VeriSign Responds To ICANN's SiteFinder Advisory

dmehus writes "VeriSign's Naming and Directory Services division has written to ICANN President and CEO Paul Twomey regarding the recent advisory concerning VeriSign's DNS wildcard redirection service. In the letter, VeriSign's Rusty Lewis says that they are open to independent and objective technical concerns expressed by various Internet bodies; they have formed their own "independent" panel of industry leading experts to produce its own, separate report; and they will not voluntarily suspend SiteFinder. It's a very terse response, and frankly, I'd have expected more from them. Slashdot readers are encouraged to visit ICANNWatch for in-depth, expert discussion on this and other issues."

Huh?

From the letter to ICANN:

As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.

Well, I think that the world would have appreciated the same level of consideration before the system was ever even implemented in the first place.

Re:Huh?

Translation: We implemented something that may have broken large parts of the Internet, but we'll wait until everyone has given up on us fixing it before we decide whether to undo what we did.

By the time they decide if they really broke everything they broke, and whether they should temporarily suspend SiteFinder, everybody else will have routed around them.

BTW: Does anybody know what they're talking about when they claim that other TLDs have implemented something like SiteFinder?

Re:Huh?

http://verisignsucks.museum/ [verisignsucks.museum]

Just as an example.

I think *.museum is ok to have a wildcard for though, since not everybody can go out registering a museum domain name. It works similar to .com.au (unless .com.au changed recently). .com/.net and any other domain that requires no special terms to register domains for, should NOT have wildcards.

.museum versus .com

If one looks at the newsgroups as historically how something like this works, the .museum TLD is a highly restrictive, highly controlled domain. It's entire purpose is for respected institutions to be listed. So, them having a master index and a reply indicating an invalid domain makes sense, since the entire domain listing easily scrolls through a few screens only. It would be the equivalent of a comp or sci newsgroup; highly structured groups with moderation and content rules.

.com is the tld equivalent of alt., where anyone can create and post anything, without moderation, without structure. Attempting to impose structure, in the form of sitefinder, is stupid in this instance, since the organizations represented in .com are usually for-profit or attempting to jockey for position. If I have a business, do I now have to register every possible combination of my domain to keep idiots from being redirected to a customer of mine because they paid verisign to add them to the referral page for a misspelling of my domain name? I also have to worry about verisign giving precedence to domains registered through them in the recommended sites, and if I have a godaddy.com-registered domain, will I end up being denied business that would normally have realised that they made a typo, to fix it and come to me?

This is the real problem that I have with sitefinder. It being in the hands of a commercial organization who has exhibited a systematic behaviour of putting profit before anything else will only exploit this situation. They will start selling placement on messed up domain entries, they will start denying domains registered through other registrars the same regular placement as their own, and they will destroy what had been a fairly free and open system.

I'd recommend that if Verisign doesn't immediately stop this insanity that we write to our legislators and demand that control of the TLDs that versign manages be removed and handed to ICANN to deal with directly.

Re:Huh?

A wildcard GTLD was part of .museum's charter. Therefore it was approved and everything is fine. It was never part of the .com/.net GTLD contract and is not an authorized use of the domains.

Re:Huh?

Here is a little script that I whipped up to find out which TLDs have wildcard records.

#!/bin/sh
rm -f root.zone root.zone.gz
wget -q ftp://ftp.internic.com/domain/root.zone.gz
gunzip root.zone.gz
for i in $(grep ' NS ' root.zone | awk '{print $1'} | sort -u); do
host -ta "*.$i" 2>/dev/null
done
rm -f root.zone root.zone.gz

Examples in other TLDs

BTW: Does anybody know what they're talking about when they claim that other TLDs have implemented something like SiteFinder?

