Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×
The Internet News

VeriSign Responds To ICANN's SiteFinder Advisory 464

dmehus writes "VeriSign's Naming and Directory Services division has written to ICANN President and CEO Paul Twomey regarding the recent advisory concerning VeriSign's DNS wildcard redirection service. In the letter, VeriSign's Rusty Lewis says that they are open to independent and objective technical concerns expressed by various Internet bodies; they have formed their own "independent" panel of industry leading experts to produce its own, separate report; and they will not voluntarily suspend SiteFinder. It's a very terse response, and frankly, I'd have expected more from them. Slashdot readers are encouraged to visit ICANNWatch for in-depth, expert discussion on this and other issues."
This discussion has been archived. No new comments can be posted.

VeriSign Responds To ICANN's SiteFinder Advisory

Comments Filter:
  • Huh? (Score:5, Funny)

    by mrpuffypants ( 444598 ) * <mrpuffypants@@@gmail...com> on Monday September 22, 2003 @07:30PM (#7029269)
    From the letter to ICANN:

    As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.

    Well, I think that the world would have appreciated the same level of consideration before the system was ever even implemented in the first place.
    • Re:Huh? (Score:5, Funny)

      by McSpew ( 316871 ) on Monday September 22, 2003 @07:35PM (#7029315)

      Translation: We implemented something that may have broken large parts of the Internet, but we'll wait until everyone has given up on us fixing it before we decide whether to undo what we did.

      By the time they decide if they really broke everything they broke, and whether they should temporarily suspend SiteFinder, everybody else will have routed around them.

      BTW: Does anybody know what they're talking about when they claim that other TLDs have implemented something like SiteFinder?

      • It wasn't long ago I found one that was on a small set of islands, and any incorrect URL to one of their TLDs would go to a page specifying that it was an incorrect URL belonging to the islands.

        Can't for the life of me remember which one it was though.
      • Re:Huh? (Score:3, Insightful)

        by LostCluster ( 625375 )
      • Re:Huh? (Score:5, Insightful)

        by Ark42 ( 522144 ) <slashdot@morpheu ... t ['ftw' in gap]> on Monday September 22, 2003 @07:43PM (#7029365) Homepage

        http://verisignsucks.museum/ [verisignsucks.museum]

        Just as an example.

        I think *.museum is ok to have a wildcard for though, since not everybody can go out registering a museum domain name. It works similar to .com.au (unless .com.au changed recently). .com/.net and any other domain that requires no special terms to register domains for, should NOT have wildcards.
        • by TWX ( 665546 ) on Monday September 22, 2003 @08:07PM (#7029543)
          If one looks at the newsgroups as historically how something like this works, the .museum TLD is a highly restrictive, highly controlled domain. It's entire purpose is for respected institutions to be listed. So, them having a master index and a reply indicating an invalid domain makes sense, since the entire domain listing easily scrolls through a few screens only. It would be the equivalent of a comp or sci newsgroup; highly structured groups with moderation and content rules.

          .com is the tld equivalent of alt., where anyone can create and post anything, without moderation, without structure. Attempting to impose structure, in the form of sitefinder, is stupid in this instance, since the organizations represented in .com are usually for-profit or attempting to jockey for position. If I have a business, do I now have to register every possible combination of my domain to keep idiots from being redirected to a customer of mine because they paid verisign to add them to the referral page for a misspelling of my domain name? I also have to worry about verisign giving precedence to domains registered through them in the recommended sites, and if I have a godaddy.com-registered domain, will I end up being denied business that would normally have realised that they made a typo, to fix it and come to me?

          This is the real problem that I have with sitefinder. It being in the hands of a commercial organization who has exhibited a systematic behaviour of putting profit before anything else will only exploit this situation. They will start selling placement on messed up domain entries, they will start denying domains registered through other registrars the same regular placement as their own, and they will destroy what had been a fairly free and open system.

          I'd recommend that if Verisign doesn't immediately stop this insanity that we write to our legislators and demand that control of the TLDs that versign manages be removed and handed to ICANN to deal with directly.
          • Quit whining and run your own DNS server. When you are asked, you should willingly pony up the network bandwidth and server load to run a root server.

            You'd better get cracking too: there's a lot of RFCs to bone up on before you can achieve the status of the enlightened few who are above the controversy by sheer virtue of pure wisdom.

            If all the selfless people made it their livelihood to outproduce the demands of the greedy, would the demand diminish? Greed is foolishness, and a fool is self-defeating. Le

            • There was no problem...There are a number of unscrupulous registrars that also host tld's, and Verisign has recently proved itself to be the most sickeningly ballsy of them. If Verisign is allowed to generate revenue from a service that could never be competed against (and this specific one can't, without screwing things up worse than they already are), then why don't we just hand them the "keys to the internet" and walk away. Greed *is* foolishness, in this case as well as the one you pointed out.

