Resolving Everything: VeriSign Adds Wildcards
"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)
This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.
Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.
VeriSign has published white papers about their implementation and also made some recommendations."
Verisign would look nice in gasoline and flame (Score:5, Insightful)
Not only will mail have problems, as the "non-existent domain" check will always fail.. but this is completely criminal it seems.
I hate to mention, but they are giving Microsoft a dose of their own medicine.. taking away their ability to bring you to their 'search' page for non-existent domains.. and AOL's own feature similar to that. It hurts Google, since Verisign teamed with Yahoo on this one for search services (although Google provides Yahoo's search functionality for now).
Further.. they'll be harvesting bounced email addresses for sure. If you get spammed from a bunk domain, and it gets returned.. or you typo an email address.. they are nice enough to run a mail daemon on port 25 to harvest those addresses. It lets you HELO, MAIL FROM, RCPT TO, and DATA.. and then closes your connection.. just long enough to snag all the info it wants from you.
This entire thing is a mess, and seems like it should be highly illegal. Hopefully OpenSRS and GoDaddy and others will have a fit over it. This just seems completely wrong.
What about Google? (Score:4, Insightful)
I hope they get sued by every mail filter vendor, registrar, and search engine that they just damaged with this. And the government needs to review the powers they are granting to name-server providers.
Re:network operators are pissed at this (Score:5, Insightful)
We'll need to hack the resolver libraries and/or DNS servers to translate 64.94.110.11 into "no such domain". Verisign will add some more numbers, and soon we'll have blacklists.
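The two checks people in this thread want back, the anti-spam "does the sender's domain really exist?" test from the summary and the resolver-side idea above of translating Verisign's answer into "no such domain", can both be built on the same trick: a wildcard answers for names that cannot possibly be registered, so resolve a random label under the TLD and treat any name whose address matches that answer as NXDOMAIN. The following is an added example written for this page, not code posted by anyone in the thread. It injects a stand-in resolver with a constructed zone table so it runs offline; a real deployment would pass `socket.gethostbyname` (or a dnspython query) instead. The only address it knows is the 64.94.110.11 quoted in this thread; the random-probe path is what catches any further addresses Verisign might add.

```python
"""Detect a TLD-level wildcard and turn its answers back into NXDOMAIN.

Added example for this page. The resolver is injected so the code runs
offline; `fake_resolver` and `_FAKE_ZONE` are constructed stand-ins for
the live DNS, not real data.
"""
import secrets
import string
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]

# Address quoted in the thread. Listing it is the cheap check; the random
# probe below is the one that survives Verisign adding more addresses.
SINKHOLE_IPS = {"64.94.110.11"}

# Constructed zone table (assumption): the only "real" names our stand-in
# resolver knows about.
_FAKE_ZONE = {
    "example.com": "93.184.216.34",
    "mail.example.net": "192.0.2.25",
}


def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for a wildcarded .com/.net: unknown names under those TLDs
    get the sinkhole address, other TLDs get a real NXDOMAIN (None)."""
    name = name.rstrip(".").lower()
    if name in _FAKE_ZONE:
        return _FAKE_ZONE[name]
    if name.endswith(".com") or name.endswith(".net"):
        return "64.94.110.11"
    return None


def _random_label(length: int = 20) -> str:
    """A label nobody has registered, e.g. 'q7d3...': 36**20 possibilities."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wildcard_address(tld: str, resolve: Resolver) -> Optional[str]:
    """Probe the TLD with a random label. A non-NXDOMAIN answer means the
    TLD is wildcarded; the answer is the synthetic address being handed out."""
    return resolve(f"{_random_label()}.{tld}")


def resolve_strict(name: str, resolve: Resolver) -> Optional[str]:
    """Return the A record for `name`, or None when the name does not really
    exist: known sinkhole addresses and answers equal to the TLD's wildcard
    probe are both reported as NXDOMAIN."""
    addr = resolve(name)
    if addr is None or addr in SINKHOLE_IPS:
        return None
    tld = name.rstrip(".").rsplit(".", 1)[-1]
    if addr == wildcard_address(tld, resolve):
        return None
    return addr


def sender_domain_exists(address: str, resolve: Resolver = fake_resolver) -> bool:
    """The anti-spam check from the summary: does the domain part of the
    envelope sender exist once wildcard answers are discounted?"""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1]
    return resolve_strict(domain, resolve) is not None


if __name__ == "__main__":
    for sender in ("bob@example.com", "spam@dkfjdfkjdkfjdkjf.com", "x@nosuch.org"):
        print(sender, "->", "exists" if sender_domain_exists(sender) else "NXDOMAIN")
```

The probe costs one extra query per TLD and can be cached for minutes; a real mail-side check would also consult MX before A, which the stand-in resolver does not model. The same logic is what a caching resolver needs in order to give clients the old behaviour, and ISC shipped it in BIND 9.2.3 as the `delegation-only` zone type, which refuses to pass through non-delegation answers from a TLD zone.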
Abuse of monopoly will result in regulation. (Score:4, Insightful)
Sorry to say this, but this is going to be a precedent for the Internet being regulated, this time for real. And you'll be able to thank Verisign for it. Perhaps that's a provocative step to achieve what they are really after - being regulated, which will guarantee them longevity.
Greedy bastards.
Re:Seeeing the future (Score:4, Insightful)
This was likely one of the primary motivations for this maneuver...to encourage formerly unnecessary registrations.
I've never registered misspellings of my company's domains, and the thought never even crossed my mind until now. I'm sure the crooks at Verisign saw this angle, in addition to the tons of free eyeballs.
Nope... (Score:2, Insightful)
tugrul@duality:~$ telnet dkfjdfkjdkfjdkjf.com 80
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
^]
telnet> c
Connection closed.
tugrul@duality:~$ telnet it.really.is.a.wildcard.dkfjdfkjdkfjdkjf.com 80
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
^]
telnet> c
Connection closed.
tugrul@duality:~$
This is just evil
Re:I can't confirm this is true.... (Score:1, Insightful)
Verisign is evil.
WHY?!?! (Score:2, Insightful)
Verisign is neither multiple nor moving. Instead of sullying our libraries with this stupidity, put your effort [icann.org] into beating Verisign into submission to common decency.
Re:What about Google? (Score:5, Insightful)
User-agent: *
Disallow:
There is no Internet (Score:5, Insightful)
I feel it is worthwhile to post a more general response to this point as well.
There is this myth that "the Internet" exists as a single, cohesive network. It does not, and never has. "The Internet" is a network of networks. What that means is that a bunch of independent network operators have agreed to exchange traffic with each other because it benefits them. When you dial in to your ISP of choice (or plug in your Ethernet cable or whatever), you're not connecting to the Internet. You're connecting to your ISP. Your ISP probably connects to their ISP. Their ISP (if you're lucky) connects to several other ISPs, who connect to other ISPs, and so on. All these independent network operators form "the Internet". So, "the Internet" exists as an abstract concept (and a useful one), but not as something you can touch. Not even as something you can route traffic through. All you can do is connect to some other guy's network and hope for the best.
The reason this is important is because we are already seeing ISPs implementing countermeasures against this VeriSign move. Some are null-routing that IP address at layer two; others are using DNS tricks to give us the old behavior. If enough ISPs do this, VeriSign's move will be largely ineffective. In effect, ISPs as a community can veto VeriSign or anyone else. It only works if most of them agree and take action, of course, and it remains to be seen if they will do that. And, of course, some of these countermeasures may themselves be easily defeated, leading to an arms race (like the spammer vs anti-spam arms race).
The possible consequences of all this are, shall we say, interesting.
(BTW, I don't disagree with the OP's suggested course of action, nor with the principle behind it. I'm just pointing out that things are, as usual, more complicated than they might appear.)
Not much of a workaround (Score:3, Insightful)
In the case of SMTP traffic, the sender will waste time and bandwidth retrying.
Note also that Mockapetris explicitly intended for wildcarding to be supported in RFC1034 - unfortunately, I don't think he foresaw the crass exploitation of the internet by ICANN 16 years ago.
Re:wonder of wonders (Score:2, Insightful)
I don't see any way a search engine could prevent this. It has no prior knowledge of the domain in the link until it tries to resolve it.
Re:Contact ICANN comments@icann.org (Score:5, Insightful)
No, this is receiving feedback from the affected administrators, engineers and other interested persons; said feedback hopefully leading ICANN to give Verisign a short, sharp lesson in "WHOA!".
You know, the job that they are supposed to be doing and all that kind of thing.
Re:Strike Back with Poor Typing (Score:2, Insightful)
Indeed. But not as right a thing, surely, as not returning IPs for these non-existent domains anyway.
If nothing else, they're sucking bandwidth. It's not much, surely, but -- OK. We send out an email newsletter at work (legitimate, opt-in, unsubscribable -- calm down) which goes to 200,000+ people. Say 5,000 people have their domain wrong -- htomail.com or something (no idea if that's accurate, but it's probably not massively far off).
As it was, our mail server would do 5000 DNS lookups, get 5000 NXDOMAINs, and ignore them. Instead, it does 5000 lookups, gets this address, connects to the mail server, sends a HELO, gets a response, sends a MAIL FROM, gets a response, sends a RCPT TO, gets a 550. That's an extra... what... couple of hundred bytes of network traffic? Say in the order of 1-2 MB for the lot. Down here in expensive-bandwidth-land, that's about 30 cents Australian it costs us. Not much, I know, but even so, it's there. Not to mention the additional load on our servers for trying to send, making port-25 connections, etc, compared to just giving up.
It's not much, but it IS costing us some small amount of bandwidth and some server time. Screw them.
This is the most #@^%ed-up #@#$ of @#*&ing !@%^ that I've ever #$@@ed in my %$#*.
Re:wonder of wonders (Score:2, Insightful)
(Actually MSN Sucks and no one uses it despite that).
It's interesting that the VeriSign page has a Terms of Use. I don't think they legally can require me to abide by SHIT if I got there because of a wildcard, e.g. they trapped me into getting there, not because I intended to go there. And a privacy policy? I didn't _intend_ to access their server, so I don't think I have to grant them rights to do whatever the hell they want with my info or whatever, if I don't want to.
Someone should sue them, or something.
Re:PLEASE DO NOT CLICK ON ANY SEARCH ENGINE RESULT (Score:4, Insightful)
The whole thing was done exactly with this purpose, but I think it can be used to break the system. If enough bots (and bots only) constantly "click" on the ads, their price will plummet. Since now they cannot tell if a person saw the ad, the "pay per click" becomes pointless. (And boy, they will be mad when they find out they paid all that money for nothing.)
On the other hand, if every Slashdotter would ping the thing it would be way more fun.
Come on everybody, just type: ping 64.94.110.11
(add -t if you are in Windows)
Re:Boycott Thawte (Verisign's SSL subsidiary) (Score:5, Insightful)
Superb idea, ajks. Have a cookie (or a certificate).
Here's a form-letter version of the email I'm about to shoot off to our rep, the delightful(!) Barbara:
We're a small company: but even in our case, [x] and [y] are 10 and 3000 respectively. It won't take that many to make a sizeable hole in Thawte's pockets.
my complaint, as submitted to ICANN (Score:2, Insightful)
Clearly this is not ethical: all others need to pay a yearly fee for registration, while Verisign does not. This must be corrected.
Specifically, Verisign is using all un-registered domain names as aliases (redirects) to their own business sites. This can realistically be a significant step towards ending the internet as we know it - every single internet user puts an immense amount of trust into "the system" every day she or he uses a web browser to surf the web. Verisign threatens to end our trust in the system, with serious consequences for us all.
Re:Contact ICANN comments@icann.org (Score:5, Insightful)
ICANN is responsible for, among other things, ensuring that its registrars perform their duties properly. If an issue such as this one crops up, and the
Face it - sometimes, being responsible for a little thing like the internet can be a bitch. Most of us do have to deal with inane crap as a part of our daily grind, although I admit that getting 20,000 emails suggesting I view a goatsex link in a single day would probably be unusual for me at least. But at least ICANN has said outright that they aren't going to read all of them
Re:wonder of wonders (Score:3, Insightful)
Indeed. And, if the Mozilla and Konqueror people had balls, they could set up a default option on their browsers so this page is blocked. You could uncheck it, but it should be on by default.
This would be a cool way to protest!
Re:What about Google? (Score:1, Insightful)
What gave you that silly idea? Virtual servers will all have the same IP address. Hundreds of domain names could use the same IP on a single server and all have unique content that needs to be indexed or cached.
DDoS/attack/"testing"? (Score:4, Insightful)
It really sounds like Verisign wants traffic destined for every mistyped or invalid hostname. I say let them have it. Surely they're aware that the Internet is not just the web.
Re:Despicable.. But they're not the first... (Score:3, Insightful)
The MS one only affected MSIE users for web browsing. The Verisign issue affects ALL Internet clients, not just web browsers.
It's actually worse for other clients than web and email as Verisign's machine does not return an error for any other protocol, it just says "connection refused".
DNS wasn't designed to do what Verisign wants it to do, and there's no way to only offer the fake address for queries for web sites.