Here: .ac [sillyexamp...lashdot.ac] .cc [sillyexamp...lashdot.cc] .cx [sillyexamp...lashdot.cx] .mp [sillyexamp...lashdot.mp] .nu [sillyexamp...lashdot.nu] .ph [sillyexamp...lashdot.ph] .pw [sillyexamp...lashdot.pw] .sh [sillyexamp...lashdot.sh] .td [sillyexamp...lashdot.td] .tk [sillyexamp...lashdot.tk] .tm [sillyexamp...lashdot.tm] .ws [sillyexamp...lashdot.ws] .museum [sillyexamp...dot.museum]. (I posted something similar last time a similar story came up.)

Re:Huh?

As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.

That's an interesting thing for them to say, especially because earlier in the letter they said:

All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder.

So which is it? Have they not yet had a chance to gather any data, or have they gathered the data and found that it's beneficial to users? Or, as seems most likely, are they just saying anything that they think will get ICANN off their backs for long enough for them to sell a bunch of registrations?

Re:Huh?

I don't think I've seen this posted before, but some people may find it interesting. Here's the contracts [icann.org] between ICANN and Verisign for .com and .net (.org is there also, but it no longer applies).

Re:Huh?

Somebody mod the parent up.

Follow the link to the contract, choose 'functional specification' and then jump down to 'Nameserver functional specifications' which I quote:

Nameserver operations for the Registry TLD shall comply with RFC 1034, 1035, and 2182.

ICANN Please, Please, Please, Please, Please, PLEASE!!!! take that letter and offer to shove it up Verisign's ass gift-wrapped in their contract.

OR

<big giant cluebat>
You *THWAP* DON'T! *THWAP* BREAK *THWAP* THE R *THWAP* F *THWAP* C! *THWAP*
</big giant cluebat>

Re:Huh?

msaulters, for completeness, since you seem to be intimately knowledgeable on the RFCs, can you paste the relevant sections from these three RFCs that apply to Verisign's wildcarding?

Re:Huh?

Section 4.3.1 of RFC 1034 pretty clearly states that the response to a name query is to be:

If recursive service is requested and available, the recursive response to a query will be one of the following:

• The answer to the query, possibly preface by one or more CNAME RRs that specify aliases encountered on the way to an answer.
• A name error indicating that the name does not exist. This may include CNAME RRs that indicate that the original query name was an alias for a name which does not exist.
• A temporary error indication.

If recursive service is not requested or is not available, the non-recursive response will be one of the following:

• An authoritative name error indicating that the name does not exist.
• A temporary error indication.
• Some combination of:
• RRs that answer the question, together with an indication whether the data comes from a zone or is cached.
• A referral to name servers which have zones which are closer ancestors to the name than the server sending the reply.
• RRs that the name server thinks will prove useful to the requester.

Now, the section thereafter goes on to talk about wildcards, so they are pretty much out of luck for saying that VeriSign isn't implementing the RFCs correctly. However, another portion of the RFC makes it very clear that wildcards are only for use within an entity's domain of control (that is, *.foo.com in DNS will not affect lookups under bar.com). The key here is that it is up to the OWNER of the domain in question as to the appropriateness of wildcards in DNS. VeriSign does NOT OWN THE .COM TLD. They merely ADMINISTER it for ICANN. Thus, there is a very good case for VeriSign being in breach of contract by failing to cary out the wishes of the OWNER of the .COM TLD. Which in this case is ICANN.

Basically, I would be a bit more thorough before going to VeriSign, but afterwards, I'd still wack them over the head with the contract and force them to remove the wildcard.

-Erik

There is only one correct response to this.

Unilateral Military Action.

Translation, for the doublespeak impaired

In case you are not a doubleplusgood duckspeaker [demon.co.uk], here is a helpful translation of Verisign's letter to ICANN.

Dear Paul:
Translation: Dear meddlesome twit:

This will respond to the ICANN Advisory concerning VeriSign's Deployment of DNS Wildcard Service dated 19 September 2003.
We're about to tell you where you can stick your "advisory".

