too. And the other organisations get the zone from a hidden master. And even for .com... there were a few slave servers for .com that removed the sitefinder wildcard. A bad move, imo, because it works around the problem instead of solving it, like ICANN did. (then again, the Internet usually works around problems).

It simply comes down to wether or not you think it is easy to maintain the .com zone file and deal with all the registrars. You seem to think so. I think it is not.

CC

Re:Does it have to be one company?

[mi]

Not really, as the load on the root and tld servers is lessened by caching the information (for a ttl). So if you do a query for www.bar.com to a root server, you are getting a referral to the servers authoritative for .com.

I thought, the root servers themselves are authoritative for their entire toplevel domain, updating their own data from the real single master "often"...

You would cache this information, so if you then want to go to www.foo.com, you will reuse this information and thus cannot go to the other .com server.

So, I would automatically ask the server authoritative for bar.com about foo.com? Does not sound plausible -- either you are a guru or you are wrong :-)

Re:Does it have to be one company?

[chuckychesthair]

I thought, the root servers themselves are authoritative for their entire toplevel domain

You are correct. They are authoritative for "." , the root zone. the .com zone is under that in the hierarchy. FQDN (fully qualified domain names) always end with a dot, to indicate the root. By convention, this is usually left out. So the FQDN for "slashdot.org" is "slashdot.org." , just try it in your browser, it will work.

So, I would automatically ask the server authoritative for bar.com about foo.com? Does not sound plausible -- either you are a guru or you are wrong :-)

w00t! So I'm a guru! :-)
(you would ask the same server about foo.com as bar.com, that's the way that remains manageable. You don't have to re-ask every question from the root down to where you need to be. You can re-use the most specific answer you still have in your cache about authority)

CC

Re:Does it have to be one company?

[mi]

Ok, but there is more than one .com server, is not there? Can some of them not belong to other companies?

They would all carry the entire .com (so that caches would still be valid), but the root-servers would redirect requests to them based on the formula I suggested or even on simple round-robin...

Re:Does it have to be one company?

[chuckychesthair]

That is the current situation. Verisign does not operate all .com servers. There are other companies that run slave servers for them, spread over the world. DNS clients (recursive servers, like the DNS server of your ISP that you use) round robin between the authoritative servers they know to get the fastest one and that's the one they'll stick with for a while.

CC

WARNING

[ta+bu+shi+da+yu]

Links to a Last Measure troll site. If you want to hear "I look at Gay Porno!" then be sure to follow that link. You have been warned.

Not very insightful..

[beldraen]

First of all, there is more to domain names than just registering a name. You obviously believe in first come first serve, but the American economy is not a free economy. It has command elements to protect against fraudulent acts, malicious content, and trademark disputes. Secondly, a decentralized system only works on the merits of the people wanting it to work. Just look at Kazaa and the music war there. Most of the music is poisoned. Do we really want domain name wars when one hot-headed tech gets pissed at another group and decides to flood the DNS with garbage? Have you ever looked at the number of newsgroups that exist solely because some yucko wanted to have alt.vampire.bite.flonk.flonk.flonk? A decentralized system can easily accept additions, but they are often difficult to remove entities.

Originally, DNS was purely handled by your HOST file. The number of DNS entries is a non-trivial amount. It was centralized to help us out. After all, it is amazing that people do not charge for such a necessary service. Do not confuse in theory and in practice. In theory, the system is a good design. In practice, we have not put the political pressure to lawmakers to force DNS host to operate solely to RFCs. That is to where anger needs to be vented.

Re:Not very insightful..

[MrDomino]

I hardly believe in first come, first serve--which, incidentally, is closer to the current centralized domain registration system than to a well-implemented decentralized one. The domain will resolve to whichever address is most appropriate based on the answers given and the trust ratings of the answering computers; this way, rather than having a single centralized mish-mash of domains like foobarbaz123.com, communities can form around sets of domains pertinent to themselves.

This would not function at all like Usenet or Kazaa; trust would play a very important role, preventing junk-flooding, and the relevant domain names to any trust web would be a relatively small subset of the entire set of names. The system would not be a direct replacement for the current DNS registry; rather, it would be a different way of thinking about names in the Internet.

Re:Not very insightful..

[beldraen]

I respectfully disagree it is not first-come. After all, if I find out about your company first before you are ready to advertise, there is no central authority to stop me. The whole point of internet is to know that I got to the place that I intented to get; otherwise, it is man in the middle issues.

As for trust for peers is really trust for who has the larges set of associates. Just look at all the work google has to constantly go through to attempt to prevent people from uping thier page ranking.

I short: Unless you can find technical details that support the idea, I do not recognize how this system can stop flooding and spoofing.

I don't get it

[Flibberdijibbit]

Why would ICANN, the org that flogged Verisign over the Sitefinder fiasco, hire a company with ties to Verisign? I don't get it. The biggest problem getting anyone to notice is that the vast majority of the Internet population simply saw Sitefinder as a page that came up when a domain was typed in wrong. What most people don't know is that *every* unknown request for a domain was forwarded to Verisign's servers. Most disturbing in my mind (maybe because I'm an email admin) is SMTP connections went through to their servers. And if I remember correct, they accepted the entire conversation. Headers and message body. They then returned a 5xx level NDR back to the sender. They 'say' they weren't collecting data, but come on, at the very least, they had access to know good sender addresses. What corp wouldn't keep track of that goldmine of information??

