Re: Root Server Operators (Re: What *are* they smoking?)
So, Verisign just returns a NS pointer to another name server Verisign controls which then answers the queries with Verisign's "helpful" web site.
Half-life of the patch: 1 day?
i don't think so. verisign is on public record as saying that the reason they implemented the wildcard was to enhance the services offered to the internet's eyeball population, who has apparently been clamouring for this. in this story, for example...
http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030916/ap_on_hi_te/internet_typos_4
...it was thus spake:
VeriSign spokesman Brian O'Shaughnessy said Tuesday that individual service providers were free to configure their systems so customers would bypass Site Finder. But he questioned whether releasing a patch to do so would violate Internet standards.
Vixie acknowledged that it could -- standards call for operators like VeriSign to have complete control over their directories -- but he said not releasing a patch would create greater chaos.
therefore i believe that while they may have to change the A RR from time to time according to their transit contracts, verisign won't insert an NS RR into the sitefinder redirection. if they do, and if bind's user community still wants to avoid sitefinder, they can declare the second server "bogus", with no new code changes from isc. but that all seems terribly unlikely.
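The scenario discussed in the message above, modelled as an added example (not code from this thread, from ISC, or from BIND): a resolver-side filter that accepts only delegations from a TLD server, plus an operator-maintained "bogus" server list for the NS-based variant. The `Response` class, the function name, the result labels and all names and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """Constructed stand-in for a parsed response from a TLD server."""
    answer: list = field(default_factory=list)     # (owner, rtype, rdata)
    authority: list = field(default_factory=list)  # (owner, rtype, rdata)
    glue: dict = field(default_factory=dict)       # NS name -> address

def filter_tld_response(resp, zone, bogus=frozenset()):
    """Classify a response from a zone expected to hold only delegations."""
    apex = "." + zone.strip(".").lower()
    # Records in the answer section were synthesized by the TLD zone itself
    # (for example from a wildcard A), so the name is treated as nonexistent.
    if resp.answer:
        return ("NXDOMAIN", [])
    # A referral carries NS records owned by a name below the zone apex.
    targets = [rdata for owner, rtype, rdata in resp.authority
               if rtype == "NS" and owner.rstrip(".").lower().endswith(apex)]
    if not targets:
        return ("NXDOMAIN", [])
    # Simplification: only servers with glue are considered; addresses the
    # operator has listed as bogus are never queried.
    usable = [resp.glue[t] for t in targets
              if t in resp.glue and resp.glue[t] not in bogus]
    return ("REFERRAL", usable) if usable else ("NO_USABLE_SERVER", [])

# Constructed sample responses (documentation address ranges, invented names).
LEGIT = Response(authority=[("example.com.", "NS", "ns1.example.com.")],
                 glue={"ns1.example.com.": "192.0.2.53"})
WILDCARD_A = Response(answer=[("nosuchname-xyz.com.", "A", "198.51.100.10")])
WILDCARD_NS = Response(
    authority=[("nosuchname-xyz.com.", "NS", "ns.catchall.example.")],
    glue={"ns.catchall.example.": "203.0.113.7"})

if __name__ == "__main__":
    for label, r in [("legit", LEGIT), ("wildcard A", WILDCARD_A),
                     ("wildcard NS", WILDCARD_NS)]:
        print(label, filter_tld_response(r, "com"),
              filter_tld_response(r, "com", bogus={"203.0.113.7"}))
```

The delegation check alone passes the NS-based catch-all as an ordinary referral; only the bogus list changes the outcome for that case.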
On Wed, 17 Sep 2003, Paul Vixie wrote:
So, Verisign just returns a NS pointer to another name server Verisign controls which then answers the queries with Verisign's "helpful" web site.
Half-life of the patch: 1 day?
i don't think so. verisign is on public record as saying that the reason they implemented the wildcard was to enhance the services offered to the internet's eyeball population, who has apparently been clamouring for this.
Verisign is on public record as saying many things over the years.
Following Internet Standards and to improve performance for all Internet users, what if Verisign decided to start including other A records directly in the .COM/.NET zones? For example, the A records for the servers for the .COM/.NET zones? Or "interesting" sites that Verisign has a relationship with? What would it do to website's Keynote performance to eliminate another name lookup by having their www.something.com records served directly from Verisign's gtld-servers?
Of course, ISC's non-standard BIND change will break Verisign's attempt to "improve" the Internet's performance by including A records in the .COM/.NET zones.
Verisign's lobbyists are 3,000 miles closer to Washington DC than ISC's lobbyists. And history has demonstrated what Verisign lacks in Internet clue, they make up for in Washington clue. I wouldn't be surprised if tomorrow, Verisign is playing the victim and calling ISC the out-of-control hooligans.
On Wed, Sep 17, 2003 at 01:39:56AM -0400, Sean Donelan wrote:
I wouldn't be surprised if tomorrow, Verisign is playing the victim and calling ISC the out-of-control hooligans.
Paul an out of control hooligan, say it isn't so ! :)
Actually I'd trust ISC/Vixie/ to always do the real right thing when it comes to root-ops and global DNS. and I'd trust the Verisign people that run A and J to do reasonable things with those boxes. They are good people, when they wear those hats.
I'd almost never trust Verisign to do what's right for the public / internet when it comes to dealing with .COM, .NET and such. That's their cash cow and they will milk it for all its worth, and then some.
speaking as a shareholder of Verisign, I'm NOT HAPPY with the way they handled this wildcard deal, nor am I happy about them doing it all. As a *shareholder* I'd cast my vote that they *remove* it.
On Wed, 17 Sep 2003, John Brown wrote:
speaking as a shareholder of Verisign, I'm NOT HAPPY with the way they handled this wildcard deal, nor am I happy about them doing it all. As a *shareholder* I'd cast my vote that they *remove* it.
You have no control over operations of the company. However, you may vote Verisign officers out of the office... if you can get other shareholders to see the benefits of giving business ethics preference over short-term profits.
--vadim
On Wed, 17 Sep 2003, Sean Donelan wrote:
What would it do to website's Keynote performance to eliminate another name lookup by having their www.something.com records served directly from Verisign's gtld-servers?
Now, that would be a real problem, considering the person who owns something.com is a good friend of mine, and hosts it on my servers. If they start touching actual registered and in-use domains I believe they will lose their contract. :-)
(Which also means PLEASE don't use something.com to test !)
-Chris
==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
On Wed, Sep 17, 2003 at 05:13:45AM +0000, Paul Vixie wrote:
therefore i believe that while they may have to change the A RR from time to time according to their transit contracts, verisign won't insert an NS RR into the sitefinder redirection. if they do, and if bind's user community still wants to avoid sitefinder, they can declare the second server "bogus", with no new code changes from isc. but that all seems terribly unlikely.
I for one expect a small arms race over this - I'm not implementing the end-all solution quite yet as I expect some further moves by VRSN.
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
On Wed, 17 Sep 2003, Paul Vixie wrote:
i don't think so. verisign is on public record as saying that the reason they implemented the wildcard was to enhance the services offered to the internet's eyeball population, who has apparently been clamouring for this.
My question is, if this was to serve some need of internet users, why does port 25 work and not port 80?
So, I'm curious as to your opinion about the bigger issue. Maybe it has been stated somewhere else, and if it has, please direct me to it.
I've read all of your posts about this on nanog, and you do an excellent job of staying neutral. You point out that what Verisign is doing is technically valid and therefore shouldn't be addressed with a technical "solution", but you also release a patch for Bind to accommodate obvious demand (and to save users the hassle of implementing half-assed patches with hardcoded A records). However, you do so without actually stating whether or not you think the wildcards are a (policy) problem or not.
You point out that there is high-level ambiguity about the relationship between DOC, ICANN, and Verisign, and about whether or not Verisign should have the public's interest in mind.
Do you think they should have the public's interest in mind? And do you think the wildcards are in the public's interest?
I can certainly empathize with wanting to stay neutral, but I think we need somebody who carries substantial influence in the name resolution community to have strong opinions about such a poor policy decision.
Andy
---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
participants (7): Andy Dills, bert hubert, Christopher X. Candreva, John Brown, Paul Vixie, Sean Donelan, Vadim Antonov