Resolving Everything: VeriSign Adds Wildcards

DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now results in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

wonder of wonders

what are the chances - using the [verisign.com]
search page that comes up at the
verisign site to search for "register" we find at the top of the
list a link to networksolutions.com (a verisign company). we also
note that searching for the same word at google [google.com]
does not result in that site being present in at least the first four pages of results.

yeah - thats a real useful search tool verisign has there - thanks so much.

Re:wonder of wonders

You at least have an option of turning off this "helpful" page in IE. No such feature from NSI.

Re:wonder of wonders

Sure you do, if you have a REAL router (or a DSL router even) you should be able to null-route that IP. Or actually, you might even be able to convince your ISP to do it with a short, friendly letter to the admin.

Stewey

Contact ICANN comments@icann.org

If you want this "feature" of verisign's turned off (I know I sure do), contact ICANN now. This is yet another example of Verisign having far too much unchecked power over the .COM and .NET registries.

Already discussed on the ICANN/GNSO mailing list

This is discussed on the ICANN/GNSO mailing list [icann.org]. A vote saying

gTLD Registry operators WILL return NXDOMAIN for ALL DNS queries for which there is not a REGISTERED domain name.

has been suggested. Sure seems like a good idea to me.

Complaint Form ICANN

The ICANN website [icann.org] has an online complaint form [internic.net].

To quote from the site in question:

Although ICANN's limited technical mission does not include resolving individual customer-service complaints, ICANN does monitor such complaints to discern trends.

Let your voices be heard!

Complaint submitted - the text

This complaint is regarding Verisign's recent decision to claim all non-registered .com and .net domain names for itself. It has done this by inserting a wildcard into the DNS registers, meaning an IP of 64.94.110.11 is returned for any domain name that has not yet been registered. That page is an advert for Verisign's domin registration services This is unfair competition with existing registrars - there is no means for myself, for example, to gain a similar foothold without actually purchasing each and every currently unregistered .com/.net name. It is also a technical breach of trust - the internet is not merely the web, and unknown domains should return errors rather than constantly try to contact Versign advert servers. Non web-based applications, such as ftp clients etc., will now incorrectly log that they have contacted the host you asked for when in fact they should have returned an error 'hostname unknown'. The same for traceroute, ping...any of these will not behave in a manner expected. I would be grateful if you could investigate this matter. Yours, Ian McCall

Re:Contact ICANN comments@icann.org

What is this, better living through DDoS?

No, this is receiving feedback from the affected administrators, engineers and other interested persons; said feedback hopefully leading ICANN to do the give Verisign a short, sharp lesson in "WHOA!".

You know, the job that they are supposed to be doing and all that kind of thing.

Re:Contact ICANN comments@icann.org

Sorry, but bullshit.

ICANN is responsible for, among other things, ensuring that it's registrars perform their duties properly. If an issue such as this one crops up, and the /. community (trolls and non-trolls alike) decide to make their complaints known using the established protocol that ICANN itself has provided for such matters, so be it. Yes, this will generate an enormous volume of sometimes absurd attempts at flaming, and yes, someone at ICANN has probably filtered all that traffic - although I suspect not to a circular file as you seem to suggest, but to a count-aggregation file to provide a record of public comment.

Face it - sometimes, being responsible for a little thing like the internet can be a bitch. Most of us do have to deal with inane crap as a part of our daily grind, although I admit that getting 20,000 emails suggesting I view a goatsex link in a single day would probably be unusual for me at least. But at least ICANN has said outright that they aren't going to read all of them :) But that's their job, and the closetfull of people who work for ICANN get paid to do it, knowing fulll well that things like this will happen. Big deal. Such is life, such is work. Or do you have a job where your responsibility is guaranteed to be 100% hassle-free? If so, I applaud and doubt you.

Waste of time

As another person mentioned this already, e-mailing them is a waste of time unless you're a corporation with extra cash.

How do you fix this problem? DON'T USE THE ICANN ROOT SERVERS. Easy as that.