In the footsteps of several other registries that have done the same, we recently deployed a wildcard in the .com and .net zones.
Verisign has no problem being just as sleazy and underhanded as any of our competitors.

This was done after many months of testing and analysis and in compliance with all applicable technical standards.
Marketing sees dollar signs, and legal says we can get away with it.

All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder.
None of the lusers who installed "The Internet" on their computers has a clue that we've even done anything.

These results are consistent with the findings from the extensive research we performed.
They are, however, clicking the pretty buttons, just like we hoped they would.

We are, of course, very interested in any objective technical information ICANN may have received concerning the service and would welcome the opportunity to work with you to review such data. To that end, we have reached out to schedule meetings... of leading experts in the field.
Let's have a meeting. Then another. Then another. Then, we'll codify the new de facto "standard".

As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.
We're going to get our way, because we can, and there's nothing you can do about it. Weenie.

After completing an assessment of any operational impact of our wildcard implementation, we will take any appropriate steps necessary.
And if we don't get our way, we'll pay off anyone we need to.

I look forward to continuing to work with you on this issue.
Kiss our ass.

Best Regards,
See you in Hell,

Russell Lewis
Executive Vice President, General Manager
VeriSign Naming and Directory Services

Re:Gimme a break

Why do you seek to portray Verisign as such a sleazy company?

Because they are and always have been.

Besides using the fact that they run the root servers to hijack all unused addresses, in the past they've sent misleading correspondance to domain name owners to get them to switch registrars to verisign when all they want to do is renew.

Re:Gimme a break

It was Network Solutions (a company that was absorbed by Verisign) that created the concept of paying for domain names in the first place... there was a day when domains were free to the end users.

Re:Gimme a break

Why do you seek to portray Verisign as such a sleazy company?

If you ever had a domain with them, you'd think they're sleazy too.

I spent months trying to transfer a domain away from them, and when I finally thought I'd be able to do it, they told me "You can't transfer your domain when there are less than 30 days to the renewal date" - essentially, they made me pay $35 for 4 more days. Luckily, easyDNS [easydns.com] is nice enough to honor the remaining time on your domains.

Re:The real danger in Verisign's practices

ICANN can revoke their authorization last I heard. They are pretty much push-overs for corporations so I don't see any top down remedies to this blatent miss-representation of their powers.

On second thought, here is my idea: Have Verisign pay ICANN for every bogus returned DNS request, since technically Verisign has registered billions of domains, I'd say that ICANN is entitled to a mightly large chunk of Verisign revenues. More than the service is worth? One can only hope.

Another real danger is...

...that enough of a ruckus will be kicked up over this that someone will have the following bright idea:

Let's make this illegal!

Voila. Government steps in to take over .net, .com., and .org. Everyone's screwed. So much for the free, cooperative, works-of-our-own-free-will Internet. Thanks, Verisign.

Re:Another real danger is...

Government steps in to take over .net, .com., and .org. Everyone's screwed. So much for the free, cooperative, works-of-our-own-free-will Internet.

You're posting from your AOL account, the one you just got with your first PC purchase. Am I right?

If I am not right, and you've been connected to the internet for more than six minutes, then how can you possibly not know that the dot-com and dot-net servers were run by the US government for over a decade prior to Verisign, and domains were free of charge, and none of this crap happened.

Far from everyone being screwed, the NSF ought to take it over again.

Translated...

Dear Paul

After the extensive research of how IE directs bad names to MSN Search, we decided that we couldn't let the bastards at MS be only ones that makes money off of poor saps who can't type their URLs right.

We really don't give a rat's ass about what ICANN thinks but just to shut your whiney mouth off, I hires a review panel of leading experts in the field. They include Linux code reviewers from SCO, the guy who thought of domain parking for Register.COM, and the guy who invented One-Click shopping.

As to your call for us to suspend the service, I'd like to politely say "go fuck yourself" with the upmost respect ICANN's Chairman, Vint Cerf, and ICANN's Security and Stability Advisory Committee, Steve Crocker. Crocker, now that's a funny name, just like ICANN.