Commission me! Oooh, Pick me!

[elronxenu]

Pay me big $$ and I'll happily report that Verisign should not be permitted to keep .com and .net. And I'll finish that report in world-record time!

bill gates loves open source

[master0ne]

is it just me or is the headline to this story simmilar to saying "bill gates lovers open source, because he worked with steve jobs, who loves company x, who donated to company y, who pressed a law suite aganst sco, for alleged copyright infringment, because sco is suing linux users, who it claims stole their code."?

Sorry, I didn't make it clear...

[the_rajah]

that I have used both of them as registrars and found that NetSol was difficult to deal with as compared to GoDaddy. I was taking that as an indication of what kind of company they are in general. I do know the difference between the two terms.

"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain

...kind of like...

[x2A]

Virtually every company in the IT world is connected to each other. Its like a big

...network!

Is it really bad?

[cpghost]

Perhaps that's because current competitors and bidders like, say, DeNIC and others are not really desirable from a technical, legal and political point of view?

Verisign is certainly not a good custodian for .net and .com (due to that Sitefinder debacle), but are other registry operators, at least the ones who are currently seeking to take the job, any better?

DeNIC?

[cpghost]

DeNIC? Under which jurisdiction? If they operate under German laws, some US domains will have to be purged from the registry. If ICANN, a US company, is really going down this route, they'll be submerged with law suits seeking damages. Is this really something they would want to expose themselves to?

See my comments from 2003 about Verisign

[hqm]

Their CEO is a sociopathic liar, at least in terms of behavior norms for responsible Internet protocol maintainers.

http://blog.lextext.com/blog/_archives/2003/10/20/ 4773.html

...lets call it...

[Heidistein]

Virtually every company in the IT world is connected to each other. Its like a big network! Like ... the internet!

Re:...lets call it...

[x2A]

yes, very good, you got the joke...

What was wrong with new coke?

[Mycroft_VIII]

Actually I rather liked new Coke.

Mycroft

Re:What was wrong with new coke?

[Mycroft_VIII]

But apparently one of the mods didn't like it. OH well so much for humor.(admittedly the feeble humor of admitting to likeing the new coke)

Mycroft

Re:Why change?

.org was transferred?
I have two active domains.
a .org and a .com
guess i should look-see where the rootz reside

The 'fox' isn't guarding anything

You are looking way too much into this.

If the 'fox' was still guarding the hen house, SAIC would never have sold them in the first place.

This is non news and quite stupid to even be listed.

Telecordia worked with VeriSign on ENUM...

[keithmoore]

If you actually check the references what you find is that Telecordia worked with VeriSign to test ENUM. Telecordia and VeriSign didn't develop ENUM - that was done by an IETF working group in which anyone could participate.

I don't personally think that VeriSign has served as a responsible steward of .COM and .NET (or of the root) and I don't think they should get to keep .NET. But I don't see anything wrong with VeriSign helping to test ENUM.

ohthankgod

[rs79]

1) Sitefinder: At the time NSI did this two doezen other cctlds did this. NSI's point was "hey, either we can all do it or nobody can". That doesn't seem unreasonable to me.

2) .net rebid: Have a look inside all the facilities that bid on .net and tell me you'd have picked someplace else. I dare you.

3) Location location location: Like the US govt was gonna let .net outside the the borders of the US. Good one.

Frankly I sleep a bit more easy about my 3 .net names now. (Hows that funky .org whois workin out for ya?)

*groan*

:-)

That was so bad that it's actually funny as hell.

Agreed

[metamatic]

My personal favorite was the impossibility of getting them to transfer a domain I had registered, for which I was the primary contact, to another party. Then when I tired of that, I tried to simply delete the registration, and found I couldn't persuade them to do that either.

They are incompetent buffoons. The only explanation I can think of is that they must have hired all their staff from the phone company.

Re:Why change?

[Desert+Raven]

Um, yeah. .org was transferred years ago. The registry is managed by Afilias, and the DNS is managed by UltraDNS.

No, but breaking DNS in the process is

[billstewart]

Sitefinder did a lot more than hijack unclaimed URLs - it did so without discussing the process with the community first, and it did so in a way that broke DNS for services other than Port 80 http.

• For instance, if you tried to telnet/ssh to missspelled-example.com, the right response is to return a "missspelled-example.com not found" packet, not to return sitefinder's IP address and then not be running telnet/ssh there.
• Similarly, if you tried to connect to https://missspelled-example.com on port 443, the right thing is to return that the DNS doesn't resolve, not to return sitefinder's address and hijack the connection.
• I don't know what it did to firewall-penetration applications that use Port 80 for something other than HTTP, e.g. some of Skype's games. It's one thing to say that tunnel-servers-over-http are evil and deserve to be broken occasionally (:-), but they still should be broken correctly.