              If self

        • Re:Huh? (Score:4, Informative)

          by macdaddy ( 38372 ) on Monday September 22, 2003 @10:06PM (#7030351) Homepage Journal
          A wildcard GTLD was part of .museum's charter. Therefore it was approved and everything is fine. It was never part of the .com/.net GTLD contract and is not an authorized use of the domains.
      • Re:Huh? (Score:3, Informative)

        by questamor ( 653018 )
        .cc is one .cx another
      • Re:Huh? (Score:4, Interesting)

        by mendepie ( 228850 ) <mende&mendepie,com> on Monday September 22, 2003 @08:00PM (#7029490) Homepage
        Here is a little script that I whipped up to find out which TLDs have wildcard records.

        #!/bin/sh
        rm -f root.zone root.zone.gz
        wget -q ftp://ftp.internic.com/domain/root.zone.gz
        gunzip root.zone.gz
        for i in $(grep ' NS ' root.zone | awk '{print $1'} | sort -u); do
        host -ta "*.$i" 2>/dev/null
        done
        rm -f root.zone root.zone.gz
      • by marnanel ( 98063 ) <slashdot AT marnanel DOT org> on Monday September 22, 2003 @08:15PM (#7029584) Homepage Journal

        BTW: Does anybody know what they're talking about when they claim that other TLDs have implemented something like SiteFinder?

        Here: .ac [sillyexamp...lashdot.ac] .cc [sillyexamp...lashdot.cc] .cx [sillyexamp...lashdot.cx] .mp [sillyexamp...lashdot.mp] .nu [sillyexamp...lashdot.nu] .ph [sillyexamp...lashdot.ph] .pw [sillyexamp...lashdot.pw] .sh [sillyexamp...lashdot.sh] .td [sillyexamp...lashdot.td] .tk [sillyexamp...lashdot.tk] .tm [sillyexamp...lashdot.tm] .ws [sillyexamp...lashdot.ws] .museum [sillyexamp...dot.museum]. (I posted something similar last time a similar story came up.)

    • Re:Huh? (Score:5, Insightful)

      by rgmoore ( 133276 ) * <glandauer@charter.net> on Monday September 22, 2003 @07:46PM (#7029392) Homepage
      As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.
      That's an interesting thing for them to say, especially because earlier in the letter they said:
      All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder.

      So which is it? Have they not yet had a chance to gather any data, or have they gathered the data and found that it's beneficial to users? Or, as seems most likely, are they just saying anything that they think will get ICANN off their backs for long enough for them to sell a bunch of registrations?

      • Re:Huh? (Score:3, Insightful)

        by macdaddy ( 38372 )
        It's even more interesting for them to come back with that when they themselves didn't do the very same data gathering and research before implementing the damned thing.
      • Re:Huh? (Score:3, Interesting)

        Previously: You think of a domain-name you want, go look at it. If it's not there, you can get it. If it's been taken by another company, or a domain squatter, you choose a different name.

        Now: You think of a domain-name you want, go look at it. It's been taken by a domain-squatter. The same thing happens for every one of the domains you try and check. You give up, and have to pay the person whose site is on the domain you want.

        Ignoring for a moment anybody technical enough to recognise Verisign scum
    • Re:Huh? (Score:5, Informative)

      by Anonymous Coward on Monday September 22, 2003 @07:46PM (#7029394)
      I don't think I've seen this posted before, but some people may find it interesting. Here's the contracts [icann.org] between ICANN and Verisign for .com and .net (.org is there also, but it no longer applies).
      • Re:Huh? (Score:5, Informative)

        by msaulters ( 130992 ) on Monday September 22, 2003 @10:41PM (#7030572) Homepage
        Somebody mod the parent up.

        Follow the link to the contract, choose 'functional specification' and then jump down to 'Nameserver functional specifications' which I quote:

        Nameserver operations for the Registry TLD shall comply with RFC 1034, 1035, and 2182.


        ICANN Please, Please, Please, Please, Please, PLEASE!!!! take that letter and offer to shove it up Verisign's ass gift-wrapped in their contract.

        OR

        <big giant cluebat>
        You *THWAP* DON'T! *THWAP* BREAK *THWAP* THE R *THWAP* F *THWAP* C! *THWAP*
        </big giant cluebat>
        • Re:Huh? (Score:5, Insightful)

          by Leto2 ( 113578 ) on Tuesday September 23, 2003 @12:16AM (#7031092) Homepage
          msaulters, for completeness, since you seem to be intimately knowledgeable on the RFCs, can you paste the relevant sections from these three RFCs that apply to Verisign's wildcarding?
          • Re:Huh? (Score:5, Informative)

            by trims ( 10010 ) on Tuesday September 23, 2003 @02:58AM (#7031743) Homepage

            Section 4.3.1 of RFC 1034 pretty clearly states that the response to a name query is to be:

            If recursive service is requested and available, the recursive response to a query will be one of the following:
            • The answer to the query, possibly preface by one or more CNAME RRs that specify aliases encountered on the way to an answer.
            • A name error indicating that the name does not exist. This may include CNAME RRs that indicate that the original query name was an alias for a name which does not exist.
            • A temporary error indication.
            If recursive service is not requested or is not available, the non-recursive response will be one of the following:
            • An authoritative name error indicating that the name does not exist.
            • A temporary error indication.
            • Some combination of:
            • RRs that answer the question, together with an indication whether the data comes from a zone or is cached.
            • A referral to name servers which have zones which are closer ancestors to the name than the server sending the reply.
            • RRs that the name server thinks will prove useful to the requester.

