Verisign is, of course, the company that once had a monopoly in the
registration of .com names. That monopoly has been broken, but Verisign
is still the maintainer of the underlying database. This job is a nice
cash cow for Verisign; all it needs to do is keep the database running,
and it can extract an annual rent from every .com domain out there. Many
people would be happy with such a business.
Verisign, it would seem, wants more than that. So, at the beginning of
this week, the company slipped a little "wild card" entry into the
databases for .com and .net. The wild card entry
provides an answer for any domain query that does not otherwise appear in
the database; it is a default answer which now appears instead of the "no
such domain" response that came before.
What does this wild card do? If you look up something that doesn't exist,
say "scolinuxlicense.com", you'll get back an IP address (currently
184.108.40.206). If you send mail to that address, you get the world's
stupidest SMTP server (if you're bored, try a command like "telnet
bogusverisignhost.net smtp" and type five lines of random junk at it).
Web queries, however, go to the company's "sitefinder" service. There, the
user is confronted with a search engine and paid links aimed to help said
The information provided through the VeriSign Services is not
necessarily complete and may be supplied by VeriSign's commericial
[sic] licensors, advertisers or others.
In other words, it's really just another low-class domain hijacking scam.
In this case, however, there is more to it. Verisign has, by making this
change, fundamentally altered the way the Internet operates. A whole class
of diagnostic information - the fact that a given domain lookup has failed
- is no longer part of the DNS protocol when .com and
.net are involved. This change was not discussed with any of the
affected users or other responsible parties; it was simply done. Verisign
may have lost its monopoly on front-line domain name registration, but it
still seems to think it owns the underlying domains.
The change has had real consequences. For example, spam filtering which
relies on domain name existence tests no longer works. Bouncing spam with
fake return addresses now has to go through a discussion with Sitefinder's
SMTP server. The change is a generally bad idea; to have simply made such
a change without so much as a "by your leave" is an act of great arrogance.
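As an added illustration (not code from the article, from ISC, or from the Sitefinder countermeasure pages), here is how a domain-existence test of the kind the spam filters rely on can be made wildcard-aware: resolve a random label that cannot be registered under the same TLD, and treat any answer matching that address as "no such domain". `fake_resolve`, `REGISTERED` and the 192.0.2.x addresses are constructed stand-ins for the registry behaviour described above.

```python
import secrets
import socket

# Constructed stand-in for the .com/.net registries as described above:
# registered names resolve normally, anything else under .com or .net
# gets the wildcard address quoted in the article, and .org still
# answers "no such domain" (None).
WILDCARD_ADDR = "184.108.40.206"
REGISTERED = {"example.com": "192.0.2.10", "example.net": "192.0.2.20"}

def fake_resolve(name):
    if name in REGISTERED:
        return REGISTERED[name]
    if name.endswith((".com", ".net")):
        return WILDCARD_ADDR
    return None

def resolve_a(name):
    """Real lookup: the A record for `name`, or None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def wildcard_address(tld, resolve=resolve_a):
    """Probe a random label that cannot be registered under `tld`.

    A registry that still returns "no such domain" yields None; a
    Sitefinder-style wildcard yields the address it substitutes.
    """
    probe = f"wc-probe-{secrets.token_hex(8)}.{tld}"
    return resolve(probe)

def domain_exists(name, resolve=resolve_a):
    """Existence test that ignores wildcard answers.

    Any answer equal to the wildcard address is treated as a failed
    lookup. A real site hosted at that same address would be reported
    as missing, which is the price of doing this outside the resolver.
    """
    addr = resolve(name)
    if addr is None:
        return False
    tld = name.rstrip(".").rsplit(".", 1)[-1]
    return addr != wildcard_address(tld, resolve)
```

Call `domain_exists("scolinuxlicense.com")` with the default resolver to run the check against a live resolver; pass `fake_resolve` to exercise the constructed registry offline.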
The internet, however, is built on free software. There is already a patch
available from ISC for BIND 9 which defeats the new wildcard entries.
Linux users can find a program on this page which
uses netfilter to fix Sitefinder replies; that page also has pointers to
patches for a number of DNS servers and mail transfer agents. Verisign may
or may not decide to back down on this "service," but, since we own the
infrastructure of our net, we can fix the problem regardless - this time,
at least. Verisign's next move may not be so easy to counter.