An open letter to the Ombudsman at the Washington Post

Please also forward to David McGuire

I would like to correct some errors of fact and some potentially erroneous perceptions conveyed in Mr. McGuire's article. I would appreciate it if Washington Post would correct these in a subsequent article.

Perception:

1. There is no reason to believe that turning off the wildcard records in the DNS is a temporary move. ICANN has said that if there is significant evidence that these changes are not doing harm to the internet (they most definitely are), they would consider making changes to allow them to be turned back on.

2. Verisign initiated the changes without notice to ICANN, IETF, or the community at large. ICANN is, essentially, the top-level authority in such matters. IETF is the body entrusted with the engineering, design, and specifications development for the internet through the RFC process.

3. Verisign was politely asked to stop breaking the internet by ICANN quite some time before this demand letter. Verisign chose to refuse that request.

Facts:

1. Verisign changed the behavior of a critical component of Internet infrastructure without hearing, notice, or even a heads up to the community until after it was implemented and the public outcry began. ICANN, while not holding a formal hearing prior to this action, did solicit community input and review from the various organizations responsible for these issues. ICANN has not asked Verisign to change a functional part of the internet, but to undo the changes Verisign made without hearing. This is not unreasonable and shouldn't require a hearing process that the changes didn't go through in the first place.

2. This is just the latest in a string of abuses by Verisign of their position in control of these aspects of the namespace.

3. The engineers and scientists you refer to as a close-knit group are anything but. We are a very diverse group of people from an even more diverse set of geographies.
There are a number of different organizations which contain various fragments of this group, but, to my knowledge, not a single one which contains all of us. In general, our agendas are so diverse that we have tremendous trouble coming to consensus on even basic things such as the minimum IP allocation boundary. In reality, this move angered virtually everyone running any operational part of the Internet. This is the most united I have _EVER_ seen the operational portion of the Internet Community.

Some further information for your consideration:

1. The Site Finder service isn't about helping lost internet users. It's about hijacking typos for profit. Verisign is trying to line its profits while preventing others from providing similar services. Currently, an ISP can capture NXDOMAIN responses at the resolver level and (although few do, and most would think this was as bad as Verisign's move) redirect it to their own error handling servers. Even if an ISP does this, however, users have the option of configuring other resolvers to get their DNS services from. With Verisign placing these wildcards in the top-level zone files they have disabled this NXDOMAIN functionality for everyone. This prevents mail servers from verifying that a sender domain (or even a recipient domain) even actually exists (they all do according to DNS with the wildcard).

2. Verisign can claim that the claims are overblown all they want. They are actually mostly understated. Verisign had no right to make this change to critical infrastructure which they are operating in the public trust. The key problem here is that Verisign seems to think they own that and it is theirs to do with as they wish. The reality is that it is held in the public trust by ICANN and its stewardship is contracted out to Verisign.

3. The statement that there is no data to indicate the core operation of DNS or the stability of the Internet has been adversely affected is a very carefully chosen set of words.
While it is technically true, it creates a very different impression from what it actually says. The impression it intends to create is that there is no evidence that this broke anything. In fact, it broke quite a number of things. It did not break DNS per se, but it did change one functional aspect of DNS in a way that was incompatible with existing systems implementations (it didn't break DNS, but it broke several things that depend on DNS). The "stability of the internet" can be said to relate specifically to the ability to forward packets from one host to another. While it didn't impact this ability, it did affect a number of applications in an adverse manner.

4. ICANN is using anecdotal and isolated issues -- This is a most specious claim. ICANN is using real reports of real damage to functioning systems on the internet from real operators of those facilities. Sure, that's anecdotal, but it's also anecdotal if a patient tells a doctor on the phone that his wrist has been cut and he is bleeding profusely. No rational doctor would tell this patient not to call an ambulance. No rational person in ICANN's position would not tell Verisign to undo this change post haste.

5. Verisign's claim that this is an attempt to regulate non-registry services is also untrue. The contents of the DNS zone files for the top level .com and .net zones is very much a registry service. Placing stuff in there that does not serve the public trust for which those files are contracted is very much a non-registry service, and such things don't belong in those zone files. ICANN does not care what non-registry services Verisign wants to provide. ICANN does care about damaging pollution being added to the DNS namespace by the company entrusted as a registry to manage that namespace. ICANN's right to regulate that is anything but dubious, and Verisign's claims that it is dubious are an obvious attempt to hijack this power for yet more abuse of their contract privileges.
The issues are not isolated, they are widespread.

In summary, I ask you to print an appropriate update to the facts of Mr. McGuire's piece. I ask you to check your facts and examine the situation better in order to present a less biased approach to stories about the internet in the future. I realize that because the internet operational community is so diverse it is hard to find a "spokesman". I also understand that it is easy to find the chosen spokesperson for Verisign. However, I believe that as reporters, especially for an institution like the Washington Post, you have an obligation to put in the effort to find a sampling of communities that have no designated spokespeople so that you can get their side of the story as well. In short, I don't think Mr. McGuire's biases in this article are the result of malice, but I think they demonstrate a certain amount of laziness and nonfeasance of his journalistic responsibilities.

Sincerely,

Owen DeLong
owen@delong.com

P.S. The other email address I sent this to is a list which contains some portion of the North American Operations community. It might be a good resource for further comment/investigation on these issues.
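
Added example, not part of the original letter: the sender-domain check that a TLD wildcard defeats, next to one way a mail server can recover it by probing random labels under the same TLD and treating a matching answer as NXDOMAIN. The resolver is a constructed stand-in for live DNS; the addresses, domain names and function names are all assumptions.

```python
import secrets

# Constructed zone data standing in for live DNS (documentation address ranges).
WILDCARD_A = {"192.0.2.11"}                       # hypothetical wildcard target
REGISTERED = {"example.com": {"198.51.100.25"}}   # hypothetical real domain


def make_resolver(wildcard_tlds):
    """Return lookup(name) -> set of A records, or None for NXDOMAIN."""
    def lookup(name):
        name = name.lower().rstrip(".")
        if name in REGISTERED:
            return REGISTERED[name]
        tld = name.rsplit(".", 1)[-1]
        # With a wildcard in the TLD zone every unregistered name gets an answer.
        return WILDCARD_A if tld in wildcard_tlds else None
    return lookup


def naive_domain_exists(domain, lookup):
    """The pre-wildcard check: any answer other than NXDOMAIN means 'exists'."""
    return lookup(domain) is not None


def wildcard_addresses(tld, lookup, probes=3):
    """Query random, almost certainly unregistered labels under the TLD.

    If every probe gets an answer, the union of those answers is the
    wildcard's address set; a single NXDOMAIN means there is no wildcard.
    """
    seen = set()
    for _ in range(probes):
        answer = lookup(f"{secrets.token_hex(16)}.{tld}")
        if answer is None:
            return set()
        seen |= answer
    return seen


def domain_exists(domain, lookup):
    """Treat an answer that matches the TLD wildcard as if it were NXDOMAIN."""
    answer = lookup(domain)
    if answer is None:
        return False
    tld = domain.rstrip(".").rsplit(".", 1)[-1]
    return not answer <= wildcard_addresses(tld, lookup)
```

A registered domain that genuinely points at the wildcard's own address would be rejected by this check, so the result is a heuristic rather than a replacement for a real NXDOMAIN.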