If you send any more letters, I will personally wipe my ass with it.

Go to hell,

Russell Lewis
Executive Vice President, General Manager
All Your Typos Are Belong To Us, Inc.

Re:The bottom line...

If your domain registration site is using a DNS lookup to check if a domain is registered, it is a very poor domain registration site. There is no guarantee that if a domain is registered, there are nameserver records for it anywhere except the gTLD root nameservers.

Registrars should be using the SRS system provided by VeriSign Naming and Directory Services to check if a domain is registered. This is the same system that they use to register domains with the registry (run by VNDS). This system can and does provide a definite yes or no as to whether a domain may be registered.

Love VeriSign or hate it, but get your facts straight.

Re:+4 Informative ?

Not really. You posted anonymously, I didn't. Nothing against you (since I have no idea who you are, obviously), but I set very little stock by anything posted without a name. I understand that there are reasons to post anonymously, such as to not bring down the wrath of an employer. However, there's still the concept of if you won't even sign your name to what you've said, how much can it be worth? Additionally, a lot of moderators take the tact of never moderating AC posts up. And you also started your post with a personal insult, which a lot of people automatically view as flamebait.

Either way, the important thing is that someone got modded up to point out how wrong that guy was. And that he got modded down.

-Todd

On the other news...

The same "independent" panel of industry leading experts recommends SCO's Linux license and conducted a study showing that Windows is indeed cheaper than Linux and BSD.

"several other registries"??

In the footsteps of several other registries that have done the same, we recently deployed a wildcard in the .com and .net zones.

Which ones?

Re:"several other registries"??

Which ones?

dot .ws, for one: try this [nowebsiteiaosdfjik.ws]. I think many other countries' 2-letter codes do the same, especially if the country has sold their national online identity for cold, hard cash.

This is the last straw

I think it's time for ICANN to look for someone else to run the NET and COM TLDs. Not only are they unwilling to suspend SiteFinder after an enormous public outcry and a direct request from ICANN, but they didn't even bother telling anyone they were going to do this in the first place ahead of time. This is absolutely terrible, and I hope ICANN finds someone else to manage these TLDs

Bound to happen eventually

We'll know if these "negotiations" fall apart if "www.icannwatch.org" suddenly displays SiteFinder.

For us non Sysadmins

Okay, so I can see and understand the effect wildcarding had on the domains, and why it's bad thing.

I'm also familar with the basic structure of the DNS network. However, I'm not familar with the regulatory system.

Can someone explain who regulates who gets to control what domains? Can ICANN revoke Verisign's control of the .net and .com domains? If not, who can?

Perhaps the biggest concern...

of SiteFinder is the fact that non-English speakers no longer receive an error message in their own language, but are confounded with some bizarre English language site which certainly wasn't where they were trying to get to.

So who actually expected them to cooperate?

Obviously this project has a significant return - otherwise they would not have invested some amount of time and energy into its implementation, knowing the backlash that was to be expected. That said, you really thought they'd give it up without a fight, especially considering the damage they've already done to their brand? Oh the arrogance.

Check out the TOS

Here is something interesting: Check out the Terms of Service:

http://sitefinder.verisign.com/terms.jsp

Is there anyway I can turn this service off? I disagree with the terms.

Ted

Re:Check out the TOS

Check out point 14. If you spell a domain incorrectly, your accept the terms:
14. AGREEMENT TO BE BOUND.
By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference.

IANAL, but is there any legal precidence about this type of licence? Isn't this the same sort of thing as having to open a sealed box to be able to read the licence, which then states that by unsealing the box you've agreed to the licence?

I have a feeling that their licence would totally fall over in court - since there is no consent - which means that nothing in the licence would be enforcable, and despite what section 12 says (they're not liable for damages/whatever resulting from their 'service'), you could probably do something like.. sue them for any spam (provided your jurisdiction has laws against spam) that got past your spam filters because it failed the valid domain name check.

