Resolving Everything: VeriSign Adds Wildcards

Posted by timothy on Mon Sep 15, 2003 08:23 PM
from the gotcha dept.
DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now result in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

  • wonder of wonders (Score:5, Interesting)

    by wherley (42799) * on Monday September 15 2003, @08:24PM (#6970369)
    (http://jrw.sphinx.org/)
    what are the chances - using the [verisign.com] search page that comes up at the verisign site to search for "register" we find at the top of the list a link to networksolutions.com (a verisign company). we also note that searching for the same word at google [google.com] does not result in that site being present in at least the first four pages of results.

    yeah - that's a real useful search tool verisign has there - thanks so much.
  • joy (Score:5, Insightful)

    by digitalsushi (137809) * <slashdot@digitalsushi.com> on Monday September 15 2003, @08:24PM (#6970376)
    (Last Journal: Friday August 19 2005, @05:44PM)
    this should make troubleshooting dns records as a netadmin much more fun with all those glorious false positives... guess that means i'll have to learn how to spell finally!
  • Seeeing the future by Unregistered (Score:2) Monday September 15 2003, @08:25PM
    • Re:Seeeing the future by Robotech_Master (Score:2) Monday September 15 2003, @08:35PM
    • Re:Seeeing the future (Score:4, Insightful)

      by SwellJoe (100612) on Monday September 15 2003, @08:51PM (#6970732)
      (http://www.virtualmin.com/)
      How big a problem will this be as most people/companies register common misspellings along with the right domain and make the misspellings point to the right site?

      This was likely one of the primary motivations for this maneuver...to encourage formerly unnecessary registrations.

      I've never registered misspellings of my company's domains, and the thought never even crossed my mind until now. I'm sure the crooks at Verisign saw this angle, in addition to the tons of free eyeballs.

      [ Parent ]
  • But... by Anonymous Coward (Score:2) Monday September 15 2003, @08:25PM
    • Re:But... by HanClinto (Score:1) Monday September 15 2003, @08:28PM
      • Re:But... by alehmann (Score:1) Monday September 15 2003, @08:39PM
  • This is a bitch by Mohammed Al-Sahaf (Score:1) Monday September 15 2003, @08:25PM
    • Re:This is a bitch by josecanuc (Score:2) Monday September 15 2003, @08:28PM
      • Re:This is a bitch by josecanuc (Score:2) Monday September 15 2003, @08:30PM
      • Re:This is a bitch (Score:5, Informative)

        by SSpade (549608) on Monday September 15 2003, @08:33PM (#6970499)
        (http://samspade.org/)

        Those spam-catching tools work by doing a reverse-dns lookup of the IP address that is trying to send the mail. This is different than doing a "forward"-dns lookup.

        Not so.

        A common spam filtering method is to check the envelope sender to see if the domain exists. Any mail that is sent with a faked envelope sender to which bounces can't be sent is spam.

        That means querying for either an MX record or A record for that domain, and bouncing all the spam that doesn't have either. Now, thanks to verisign, all spam sent with forged envelope senders in .com or .net will go straight through this spam filter, increasing the amount of spam in many people's mailboxes.

        Yes, in theory you could look for the magic A record returned, but to do so is something of an operational nightmare, and impossible to do with most current MTAs.

        [ Parent ]
      • Re:This is a bitch by StewedSquirrel (Score:2) Monday September 15 2003, @08:33PM
    • Re:This is a bitch (Score:5, Insightful)

      by pavon (30274) on Monday September 15 2003, @08:31PM (#6970477)
      I vote that we consider anything from 64.94.110.11 to be spam. That should take care of the problem for spam filters.
      [ Parent ]
    • Re:This is a bitch by sould (Score:2) Monday September 15 2003, @08:32PM
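The sender-domain check discussed in this subthread (SSpade's MX-or-A lookup and pavon's suggestion to special-case 64.94.110.11), sketched as an added example that is not code from any poster or MTA. It goes one step further than the thread by probing a random label to learn the wildcard address instead of relying only on the hard-coded one; the `lookup(name, rtype)` callable and the zone data are constructed stand-ins for a real resolver.

```python
import secrets

# Address the story reports for the .COM/.NET wildcard A record.
KNOWN_WILDCARD_ADDRS = frozenset({"64.94.110.11"})

def naive_exists(domain, lookup):
    """The pre-wildcard check: any MX or A record means the domain exists."""
    return bool(lookup(domain, "MX") or lookup(domain, "A"))

def wildcard_addrs(tld, lookup):
    """A records returned for a random 32-hex-digit label nobody registered
    are the TLD's wildcard answers (empty set if the TLD has no wildcard)."""
    return set(lookup(f"{secrets.token_hex(16)}.{tld}", "A"))

def sender_domain_exists(domain, lookup):
    """Wildcard-aware check: MX counts; A counts only if it is not just the
    wildcard address."""
    domain = domain.rstrip(".").lower()
    tld = domain.rsplit(".", 1)[-1]
    if lookup(domain, "MX"):          # a wildcard A record does not answer MX
        return True
    wild = KNOWN_WILDCARD_ADDRS | wildcard_addrs(tld, lookup)
    return bool(set(lookup(domain, "A")) - wild)

# --- constructed test data, not real DNS answers ---
FAKE_ZONE = {
    "somecompany.com": {"A": ["192.0.2.10"], "MX": ["mail.somecompany.com"]},
    "webonly.net": {"A": ["198.51.100.7"]},
}

def make_fake_lookup(wildcard="64.94.110.11"):
    """Hypothetical resolver stub: registered names answer from FAKE_ZONE,
    every other .com/.net name gets the wildcard A record."""
    def lookup(name, rtype):
        name = name.rstrip(".").lower()
        if name in FAKE_ZONE:
            return FAKE_ZONE[name].get(rtype, [])
        if rtype == "A" and name.endswith((".com", ".net")):
            return [wildcard]
        return []
    return lookup

if __name__ == "__main__":
    lookup = make_fake_lookup()
    for d in ("somecompany.com", "soemcompany.com", "webonly.net"):
        print(d, naive_exists(d, lookup), sender_domain_exists(d, lookup))
```

In a mail filter, `lookup` would wrap whatever resolver the MTA already uses, and the probe result would be cached per TLD rather than queried for every message.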
  • Abusing the Power that be by guinness_duck (Score:1) Monday September 15 2003, @08:25PM
    • Re:Abusing the Power that be (Score:5, Insightful)

      by ScrewMaster (602015) on Monday September 15 2003, @08:29PM (#6970455)
      Verisign has forgotten that they don't own the Internet: they were granted the power to run the root servers and manage primary DNS by the federal government. That government-granted monopoly is revocable. This is a risky maneuver, as it will have global implications. They will probably get their wrists slapped.
      [ Parent ]
      • But they do manage those TLD's by nurb432 (Score:2) Monday September 15 2003, @08:50PM
      • ICANN by DragonHawk (Score:2) Monday September 15 2003, @08:55PM
        • Re:ICANN by leerpm (Score:2) Monday September 15 2003, @08:58PM
        • Re:ICANN by ScrewMaster (Score:2) Monday September 15 2003, @09:06PM
        • Re:ICANN by Hal9000_sn3 (Score:1) Monday September 15 2003, @10:23PM
      • There is no Internet (Score:5, Insightful)

        by DragonHawk (21256) on Monday September 15 2003, @09:19PM (#6971003)
        (http://slashdot.org/ | Last Journal: Saturday November 18 2006, @08:52AM)
        (Pre-emptive strike: Insert Matrix-spoon reference here.)

        I feel it is worthwhile to post a more general response to this point as well.

        There is this myth that "the Internet" exists as a single, cohesive network. It does not, and never has. "The Internet" is a network of networks. What that means is that a bunch of independent network operators have agreed to exchange traffic with each other because it benefits them. When you dial in to your ISP of choice (or plug in your Ethernet cable or whatever), you're not connecting to the Internet. You're connecting to your ISP. Your ISP probably connects to their ISP. Their ISP (if you're lucky) connects to several other ISPs, who connect to other ISPs, and so on. All these independent network operators form "the Internet". So, "the Internet" exists as an abstract concept (and a useful one), but not as something you can touch. Not even as something you can route traffic through. All you can do is connect to some other guy's network and hope for the best.

        The reason this is important is because we are already seeing ISPs implementing countermeasures against this VeriSign move. Some are null-routing that IP address at layer two; others are using DNS tricks to give us the old behavior. If enough ISPs do this, VeriSign's move will be largely ineffective. In effect, ISPs as a community can veto VeriSign or anyone else. It only works if most of them agree and take action, of course, and it remains to be seen if they will do that. And, of course, some of these countermeasures may themselves be easily defeated, leading to an arms race (like the spammer vs anti-spam arms race).

        The possible consequences of all this are, shall we say, interesting.

        (BTW, I don't disagree with the OP's suggested course of action, nor with the principle behind it. I'm just pointing out that things are, as usual, more complicated than they might appear.)
        [ Parent ]
        • Oops by DragonHawk (Score:1) Tuesday September 16 2003, @07:58PM
      • Re:Abusing the Power that be by boomi (Score:1) Tuesday September 16 2003, @09:27AM
      • Re:Abusing the Power that be by Excarnate (Score:1) Wednesday September 17 2003, @07:30AM
  • How Long... (Score:3, Insightful)

    by jlaxson (580785) * <jlaxson@NoSPAm.mac.com> on Monday September 15 2003, @08:25PM (#6970391)
    (Last Journal: Friday April 09 2004, @01:09AM)
    until we get gator-type forced advertising (not just incidental unrelated ads on the page) whenever you make the slightest domain mistake? I get the feeling this doesn't bode well for the continued freedom of the internet, if one company can unilaterally do something of this magnitude. (But then again, Mr. Bush seems to get along fine.)
    • Re:How Long... (Score:5, Interesting)

      by dnoyeb (547705) on Monday September 15 2003, @09:00PM (#6970828)
      (http://www.rigidsoftware.com/ | Last Journal: Saturday September 24 2005, @11:58PM)
      This happened to my mother just yesterday. She calls me complaining about "my computer has a virus!" I countered that there was no way her computer could know. This went on for a while..

      My mother is visually impaired. She was trying to go to www.biblegateway.com, but she went to www.gatewaybible.com. sacrilegious scum.

      It's hard for her to find the stupid MODAL popup windows when she is using a screen magnifier and the whole screen is not even showing...

      A DNS error would have been MUCH nicer. She would not have even called me costing my employer productivity. Currently I know somebody is wasting money on those parked domains. This verisign situation is just sad.
      [ Parent ]
  • How can we undo this? (Score:3, Interesting)

    by Anonymous Coward on Monday September 15 2003, @08:26PM (#6970395)
    Anyone have any information on whom to contact to put an end to this absurdity?
    • Re:How can we undo this? (Score:5, Funny)

      by Anonymous Coward on Monday September 15 2003, @08:31PM (#6970483)
      Anyone have any information on whom to contact to put an end to this absurdity?

      I think you mean Commander Taco. Or were you talking about that dns thing?
      [ Parent ]
    • Re:How can we undo this? (Score:4, Interesting)

      by pirodude (54707) <andyNO@SPAMmbrez.com> on Monday September 15 2003, @08:47PM (#6970679)
      (http://www.mbrez.com/)
      ICANN and DoJ
      [ Parent ]
    • Re:How can we undo this? (Score:4, Interesting)

      by r_weaver (563014) on Monday September 15 2003, @08:58PM (#6970809)
      I checked their site [verisign.com], and found a Domain Names & Related Services contact number (888-642-9675), and gave it a try.

      Unfortunately, the rep that answered the phone was unable to help, he said that he works for Network Solutions, and can only help with domain registration issues, and that the Verisign parent company runs the root nameservers. He was unable to give me a contact number for Verisign. However, you may want to try calling this number yourself to see if maybe a different rep has the contact number for Verisign.

      I did a whois on the verisign.com domain, and came up with the main contact number for Verisign: 650-961-7500, but it's been ringing for the past 5 minutes, with no answer. One would think that they would have an automated voice-response system on their main number, so I think that they are being inundated with calls.

      [ Parent ]
    • Type whatever you want... by Ieshan (Score:3) Monday September 15 2003, @09:07PM
    • Re:How can we undo this? by bahamat (Score:2) Monday September 15 2003, @09:41PM
    • Patch to djbdns by Russ Nelson (Score:3) Monday September 15 2003, @10:38PM
  • Strike Back with Poor Typing (Score:4, Funny)

    by nightsweat (604367) on Monday September 15 2003, @08:26PM (#6970396)
    As a Denial of Service Attack Iwill continue to manually typ