            Now, the section thereafter goes on to talk about wildcards, so they are pretty much out of luck for saying that VeriSign isn't implementing the RFCs correctly. However, another portion of the RFC makes it very clear that wildcards are only for use within an entity's domain of control (that is, *.foo.com in DNS will not affect lookups under bar.com). The key here is that it is up to the OWNER of the domain in question as to the appropriateness of wildcards in DNS. VeriSign does NOT OWN THE .COM TLD. They merely ADMINISTER it for ICANN. Thus, there is a very good case for VeriSign being in breach of contract by failing to cary out the wishes of the OWNER of the .COM TLD. Which in this case is ICANN.

            Basically, I would be a bit more thorough before going to VeriSign, but afterwards, I'd still wack them over the head with the contract and force them to remove the wildcard.

            -Erik

    • ...at least on the DNS servers I control. Just redirect lookups on the .verisign.com (and .net and .org) domains to my local DNS servers which strangely enough don't seem to point the inquiries to verisign... Just had to clear it with Management first as a "privacy issue"...
    • Phew! (Score:3, Funny)

      by daVinci1980 ( 73174 )
      Good to see that verisignsucks.it [verisignsucks.it] still does the proper thing.

      And doesn't suck it.

      Sometimes you have to watch those crafty Italians.

  • by Anonymous Coward on Monday September 22, 2003 @07:30PM (#7029270)
    Unilateral Military Action.
  • by RobertB-DC ( 622190 ) * on Monday September 22, 2003 @07:31PM (#7029278) Homepage Journal
    In case you are not a doubleplusgood duckspeaker [demon.co.uk], here is a helpful translation of Verisign's letter to ICANN.

    Dear Paul:
    Translation: Dear meddlesome twit:

    This will respond to the ICANN Advisory concerning VeriSign's Deployment of DNS Wildcard Service dated 19 September 2003.
    We're about to tell you where you can stick your "advisory".

    In the footsteps of several other registries that have done the same, we recently deployed a wildcard in the .com and .net zones.
    Verisign has no problem being just as sleazy and underhanded as any of our competitors.

    This was done after many months of testing and analysis and in compliance with all applicable technical standards.
    Marketing sees dollar signs, and legal says we can get away with it.

    All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder.
    None of the lusers who installed "The Internet" on their computers has a clue that we've even done anything.

    These results are consistent with the findings from the extensive research we performed.
    They are, however, clicking the pretty buttons, just like we hoped they would.

    We are, of course, very interested in any objective technical information ICANN may have received concerning the service and would welcome the opportunity to work with you to review such data. To that end, we have reached out to schedule meetings... of leading experts in the field.
    Let's have a meeting. Then another. Then another. Then, we'll codify the new de facto "standard".

    As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data.
    We're going to get our way, because we can, and there's nothing you can do about it. Weenie.

    After completing an assessment of any operational impact of our wildcard implementation, we will take any appropriate steps necessary.
    And if we don't get our way, we'll pay off anyone we need to.

    I look forward to continuing to work with you on this issue.
    Kiss our ass.

    Best Regards,
    See you in Hell,

    Russell Lewis
    Executive Vice President, General Manager
    VeriSign Naming and Directory Services
  • Something that seems to be mildly overlooked here, in my opinion, is that this has the power to give VeriSign "ownership" of the web in many users' minds.

    If my mom tries to go to http://www.gooodhousekeeping.com and gets a VeriSign message and a search box, well it doesn't take much of that before she starts thinking that VeriSign == The WWW, because VeriSign is who always tells her what she typed wrong and where she should be going.

    What this comes down to is a company trying to "brand" the web. In many
    • Call me stupid, but who exactly has the power? I think that is a very key piece of missing information in this whole debacle.

      Who do we ask to take action?
      • by ADRA ( 37398 ) on Monday September 22, 2003 @08:03PM (#7029517)
        ICANN can revoke their authorization last I heard. They are pretty much push-overs for corporations so I don't see any top down remedies to this blatent miss-representation of their powers.

        On second thought, here is my idea: Have Verisign pay ICANN for every bogus returned DNS request, since technically Verisign has registered billions of domains, I'd say that ICANN is entitled to a mightly large chunk of Verisign revenues. More than the service is worth? One can only hope.
    • by Atario ( 673917 ) on Monday September 22, 2003 @07:41PM (#7029353) Homepage
      ...that enough of a ruckus will be kicked up over this that someone will have the following bright idea:

      Let's make this illegal!

      Voila. Government steps in to take over .net, .com., and .org. Everyone's screwed. So much for the free, cooperative, works-of-our-own-free-will Internet. Thanks, Verisign.
      • In a way that's what already happened. The US government were the ones that gave Verisign their monopoly, after all.

        Typical modus operandi, government action messes things up, more action will fix it! (And if you believe that, just check out how they've fixed the war on (some) drugs.)

      • by kindbud ( 90044 ) on Monday September 22, 2003 @10:24PM (#7030467) Homepage
        Government steps in to take over .net, .com., and .org. Everyone's screwed. So much for the free, cooperative, works-of-our-own-free-will Internet.

        You're posting from your AOL account, the one you just got with your first PC purchase. Am I right?

        If I am not right, and you've been connected to the internet for more than six minutes, then how can you possibly not know that the dot-com and dot-net servers were run by the US government for over a decade prior to Verisign, and domains were free of charge, and none of this crap happened.

        Far from everyone being screwed, the NSF ought to take it over again.
    • Bah. I remember when friggin Network Solutions (no owned by Verisign) did own the web. I remember when there wasn't all this gull durn "choice" to confuse people registering domains. I never used to get asked "hey, who do you register domains with?". It was always "hey, can you help me fill out the text form and email it to the InterNIC?"

      All these changes to the good ol' Internet. Back in my day there was one registrar, and we liked it. And none of this "broadband" hooey. We had real modems that ma

  • by Bull999999 ( 652264 ) on Monday September 22, 2003 @07:33PM (#7029296) Journal
    The same "independent" panel of industry leading experts recommends SCO's Linux license and conducted a study showing that Windows is indeed cheaper than Linux and BSD.
  • by jdunlevy ( 187745 ) on Monday September 22, 2003 @07:33PM (#7029297) Homepage
    In the footsteps of several other registries that have done the same, we recently deployed a wildcard in the .com and .net zones.
    Which ones?
  • by ikewillis ( 586793 ) on Monday September 22, 2003 @07:34PM (#7029301) Homepage
    I think it's time for ICANN to look for someone else to run the NET and COM TLDs. Not only are they unwilling to suspend SiteFinder after an enormous public outcry and a direct request from ICANN, but they didn't even bother telling anyone they were going to do this in the first place ahead of time. This is absolutely terrible, and I hope ICANN finds someone else to manage these TLDs
  • by daeley ( 126313 ) * on Monday September 22, 2003 @07:35PM (#7029311) Homepage
    We'll know if these "negotiations" fall apart if "www.icannwatch.org" suddenly displays SiteFinder.
  • For us non Sysadmins (Score:4, Interesting)

    by rritterson ( 588983 ) * on Monday September 22, 2003 @07:36PM (#7029318)
    Okay, so I can see and understand the effect wildcarding had on the domains, and why it's bad thing.

    I'm also familar with the basic structure of the DNS network. However, I'm not familar with the regulatory system.

    Can someone explain who regulates who gets to control what domains? Can ICANN revoke Verisign's control of the .net and .com domains? If not, who can?
  • by ikewillis ( 586793 ) on Monday September 22, 2003 @07:39PM (#7029339) Homepage
    of SiteFinder is the fact that non-English speakers no longer receive an error message in their own language, but are confounded with some bizarre English language site which certainly wasn't where they were trying to get to.
  • by samj ( 115984 ) * <samj@samj.net> on Monday September 22, 2003 @07:40PM (#7029347) Homepage
    Obviously this project has a significant return - otherwise they would not have invested some amount of time and energy into its implementation, knowing the backlash that was to be expected. That said, you really thought they'd give it up without a fight, especially considering the damage they've already done to their brand? Oh the arrogance.
  • NULL ROUTE (Score:2, Insightful)

    by CEO Guy ( 690800 )
    I just null routed their ENTIRE array of IP addresses in my router. Now I can't even get to their site and accidentally buy a domain there. I also moved any domains I had with them to GoDaddy. if everyone else tells everyone they know to use another registrar or use another SSL key company they will see a loss :-) If ISP's null route them your defense is.. Well, you changed the rules why cant I?
  • Check out the TOS (Score:5, Informative)

    by TedTschopp ( 244839 ) on Monday September 22, 2003 @07:44PM (#7029371) Homepage
    Here is something interesting: Check out the Terms of Service:

    http://sitefinder.verisign.com/terms.jsp

    Is there anyway I can turn this service off? I disagree with the terms.

    Ted
    • Re:Check out the TOS (Score:2, Informative)

      by sikpig ( 618887 )
      Check out point 14. If you spell a domain incorrectly, your accept the terms:
      14. AGREEMENT TO BE BOUND.
      By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference.
      • But I didn't spell a domain name incorrectly, someone else did on their website in their URL. And actually they didn't misspell it, they spelled it correctly, the site is down becuase they failed to pay to keep their domain name registered.

        Ted
      • Re:Check out the TOS (Score:5, Interesting)

        by gregmac ( 629064 ) on Monday September 22, 2003 @08:07PM (#7029541) Homepage
        Check out point 14. If you spell a domain incorrectly, your accept the terms:
        14. AGREEMENT TO BE BOUND.
        By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference.

        IANAL, but is there any legal precidence about this type of licence? Isn't this the same sort of thing as having to open a sealed box to be able to read the licence, which then states that by unsealing the box you've agreed to the licence?