Re:Check out the TOS

Oh, I espessially liked this one:

10. SOLE REMEDY

Your use of the verisign services is at your own risk. If you are dissatisfied with any of the materials, results or other contents of the verisign services or with these terms and conditions, our privacy statement, or other policies, your sole remedy is to discontinue use of the verisign services or our site.

Translation: If you don't like what we did, stop using DNS.

(btw, /. wouldn't let me post that as it was, in all caps. Why do lawyers do that? It is a proven fact that people often skip past sections of text like that, since it seems like noise and the brain just filters it out.. Is that just another tactic by lawyers (besides making licence agreements inane, long, and boring in the first place) to make you skip over certain sections? Make you think you read it all and agree anyways, even though your brain just filtered out the part removing them of all liablity..

Re:Check out the TOS

Is there anyway I can turn this service off? I disagree with the terms.

I've been discussing this with Verisign for a week now, and Verisign legal is supposed to get back to me on that exact question.

From the Terms of Service:

10. Sole Remedy.
YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED ... YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.

My question to Verisign was "I'm dissatisfied. What does 'to discontinue use of the Verisign services' mean? I can move many domains to other TLDs, pull the Verisign root certificates from a few hundred workstations, cancel a PayFlow account that handles a few hundred thousand dollars per month, and have my clients cancel several thousand dollars worth of SSL certificates. Is that what you want me to do?"

Again, no response as yet. :-)

Come on guys

This is just bad business. We all know how this is going to turn out-- it'll bounce back and forth from Verisign to ICANN to the tech press and eventually to the mainstream press until the negative publicity reaches the point where Verisign won't have any alternative but to yank it.

See, two days ago this was a technical issue that only a handful of nerds cared about. Two months from now it's going to be "Verisign, the organization granted a monopoly on control of the entire Internet and insists on defyingthe rest of the Internet community." People who never even heard of DNS will come away from this thinking that Verisign means shady.

Save us all the time and dozens of inevitable Slashdot stories (+ dupes) and dump the thing.

Of course, we all know what this means...

WAR!

Lauch the blacklists!!!

Verisign just lost it's monopoly over DNS with this stunt methinks. They pised off ICANN, EFF, Slashdot, 99% of the tech industry, and instead of putting their foot in to test the water and going "oh, the shark that just bit my foot off might be a problem" they say "eh, it's just a foot". Everyone is justifyable angry about this.

So, they took of their glove, slapped a couple million people in the face, threw the glove to the ground and drew their sword, to have a mideval analogy.

I say we blacklist their entire domain of advertising websites. A form of blackmail and protest; if nobody can get to their website to register, then they can't very well do buisness effectivly now can they? Sure, people'll get angry about how they can't reregister. The whole point is to show verisign what happens when you piss us off. Lets make a mess so big out of this that they'll never recover!

Network Solutions responded to me once again...

It appears that Network Solutions may have learned to tuck tail and run whenever anyone comes asking what the hell their parent company is doing.

When they responded to me last week [slashdot.org], they told me that Verisign was "well within the guidelines" that Verisign set up in the document they created for their own "service."

Now I only get form responses from NetSol drones: "It seems you are having trouble with the SiteFinder service. Please read the SiteFinder FAQ at: ..."

Is it accessible to the blind?

If not, what better target for a lawsuit!

Reach these idiots directly

Hey, if you feel strongly about this issue, you can reach them directly. Just call 703 925 6999. That's the direct line for VeriSign Naming and Directory Services. I tried to get Rusty on the line, but they're on the East coast and he had already left the office.

I just spoke with a nice secretary lady whom told me that she was 'sad to hear' that I, "an investor", was going to sell my "2000 shares" of Verisign first thing in the morning due to their horrible wildcard DNS policies.

When I asked why they are doing this, she told me it was a "marketing decision" and that "somebody in the marketing department" thought it up.

