ICANN Demands Verisign Stop SiteFinder Service

  • Bigwebmaster
  • Site Admin
  • Posts: 9193
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

For all these reasons below, ICANN has insisted that VeriSign suspend the SiteFinder service, and restore the .com and .net top-level domains to the way they were operated prior to 15 September 2003. If VeriSign does not comply with this demand by 6:00 PM PDT on 4 October 2003, ICANN will be forced to take the steps necessary to enforce VeriSign's contractual obligations.

On 15 September 2003, VeriSign unilaterally instituted a number of changes to the .com and .net Top Level Domain zones, including the deployment of a "wildcard" service. VeriSign's wildcard creates a registry-synthesized address record in response to lookups of domains that are not otherwise present in the zone (including reserved names, names in improper non-hostname format, unregistered names, and registered but inactive names). The VeriSign wildcard redirects traffic that would otherwise have resulted in a "no domain" response to a VeriSign-operated website with links to alternative choices and to a search engine.

Since that time, there have been widespread expressions of concern about the impact of these changes on the security and stability of the Internet, the DNS and the .com and .net domains. The Internet Architecture Board concluded that the changes made by VeriSign had a variety of impacts on third parties and applications, including (1) eliminating the display of "page not found" in the local language and character set of the users when given incorrect URLs rooted under these top-level domains, and instead causing those browsers to display an English language search page from a web server run by VeriSign; (2) causing all mail to non-existent hostnames in the .com and .net TLDs to flow to VeriSign's server (in addition to other effects on certain email programs and servers); (3) eliminating the ability of some applications to inform their users as to whether a domain name is valid before actually sending a communication; (4) rendering certain spam filters inoperable or ineffective; (5) affecting interaction with other protocols in a number of ways; (6) adversely affecting the performance of certain automated tools; (7) in some cases (where volume-based charging is applicable) increasing the user cost simply by increasing the size of the response to an incorrectly entered domain name; (8) creating a single point of failure that is likely to be attractive to deliberate attacks; (9) raising serious privacy issues; (10) interfering with standard approaches to reserved names; and (11) generating undesirable workarounds by affected third parties.

The combination of these effects, according to the IAB, "had wide sweeping effects on other users of the Internet far beyond those enumerated by the zone operator, created several brand new problems, and caused other internet entities to make hasty, possibly mutually incompatible and possibly deleterious (to the internet as a whole) changes to their own operations in an attempt to react to the change."

The ICANN Security and Stability Advisory Committee, consisting of approximately 20 technical experts from industry and academia, issued a statement on 22 September 2003 that concluded that:

VeriSign's change appears to have considerably weakened the stability of the Internet, introduced ambiguous and inaccurate responses in the DNS, and has caused an escalating chain reaction of measures and countermeasures that contribute to further instability.

VeriSign's change has substantially interfered with some number of existing services which depend on the accurate, stable, and reliable operation of the domain name system.
  • Many email configuration errors or temporary outages which were benign have become fatal now that the wildcards exist.
  • Anti-spam services relied on the RCODE 3 response to identify forged email originators.
  • In some environments the DNS is one of a sequence of lookup services. If one service fails the lookup application moves to the next service in search of the desired information. With this change the DNS lookup never fails and the desired information is never found.

VeriSign's action has resulted in a wide variety of responses from ISPs, software vendors, and other interested parties, all intended to mitigate the effects of the change. The end result of such a series of changes and counterchanges adds complexity and reduces stability in the overall domain name system and the applications that use it. This sequence leads in exactly the wrong direction. Whenever possible, a system should be kept simple and easy to understand, with its architectural layers cleanly separated.

You can see much more about it here:
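
Added example, not part of the original post or of the ICANN statement: a small offline Python simulation of the wildcard behaviour described above. It shows the RCODE 3 sender check and the lookup-chain fallback failing once answers are synthesized, and a probe that detects the synthesis. The `ToyZone` class, the names and the addresses are constructed for illustration.

```python
import secrets

NOERROR, NXDOMAIN = 0, 3  # DNS RCODEs; RCODE 3 is the "no domain" response

class ToyZone:
    """Constructed in-memory stand-in for a TLD zone (no real DNS data)."""
    def __init__(self, records, wildcard_addr=None):
        self.records = records              # registered, active names
        self.wildcard_addr = wildcard_addr  # registry-synthesized address, if any

    def lookup(self, name):
        name = name.lower().rstrip(".")
        if name in self.records:
            return NOERROR, self.records[name]
        if self.wildcard_addr is not None:   # wildcard answers everything else
            return NOERROR, self.wildcard_addr
        return NXDOMAIN, None

def sender_domain_exists(zone, mail_from):
    """Anti-spam check that relies on RCODE 3 to spot forged originators."""
    rcode, _ = zone.lookup(mail_from.rsplit("@", 1)[-1])
    return rcode != NXDOMAIN

def chained_lookup(zone, name, next_service):
    """DNS first; the next lookup service is consulted only if DNS fails."""
    rcode, addr = zone.lookup(name)
    return addr if rcode != NXDOMAIN else next_service.get(name)

def detect_wildcard(zone, tld, probes=5):
    """Probe random, almost certainly unregistered labels. If every probe
    resolves to one shared address, return it; otherwise return None."""
    answers = set()
    for _ in range(probes):
        rcode, addr = zone.lookup(f"{secrets.token_hex(16)}.{tld}")
        if rcode == NXDOMAIN:
            return None
        answers.add(addr)
    return answers.pop() if len(answers) == 1 else None

# Constructed sample data (documentation address ranges).
RECORDS = {"example.com": "192.0.2.10"}
SYNTH = "198.51.100.1"
LOCAL_DIRECTORY = {"buildhost.com": "10.0.0.5"}
PLAIN, WILD = ToyZone(RECORDS), ToyZone(RECORDS, SYNTH)

if __name__ == "__main__":
    for label, zone in (("no wildcard", PLAIN), ("wildcard", WILD)):
        print(label, sender_domain_exists(zone, "x@forged-sender.com"),
              chained_lookup(zone, "buildhost.com", LOCAL_DIRECTORY),
              detect_wildcard(zone, "com"))
```

With the wildcard in place the forged sender passes the existence check and the local directory entry is never reached, because the DNS step no longer fails.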

  • Genius
  • Posts: 6367
  • Loc: twitter.com/unflux

Post 3+ Months Ago

let's take em all down! :blackeye:

© 1998-2017. Ozzu® is a registered trademark of Unmelted, LLC.