Plug: OpenNIC (for ICANN users) [unrated.net] and OpenNIC (for OpenNIC (and its peers) users) [opennic.glue]

Re:Waste of time

If your ISP won't switch over or you don't want to run your own nameserver.. there is a list [unrated.net] of publicly available tier 2 servers that you can switch to that are offered by OpenNIC members.

Boycott Thawte (Verisign's SSL subsidiary)

If you have SSL certificates from Thawte [thawte.com] (a subsidiary of Verisign), you can send them a message today.

Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.

You can tell them "it's a trust thing" (their own motto).

Re:Boycott Thawte (Verisign's SSL subsidiary)

Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.

Superb idea, ajks. Have a cookie (or a certificate).

Here's a form-letter version of the email I'm about to shoot off to our rep, the delightful(!) Barbara:

Dear [Thawte Rep Name],

I am an employee (and listed CSO) of [company name], which purchases 128-bit SSL certificates from Thawte. We purchase approximately [x] certificates a year, which works out to approximately $US[y] per year.

As you might be aware, Verisign, parent company of Thawte, has recently introduced a deceptive and misleading practise with regards to DNS resolution of non-existent domains. Any attempt to locate the IP address of a domain which is not registered (www.non-existent-domain.com) will, rather than returning an error message, return the address of a Verisign advertising server.

This practice is not only ethically dubious, it is also something which promises to cause untold headaches for network administrators all over the world, as well as confusion for end-users of the Internet, all purely for the financial benefit of Verisign.

I am not writing this letter to you in an official capacity as representative of my company: however, I wish to advise you that come certificate renewal time, I will be strongly recommending to my company that we change to an alternate SSL certificate provider, rather than Thawte, if this practice of Verisign's is still in place.

As the listed CSO of this company, I strongly expect that my stance will result in the direct and immediate loss of this $US[y] worth of annual business to Thawte.

This is an selfish and narrow-minded move on the part of Verisign, and I have no hesitation in recommending that my company withdraw its business from Thawte.

Kind Regards,

[Your Name],
[Your location]

We're a small company: but even in our case, [x] and [y] are are 10 and 3000 respectively. It won't take that many to make a sizeable hole in Thawte's pockets.

Re:wonder of wonders

It is not that bad. At least if you enter "Verisign sucks big donkey balls", two of the three first results are from Slashdot.

Re:wonder of wonders

More fun with sitefinder.verisign.com [verisign.com]

Hmm, cross-site scripting. Seems harmless enough, but I wonder if VeriSign stores anything important in the verisign.com cookie...

Re:wonder of wonders

No, the real fun is that if you misspell verisign like this:
http://www.veirsign.com [veirsign.com]
Looks like someone beat them at their own game. :)

Re:wonder of wonders

Actually, the verisign search seems to be pretty good. A search for FUCK VERISIGN [verisign.com] returns a slashdot article about verisign sending out deceptive domain renewal mail as the second result.

Complain to ICANN *NOW*

In order to get this rather unwelcome act of Verisign's reversed, EVERYONE should contact ICANN immediately.

comments@icann.org

Re:Complain to ICANN *NOW*

If ICANN was still there for the good of the internet, yeah, that should work. Otherwise, you should only bother complaining if you're a CEO.

Complain to Verisign as well

They don't seem to have an e-mail address for the category of "Subversion of the global DNS," so pick one of the following e-mail addresses and use it to CC your complaint to Verisign:

authenticode-support@verisign.com,
billing@veri sign.com,
channel-partners@verisign.com,
clientp ki@verisign.com,
consultingsolutions@verisign.com ,
dbms-support@verisign.com,
dcpolicy@verisign.c om
digitalbranding@verisign.com,
dnssales@verisi gn.com,
enterprise-pkisupport@verisign.com,
ente rprise-sslsupport@verisign.com,
info@verisign-grs .com,
internetsales@verisign.com,
IR@verisign.co m,
jobs@verisign.com,
mss@verisign.com,
objects igning-support@verisign.com,
paymentsales@verisig n.com,
practices@verisign.com,
premiersupport@ne tworksolutions.com,
press@verisign.com,
privacy@ networksolutions.com,
renewal@verisign.com,
supp ort@verisign.com,
verisales@verisign.com,
vps-su pport@verisign.com,
vts-csrgroup@verisign.com,
v ts-mktginfo@verisign.com,
webhelp@verisign.com,
websitesales@verisign.com,
websitesupport@verisig n.com