She said that I was the first person she had heard complain about it, though she had read somewhere that it was "controversial".

If anybody has any success getting through to these people, post any interesting tidbits you find out. Thanks.

Re:Reach these idiots directly

Here is the response I got back:

Subject:Site Finder Discontinuation Request

Dear xxx,

Thank you for contacting VeriSign Customer Service.

Thank you for your feedback on the Site Finder service. It is not possible to opt out of the service. The Site Finder response is incurred when a non-existent domain name query in com/net is directed to us. It is not a service in which someone would subscribe to or sign up for.

For more information please refer to our FAQs: http://www.verisign.com/nds/naming/sitefinder/

We remain committed to ensuring that Site Finder improves Web navigation and the user experience.

Thank you.

If you require further assistance please contact us by replying to this email.

Best Regards,

David Reid
Customer Service
VeriSign, Inc.
www.verisign.com
sitefinder@verisign-grs.com

Interesting

I think it's interesting how ICANN is coming at this situation. I think you have to realize how much money VeriSign makes ICANN. I'd dare to say that over 70% of all of ICANNs revenue is generated from VeriSign.

So It's sort of the same situation that we are in with Middle Eastern Oil. We're trying to tell them, 'Hey, make it cheaper and give us more' but we cant strong arm them. 'cause if they up and leave we're left high and dry.

If VeriSign were to be revoked their registrar status, ICANN would stand to lose millions.

Sign the petition

If you havent allready signed it, there's a petition at http://www.whois.sc/verisign-dns/ [whois.sc] to encourage Verisign to rack-off.

Fantasy email

Dear verisign,

The recent update to BIND contains a feature you should be aware of.

In 1 month, every lookup for any domain registered directly with verisign will fail with %0.1 probability.

The probability will increase by %0.1 per day until the wildcard issue is resolved or until verisign becomes useless as a registrar.

We look forward to a prompt and amicable resolution.

Best wishes,
The Internet.

Masterful piece of SCOspeak

In the footsteps of several other registries that have done the same, we recently deployed a wildcard in the .com and .net zones.

You need to know what's going on to understand this bit. What they want people to think is that other registries are also deploying wildcards in the .com and .net zones, but in actuality what they are saying is "Other registries have deployed wildcards, and we are doing the same, but in the .com and .net domains".

However, most people who are unhappy with VeriSlime will easily see through this piece of doublespeak.

Useful In Blocking Verisign?

I am a Mac OS X user and recently read an interesting hint [macosxhints.com] on the Mac OS X Hints [macosxhints.com] website.

It appears that simply blocking sitefinder.versign.com leads to a rather unpleasant 'timeout' error in a browser: a long wait prior to a timeout is hardly better than an instant appearance of VeriSign's SiteFinder service.

However, one of the users, in the comments on the hint, noted that "[w]hen you type an incorrect URL, the Verisign DNS server actually returns an IP address, which is that of sitefinder-idn.verisign.com."

He continues, "Blocking the sitefinder-idn.verisign.com server in the manner recommended in this hint would save a fraction of a second but the main problem with this hint is that it suggests blocking the response when a far more efficient method would be to block the outgoing request. The system tells the browser that permission is denied for this request and the browser passes that information along immediately. Thus, the rule I use is:

sudo ipfw add 1170 deny tcp from any to 64.94.110.11 setup

I have been using this rule without any noticeable problems. Perhaps it might be of use to others?

Re:Useful In Blocking Verisign?

Haha, I just turned it on (thanx, by the way) and I noticed when I went to a "creative" fake domain I made up, it still remembered the Verisign /favicon.ico bookmark icon from when I tried it before, even though the site obviously no longer responded...

Seriously though, someone should write a Windows virus that disables this thing from half the internet...

I hope they check their logs...

Because apparently www.fuckverisignuptheass.com leads to their wonderful service.

Re:I'm lost, please help.

