Subject: (INTA-list) (INTA list) Verisign Hijacks Internet
From: "Bob Bradlee" <Bob@xxxxxxxxxxx>
Date: Thu, 18 Sep 2003 16:39:33 -0400 (EDT)
I will start out by warning readers that Geek is my first language; all spelling, grammar and language errors are in fact because English is a second language for me, and I tend to slip into Geek Speak when I get angry :)

On Monday 9/15/2003 Verisign made a small change in the way all .COM and .NET internet addresses are resolved to numeric addresses. More precisely, they are redirecting all unresolved addresses to a portal search engine for commercial purposes. As both an Internet Service Provider and holder of a Registered Trademark, I find this redirection to be totally unacceptable!

Those of you that know what I am talking about can skip my feeble attempt to explain how the system works. An understanding of how the system works will help one to better understand both the implications of this action and how it could happen.

The Dynamic Name Servers, or DNS, provide the necessary translation of human-language domain.names to the numeric IP addressing system used to route information or traffic across/around the Internet. For this example we will assume that the cached IP addresses for www.inta.org and www.cave.com have expired and "the system" is forced to go to the root level servers at the core of the internet to resolve the addresses.

First we will look at www.inta.org because it is in the .org "name space" (or zone in geek speak) and is unaffected by Verisign's latest action. First the DNS resolver checks with the root zone servers for a reference to the servers responsible for all the ".org" domains (TLDs in geek speak). A second request to the .org root server will return the addresses of the DNS servers responsible for the inta.org zone, or domain in English. The third and all subsequent references will be made directly to the Authoritative Zone servers responsible for the detail records for that domain.

This is an important point: The top level root servers only provide a redirection to an Authoritative Zone Server. It is the Authoritative server, owned and operated by the ISP on behalf of our clients, that is responsible for the detailed configuration, or master DNS record, for each name. It is these details that make up what a domain "is" and dictate how it interacts with the rest of the world.

It is from the Authoritative zone servers that we retrieve the actual IP address for the www host that resides within the inta.org namespace. In this case the DNS system promptly replies that 216.118.122.142 is the IP address of the system responsible for replying to all HTTP requests for webpages. Any attempt to send email to the inta.org domain will resolve to 207.237.47.2, the IP address for mail.inta.org, where it will be accepted.

Why all this indirection, you may ask? IP addresses change from time to time. There is a big renumbering job underway as the internet begins to move from a 4 byte address to a 6 byte address, not to mention all the take-overs and mergers in this industry.

Now let's look at what happens when I typo and the system attempts to resolve wwwinta.org because I forgot the delimiting period between the computer name and the domain name in the host.domain.zone format. The first lookup determines that there are no authoritative servers for a domain name wwwinta.org and returns a not found error. Period, the end. Any attempt to send e-mail to wwwinta.org would abort and bounce; all is right with the world. The rejection of e-mail with bogus return addresses has become a front line defense in the war on spam at the ISP level.

Let's look at what Verisign has done with their new redirection. The same example using wwwcave.com will yield a DNS record from the root level server that ultimately points you to 64.94.110.11, sitefinder-idn.verisign.com. Not only is Verisign responding to web requests at that address but they are also responding to mail server requests. mailcave.com resolves to sitefinder-idn.verisign.com, with a functioning mail server running on that system that replies and handshakes with mail servers.

As the Registration Holder of CAVE(r) Reg number 2288047, I am not happy that every unassigned word containing the letters CAVE that is not currently registered is the property of and for the sole commercial use of Verisign! The fact that they are harvesting these requests for the purpose of referring them to a directory of potential competitors should have every Domain name holder up in arms.

Verisign was able to do this because they own and operate the Authoritative Zone servers for ALL .com and .net domains, and there seems to be no one to stop them.

I see three classes of victim affected by this: Trademark Holders, Domain Administrators, and the ISPs. As any ISP will tell you, this little stunt of theirs has broken a lot of anti-spam programs, which have begun either passing everything through or blocking everything depending on how they were configured before the rules we communicate by were unexpectedly changed on Monday.

end rant...

Bob Bradlee
Flames and Spam will be ignored :)

PS. You can blame Joe Dreitler at Jones Day for this rant; he referred my "what in god's name is going on here?" question to this list. :)

Some background. Time Warner has an agreement with Microsoft that allows them to redirect all rejected domain lookups to the Microsoft Network Search page as a service for their customers. This redirection is an added feature that is prompted by the failure to resolve, only affecting their customers, and not by using a wildcard default at the root level that affects everyone.

Many of the ISPs here in the US have chosen to block/black hole the Verisign address, and "patched" versions of DNS resolvers that test for and ignore Verisign's redirection began live testing within hours at the most offended of the ISPs. This will get ugly ......

Verisign's Contact page:
http://www.verisign.com/corporate/about/contact/index.html

The following have been "lifted" from the North American Network Operators Group (NANOG) Mailing List for the purpose of background, as I am sure very few of you are watching that list.

Matt Larson wrote:

> Today VeriSign is adding a wildcard A record to the .com and .net
> zones. The wildcard record in the .net zone was activated from
> 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is
> being added now. We have prepared a white paper describing VeriSign's
> wildcard implementation, which is available here:
> http://www.verisign.com/resources/gd/sitefinder/implementation.pdf
>
> By way of background, over the course of last year, VeriSign has been
> engaged in various aspects of web navigation work and study. These
> activities were prompted by analysis of the IAB's recommendations
> regarding IDN navigation and discussions within the Council of
> European National Top-Level Domain Registries (CENTR) prompted by DNS
> wildcard testing in the .biz and .us top-level domains. Understanding
> that some registries have already implemented wildcards and that
> others may in the future, we believe that it would be helpful to have
> a set of guidelines for registries and would like to make them
> publicly available for that purpose. Accordingly, we drafted a white
> paper describing guidelines for the use of DNS wildcards in top-level
> domain zones. This document, which may be of interest to the NANOG
> community, is available here:
> http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf
>
> Matt
> Matt Larson <mlarson@xxxxxxxxxxxx>
> VeriSign Naming and Directory Services

Chris Adams <cmadams@xxxxxxxxxx> wrote that a number of TLDs appear to have wildcard records:

> ac
> cc
> com
> cx
> mp
> museum
> net
> nu
> ph
> pw
> sh
> tk
> tm
>
> The following TLDs answer for '*.tld' but do not appear to have wildcard records:
> bz
> cn
> tw

Several people have commented on the Nice terms of service at http://sitefinder.verisign.com/terms.jsp :

The VeriSign Services are provided only for your personal and non-commercial use. You are not authorized to modify, copy, display, transmit, license, create derivative works from, transfer, distribute or sell any information, software, products or services obtained from the services VeriSign provides through this web site. You may not "meta-search" the VeriSign Services. If you want to make commercial use of the VeriSign Services, you must enter into an agreement with us to do so in advance.

There was an article, easily overlooked, in the NY Times this morning. Link below. (Free, registration required.)
http://www.nytimes.com/2003/09/15/technology/15MISS.html

Here is a SlashDot link:
http://slashdot.org/articles/03/09/16/1327248.shtml?tid=126&tid=172

Washington Post link:
http://www.washingtonpost.com/wp-dyn/articles/A996-2003Sep12.html

Interesting: this one was filed on the 12th, dated the 15th, about something that happened on the 15th. Maybe we know why Verisign jumped the gun on this.

More as time and interest permits...

Bob
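An added example, not from the post or from any ISP's actual patch, of the resolver-side check the post describes: probe the TLD with a random label that cannot be registered, record whatever address comes back, and treat any later answer consisting only of that address as a not-found error. The lookup functions and the 192.0.2.x addresses are constructed stand-ins; 64.94.110.11 and 216.118.122.142 are the addresses quoted in the post.

```python
import secrets

# Constructed stand-in for answers from the .com zone servers. 64.94.110.11 is the
# Site Finder address quoted in the post; the 192.0.2.x addresses are made up.
FAKE_COM_ZONE = {
    "cave.com.": ["192.0.2.10"],
    "www.cave.com.": ["192.0.2.10"],
}
WILDCARD_ADDRS = ["64.94.110.11"]


def com_lookup(name):
    """Hypothetical .com lookup: registered names get their own record, every
    other name gets the wildcard answer, so NXDOMAIN is never returned."""
    return FAKE_COM_ZONE.get(name, list(WILDCARD_ADDRS))


def org_lookup(name):
    """Hypothetical .org lookup with no wildcard: unknown names get an empty
    answer, standing in for NXDOMAIN."""
    return {"www.inta.org.": ["216.118.122.142"]}.get(name, [])


def probe_wildcard(tld, lookup_fn):
    """Query a random label that cannot have been registered. A non-empty answer
    means the zone is synthesising records; return that address set, else None."""
    label = "wc-" + secrets.token_hex(8)
    answer = lookup_fn(f"{label}.{tld}.")
    return set(answer) if answer else None


def resolve(name, tld, lookup_fn):
    """Resolve with the wildcard filter: an answer that is nothing but the
    synthesised addresses is reported as NXDOMAIN (None), so a mistyped name
    bounces mail and fails web requests instead of landing at the portal.
    Caveat: a registered name deliberately pointed at the same address would be
    filtered too, and a wildcard that rotates addresses would slip through."""
    synthesised = probe_wildcard(tld, lookup_fn)
    answer = lookup_fn(name)
    if not answer:
        return None
    if synthesised and set(answer) <= synthesised:
        return None
    return answer


if __name__ == "__main__":
    for host in ("www.cave.com.", "wwwcave.com.", "mailcave.com."):
        print(host, resolve(host, "com", com_lookup))
    print("wwwinta.org.", resolve("wwwinta.org.", "org", org_lookup))
```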