
Paul Vixie on VeriSign (O'ReillyNet)

Here's an interview with Paul Vixie on O'ReillyNet about VeriSign's SiteFinder. "VeriSign kicked a sleeping dog. It's a bizarre thing to do. Was it really VeriSign's decision to make, unilaterally? Did it need permission to make this decision? If so, what entity has the authority to grant such permission? As a result there will be a big policy debate now. Someone will decide if permission needed to be had. Someone will decide if it should be delegated to someone else."

Paul Vixie on VeriSign (O'ReillyNet)

Posted Sep 24, 2003 20:38 UTC (Wed) by Baylink (subscriber, #755) [Link]

For those who missed the fuss, a couple weeks or so back, Verisign decided that if you sent a DNS query
for an unregistered domain in .com or .net, instead of getting the NXDOMAIN (domain doesn't exist) reply
specified by the standard, you should get the IP address of one of their servers, presenting a "we
couldn't find it, try this" page similar to those presented by IE (until you turn it off, as I always
do).

This has, as you may imagine, broken *lots* of stuff, including anti-spam programs which *need to know* if
a domain is valid or not, and inspired a thread on the North American Network Operators Group mailing
list titled "What *are* these people smoking?"

It's a fair question.

For me, it also raises questions about the supposed Chinese Wall between the registrar and registry sides
at Verisign: the gtld servers are run by the *registry*, who are *supposed* to be engineers... they had
to hack the nameserver code to do this, I *think*. (Maybe bind will permit wildcarding the 2LD in the
zone files; I wouldn't expect it, but I'm not Albitz *or* Liu.)
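
An added example, not part of the original comment thread: one way a domain-validity check (such as the anti-spam case mentioned above) can stay correct when a registry answers with a wildcard address instead of NXDOMAIN. The function names, the probe count and the constructed resolver with documentation-range addresses are assumptions made for illustration.

```python
import secrets
import socket

def system_resolver(name):
    """IPv4 addresses for name via the OS resolver; empty set if it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def fake_resolver(registered, wildcard_ip=None):
    """Constructed stand-in for a resolver so the example runs offline.
    Registered names return their own address; any other name returns
    wildcard_ip (registry wildcard) or nothing (honest NXDOMAIN)."""
    def resolve(name):
        if name in registered:
            return {registered[name]}
        return {wildcard_ip} if wildcard_ip else set()
    return resolve

def wildcard_addresses(zone, resolve, probes=3):
    """Look up random labels that cannot plausibly be registered.
    If every probe gets an answer, the zone is synthesizing records;
    return the synthesized addresses. Empty set means NXDOMAIN still works."""
    answers = [resolve(f"x{secrets.token_hex(12)}.{zone}") for _ in range(probes)]
    if not all(answers):
        return set()
    return set.union(*answers)

def domain_exists(name, zone, resolve, wildcard=None):
    """True only if name resolves to something other than the wildcard answer.
    Caveat: a registered domain deliberately pointed at the wildcard
    address would be reported as nonexistent."""
    if wildcard is None:
        wildcard = wildcard_addresses(zone, resolve)
    answer = resolve(name)
    return bool(answer) and not answer <= wildcard

if __name__ == "__main__":
    registered = {"example.com": "192.0.2.10"}  # constructed sample data
    for label, resolve in (("honest", fake_resolver(registered)),
                           ("wildcard", fake_resolver(registered, "198.51.100.1"))):
        for name in ("example.com", "no-such-domain.com"):
            print(label, name,
                  "naive:", bool(resolve(name)),
                  "checked:", domain_exists(name, "com", resolve))
```

Pass `system_resolver` in place of the constructed resolver to run the same check against live DNS.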

FOLO: I will not listen to hearsay, I will not...

Posted Sep 24, 2003 20:52 UTC (Wed) by Baylink (subscriber, #755) [Link]

[ actually reads piece ]

I see that they *are* doing it with a wildcard.

I note that you could cast this as a Verisign v Microsoft power play, since *IE* used to provide this
screen, and Verisign is, effectively, taking it away from them...

Paul Vixie on VeriSign (O'ReillyNet)

Posted Sep 25, 2003 13:02 UTC (Thu) by marlow (subscriber, #8204) [Link]

I don't approve of what they are doing and don't know what they are smoking. Also, they are not the first to do stuff like this.

However, they did it in a namespace that matters. nu-names is doing the same thing (redirects you to a wanna buy page), however, nu-names is the official .nu operator so it doesn't really bug anybody seriously.

VeriSign is both a registrar (competing with others) and handling the gtld servers, which should tell them to be more careful. They are going to piss others off very fast by doing stuff like this, and the U.S. is known to be a place where a lawsuit is coming up without much reason.

One thing is that they break stuff that relied on NXDOMAIN; the other thing is worse: it's about power and misuse of the power given to you. And it's going to cost them credibility if they don't look out. People are already looking on their fingers, since many domains that expire at VeriSign end up in domain pirates' hands (I don't say they work together with them, but they certainly don't do anything against it), and the thing of sending "invoices" out to other registrars' customers, moving the domains if paid, etc. wasn't really a lucky move either.

Paul Vixie on VeriSign (O'ReillyNet)

Posted Sep 26, 2003 21:39 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

I don't know why Vixie even acknowledges the argument that Verisign owns .com and .net. If you look at the history, it's obvious no one ever intended for those top level domains (TLDs) to belong to Verisign. They just wanted Verisign to operate the registry and name servers. The agreements make it clear that ICANN, with consensus of the Internet community at large, is responsible for determining what sort of name service should exist.

I don't know the story on .nu, but I assume nu-names is more than just a company hired to run its name servers, but rather an entity that stands in the same position as ICANN. So while we may disagree with nu-names' opinion on what's best for .nu, at least everyone has agreed that nu-names' opinion is the one that matters. I assume a similar situation exists for .museum, which also has a wildcard.

If ICANN lets Verisign get away with this, then it also has to let Verisign do things like modify DNS so it works better with a Verisign partner's DNS software, at the expense of everyone else's DNS software.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds