FYI. Sent yesterday:

Submission by the London Internet Exchange to the ICANN Security and Stability Advisory Committee Regarding Verisign's Deployment of Wildcard DNS Records

The London Internet Exchange (LINX) is Europe's largest Internet exchange point. Owned mutually by nearly 140 member Internet Service Providers and Content Services Providers, LINX members carry the overwhelming majority of Internet traffic within the United Kingdom. Most of the Internet traffic exchanged between ISPs within the UK by public peering is passed across the LINX.

LINX is concerned about Verisign's insertion of wildcard records into the .com and .net zones, and about the use of these wildcards to direct traffic that would otherwise have resulted in a "no domain" response to Verisign's own hosts.

LINX views the DNS tree as extremely important to the smooth operation of Internet services: anything that damaged confidence in the integrity and unified nature of the DNS tree would be very unfortunate. LINX is concerned that Verisign's actions may undermine confidence in the DNS. In particular, LINX fears that individual networks may implement workarounds to avoid the effect that Verisign is seeking to create, and that this could result in reduced confidence in the DNS system continuing as a single coherent tree.

Once the prospect of DNS resolvers choosing not to honour the DNS tree appears, we have to consider the possibility of further fragmentation of the DNS through individual networks suborning the Domain Name System in order to pursue other commercial or policy interests.

Another avenue of concern lies in the area of respecting end user privacy. While we take note of and welcome Verisign's assurances that they are not logging traffic to its mail servers, end users around the world are forced to rely on the promise offered by a commercial entity operating in a single national jurisdiction. The United States does not share the same data protection laws offered in some other countries, and most end users would have no practical or legal recourse if Verisign were to fail to adhere to its policy, either for its own purposes or for those of the relevant legal authorities. There is therefore a powerful argument that end users should not have to take the promise not to retain private data on trust.

In contrast to these concerns, there is Verisign's own interest in preserving its freedom of action and ability to pursue its commercial success. We are not persuaded that in this case Verisign's private interests outweigh the considerable public concerns that have been expressed by LINX and others on behalf of the wider Internet community.

The longer term implications of such DNS fragmentation are directly relevant to the stability of Internet service, and thus to the work of ICANN's Security and Stability Advisory Committee. We believe that these implications would be quite regrettable, and that it is appropriate to take steps to ensure that this does not occur.

LINX endorses the statement of the Internet Architecture Board and recommends that Verisign is asked to remove the wildcard records it has inserted in the .com and .net zones.