There are a variety of problems with this.

• The most fundamental one from a systems-management standpoint (and the internet itself is one huge systems-management nightmare) is that DNS lookup is a core function that affects a lot more than just web browsing. You don't change such a core function without thoroughly testing the impact of such a change. At the very least, the co-operative nature of the internet requires that you at least tell everyone you're going to do it. And when people complain that you've just broken something, you damn well better put it back the way it was.
• A case in point: A lot of anti-spam software uses DNS look-ups to identify bogus return addresses. Since DNS for .com and .net is no longer returning "not found" for bogus domains, this function is now failing.
• Various legislatures and/or courts have passed/interpretted laws to forbid "squatters" from registering other people's trademarks (or typos of them) for themselves. Verisign has effectively just "registered" every unregistered/mistyped trademark and pointed it to their web site. For example, there's a local business who hasn't registered their name (a trademark) as a domain name. If someone asks for (thisbusinessname).com, Verisign will direct them to a web site (theirs) which instead suggests several other web sites. For the right price, a competitor of this business can have their web site listed here. This is no different from a competitor or unauthorised squatter registering the domain name... which they could be successfully sued for doing. The fact that Verisign is now profiting from the use of trademarks it does not own puts it on very shaky legal ground.
• This is a classic case of abuse of monopoly power. In much the same way that (for example) the US FCC licenses broadcasters to use the public airwaves in ways consistent with the public good, Network Solutions (now owned by Verisign) was assigned responsibility for the .com and .net top-level-domains to be operated in ways consistent with the good of the internet community. Reckless management of that responsility, resulting in technical problems which it refuses to correct, and taking financial advantage of that trust in a way unavailable to any other entity... adds up to a "problem".

THEY ARE TRACKING CLICKTHROUGHS

Has anyone noticed that they are tracking the clickthroughs of the search results. (Note: google does not do this)

They are building a huge database of behavior. It is tied to your ip address. I wonder what their policy is on releasing that information to the government? (they originally were government chartered)

Hell. I wonder if they were put up to it by the Department of Homeland Securiy.

At the very least, it will prove to be an invaluable, and highly marketable database.

What you can do about SiteFinder

I will leave aside the hysterical responses others have proposed and suggest two simple actions that you can take to deal with this attempted coup by Verisign.

• Contact your ISP (or do yourself if you run your own DNS) and be sure that they have implemented the update to BIND which locks out this behavior. The truly obsessives will also go out and start finding random DNS servers and testing them to see if they are allowing anything more than delegation from *.com and *.net and then notifying DNS admins as appropriate.
• Make your feelings known to the other co-conspirator in this system: Overture. They are providing the back-end to this service and since they have been recently acquired by a publicly traded company (Yahoo) you may feel the need to contact Yahoo to express your opinion on this particular product line (or perhaps express your views in forums where Yahoo shareholders may be found.

Hit them where it hurts, in the bottom-line. Complaining to everyone may get this fixed, but patching your nameserver and then going after the back-end may also get results.

Alexa

If you check out Verisigns traffic page at Alexa (http://www.alexa.com/data/details/traffic_details ?q=&url=http://www.verisign.com [alexa.com]), you can see why they aren't easily giving up their sitefinder project.

Call your ISP, ask em to upgrade BIND

ISC.org has come out with a couple new versions of BIND (on several platforms) that makes the Verisign thing irrelevant.

Essentially, here's how it works;

Rather than simply accepting any response from any root DNS server, the new version of bind only accepts an NS record (that states the authoritative DNS server) rather than an A Record (which maps a hostname or domain to an IP address). So the root servers can only do what they are supposed to do; tell your local DNS servers where to find the authoritative servers. Even if they are configured to do something differently, BIND responds by forwarding an NXDOMAIN back to the querying client. Esentially, if an IP address comes back from the server, the response from the browser then becomes "DNS Error".

This has several advantages:

- it doesnt matter what ICANN does or what Verisign does, responses to DNS queries happen as they should.