Re:Complain to ICANN *NOW*

Well, regardless of whether it will work, I tried:

Verisign has continually been abusing the power that has been handed out to them. Two such examples are its mailing of false renewal notices, and its most recent exploit: sitefinder.verisign.com. Now, nearly all mistyped names will be sent to Verisign where they can do whatever they like to the unwitting user. There are even categories on sitefinder.verisign.com where one can browse and go to sites which are undoubtedly paying Verisign for the space.

Please take this, and the hundreds or thousands of e-mails you will receive, into consideration, and exercise the power that ICANN has. Verisign has continually been abusing and tricking people through deceptive business practices, and this should be the last straw. Verisign should not only be removed from it's post, but it should also be fined for its numerous escapades designed to make money.

Sincerely,
Michael B****

I've got to wonder: where do they come up with such evil ideas? Verisign must have a beowulf cluster of insensitive clods...

Re:wonder of wonders

Speaking of search engines. What would happen if a significant number of web sites put links on every page to a poison page. This poison page would generate 10,000 random links of the form "www.verisignblows948950948393903848585.com", with the number obviously being random. How long would it take for all the search engines and web crawlers to hit this and have a serious impact on verisigns servers?

Now, I'm not suggesting anybody do this, I'm just asking the question.

Re:wonder of wonders

No, that won't work at all.

First, Verisign put an exclude: / in their robots.txt.

Second, do you really think Google doesn't know how to handle wildcards by now? Think about it for a second. Even Slashdot has a wildcard - anything dot slashdot.org goes to the homepage. Does Google index Slashdot an infinite amount of times? Of course not. Why should it be different for anything dot com?

Re:wonder of wonders

Do you know how a DNS wildcard works? Apparently not. There is a SINGLE record that resolves all nonexistent .com and .net addresses to Verisign's sitefinder. Although I'm sure Google's massive server farm can handle storing 10,000 addresses it won't even have to. As soon as it sees the domain resolves to the same address it can move on.

Re:wonder of wonders

It's a single record for verisign, but there's no difference in the DNS response record. This means that a caching DNS has to keep every record that it gets back. This means that you could overload Google, but verisign would be unlikely to be affected.

And you can't ignore domains that resolve to identical addresses. Virtual web servers share the same address with different domain names. The web server uses the name to decide which set of web pages to serve up.

Re:wonder of wonders

From VeriSign global registry services... I have access to them - you just need to sign a contract with them. It's not hard.

Google caches IP info a good deal longer than is specified by TTL and such, and a lot of other fancy bandwidth reducing (but frustrating) tricks). Its known by people who pay a lot of attention to google, based on observations. Many people have good reason to pay attention to google - they make their living from the traffic they get from google.

joy

this should make troubleshooting dns records as a netadmin much more fun with all those glorious false positives... guess that means i'll have to learn how to spell finally!

Re:Seeeing the future

How big a problem will this be as most people/companies register common mispellings along with the right domain and make the mispellings point to the right site?

This was likely one of the primary motivations for this maneuver...to encourage formerly unnecessary registrations.

I've never registered mispellings of my companies domains, and the thought never even crossed my mind until now. I'm sure the crooks at Verisign saw this angle, in addition to the tons of free eyeballs.

Re:This is a bitch

Those spam-catching tools work by doing a reverse-dns lookup of the IP address that is trying to send the mail. This is different than doing a "forward"-dns lookup.

Not so.

A common spam filtering method is to check the envelope sender to see if the domain exists. Any mail that is sent with a faked envelope sender to which bounces can't be sent is spam.

That means querying for either an MX record or A record for that domain, and bouncing all the spam that doesn't have either. Now, thanks to verisign, all spam sent with forged envelope senders in .com or .net wil go straight through this spam filter, increasing the amount of spam in many peoples mailboxes.

Yes, in theory you could look for the magic A record returned, but to do so is something of an operational nightmare, and impossible to do with most current MTAs.

Re:This is a bitch

I vote that we concider anything from 64.94.110.11 to be spam. That should take care of the problem for spam filters.

Re:Abusing the Power that be

Verisign has forgotten that they don't own the Internet: they were granted the power to run the root servers and manage primary DNS by the federal government. That government-granted monopoly is revocable. This is a risky maneuver, as it will have global implications. They will probably get their wrists slapped.

There is no Internet

(Pre-emptive strike: Insert Matrix-spoon reference here.)

I feel it is worthwhile to post a more general response to this point as well.

There is this myth that "the Internet" exists as a single, cohesive network. It does not, and never has. "The Internet" is a network of networks. What that means is that a bunch of independent network operators have agreed to exchange traffic with each other because it benefits them. When you dial in to your ISP of choice (or plug in your Ethernet cable or whatever), you're not connecting to the Internet. You're connecting to your ISP. Your ISP probably connects to their ISP. Their ISP (if you're lucky) connects to several other ISPs, who connect to other ISPs, and so on. All these independent network operators form "the Internet". So, "the Internet" exists as an abstract concept (and a useful one), but not as something you can touch. Not even as something you can route traffic through. All you can do is connect to some other guy's network and hope for the best.

The reason this is important is because we are already seeing ISPs implementing countermeasures against this VeriSign move. Some are null-routing that IP address at layer two; others are using DNS tricks to give us the old behavior. If enough ISPs do this, VeriSign's move will be largely ineffective. In effect, ISPs as a community can veto VeriSign or anyone else. It only works if most of them agree and take action, of course, and it remains to be seen if they will do that. And, of course, some of these countermeasures may themselves be easily defeated, leading to an arms race (like the spammer vs anti-spam arms race).

The possible consequences of all this are, shall we say, interesting.

(BTW, I don't disagree with the OP's suggested course of action, nor with the principle behind it. I'm just pointing out that things are, as usual, more complicated then they might appear.)

How Long...

until we get gator-type forced advertising (not just incidental unrelated ads on the page) whenever you make the slightest domain mistake? I get the feeling this doesn't bode well for the continued freedom of the internet, if one company can unilaterally do something of this magnitude. (But then again, Mr. Bush seems to get along fine.)

Re:How Long...

This happened to my mother just yesterday. She calls me complaining about "my computer has a virus!" I countered that their was no way her computer could know. This went on for a while..

My mother is visually impared. She was trying to go to www.biblegateway.com, but she went to www.gatewaybible.com. sacreligious scum.

It's hard for her to find the stupid MODAL popup windows when she is using a screen magnifier and the whole screen is not even showing...

A DNS error would have been MUCH nicer. She would not have even called me costing my employer productivity. Currently I know somebody is wasting money on those parked domains. This verisign situation is just sad.

How can we undo this?

Anyone have any information on whom to contact to put an end to this absurdity?

Re:How can we undo this?

Anyone have any information on whom to contact to put an end to this absurdity?

I think you mean Commander Taco. Or were you talking about that dns thing?

Re:How can we undo this?

ICANN and DoJ

Re:How can we undo this?

I checked their site [verisign.com], and found a Domain Names & Related Services contact number (888-642-9675), and gave it a try.

Unfortunately, the rep that answered the phone was unable to help, he said that he works for Network Solutions, and can only help with domain registration issues, and that the Verisign parent company runs the root nameservers. He was unable to give me a contact number for Verisign. However, you may want to try calling this number yourself to see if maybe a different rep has the contact number for Verisign.

I did a whois on the verisign.com domain, and came up with the main contact number for Verisign: 650-961-7500, but it's been ringing for the past 5 minutes, with no answer. One would think that they would have an automated voice-response system on their main number, so I think that they are being innudated with calls.

Strike Back with Poor Typing

As a Denial of Service Attack Iwill continue to manually typ