        I have a feeling that their licence would totally fall over in court - since there is no consent - which means that nothing in the licence would be enforcable, and despite what section 12 says (they're not liable for damages/whatever resulting from their 'service'), you could probably do something like.. sue them for any spam (provided your jurisdiction has laws against spam) that got past your spam filters because it failed the valid domain name check.

        • Re:Check out the TOS (Score:4, Interesting)

          by gregmac ( 629064 ) on Monday September 22, 2003 @08:15PM (#7029587) Homepage
          Oh, I espessially liked this one:
          10. SOLE REMEDY

          Your use of the verisign services is at your own risk. If you are dissatisfied with any of the materials, results or other contents of the verisign services or with these terms and conditions, our privacy statement, or other policies, your sole remedy is to discontinue use of the verisign services or our site.
          Translation: If you don't like what we did, stop using DNS.

          (btw, /. wouldn't let me post that as it was, in all caps. Why do lawyers do that? It is a proven fact that people often skip past sections of text like that, since it seems like noise and the brain just filters it out.. Is that just another tactic by lawyers (besides making licence agreements inane, long, and boring in the first place) to make you skip over certain sections? Make you think you read it all and agree anyways, even though your brain just filtered out the part removing them of all liablity..

    • Re:Check out the TOS (Score:5, Interesting)

      by delta407 ( 518868 ) <slashdot@lerfjha ... m minus language> on Monday September 22, 2003 @08:41PM (#7029759) Homepage
      Is there anyway I can turn this service off? I disagree with the terms.
      I've been discussing this with Verisign for a week now, and Verisign legal is supposed to get back to me on that exact question.

      From the Terms of Service:
      10. Sole Remedy.
      YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED ... YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE.
      My question to Verisign was "I'm dissatisfied. What does 'to discontinue use of the Verisign services' mean? I can move many domains to other TLDs, pull the Verisign root certificates from a few hundred workstations, cancel a PayFlow account that handles a few hundred thousand dollars per month, and have my clients cancel several thousand dollars worth of SSL certificates. Is that what you want me to do?"

      Again, no response as yet. :-)
  • Either we all decide ICANN has no teeth because they've been ignored by these larrikins, or we rally behind them... I wonder which it'll be?
  • Come on guys (Score:3, Informative)

    by dachshund ( 300733 ) on Monday September 22, 2003 @07:48PM (#7029407)
    This is just bad business. We all know how this is going to turn out-- it'll bounce back and forth from Verisign to ICANN to the tech press and eventually to the mainstream press until the negative publicity reaches the point where Verisign won't have any alternative but to yank it.

    See, two days ago this was a technical issue that only a handful of nerds cared about. Two months from now it's going to be "Verisign, the organization granted a monopoly on control of the entire Internet and insists on defyingthe rest of the Internet community." People who never even heard of DNS will come away from this thinking that Verisign means shady.

    Save us all the time and dozens of inevitable Slashdot stories (+ dupes) and dump the thing.

  • by TyrranzzX ( 617713 ) on Monday September 22, 2003 @07:49PM (#7029413) Journal
    WAR!

    Lauch the blacklists!!!

    Verisign just lost it's monopoly over DNS with this stunt methinks. They pised off ICANN, EFF, Slashdot, 99% of the tech industry, and instead of putting their foot in to test the water and going "oh, the shark that just bit my foot off might be a problem" they say "eh, it's just a foot". Everyone is justifyable angry about this.

    So, they took of their glove, slapped a couple million people in the face, threw the glove to the ground and drew their sword, to have a mideval analogy.

    I say we blacklist their entire domain of advertising websites. A form of blackmail and protest; if nobody can get to their website to register, then they can't very well do buisness effectivly now can they? Sure, people'll get angry about how they can't reregister. The whole point is to show verisign what happens when you piss us off. Lets make a mess so big out of this that they'll never recover!
  • by xenoweeno ( 246136 ) on Monday September 22, 2003 @07:52PM (#7029431)
    It appears that Network Solutions may have learned to tuck tail and run whenever anyone comes asking what the hell their parent company is doing.

    When they responded to me last week [slashdot.org], they told me that Verisign was "well within the guidelines" that Verisign set up in the document they created for their own "service."

    Now I only get form responses from NetSol drones: "It seems you are having trouble with the SiteFinder service. Please read the SiteFinder FAQ at: ..."
  • by effer ( 155937 ) on Monday September 22, 2003 @07:52PM (#7029435)
    If not, what better target for a lawsuit!
    • The response you get depends on the interface you use, which affects whether it's readable by the blind. If you're typing DNS queries by hand, for instance, it will tell you that nonexistent-domain-24324324.com has IP address 64.94.110.11, which isn't correct, but it's the same lie they tell sighted people.
      If you use email, your email system will give you a message like

      : host verisignsucks12232.com[64.94.110.11] said: 550 : Client host rejected: The domain you are trying to send mail to does not exist.

  • by SlapAyoda ( 6041 ) on Monday September 22, 2003 @07:53PM (#7029443) Homepage
    Hey, if you feel strongly about this issue, you can reach them directly. Just call 703 925 6999. That's the direct line for VeriSign Naming and Directory Services. I tried to get Rusty on the line, but they're on the East coast and he had already left the office.