- the patch fixes ALL of the TLDs, so it doesnt matter what the .RU or .CX or whatever registrars do.

- it can be done on the ISP level. Though I have no proof, I think there are BIG ISPs out there that have done this already (Earthlink has been mentioned).

- no routing, blocking or other stuff that could cause problems in the future is involved

- Joe Grandpa Internet User never needs to know, and doesnt notice anything different when the fix happens

I do not know about MS DNS Server, or other non-BIND DNS servers, but I am sure there will be patches or upgrades from your publisher.

If you run servers, go to ISC.org and read up about the upgrades. If you dont, check your publisher's web site. If you dont run DNS call or email your ISP and ask them to upgrade their BIND at their earliest conveneince.

Though I think it would be better if RFCs were binding, or if they were followed voluntarily... there is more than one way to get the right thing done.

Is this a sign of the end times?

In the days before the Federal Radio Commission (FRC) came onto the scene, the precursor to the FCC in the US, the radio spectrum was an absolute mess. Broadcasters could blast out a signal on any frequency at any time and drown out abutting programs. That's because where there are no laws or rules, there can only be chaos.

Could we be witnessing the same thing happening to the Internet? Will it slowly evolve into a near useless channel of communication as it becomes more and more corporatized and balkanized? If it does, it won't be long before Internet jockeys start demanding regulation and some kind of government cop to enforce standards and other general agreements for how the Internet should behave.

When will that day come? Who knows. Maybe 5 years, maybe 25. Perhaps it'll happen during the gale force wind of anti-corporate sentiment that's currently brewing in middle America. But the real trick will be to stop the corporations from dominating the regulatory process like they did with radio and television. I hope and pray the ideals the Internet was founded upon survive this process. We'll have to wait and see and petition hard for our respective governments to do the right thing.

Lets all let them know how we feel! Email here...

It may seem like a lot of effort, but, if everyone who hates this service just sends them a few words saying so, by email, by putting the following list of every address they have into their send line, they wont have an email system at all :) And it might be just a little fun too! Here they are :) All 1 line, with , inserted, so you can just copy and paste it :) consultingsolutions@verisign.com, websitesales@verisign.com, verisales@verisign.com, clientpki@verisign.com, internetsales@verisign.com, paymentsales@verisign.com, dnssales@verisign.com, digitalbranding@verisign.com, vts-mktginfo@verisign.com, channel-partners@verisign.com, premiersupport@networksolutions.com, authenticode-support@verisign.com, objectsigning-support@verisign.com, enterprise-sslsupport@verisign.com, vps-support@verisign.com, webhelp@verisign.com, practices@verisign.com, renewal@verisign.com, vts-csrgroup@verisign.com, info@verisign-grs.com

Whom You Should Complain To:

1. The Department of Commerce [mailto]; VeriSign's contract to operate .com and .org was originally with them.
2. The Federal Communications Commission [fcc.gov], which oversees telecommunications.
3. The Senate Commerce Committee's Subcommittee on Communications [senate.gov]; contact the committee itself [senate.gov], the chairman [senate.gov], the ranking member [senate.gov], and any of the other members you'd like.
4. The House Subcommittee on Telecommunications and the Internet [house.gov], including the committee itself [house.gov], the chairman [house.gov], the vice-chairman [house.gov], and the ranking member [house.gov].

By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.

It's Time to Transfer the Administration ...

... of the all the top level domains to a supra-national organisation, because the current system is so demonstably open to abuse. Entire domains being effectively stolen from small countries, unused sub-domains being stolen wholus-bolus. This criminal behaviour is totally unacceptable to any fair thinking person.

It's time that the rest of the world took control of the DNS away from the corrupt outfit that has highjacked it and the Government which allowed that to happen.

Perhaps UNESCO [unesco.org] should run the DNS?
That's the United Nations Educational, Scientific, and Cultural Organisation.