    I just spoke with a nice secretary lady whom told me that she was 'sad to hear' that I, "an investor", was going to sell my "2000 shares" of Verisign first thing in the morning due to their horrible wildcard DNS policies.

    When I asked why they are doing this, she told me it was a "marketing decision" and that "somebody in the marketing department" thought it up.

    She said that I was the first person she had heard complain about it, though she had read somewhere that it was "controversial".

    If anybody has any success getting through to these people, post any interesting tidbits you find out. Thanks.
    • by Anonymous Coward
      I just called got someone on the line pretty quickly (less then a minute)

      I asked politly how I can turn off the Sitefinder service (yes I know exactly how it works, but I figured that would be a good way to approach it.)

      The person then asked for my name and email (which I gladly gave)

      He then respond with, at this time we have no plans to turn off the site finder service.

      For which I responded, I read your TOS and it says that if I don't agree to the terms that I shouldn't use the service, and repeated
      • by jelevy01 ( 574941 ) on Monday September 22, 2003 @08:48PM (#7029824)
        Here is the response I got back:

        Subject:Site Finder Discontinuation Request

        Dear xxx,

        Thank you for contacting VeriSign Customer Service.

        Thank you for your feedback on the Site Finder service. It is not possible to opt out of the service. The Site Finder response is incurred when a non-existent domain name query in com/net is directed to us. It is not a service in which someone would subscribe to or sign up for.

        For more information please refer to our FAQs: http://www.verisign.com/nds/naming/sitefinder/

        We remain committed to ensuring that Site Finder improves Web navigation and the user experience.

        Thank you.

        If you require further assistance please contact us by replying to this email.

        Best Regards,

        David Reid
        Customer Service
        VeriSign, Inc.
        www.verisign.com
        sitefinder@verisign-grs.com
  • Interesting (Score:5, Informative)

    by WndrBr3d ( 219963 ) on Monday September 22, 2003 @07:55PM (#7029448) Homepage Journal
    I think it's interesting how ICANN is coming at this situation. I think you have to realize how much money VeriSign makes ICANN. I'd dare to say that over 70% of all of ICANNs revenue is generated from VeriSign.

    So It's sort of the same situation that we are in with Middle Eastern Oil. We're trying to tell them, 'Hey, make it cheaper and give us more' but we cant strong arm them. 'cause if they up and leave we're left high and dry.

    If VeriSign were to be revoked their registrar status, ICANN would stand to lose millions.
    • if Verisign's contract is revoked ICANN wil just choose another registar and will still make their moeny..

    • Re:Interesting (Score:3, Insightful)

      If VeriSign were to be revoked their registrar status, ICANN would stand to lose millions.

      Right, but then they'd make someone else the registrar and get those millions from them.
    • Re:Interesting (Score:3, Insightful)

      by burns210 ( 572621 )
      correct me if i am wrong, but i though the US gov(or was it ICANN) gave verisign the registrat power over .com and .net...

      first, why can't we just take it back?
      second, why should so much power dealing with the interent be given to a corporation, why not a common non-profit organization handle the .com and .net(and .org, .tv, .info even.... excluding individual contries' domains)?

      The internet should be free, open, and very welcoming. domain registration should cost only enough to maintain the systems(the v
  • yet they don't even trust themselves. The seal at the Verisign owned THAWTE site [thawte.com] currently says:

    Invalid Certificate
    2003-09-23

    and when you click on it:

    This page (thawte.com/html/ISP/index.html) is not permitted to display the Thawte Site Seal.

    Irrelevant, but amusing nonetheless.
  • Sign the petition (Score:5, Informative)

    by AlanWay ( 470656 ) on Monday September 22, 2003 @07:56PM (#7029456)
    If you havent allready signed it, there's a petition at http://www.whois.sc/verisign-dns/ [whois.sc] to encourage Verisign to rack-off.

  • by lightspawn ( 155347 ) on Monday September 22, 2003 @07:57PM (#7029461) Homepage
    Dear verisign,

    The recent update to BIND contains a feature you should be aware of.

    In 1 month, every lookup for any domain registered directly with verisign will fail with %0.1 probability.

    The probability will increase by %0.1 per day until the wildcard issue is resolved or until verisign becomes useless as a registrar.

    We look forward to a prompt and amicable resolution.

    Best wishes,
    The Internet.
  • by jpetts ( 208163 ) on Monday September 22, 2003 @07:58PM (#7029475)
    In the footsteps of several other registries that have done the same, we recently deployed a wildcard in the .com and .net zones.

    You need to know what's going on to understand this bit. What they want people to think is that other registries are also deploying wildcards in the .com and .net zones, but in actuality what they are saying is "Other registries have deployed wildcards, and we are doing the same, but in the .com and .net domains".

    However, most people who are unhappy with VeriSlime will easily see through this piece of doublespeak.
  • Or can we poison their database? If the SiteFinder page brings up links to pages of 'similar' nature that have been paid for, then can we put in a million requests for sitefindersucksdonkeys.com and make their db useless, just like the spam tarpits?
  • by WCityMike ( 579094 ) on Monday September 22, 2003 @08:02PM (#7029506)
    I am a Mac OS X user and recently read an interesting hint [macosxhints.com] on the Mac OS X Hints [macosxhints.com] website.

    It appears that simply blocking sitefinder.versign.com leads to a rather unpleasant 'timeout' error in a browser: a long wait prior to a timeout is hardly better than an instant appearance of VeriSign's SiteFinder service.

    However, one of the users, in the comments on the hint, noted that "[w]hen you type an incorrect URL, the Verisign DNS server actually returns an IP address, which is that of sitefinder-idn.verisign.com."

    He continues, "Blocking the sitefinder-idn.verisign.com server in the manner recommended in this hint would save a fraction of a second but the main problem with this hint is that it suggests blocking the response when a far more efficient method would be to block the outgoing request. The system tells the browser that permission is denied for this request and the browser passes that information along immediately. Thus, the rule I use is:

    sudo ipfw add 1170 deny tcp from any to 64.94.110.11 setup

    I have been using this rule without any noticeable problems. Perhaps it might be of use to others?
    • A better solution is to use something like dnsmasq [thekelleys.org.uk], which is capable of blocking VeriSign's wildcard responses directly. This way, you'll get a proper NXDOMAIN response. This should be perfectly usable under MacOSX, since it's just a straight-up Unix daemon.
    • Some other VeriSign IP addresses

      64.94.110.11 sitefinder-idn.verisign.com
      65.205.249.60 www.verisign.net
      216.168.253.68 digitalid.verisign.net
      216.168.254.20 bay-w1-inf5.verisign.net
      216.168.254.21 goldengate-w2-inf6.verisign.net
      198.41.3.39 ns1.crsnic.net
    • Timeout (Score:3, Interesting)

      by jefu ( 53450 )
      curl 2342323432423432.com
      took 3 minutes and 20 seconds to timeout.

      curl 2342323432423432.org
      returned a resolver error in less than two tenths of a second.

      curl 2342323432423432.gov
      returned a resolver error in less than a tenth of a second.

      Will anyone really wait three minutes for a web page?

    • by goon america ( 536413 ) on Tuesday September 23, 2003 @12:34AM (#7031165) Homepage Journal
      Haha, I just turned it on (thanx, by the way) and I noticed when I went to a "creative" fake domain I made up, it still remembered the Verisign /favicon.ico bookmark icon from when I tried it before, even though the site obviously no longer responded...

      Seriously though, someone should write a Windows virus that disables this thing from half the internet...

  • Dear Verisign,

    I have heard that you guys are running a very useful website where I can get information about how to find other web sites (called sitefinder or something like that). Would you be so kind as to provide for me the URL for this website?

    Best, a user
  • some folks with control of their own name servers just added their own replacement entries, say pointing verisign.com to some random IP? While it might not have as broad an effect, sufficient implementation could still cause some aggravation. Any thoughts on the legalities of this? Their being at the top does not exclude other players from the game of IP hijack.
  • by m0nkyman ( 7101 ) on Monday September 22, 2003 @08:05PM (#7029530) Homepage Journal
    Because apparently www.fuckverisignuptheass.com leads to their wonderful service.
  • by Anonymous Coward on Monday September 22, 2003 @08:17PM (#7029599)
    Has anyone noticed that they are tracking the clickthroughs of the search results. (Note: google does not do this)

    They are building a huge database of behavior. It is tied to your ip address. I wonder what their policy is on releasing that information to the government? (they originally were government chartered)

    Hell. I wonder if they were put up to it by the Department of Homeland Securiy.

    At the very least, it will prove to be an invaluable, and highly marketable database.
  • by Jim McCoy ( 3961 ) on Monday September 22, 2003 @08:30PM (#7029697) Homepage
    I will leave aside the hysterical responses others have proposed and suggest two simple actions that you can take to deal with this attempted coup by Verisign.
    • Contact your ISP (or do yourself if you run your own DNS) and be sure that they have implemented the update to BIND which locks out this behavior. The truly obsessives will also go out and start finding random DNS servers and testing them to see if they are allowing anything more than delegation from *.com and *.net and then notifying DNS admins as appropriate.
    • Make your feelings known to the other co-conspirator in this system: Overture. They are providing the back-end to this service and since they have been recently acquired by a publicly traded company (Yahoo) you may feel the need to contact Yahoo to express your opinion on this particular product line (or perhaps express your views in forums where Yahoo shareholders may be found.

    Hit them where it hurts, in the bottom-line. Complaining to everyone may get this fixed, but patching your nameserver and then going after the back-end may also get results.
  • Alexa (Score:4, Interesting)

    by adpowers ( 153922 ) on Monday September 22, 2003 @08:45PM (#7029800)
    If you check out Verisigns traffic page at Alexa (http://www.alexa.com/data/details/traffic_details ?q=&url=http://www.verisign.com [alexa.com]), you can see why they aren't easily giving up their sitefinder project.
  • by jafiwam ( 310805 ) on Monday September 22, 2003 @09:14PM (#7029996) Homepage Journal
    ISC.org has come out with a couple new versions of BIND (on several platforms) that makes the Verisign thing irrelevant.

    Essentially, here's how it works;

    Rather than simply accepting any response from any root DNS server, the new version of bind only accepts an NS record (that states the authoritative DNS server) rather than an A Record (which maps a hostname or domain to an IP address). So the root servers can only do what they are supposed to do; tell your local DNS servers where to find the authoritative servers. Even if they are configured to do something differently, BIND responds by forwarding an NXDOMAIN back to the querying client. Esentially, if an IP address comes back from the server, the response from the browser then becomes "DNS Error".

    This has several advantages:

    - it doesnt matter what ICANN does or what Verisign does, responses to DNS queries happen as they should.

    - the patch fixes ALL of the TLDs, so it doesnt matter what the .RU or .CX or whatever registrars do.

    - it can be done on the ISP level. Though I have no proof, I think there are BIG ISPs out there that have done this already (Earthlink has been mentioned).

    - no routing, blocking or other stuff that could cause problems in the future is involved

    - Joe Grandpa Internet User never needs to know, and doesnt notice anything different when the fix happens

    I do not know about MS DNS Server, or other non-BIND DNS servers, but I am sure there will be patches or upgrades from your publisher.

    If you run servers, go to ISC.org and read up about the upgrades. If you dont, check your publisher's web site. If you dont run DNS call or email your ISP and ask them to upgrade their BIND at their earliest conveneince.

    Though I think it would be better if RFCs were binding, or if they were followed voluntarily... there is more than one way to get the right thing done.
  • by release7 ( 545012 ) on Monday September 22, 2003 @09:16PM (#7030008) Homepage Journal
    In the days before the Federal Radio Commission (FRC) came onto the scene, the precursor to the FCC in the US, the radio spectrum was an absolute mess. Broadcasters could blast out a signal on any frequency at any time and drown out abutting programs. That's because where there are no laws or rules, there can only be chaos.

    Could we be witnessing the same thing happening to the Internet? Will it slowly evolve into a near useless channel of communication as it becomes more and more corporatized and balkanized? If it does, it won't be long before Internet jockeys start demanding regulation and some kind of government cop to enforce standards and other general agreements for how the Internet should behave.

    When will that day come? Who knows. Maybe 5 years, maybe 25. Perhaps it'll happen during the gale force wind of anti-corporate sentiment that's currently brewing in middle America. But the real trick will be to stop the corporations from dominating the regulatory process like they did with radio and television. I hope and pray the ideals the Internet was founded upon survive this process. We'll have to wait and see and petition hard for our respective governments to do the right thing.

  • by Ceadda ( 625501 ) on Monday September 22, 2003 @09:33PM (#7030114)
    It may seem like a lot of effort, but, if everyone who hates this service just sends them a few words saying so, by email, by putting the following list of every address they have into their send line, they wont have an email system at all :) And it might be just a little fun too! Here they are :) All 1 line, with , inserted, so you can just copy and paste it :) consultingsolutions@verisign.com, websitesales@verisign.com, verisales@verisign.com, clientpki@verisign.com, internetsales@verisign.com, paymentsales@verisign.com, dnssales@verisign.com, digitalbranding@verisign.com, vts-mktginfo@verisign.com, channel-partners@verisign.com, premiersupport@networksolutions.com, authenticode-support@verisign.com, objectsigning-support@verisign.com, enterprise-sslsupport@verisign.com, vps-support@verisign.com, webhelp@verisign.com, practices@verisign.com, renewal@verisign.com, vts-csrgroup@verisign.com, info@verisign-grs.com
  • by SEE ( 7681 ) on Tuesday September 23, 2003 @01:23AM (#7031371) Homepage
    1. The Department of Commerce [mailto]; VeriSign's contract to operate .com and .org was originally with them.
    2. The Federal Communications Commission [fcc.gov], which oversees telecommunications.
    3. The Senate Commerce Committee's Subcommittee on Communications [senate.gov]; contact the committee itself [senate.gov], the chairman [senate.gov], the ranking member [senate.gov], and any of the other members you'd like.
    4. The House Subcommittee on Telecommunications and the Internet [house.gov], including the committee itself [house.gov], the chairman [house.gov], the vice-chairman [house.gov], and the ranking member [house.gov].

    By email, phone, fax, telegram, or letter (or better, several of these), let them know what you think. These are the people who can give Verisign reasons to change their behavior.

  • by chris_sawtell ( 10326 ) * on Tuesday September 23, 2003 @02:05AM (#7031574) Journal
    ... of the all the top level domains to a supra-national organisation, because the current system is so demonstably open to abuse. Entire domains being effectively stolen from small countries, unused sub-domains being stolen wholus-bolus. This criminal behaviour is totally unacceptable to any fair thinking person.

    It's time that the rest of the world took control of the DNS away from the corrupt outfit that has highjacked it and the Government which allowed that to happen.

    Perhaps UNESCO [unesco.org] should run the DNS?
    That's the United Nations Educational, Scientific, and Cultural Organisation.

I haven't lost my mind -- it's backed up on tape somewhere.

Working...