[IP] VeriSign prepares to relaunch "Site Finder" -- calls technologists "biased"
From Dave Farber's IP list...

---------------------------

http://www.washingtonpost.com/wp-dyn/articles/A25819-2004Feb9_2.html

VeriSign Reconsiders Search Service

"Site Finder was not controversial with users, 84 percent of whom said they liked it as a helpful navigation service," said Tom Galvin, VeriSign's vice president of government relations. "We continue to look at ways we can offer the service while addressing the concerns that were raised by a segment of the technical community."

Galvin said that the continued opposition stems from "an ideological belief by a narrow section of the technological community who don't believe you should innovate the core infrastructure of the Internet."

Critics also claim that VeriSign must run the domains as a public trust, not a profit-making opportunity. VeriSign is the sole operator of the dot-com and dot-net registries under a contract with ICANN.

"I don't begrudge them their profit, but someone in an effectively regulated monopoly position shouldn't use their power for their own profit, beyond the terms under which the community gave it to them," said Steven Bellovin, co-director of the Internet Engineering Task Force's Security Area.

Paul Rothstein, a law professor at Georgetown University and a paid VeriSign consultant, said that the critics have some legitimate objections but others are motivated by the scientific and technology communities' "bias on policy."

Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.

ICANN will reserve judgment until VeriSign decides to relaunch Site Finder, said General Counsel John Jeffrey. VeriSign assured ICANN that it would give 60 to 90 days' warning to resolve any remaining technological problems, Jeffrey said.

In the meantime, ICANN is waiting for a final report on Site Finder from its Security and Stability Advisory Committee. Committee Chairman Steve Crocker said he doubts that Site Finder can be changed enough that it won't threaten the Internet's underlying infrastructure.

"I thought people were relieved that they took it down and it's hard to believe that there would be any quietness if they brought it back," Crocker said.

<SNIP>

_____Related Coverage_____
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A57670-2003Oct7.html> VeriSign Service Spawns More Criticism (washingtonpost.com, Oct 7, 2003)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A42107-2003Oct3.html> VeriSign Agrees To Shut Down Search Service (The Washington Post, Oct 4, 2003)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A64437-2003Sep25.html> With Site Finder, VeriSign Sparks Internet-wide Criticism (washingtonpost.com, Sep 25, 2003)

_____ICANN Headlines_____
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A13538-2004Feb4.html> Congress Eyes Internet Fraud Crackdown (washingtonpost.com, Feb 4, 2004)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A23641-2004Jan16.html> XO Owner Again Bids For Telecom (The Washington Post, Jan 17, 2004)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A47327-2003Dec8.html> U.N. Sets Aside Debate Over Control of Internet (The Washington Post, Dec 9, 2003)
<http://www.washingtonpost.com/wp-dyn/technology/techpolicy> Tech Policy Section

-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/

------------- End Forwarded Message -------------

-------------------------------------------------------------------
Gregory Hicks               | Principal Systems Engineer
Cadence Design Systems      | Direct: 408.576.3609
555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400
San Jose, CA 95134          | Internet: ghicks@cadence.com

"The trouble with doing anything right the first time is that nobody appreciates how difficult it was."

When a team of dedicated individuals makes a commitment to act as one... the sky's the limit.

Just because "We've always done it that way" is not necessarily a good reason to continue to do so... Grace Hopper, Rear Admiral, United States Navy
Galvin said that the continued opposition stems from "an ideological belief by a narrow section of the technological community who don't believe you should innovate the core infrastructure of the Internet."
Again, the close knit community responds:

INNOVATE THIS!

[ASCII art figure]
If they give us 90 days headstart, by the time it's supposed to start it'd be blocked everywhere and Microsoft and Netscape would have released a fix to redirect users to the page of their choice. If 90 days is not enough to release such updates to software, lawyers can make sure it's delayed in court long enough so that everyone is ready to block it.

But I don't think we need to spend OUR resources to create application workaround for the problem that does not need to exist in the first place!

On Mon, 9 Feb 2004, Gregory Hicks wrote:
From Dave Farber's IP list...
---------------------------
http://www.washingtonpost.com/wp-dyn/articles/A25819-2004Feb9_2.html
VeriSign Reconsiders Search Service
"Site Finder was not controversial with users, 84 percent of whom said they liked it as a helpful navigation service," said Tom Galvin, VeriSign's vice president of government relations. "We continue to look at ways we can offer the service while addressing the concerns that were raised by a segment of the technical community."
Galvin said that the continued opposition stems from "an ideological belief by a narrow section of the technological community who don't believe you should innovate the core infrastructure of the Internet."
Critics also claim that VeriSign must run the domains as a public trust, not a profit-making opportunity. VeriSign is the sole operator of the dot-com and dot-net registries under a contract with ICANN.
"I don't begrudge them their profit, but someone in an effectively regulated monopoly position shouldn't use their power for their own profit, beyond the terms under which the community gave it to them," said Steven Bellovin, co-director of the Internet Engineering Task Force's Security Area.
Paul Rothstein, a law professor at Georgetown University and a paid VeriSign consultant, said that the critics have some legitimate objections but others are motivated by the scientific and technology communities' "bias on policy."
Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.
ICANN will reserve judgment until VeriSign decides to relaunch Site Finder, said General Counsel John Jeffrey. VeriSign assured ICANN that it would give 60 to 90 days' warning to resolve any remaining technological problems, Jeffrey said.
In the meantime, ICANN is waiting for a final report on Site Finder from its Security and Stability Advisory Committee. Committee Chairman Steve Crocker said he doubts that Site Finder can be changed enough that it won't threaten the Internet's underlying infrastructure.
"I thought people were relieved that they took it down and it's hard to believe that there would be any quietness if they brought it back," Crocker said.
<SNIP>
_____Related Coverage_____ <http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A57670-2003Oct7.html> VeriSign Service Spawns More Criticism (washingtonpost.com, Oct 7, 2003)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A42107-2003Oct3.html> VeriSign Agrees To Shut Down Search Service (The Washington Post, Oct 4, 2003) <http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A64437-2003Sep25.html> With Site Finder, VeriSign Sparks Internet-wide Criticism (washingtonpost.com, Sep 25, 2003)
_____ICANN Headlines_____
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A13538-2004Feb4.html> Congress Eyes Internet Fraud Crackdown (washingtonpost.com, Feb 4, 2004)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A23641-2004Jan16.html> XO Owner Again Bids For Telecom (The Washington Post, Jan 17, 2004)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A47327-2003Dec8.html> U.N. Sets Aside Debate Over Control of Internet (The Washington Post, Dec 9, 2003)
<http://www.washingtonpost.com/wp-dyn/technology/techpolicy> Tech Policy Section
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/
------------- End Forwarded Message -------------
------------------------------------------------------------------- Gregory Hicks | Principal Systems Engineer Cadence Design Systems | Direct: 408.576.3609 555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400 San Jose, CA 95134 | Internet: ghicks@cadence.com
"The trouble with doing anything right the first time is that nobody appreciates how difficult it was."
When a team of dedicated individuals makes a commitment to act as one... the sky's the limit.
Just because "We've always done it that way" is not necessarily a good reason to continue to do so... Grace Hopper, Rear Admiral, United States Navy
"Gregory" == Gregory Hicks <ghicks@cadence.com> writes:
Gregory> From Dave Farber's IP list...
Gregory> VeriSign Reconsiders Search Service

This is an interesting suggestion that I saw on another list. It may or may not be feasible, but it is certainly interesting, I must say.

srs
There's an easy way to kill sitefinder stone cold dead.
ICANN is entitled to a cut of every domain registered - IIRC it's about $5
By wildcarding *.com, every typoed domain is being created by Verisign on the fly - and ICANN should be entitled to their pound of flesh.
It would be trivial to create a bot to start walking through every possible 20 letter domain name - and if ICANN held them to the rules, Verisign would be rather poorer in short order.
This should be rather easier than trying to litigate sitefinder out of existence and I feel it would work within the existing contract structure.
This is an interesting suggestion that I saw on another list. It may or may not be feasible, but it is certainly interesting, I must say.
why? that is, why kill sitefinder? there's been plenty of invective on both sides, and a lot of unprofessional behaviour toward verisign employees at a recent nanog meeting, which tends to bolster verisign's claim that only the outlying whackos are actually opposed to sitefinder. this is nanog@. if you think sitefinder poses an operational problem then please describe it (dispassionately). if you think there is an operational thing that ought to be done in response to sitefinder, then please describe that (dispassionately). the response you included...
There's an easy way to kill sitefinder stone cold dead. ... It would be trivial to create a bot to start walking through every possible 20 letter domain name - and if ICANN held them to the rules, Verisign would be rather poorer in short order.
...does not describe an operational problem, and gives a financial remedy. -- Paul Vixie
Paul Vixie wrote:
why? that is, why kill sitefinder? there's been plenty of invective on both sides, and a lot of unprofessional behaviour toward verisign
As I said, the measure may or may not be feasible - in fact, given that the domains are not registered, it most certainly is not feasible.
this is nanog@. if you think sitefinder poses an operational problem then please describe it (dispassionately). if you think there is an operational thing that ought to be done in response to sitefinder, then please describe that (dispassionately). the response you included...
You are of course right. The problem posed by sitefinder in its previous form has been discussed already, and our bind / djbdns resolvers have been patched appropriately to ignore the aberrant behavior introduced by verisign. There ends the operational impact of verisign's decision, till such time as they revive sitefinder, and till such time as resolver patches in existence are modified if necessary to cope with the new edition of sitefinder. regards -srs
--On Tuesday, February 10, 2004 10:21 +0530 Suresh Ramasubramanian <suresh@outblaze.com> wrote: <>
You are of course right. The problem posed by sitefinder in its previous form has been discussed already, and our bind / djbdns resolvers have been patched appropriately to ignore the aberrant behavior introduced by verisign.
There ends the operational impact of verisign's decision, till such time as they revive sitefinder, and till such time as resolver patches in existence are modified if necessary to cope with the new edition of sitefinder.
But that's a HUGE operational impact. Now we're all expected to go around and run patched versions of our resolvers or nameservers to get around a company using shady tactics to just increase its bottom line! Let's say it takes on average about 10 minutes per machine to do the necessary changes, I'll have to spend several hours installing patched software for something that is harmful. They remove the ONLY method for testing if a domain exists or not, and certainly the only 'lightweight' method.

Not to mention there is no guarantee the patch will continue to work. We already know of a few ways in which it can break, and anything we do to get around those surely introduces maintenance or other headaches. Who's going to pay me to maintain these parts of systems that until now just worked? Who's going to pay any of us? Not VeriSign. But they'll be making quite likely millions off of the hijacked hits. So I ask again, who's going to pay for my time to that? Last time they turned this thing on globally I also spent at least two hours on the phone trying to explain it to various users.

And what about the systems or platforms that *CAN'T* be patched? What about systems that have long depended on the way things are supposed to work?

-- Michael Loftis
At 08:51 PM 2/9/2004, Suresh Ramasubramanian wrote:
till such time as resolver patches in existence are modified if necessary to cope with the new edition of sitefinder.
Suresh, You clearly aren't having enough fun playing Whack-A-Mole with spammers, now you get to play Whack-A-Mole with Verisign too! jc -- p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
On Tue, 10 Feb 2004 04:37:09 GMT, Paul Vixie <vixie@vix.com> said:
this is nanog@. if you think sitefinder poses an operational problem then please describe it (dispassionately). if you think there is an operational thing that ought to be done in response to sitefinder, then please describe that (dispassionately). the response you included...
Has Verisign published an in-depth technical discussion of what they are thinking of deploying, including details such as what happens to MX entries, what they intend to do with mail misrouted to them, and so on? (Yes, that's an operational issue - if they are harvesting and selling a list of known-good From: addresses on misrouted mail, this will eventually end up adding to spam - and that's operational)
(Yes, that's an operational issue - if they are harvesting and selling a list of known-good From: addresses on misrouted mail, this will eventually end up adding to spam - and that's operational)
Site Finder on its own added to spam; spam volumes increased as the number of "sender domain does not resolve" bounces dropped away. Also customers' sending addresses no longer underwent this simple sanity check as all domain misspellings resolved.

Although a solution to that part may be a second wildcard:

*.com. IN MX 127.0.0.1

Mailers changed to drop mail for hosts MX'd to 127.0.0.1

This would also fix even more spam -- as people are swamped by spam bounces they sometimes change their own MX to 127.0.0.1. So adding a 127.0.0.1 check to the nonexistent domain check would actually be useful on its own and mean the wildcard A record wouldn't have the negative impact on email. But it would take some time for people to roll out new mailers/configs with the new rule if it was to be a solution.

David.
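The sender-domain check described in the message above, modeled offline as an added example (not part of the original post or of any mailer's code): a dict-based toy zone with wildcard matching stands in for DNS. The zone contents, the 192.0.2.x addresses, the typo domain and every function name are constructed for illustration.

```python
import ipaddress

NXDOMAIN = "NXDOMAIN"  # sentinel: the name does not exist at all
ACCEPT = "accept"
REJECT_NXDOMAIN = "reject: sender domain does not resolve"
REJECT_LOOPBACK = "reject: MX points at loopback"


def lookup(zone, name, rtype):
    """Answer name/rtype from a dict zone, applying DNS wildcard matching.

    Returns a list of values, [] when the name exists without that type
    (NODATA), or NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name].get(rtype, [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        wildcard = zone.get("*." + parent)
        if wildcard is not None:      # synthesized answer: never NXDOMAIN
            return wildcard.get(rtype, [])
        if parent in zone:            # closest existing ancestor, no wildcard
            break
    return NXDOMAIN


def is_loopback_exchange(zone, exchange):
    """True if an MX target is a loopback literal or resolves only to loopback."""
    try:
        return ipaddress.ip_address(exchange).is_loopback  # literal, as in the post
    except ValueError:
        addrs = lookup(zone, exchange, "A")
        if addrs == NXDOMAIN or not addrs:
            return False
        return all(ipaddress.ip_address(a).is_loopback for a in addrs)


def sender_domain_verdict(zone, domain, reject_loopback_mx=False):
    """Mailer-side sanity check on the envelope sender's domain."""
    mx = lookup(zone, domain, "MX")
    if mx == NXDOMAIN:
        return REJECT_NXDOMAIN
    if mx:
        if reject_loopback_mx and all(
            is_loopback_exchange(zone, exch) for _pref, exch in mx
        ):
            return REJECT_LOOPBACK
        return ACCEPT
    # No MX: SMTP falls back to the address record, so a wildcard A is enough.
    a = lookup(zone, domain, "A")
    return ACCEPT if a != NXDOMAIN and a else REJECT_NXDOMAIN


# Constructed, flattened view of resolvable data under .com (not a real zone file).
BASE = {
    "com": {"NS": ["ns.tld-servers.example"]},
    "example.com": {"MX": [(10, "mail.example.com")]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    # A domain whose owner sinkholed its own mail, as the post mentions.
    "swamped.example.com": {"MX": [(0, "localhost.swamped.example.com")]},
    "localhost.swamped.example.com": {"A": ["127.0.0.1"]},
}
# 192.0.2.1 is a placeholder for the wildcard landing host.
WILDCARD_A = {**BASE, "*.com": {"A": ["192.0.2.1"]}}
WILDCARD_A_MX = {**BASE, "*.com": {"A": ["192.0.2.1"], "MX": [(0, "127.0.0.1")]}}

TYPO = "exmaple.com"  # constructed misspelling of the sender domain


def run_scenarios():
    """Verdict for each combination of zone state and mailer rule."""
    return {
        "no wildcard": sender_domain_verdict(BASE, TYPO),
        "wildcard A": sender_domain_verdict(WILDCARD_A, TYPO),
        "wildcard A + MX, old mailer": sender_domain_verdict(WILDCARD_A_MX, TYPO),
        "wildcard A + MX, new rule": sender_domain_verdict(
            WILDCARD_A_MX, TYPO, reject_loopback_mx=True),
        "real domain": sender_domain_verdict(
            WILDCARD_A_MX, "example.com", reject_loopback_mx=True),
        "self-sinkholed": sender_domain_verdict(
            WILDCARD_A_MX, "swamped.example.com", reject_loopback_mx=True),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:30} {verdict}")
```

The "old mailer" row is the rollout caveat from the post: until the loopback rule is deployed, the second wildcard changes nothing for that mailer.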
On Tue, 10 Feb 2004, David Luyer wrote:
Site Finder on its own added to spam; spam volumes increased as the number of "sender domain does not resolve" bounces dropped away.
That is a myth: http://www.xtdnet.nl/paul/spam/graphs/versign.png

If you want to blame spam on a single corporation, the graphs clearly show to blame microsoft. Besides, they have more money than Verisign anyway :)

Paul
On Tue, 10 Feb 2004, David Luyer wrote:
Site Finder on its own added to spam; spam volumes increased as the number of "sender domain does not resolve" bounces dropped away.
That is a myth: http://www.xtdnet.nl/paul/spam/graphs/versign.png
If you want to blame spam on a single corporation, the graphs clearly show to blame microsoft. Besides, they have more money than Verisign anyway :)
Paul
Were you or any of your upstream resolvers implementing the patch during that window? If so that may skew the results.

Joshua Coombs
Paul Wouters wrote:
On Tue, 10 Feb 2004, David Luyer wrote:
Site Finder on its own added to spam; spam volumes increased as the number of "sender domain does not resolve" bounces dropped away.
That is a myth: http://www.xtdnet.nl/paul/spam/graphs/versign.png
If you want to blame spam on a single corporation, the graphs clearly show to blame microsoft. Besides, they have more money than Verisign anyway :)
Perhaps you didn't (or don't) use a filter that header checks the domain in the envelope. We did, and we had a tremendous increase in spam allowed through the servers. It receded as soon as we installed the BIND fix (as I've posted to the list at that time). -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Speaking on Deep Background, the Press Secretary whispered:
why? that is, why kill sitefinder? there's been plenty of invective on both sides, and a lot of unprofessional behaviour toward verisign employees at a recent nanog meeting, which tends to bolster verisign's claim that only the outlying whackos are actually opposed to sitefinder.
Well, as I got my name in lights for saying at the 2nd meeting... Of the ?8 problems they admitted to, Verisign would have to fix two, and the rest of us six. Thus, SiteFinder was an unfunded mandate on us. I suggest you bill VS for your time, each and every one of us... -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
: this is nanog@. if you think sitefinder poses an operational problem : then please describe it (dispassionately). if you think there is an : operational thing that ought to be done in response to sitefinder, then : please describe that (dispassionately). the response you included... I brought this issue up (dispassionately) offline at the last NANOG conference. As most everyone knows, the Windows resolver has its share of problems under the hood. Well, we ran into a rather interesting glitch when Verisign did away with the NXDOMAIN. In our internal enterprise, we have DNS search suffixes defined on client workstations. If a user enters a plain hostname it will impute the suffixes automatically to find a matching winner within the various internal subdomains. Never had a problem with it prior to this. However, Microsoft's imputing implementation has an undocumented flaw (at least from the command line that we could determine). If you enter more than 5 search suffixes, the MS resolver, at least in NT and 2000, demonstrates irrational behavior. In this scenario, the resolver will actually append all of the search suffixes, instead of just one at a time, and make one big request with all the domains separated by commas. In our case we had 6 search suffix entries for internal subdomains and the root domain. When a request was made for a plain hostname, the client would send a request that looked like: plainhostname.a.domain.com,b.domain.com,c.domain.com,d.domain.com.e.domain.com,domain.com When our internal DNS server received the request it parsed the root domain as com,domain.com. Our DNS servers, of course, would end up forwarding the request out to the root servers and then receive back the lovely Sitefinder IP address, instead of NXDOMAIN. We actually lost quite a bit of time in remote troubleshooting during an application test out of Amsterdam the day Sitefinder came online because of this issue. 
We were making internal DNS changes for a test and using dynamic DNS. We were having a user run nslookups from the command line and they kept getting back the bogus Sitefinder address, which we couldn't figure out where it was coming from. (It can pay to stay current on this list) Oddly, the browser still resolved the name correctly in the end and was able to function, even though command line still showed this very strange behavior. When NXDOMAIN returned, the issue disappeared and we haven't tested it again. -- Scott Savage scott(at)thewaystation.com www.thewaystation.com Random Quote: Strange Laws: It is against the law for a monster to enter the corporate limits of Urbana, Illinois.
On Tuesday, February 10, 2004 1:02 AM [GMT-5=EST], Scott Savage <scott@thewaystation.com> wrote:
When NXDOMAIN returned, the issue disappeared and we haven't tested it again.
I can confirm this same type of issue with several clients of mine that run microsoft networking stuff, suddenly were unable to locate devices on the network (like printers and NT file servers) as soon as the Verisign sitefinder stuff came online. I'll have to let my clients know who to bill when they do this again :-)

Actually, I wrote about a lot of the issues in my paper at: http://www.sosdg.org/papers/VSGNWCD.html

It's not really geared to technical people, but might be useful if talking to end users about the problems associated with sitefinder. Should probably update it with some of the newer issues I've been finding.

Unfortunately, when you talk about SiteFinder, what ends up happening is that you can't avoid the financial end of it. There is no technical reason why SiteFinder needs to exist. It is purely a financial reason why SiteFinder exists. If they weren't concerned about money, Verisign would be offering all of the other registrars an opportunity to get involved too, and they wouldn't be selling ads on the site and paid search listings. AOL, MSN, and god knows how many other ISPs implement this internally on their networks without affecting the rest of the world.

Of course, I already know that Verisign is going to start saying that you can opt-out of it this time around and how it won't break everything again. We all know that their claims are, well, full of crap. But, it's going to end up being how fast Verisign can spin it in their favor. I mean, look at SCO, and compare it to what Verisign is doing. They both don't seem to care how the rest of the world views them, and don't seem to have a problem turning the rest of the world against themselves. Of course, neither realizes that because of their actions, they will face opposition for the rest of their existence. People don't just forget stuff like this. Especially not when it happens multiple times.

Anyways, enough of my moaning about the problem for now.
If anyone has any real life examples and stories they'd like to share with me so I can add to my paper on the SiteFinder issue, let me know offlist, and I'll add it. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
[I'm sure that Paul Vixie knows the difference but others may not and the Washington Post paper, mentioned at the beginning of the thread, was quite confused.] On Tue, Feb 10, 2004 at 04:37:09AM +0000, Paul Vixie <vixie@vix.com> wrote a message of 22 lines which said:
why? that is, why kill sitefinder?
Nobody suggested to kill SiteFinder. Despite Verisign's lies, SiteFinder is alive and well (well, Verisign suppressed the A record for sitefinder.versigin.com but it is their decision, they could recreate the A record at anytime) and never stopped. Anyone is free to create a Sitefinder-like service if they want. Many people opposed WILDCARDS in ".com", not SiteFinder. The bad action was not to launch SiteFinder, it was to add wildcards.
there's been plenty of invective on both sides, and a lot of unprofessional behaviour toward verisign employees at a recent nanog meeting,
Wake up: the Internet is no longer a commune of happy geeks working together for a common goal. It is now a social infrastructure and there are fights for its control. There is no longer any reason to be nice with everybody, specially with people trying to divert the common resource for their own profit.
Date sent: Tue, 10 Feb 2004 09:51:38 +0100 From: Stephane Bortzmeyer <bortzmeyer@nic.fr> To: nanog@merit.edu Subject: Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls Organization: NIC France
there are fights for its control. There is no longer any reason to be nice with everybody, specially with people trying to divert the common resource for their own profit.
You are right. So, how do you explain that NIC France accepts the use of linux.fr to someone who pretends to be the author & proprietary of the name "linux" and who IS NOT Linus Torvalds? This is contravening the French law [CPI L 711-4]. Why to be so nice with "people trying to divert the common resource for their own profit." ?

Guy Coslado. http://www.coslado.com Bots & Smart Agents Pour la Guilde des metiers du logiciel: admin@fr.scguild.org http://www.fr.scguild.com
At 08:37 PM 2/9/2004, Paul Vixie wrote:
the response you included...
There's an easy way to kill sitefinder stone cold dead. ... It would be trivial to create a bot to start walking through every possible 20 letter domain name - and if ICANN held them to the rules, Verisign would be rather poorer in short order.
...does not describe an operational problem, and gives a financial remedy.
It's apparent that some of today's network operation problems simply do not have an "operational" solution - but these problems are still network operational in nature even if the solution is not operational in nature. Take spam, for example. We are mere weeks from the 10 year anniversary of Canter and Siegel's green card spam of April 1994. The network operations community has been trying to develop and implement an "operational fix" for this problem ever since; instead the problem exponentially grows worse. It has become clear that the only possible technical solution to spam will be one that replaces our present Simple Mail Transport Protocol with something else - something certainly less simple - even if it's just an end-to-end authentication protocol laid over the present SMTP. Just as Canter and Siegel's green card spam was a novel way to (ab)use SMTP for Canter and Siegel's profit, ten years later Verisign develops Sitefinder [1] - a novel way to (ab)use DNS requests for Verisign's profit. Both are abuses because they break the existing protocol - making it less functional for those who use it the way it was designed to be used. Both require that network operators patch their systems to try to keep the abuse from negatively impacting their networks. Just as spammers keep on finding ways around the anti-spam patches, expect to see Verisign find and implement new ways around anti-Sitefinder "patches". Whack-A-Mole over DNS, here we come. Those who do not know their history are doomed to repeat it. I believe that there is no good "operational" way to solve either problem. It is my opinion that we will not solve the spam problem until we do one of two things: Change the protocol so that spam is simply no longer possible, or change the financial cost of spam via legal remedies (fines and jail terms) worldwide, along with courage and resolve to enforce those remedies (worldwide). 
It is also my opinion that we will not solve the Sitefinder problem without resorting to a similar financial sword, as Verisign has shown no signs of caring what the operational community says about the wisdom of their breaking this key fundamental infrastructure protocol for their selfish corporate financial gain. Changing DNS worldwide so that Sitefinder is impossible would be impossibly and horribly painful - we haven't managed to change email to a secure protocol despite 10 years of abuse so what chance do we have of changing DNS? The biggest problem with the proposed "financial" solution is that it assumes that ICANN has the courage and resolve to enforce their contract with Verisign. If ICANN was interested in firmly enforcing their contract with Verisign, they could simply yank the root database management contract from Verisign, citing the several well documented instances of Verisign failing to properly manage this public resource as a public trust and instead using it as their "owned" property. In reality, ICANN is useless and powerless because key people do not have the courage or resolve to take strong action when strong action is clearly called for. If this isn't a call to arms to everyone in the operational community to take back control over ICANN, I don't know what is. jc [1] Where I use "Sitefinder", I am referring to Verisign's entire project of adding wildcard records to .com and then pointing all the NXDOMAIN domain records to the Sitefinder service. -- p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
nanog@vo.cnchost.com (JC Dill) writes:
Just as Canter and Siegel's green card spam was a novel way to (ab)use SMTP for Canter and Siegel's profit, ten years later Verisign develops Sitefinder [1] - a novel way to (ab)use DNS requests for Verisign's profit. ...
while i won't fault your analogy on structural grounds, i challenge it on factual grounds. the c&s green card imbroglio came from nntp, not smtp.
I believe that there is no good "operational" way to solve either problem.
and yet, the place to discuss non-operational solutions is not nanog@. i suspect that you will find plenty of places to make your proposals, wherein many other people will also make their own proposals, with nobody reading anybody else's proposals. sort of like here, except politics not operations. -------- wb8foz@nrk.com (David Lesher) writes:
... Thus, SiteFinder was an unfunded mandate on us.
while i think that's a true statement i don't think it goes far enough. in the washpost article the other day some looney fringe technical zealot said: "This is a form of theft by most legal definitions, if you're going to shift costs unilaterally toward another group of people to increase your own profits. It's certainly unethical and immoral and it would be illegal if you were to do it with physical goods." -- Paul Vixie
At 04:25 PM 2/10/2004, Paul Vixie wrote:
nanog@vo.cnchost.com (JC Dill) writes:
Just as Canter and Siegel's green card spam was a novel way to (ab)use SMTP for Canter and Siegel's profit, ten years later Verisign develops Sitefinder [1] - a novel way to (ab)use DNS requests for Verisign's profit. ...
while i won't fault your analogy on structural grounds, i challenge it on factual grounds. the c&s green card imbroglio came from nntp, not smtp.
Yes, the Green Card spam of 4/94 was on usenet, my bad. But in early 1994 *email* spam also became a problem. I've found various references that say email spam started becoming a problem in January 1994 (starting with the "Global Alert for All: Jesus is Coming" spam to usenet, followed by email spam), and in April 1994 (starting with C&S's Green Card spam to usenet, followed by email spam). I can't pin down an exact date or email for the first unsolicited bulk/commercial email spam spew of 1994 - I keep on finding cites to the "first spam" referring back to the DEC spam on ARPANET in 1978. <http://www.templetons.com/brad/spamterm.html> <http://www.templetons.com/brad/spamreact.html> In any event, UCE/UBE email spam was clearly a big problem by July 1994 when it was the topic of a Time Magazine article: "Battle for the Soul of the Internet", by Philip Elmer-Dewitt TIME Domestic, July 25, 1994 Volume 144, No. 4 It is 2004 now, and we have not accomplished a single thing to actually stop the exponentially increasing spew of spam.
I believe that there is no good "operational" way to solve either problem.
and yet, the place to discuss non-operational solutions is not nanog@. i suspect that you will find plenty of places to make your proposals, wherein many other people will also make their own proposals, with nobody reading anybody else's proposals. sort of like here, except politics not operations.
Are you REALLY saying that:
A) When someone proposes something that will break the operation of the Internet as we know it; and
B) There is no immediately apparent or obvious "operational" solution besides playing Whack-A-Mole with the abuser(s);
C) We shouldn't discuss it here - to attempt to keep it from being implemented or to see if someone discovers a true "operational" solution?
How can we consider the pros and cons of various (operational/social/legal) solutions to network operations problems if we can't discuss and consider *all* possible solutions?
jc
--
p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
I still maintain that what sitefinder is trying to do is not really wrong but it's the wrong way to go about it. This is functionality that is strictly for web users. Why should every other protocol that relies on domain name service be subject to this garbage?
If they want to partner with someone to include functionality in their browser such that if gethostbyname() returns NX Domain and subsequently redirect to that site, this is fine by me. But I don't want everything else (ssh, ftp, smtp, pop, imap, etc, etc, etc) to have to compensate for the wildcard record. Making everyone else adjust just so that Verisign can earn another penny per share is just wrong.
On Tue, Feb 10, 2004 at 04:37:09AM +0000, Paul Vixie wrote:
This is an interesting suggestion that I saw on another list. It may or may not be feasible, but it is certainly interesting, I must say.
why? that is, why kill sitefinder? there's been plenty of invective on both sides, and a lot of unprofessional behaviour toward verisign employees at a recent nanog meeting, which tends to bolster verisign's claim that only the outlying whackos are actually opposed to sitefinder.
this is nanog@. if you think sitefinder poses an operational problem then please describe it (dispassionately). if you think there is an operational thing that ought to be done in response to sitefinder, then please describe that (dispassionately). the response you included...
There's an easy way to kill sitefinder stone cold dead. ... It would be trivial to create a bot to start walking through every possible 20 letter domain name - and if ICANN held them to the rules, Verisign would be rather poorer in short order.
...does not describe an operational problem, and gives a financial remedy.
-- Paul Vixie
--- Wayne Bouchard web@typo.org Network Dude http://www.typo.org/~web/
--On Tuesday, February 10, 2004 08:58 -0700 "Wayne E. Bouchard" <web@typo.org> wrote:
I still maintain that what sitefinder is trying to do is not really wrong but it's the wrong way to go about it. This is functionality that is strictly for web users. Why should every other protocol that relies on domain name service be subject to this garbage?
Precisely! Only web users "benefit" from this "service." And you know what? None of my users did. Caused LOTS of confusion. Does anyone know of a way to get Gartner Group, Nielsen, or some other fairly non-biased large group to do an actual poll/study on this in the next couple of months?
If they want to partner with someone to include functionality in their browser such that if gethostbyname() returns NX Domain and subsequently redirect to that site, this is fine by me. But I don't want everything else (ssh, ftp, smtp, pop, imap, etc, etc, etc) to have to compensate for the wildcard record. Making everyone else adjust just so that Verisign can earn another penny per share is just wrong.
We've all been saying this all along....Question is how to make it heard? Who has contacts in the media? Who would be willing to submit to interviews? Etc.
It's totally ridiculous, but this is a political issue being allowed to affect the technical system, and as is almost always the case, it's a miserable failure.
-- Michael Loftis
On Tuesday, February 10, 2004, at 11:24 AM, Michael Loftis wrote:
--On Tuesday, February 10, 2004 08:58 -0700 "Wayne E. Bouchard" <web@typo.org> wrote:
I still maintain that what sitefinder is trying to do is not really wrong but it's the wrong way to go about it. This is functionality that is strictly for web users. Why should every other protocol that relies on domain name service be subject to this garbage?
Precisely! Only web users "benefit" from this "service." And you know what? None of my users did. Caused LOTS of confusion. Does anyone know of a way to get Gartner Group, Nielsen, or some other fairly non-biased large group to do an actual poll/study on this in the next couple of months?
Easy to do if you have $20K+ to pay them.
If they want to partner with someone to include functionality in their browser such that if gethostbyname() returns NX Domain and subsequently redirect to that site, this is fine by me. But I don't want everything else (ssh, ftp, smtp, pop, imap, etc, etc, etc) to have to compensate for the wildcard record. Making everyone else adjust just so that Verisign can earn another penny per share is just wrong.
We've all been saying this all along....Question is how to make it heard? Who has contacts in the media? Who would be willing to submit to interviews? Etc.
It's totally ridiculous, but this is a political issue being allowed to affect the technical system, and as is almost always the case, it's a miserable failure.
-- Michael Loftis
Regards Marshall Eubanks T.M. Eubanks e-mail : marshall.eubanks@telesuite.com http://www.telesuite.com
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
We have been approached by a guy named Mark Lewyn, president Paxfire, Inc., the company he claims created the SiteFinder technology and offered it to Verisign. Based here in the Washington DC area, he now also wants individual ISPs to implement his technology of redirection to a web page for unknown domains as a means of earning click-through revenue, and will split the take 50/50 "when Paxfire gets paid".
As a network operator of a fair-sized regional ISP, as well as operators of arguably the least-expensive nationwide wholesale dial platform for other ISPs to gain nationwide access, we have been approached by Mr. Lewyn on behalf of his company Paxfire Inc. He wants our company to come have meetings at his law firm's offices, consider accepting and implementing his technology at our local DNS server level, and then supposedly share in the rich profits when customers get redirected, possibly to web pages featuring click-through banner ads. He says that this is the exact same technology (more accurately, he said that it was evolved one step further, I think) that he sold or licensed to Verisign and that Verisign refers to as SiteFinder.
Until now, the identity of the technology and marketing partner who created SiteFinder has been kept very confidential, so I was surprised to learn that Mr. Lewyn's company Paxfire Inc. was indeed that partner!
Further, he claims that Vint Cerf himself thinks it is a great idea at the ISP level to do this, and is one of his advisory board supporters.
Naturally, with the fracas of last Sept 2003, we are hesitant to give up any negative caching, essential anti-spam techniques, and suffer other disruptions that such a redirection service may generate within our networks whenever a non-existent domain request results in a redirection.
Is there concern to be raised by network operators over such schemes if deployed at the individual ISP level, particularly if such technology becomes widespread?
Before considering meeting with these guys, we would like to solicit the opinions of this list to be better equipped to say "no" if indeed "no" is the right operational and technological decision for the integrity of our nationwide networks and our interconnection outwards to the rest of the world's networks.
Thanks most sincerely,
Randall Pigott
At 06:11 PM 2/9/2004, you wrote:
From Dave Farber's IP list...
---------------------------
http://www.washingtonpost.com/wp-dyn/articles/A25819-2004Feb9_2.html
VeriSign Reconsiders Search Service
"Site Finder was not controversial with users, 84 percent of whom said they liked it as a helpful navigation service," said Tom Galvin, VeriSign's vice president of government relations. "We continue to look at ways we can offer the service while addressing the concerns that were raised by a segment of the technical community."
Galvin said that the continued opposition stems from "an ideological belief by a narrow section of the technological community who don't believe you should innovate the core infrastructure of the Internet."
Critics also claim that VeriSign must run the domains as a public trust, not a profit-making opportunity. VeriSign is the sole operator of the dot-com and dot-net registries under a contract with ICANN.
"I don't begrudge them their profit, but someone in an effectively regulated monopoly position shouldn't use their power for their own profit, beyond the terms under which the community gave it to them," said Steven Bellovin, co-director of the Internet Engineering Task Force's Security Area.
Paul Rothstein a law professor at Georgetown University and a paid VeriSign consultant, said that the critics have some legitimate objections but others are motivated by the scientific and technology communities' "bias on policy."
Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.
ICANN will reserve judgment until VeriSign decides to relaunch Site Finder, said General Counsel John Jeffrey. VeriSign assured ICANN that it would give 60 to 90 days' warning to resolve any remaining technological problems, Jeffrey said.
In the meantime, ICANN is waiting for a final report on Site Finder from its Security and Stability Advisory Committee. Committee Chairman Steve Crocker said he doubts that Site Finder can be changed enough that it won't threaten the Internet's underlying infrastructure.
"I thought people were relieved that they took it down and it's hard to believe that there would be any quietness if they brought it back," Crocker said.
<SNIP>
_____Related Coverage_____ <http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A57670-2003Oct7.html> VeriSign Service Spawns More Criticism (washingtonpost.com, Oct 7, 2003)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A42107-2003Oct3.html> VeriSign Agrees To Shut Down Search Service (The Washington Post, Oct 4, 2003) <http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A64437-2003Sep25.html> With Site Finder, VeriSign Sparks Internet-wide Criticism (washingtonpost.com, Sep 25, 2003)
_____ICANN Headlines_____
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A13538-2004Feb4.html> Congress Eyes Internet Fraud Crackdown (washingtonpost.com, Feb 4, 2004)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A23641-2004Jan16.html> XO Owner Again Bids For Telecom (The Washington Post, Jan 17, 2004)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A47327-2003Dec8.html> U.N. Sets Aside Debate Over Control of Internet (The Washington Post,Dec 9, 2003)
<http://www.washingtonpost.com/wp-dyn/technology/techpolicy> Tech Policy Section
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/
------------- End Forwarded Message -------------
------------------------------------------------------------------- Gregory Hicks | Principal Systems Engineer Cadence Design Systems | Direct: 408.576.3609 555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400 San Jose, CA 95134 | Internet: ghicks@cadence.com
"The trouble with doing anything right the first time is that nobody appreciates how difficult it was."
When a team of dedicated individuals makes a commitment to act as one... the sky's the limit.
Just because "We've always done it that way" is not necessarily a good reason to continue to do so... Grace Hopper, Rear Admiral, United States Navy
At the ISP level, there's nothing inherently wrong with this, IMO; AOL and MSN do it already, as does Microsoft. If your customers don't like it, they are capable of voting with their checkbooks, particularly with dial service; with cable and DSL, the waters are a bit muddier because a cable ISP or LEC could have a captive audience.
Verisign's crime against the internet was forcing SiteFinder upon the ENTIRE internet, like it or not, and in the process abusing a resource that had been placed in their care with the trust that it would not be abused for profit.
-C
On Mon, Feb 23, 2004 at 10:58:39AM -0500, Randall Pigott wrote:
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
We have been approached by a guy named Mark Lewyn, president Paxfire, Inc., the company he claims created the SiteFinder technology and offered it to Verisign. Based here in the Washington DC area, he now also wants individual ISPs to implement his technology of redirection to a web page for unknown domains as a means of earning click-through revenue, and will split the take 50/50 "when Paxfire gets paid".
As a network operator of a fair-sized regional ISP, as well as operators of arguably the least-expensive nationwide wholesale dial platform for other ISPs to gain nationwide access, we have been approached by Mr. Lewyn on behalf of his company Paxfire Inc. He wants our company to come have meetings at his law firm's offices, consider accepting and implementing his technology at our local DNS server level, and then supposedly share in the rich profits when customers get redirected, possibly to web pages featuring click-through banner ads. He says that this is the exact same technology (more accurately, he said that it was evolved one step further, I think) that he sold or licensed to Verisign and that Verisign refers to as SiteFinder.
Until now, the identity of the technology and marketing partner who created SiteFinder has been kept very confidential, so I was surprised to learn that Mr. Lewyn's company Paxfire Inc. was indeed that partner!
Further, he claims that Vint Cerf himself thinks it is a great idea at the ISP level to do this, and is one of his advisory board supporters.
Naturally, with the fracas of last Sept 2003, we are hesitant to give up any negative caching, essential anti-spam techniques, and suffer other disruptions that such a redirection service may generate within our networks whenever a non-existent domain request results in a redirection.
Is there concern to be raised by network operators over such schemes if deployed at the individual ISP level, particularly if such technology becomes widespread?
Before considering meeting with these guys, we would like to solicit the opinions of this list to be better equipped to say "no" if indeed "no" is the right operational and technological decision for the integrity of our nationwide networks and our interconnection outwards to the rest of the world's networks.
Thanks most sincerely,
Randall Pigott
On Mon, 23 Feb 2004 10:58:39 EST, Randall Pigott said:
Is there concern to be raised by network operators over such schemes if deployed at the individual ISP level, particularly if such technology becomes widespread?
They're your customers. This week, anyhow. That's the big difference between the ISP doing it and Verisign doing it - the ISP has a built-in feedback on the idea, since they're doing it to people they have a business relationship with. Verisign did it to people they *didn't* have a direct relationship with....
That's not the point. A failed DNS lookup actually needs to fail, not get redirected.
Curtis
On Mon, 23 Feb 2004, Randall Pigott wrote:
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
We have been approached by a guy named Mark Lewyn, president Paxfire, Inc., the company he claims created the SiteFinder technology and offered it to Verisign. Based here in the Washington DC area, he now also wants individual ISPs to implement his technology of redirection to a web page for unknown domains as a means of earning click-through revenue, and will split the take 50/50 "when Paxfire gets paid".
As a network operator of a fair-sized regional ISP, as well as operators of arguably the least-expensive nationwide wholesale dial platform for other ISPs to gain nationwide access, we have been approached by Mr. Lewyn on behalf of his company Paxfire Inc. He wants our company to come have meetings at his law firm's offices, consider accepting and implementing his technology at our local DNS server level, and then supposedly share in the rich profits when customers get redirected, possibly to web pages featuring click-through banner ads. He says that this is the exact same technology (more accurately, he said that it was evolved one step further, I think) that he sold or licensed to Verisign and that Verisign refers to as SiteFinder.
Until now, the identity of the technology and marketing partner who created SiteFinder has been kept very confidential, so I was surprised to learn that Mr. Lewyn's company Paxfire Inc. was indeed that partner!
Further, he claims that Vint Cerf himself thinks it is a great idea at the ISP level to do this, and is one of his advisory board supporters.
Naturally, with the fracas of last Sept 2003, we are hesitant to give up any negative caching, essential anti-spam techniques, and suffer other disruptions that such a redirection service may generate within our networks whenever a non-existent domain request results in a redirection.
Is there concern to be raised by network operators over such schemes if deployed at the individual ISP level, particularly if such technology becomes widespread?
Before considering meeting with these guys, we would like to solicit the opinions of this list to be better equipped to say "no" if indeed "no" is the right operational and technological decision for the integrity of our nationwide networks and our interconnection outwards to the rest of the world's networks.
Thanks most sincerely,
Randall Pigott
-- -- Curtis Maurand mailto:curtis@maurand.com http://www.maurand.com
<quote who="Curtis Maurand">
That's not the point. A failed DNS lookup actually needs to fail, not get redirected.
Perhaps you need to change your definition of failed? The lookup has not failed if the rcode in the reply is set to a non-failing value.
-davidu
----------------------------------------------------
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------
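The disagreement above turns on the rcode field: a rewritten answer carries NOERROR plus an address where an honest one carries NXDOMAIN. As an added example (not from any poster in this thread), the Python below parses that field from wire-format responses and flags a resolver or zone that answers every nonexistent probe name with the same address; the probe names, the 192.0.2.x and 198.51.100.x addresses and all function names are constructed for illustration.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, addrs=()):
    """Build a constructed response to an A query (sample data, no network)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1; rcode is the low 4 bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C: compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past a plain or compressed name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a pointer is two bytes and ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [A-record addresses]) from a wire-format response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip qtype and qclass
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def synthesized_addresses(probe_responses):
    """Addresses returned for every probe of a name that should not exist.

    An empty set means at least one probe got NXDOMAIN or no address,
    so the path is not rewriting negative answers.
    """
    common = None
    for msg in probe_responses:
        rcode, addrs = parse_response(msg)
        if rcode == RCODE_NXDOMAIN or not addrs:
            return set()
        common = set(addrs) if common is None else common & set(addrs)
    return common or set()


def has_real_a_record(msg, wildcard_addrs):
    """Existence check (e.g. for a mail sender's domain) that treats the
    known synthesized addresses as "no such name"."""
    rcode, addrs = parse_response(msg)
    if rcode != RCODE_NOERROR or not addrs:
        return False
    return not set(addrs) <= set(wildcard_addrs)


# Constructed probe names: random labels nobody would have registered.
PROBES = ["xq7-probe-0001.com", "xq7-probe-0002.com", "xq7-probe-0003.net"]
HONEST = [build_response(n, RCODE_NXDOMAIN) for n in PROBES]
REWRITTEN = [build_response(n, RCODE_NOERROR, ["192.0.2.80"]) for n in PROBES]

if __name__ == "__main__":
    print("honest path   :", synthesized_addresses(HONEST))
    print("rewritten path:", synthesized_addresses(REWRITTEN))
```

Both readings of "failed" show up here: `parse_response` reports a non-failing rcode for the rewritten answers, while `has_real_a_record` shows what every non-web consumer has to add to recover the failure signal.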
|Is there concern to be raised by network operators over such schemes if
|deployed at the individual ISP level, particularly if such technology
|becomes widespread?
Yes: the DNS structure is a scalable way to locate IP addresses for names, but it needs trust as people can bypass it and go directly to root servers, gtld servers, cctld servers. The more non-standard hacks the structure gets, the more distrust it will have; if it becomes widespread, off-the-shelf operating systems with internal recursive DNS will also become widespread. Revenue from DNS redirection will go towards zero, and load at the central servers will go to the sky and never come down ever again.
Rubens
rubens@email.com ("Rubens Kuhl Jr.") writes:
... the DNS structure is a scalable way to locate IP addresses for names, but it needs trust as people can bypass it and go directly to root servers, gtld servers, cctld servers. The more non-standard hacks the structure gets, the more distrust it will have; if it becomes widespread, off-the-shelf operating systems with internal recursive DNS will also become widespread. Revenue from DNS redirection will go towards zero, and load at the central servers will go to the sky and never come down ever again.
Um. That happened years ago, mostly by mistake. However I agree with the premise -- as middlemen continue to try to monetize other people's transactions, the endpoints will continue to try to work around the middlemen. So it is with carpet sales, home electronics, online auctions, and now DNS.
DNSSEC, now in its eleventh year of preproduction, is supposed to make this kind of middletweaking more detectable, but not more preventable. I suspect that Rodney's idea for doing DNS over IP tunnels is even more desirable than he thinks, for reasons he may not have yet considered.
-- Paul Vixie
Paul Vixie wrote:
DNSSEC, now in its eleventh year of preproduction, is supposed to make this kind of middletweaking more detectable, but not more preventable. I suspect that Rodney's idea for doing DNS over IP tunnels is even more desirable than he thinks, for reasons he may not have yet considered.
Windows users get more Yes / No / Cancel dialogs to better educate them on clicking Yes without spending too much time thinking about it?
Pete
nanog@riva.net (Randall Pigott) writes:
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
It would be no worse than NEW.NET or any other form of DNS pollution/piracy (like the alternate root whackos), as long as it was clearly labelled. As an occasional operator of infrastructure, I wouldn't like the complaint load I'd see if the customers of such ISP's thought that *I* was inserting the garbage they were seeing. So I guess my hope is, it'll be "opt-in" with an explicitly held permission for every affected IP address (perhaps using some kind of service discount or enhancement as the carrot.) -- Paul Vixie
Paul, you have no problem supporting the corrupt ICANN monopoly. The colonists and minutemen were called their day's name for "whackos" as well. You have the right to speak without being shot for your opinion because those "whackos" fought and died to make it so. Just remember that the next time you fling that word around. ICANN is a threat to freedom on the internet. There is no technical reason why there cannot be 1,000's of TLDs out there, except that it foils someone's monopoly stranglehold on one of the few chokepoints of the internet. The biggest threat is from WIPO which is trying to control the namespace and use it as a fulcrum to enforce their narrow intellectual property interests. WIPO has no place in the namespace and its UDRP is just a method for rich and powerful interests to steal domains from poor people, especially those in less-than-well-to-do countries. I will never stop fighting against that kind of thing, nor will others in this struggle. There are many people who have been working against this unacceptable state of affairs for many years, myself included and I will not let you mis-characterize our struggle. John Palmer ----- Original Message ----- From: "Paul Vixie" <vixie@vix.com> To: <nanog@merit.edu> Sent: Monday, February 23, 2004 12:22 Subject: Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls
nanog@riva.net (Randall Pigott) writes:
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
It would be no worse than NEW.NET or any other form of DNS pollution/piracy (like the alternate root whackos), as long as it was clearly labelled. As an occasional operator of infrastructure, I wouldn't like the complaint load I'd see if the customers of such ISP's thought that *I* was inserting the garbage they were seeing. So I guess my hope is, it'll be "opt-in" with an explicitly held permission for every affected IP address (perhaps using some kind of service discount or enhancement as the carrot.) -- Paul Vixie
On Mon, 23 Feb 2004 12:43:40 CST, John Palmer said:
ICANN is a threat to freedom on the internet. There is no
Very true.
technical reason why there cannot be 1,000's of TLDs out there, except that it foils someone's monopoly stranglehold on one of the few chokepoints of the internet.
Also true. Unfortunately, Paul is still correct in calling anybody who doesn't understand why RFC2826 matters a "whacko". Read it *carefully*, and note that nowhere does it say ICANN has to run the root, only that if there is other than exactly one consistent view of the root, things go pear-shaped quickly.
Whackos.. ! Where..?! Can't see no pesky whackos, nope sir, all normal people here.
Paul, you have no problem supporting the corrupt ICANN monopoly. The colonists and minutemen were called their day's name for "whackos" as well. You have the right to speak without being shot for your opinion because those "whackos" fought and died to make it so. Just remember that the next time you fling that word around.
ICANN is a threat to freedom on the internet. There is no technical reason why there cannot be 1,000's of TLDs out there, except that it foils someone's monopoly stranglehold on one of the few chokepoints of the internet. The biggest threat is from WIPO which is trying to control the namespace and use it as a fulcrum to enforce their narrow intellectual property interests. WIPO has no place in the namespace and its UDRP is just a method for rich and powerful interests to steal domains from poor people, especially those in less-than-well-to-do countries. I will never stop fighting against that kind of thing, nor will others in this struggle.
There are many people who have been working against this unacceptable state of affairs for many years, myself included and I will not let you mis-characterize our struggle.
John Palmer
----- Original Message ----- From: "Paul Vixie" <vixie@vix.com> To: <nanog@merit.edu> Sent: Monday, February 23, 2004 12:22 Subject: Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls
nanog@riva.net (Randall Pigott) writes:
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
It would be no worse than NEW.NET or any other form of DNS pollution/piracy (like the alternate root whackos), as long as it was clearly labelled. As an occasional operator of infrastructure, I wouldn't like the complaint load I'd see if the customers of such ISP's thought that *I* was inserting the garbage they were seeing. So I guess my hope is, it'll be "opt-in" with an explicitly held permission for every affected IP address (perhaps using some kind of service discount or enhancement as the carrot.) -- Paul Vixie
--On Monday, February 23, 2004 12:43:40 -0600 John Palmer <nanog@adns.net> wrote: <snip> :0 nanog@adns.net /dev/null funny thing, all those wackos are always posting using From: addresses in TLDs approved by the system they detest. wonder why they aren't using their own wonderful, free domains. -- Måns Nilsson Systems Specialist +46 70 681 7204 KTHNOC MN1334-RIPE
Måns Nilsson KTHNOC wrote:
--On Monday, February 23, 2004 12:43:40 -0600 John Palmer <nanog@adns.net> wrote:
funny thing, all those wackos are always posting using From: addresses in TLDs approved by the system they detest. wonder why they aren't using their own wonderful, free domains.
Because they are busy pedaling their calendars to keep them up to date? -- Requiescas in pace o email
Excuse me, but WATCH what you do when you are quoting people. I did not post the remarks that you attribute to me in the message below, in fact I cannot even find them in any message to which I replied. ----- Original Message ----- From: "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net> To: <nanog@merit.edu> Sent: Tuesday, March 09, 2004 13:16 Subject: Re: [IP] VeriSign prepares to relaunch "Site Finder" -- calls
Måns Nilsson KTHNOC wrote:
--On Monday, February 23, 2004 12:43:40 -0600 John Palmer <nanog@adns.net> wrote:
funny thing, all those wackos are always posting using From: addresses in TLDs approved by the system they detest. wonder why they aren't using their own wonderful, free domains.
Because they are busy pedaling their calendars to keep them up to date?
-- Requiescas in pace o email
John Palmer wrote:
Excuse me, but WATCH what you do when you are quoting people. I did not post the remarks that you attribute to me in the message below, in fact I cannot even find them in any message to which I replied.
Point taken. As near as I can tell, Nilsson "quoted" and deleted everything you Palmer said. I quoted and commented on what Nilsson said and did not notice because of the way messages are presented to me that the empty Palmer line should have been deleted. But, I'll claim some slack. I _do_ prune some quoted stuff, if clumsily some times. And I do send messages to the list, or to people (which will probably stop as the result of rude behaviour), but not both. -- Requiescas in pace o email
nanog@riva.net (Randall Pigott) writes:
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
It would be no worse than NEW.NET or any other form of DNS pollution/piracy (like the alternate root whackos), as long as it was clearly labelled. As an occasional operator of infrastructure, I wouldn't like the complaint load I'd see if the customers of such ISP's thought that *I* was inserting the garbage they were seeing. So I guess my hope is, it'll be "opt-in" with an explicitly held permission for every affected IP address (perhaps using some kind of service discount or enhancement as the carrot.)
Yup. This is the form I saw in the PRC, both with the CNNIC provisioned means for resolving names using Big5 and/or GB encodings, and the Microsoft and RealNames provisioned means for resolving names not in ASCII (with the added benefit of a bug in MS's IE navigator's handling of Unicode). There was a visible operational impact of the second service -- every n2a for n not in (ASCII or Big5 or GB) resulted in overseas b/w use, first to Redmond, then to Redwood City, and finally to Reston. My hosts complained of the cost of every browser in the PRC generating trans-pacific packet streams. North Americans on fat pipes may not care, but where the meter is running, and ASCII is awkward, there will be operational measurables. Eric
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
It would be no worse than NEW.NET or any other form of DNS pollution/piracy (like the alternate root whackos), as long as it was clearly labelled. As
Sorry my threading is screwed, something to do with the headers so I missed half the replies. Anyway I just sent an email, I don't think this is the same as the new.net thing, in that case you have an unstable situation of competing roots arising which as it grows or collides the operator community is left to pick up the pieces and complaints. With a local redirection you get to choose that you want it, you don't impose it on other parts of the Internet and given enough clue level your customers can run their own DNS if they object. So with that in mind this is no worse than http caching/smtp redirection or other local forms of subversion.. Steve
an occasional operator of infrastructure, I wouldn't like the complaint load I'd see if the customers of such ISP's thought that *I* was inserting the garbage they were seeing. So I guess my hope is, it'll be "opt-in" with an explicitly held permission for every affected IP address (perhaps using some kind of service discount or enhancement as the carrot.)
steve@telecomplete.co.uk ("Stephen J. Wilcox") writes:
... It would be no worse than NEW.NET or any other form of DNS pollution/piracy (like the alternate root whackos), as long as it was clearly labelled. ...
With a local redirection you get to choose that you want it, you don't impose it on other parts of the Internet and given enough clue level your customers can run their own DNS if they object.
So with that in mind this is no worse than http caching/smtp redirection or other local forms of subversion..
I guess I should have put some :-)'s into my earlier post on this thread. Anyone using MSIE already has sitefinder-like functionality. And there are adware companies who offer plugins for MSIE, Safari/Konqueror, Netscape/Mozilla, and probably other browsers as well, to map "no such url" to an adware/search site. Therefore anyone who wants to opt into this can already do so. Therefore the likelihood of an ISP offering this on an "opt in" basis is low. I apologize for having to explain that I was joking. I'll try to do better. -- Paul Vixie
FWIW, We had PAXFIRE in over here last week and heard their dog and pony on the product, basically they make money by using your customer base and diverting them to a search page that they developed with their "partners". Of course they only divert them on failed www lookups. It's a module plug-in into bind and if you prefer to try and do this on an opt-in basis they have a client program that you download and it gets hooked into the user's browser. They claim that the embedded MSN search page that you get diverted to by IE is making MSN millions and millions of dollars and they want the ISP's to get some of that revenue share. Jason Nealis RCN INTERNET On Mon, Feb 23, 2004 at 04:54:51PM -0500, Stephen J. Wilcox stated
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
It would be no worse than NEW.NET or any other form of DNS pollution/piracy (like the alternate root whackos), as long as it was clearly labelled. As
Sorry my threading is screwed, something to do with the headers so I missed half the replies.
Anyway I just sent an email, I don't think this is the same as the new.net thing, in that case you have an unstable situation of competing roots arising which as it grows or collides the operator community is left to pick up the pieces and complaints.
With a local redirection you get to choose that you want it, you don't impose it on other parts of the Internet and given enough clue level your customers can run their own DNS if they object.
So with that in mind this is no worse than http caching/smtp redirection or other local forms of subversion..
Steve
an occasional operator of infrastructure, I wouldn't like the complaint load I'd see if the customers of such ISP's thought that *I* was inserting the garbage they were seeing. So I guess my hope is, it'll be "opt-in" with an explicitly held permission for every affected IP address (perhaps using some kind of service discount or enhancement as the carrot.)
On Tue, 24 Feb 2004 09:01:05 EST, Jason Nealis said:
They claim that the embedded MSN search page that you get diverted to by IE is making MSN millions and millions of dollars and they want the ISP's to get some of that revenue share.
Of course, if all the ISPs do it, that will dry up MSN's millions and millions of dollars. A quick analogy here: Microsoft is to revenue stream as mother bear is to cubs... To misquote Randy, I encourage my competitors to step between either pair. ;)
On Tue, 24 Feb 2004, Jason Nealis wrote:
FWIW, We had PAXFIRE in over here last week and heard their dog and pony on the product, basically they make money by using your customer base and diverting them to a search page that they developed with their "partners". Of course they only divert them on failed www lookups.
Okay, they are lying here. There is no way for them to tell if something is a "web lookup" or some other type of lookup at this point. Unless of course they only divert www.*, and even then other types of services may be provided by a host with a name of www.*. So they really can't make this work without breaking something. bye, ken emery
It's a module plug-in into bind and if you prefer to try and do this on an opt-in basis they have a client program that you download and it gets hooked into the user's browser.
They claim that the embedded MSN search page that you get diverted to by IE is making MSN millions and millions of dollars and they want the ISP's to get some of that revenue share.
Jason Nealis RCN INTERNET
On Mon, Feb 23, 2004 at 04:54:51PM -0500, Stephen J. Wilcox stated
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
It would be no worse than NEW.NET or any other form of DNS pollution/piracy (like the alternate root whackos), as long as it was clearly labelled. As
Sorry my threading is screwed, something to do with the headers so I missed half the replies.
Anyway I just sent an email, I don't think this is the same as the new.net thing, in that case you have an unstable situation of competing roots arising which as it grows or collides the operator community is left to pick up the pieces and complaints.
With a local redirection you get to choose that you want it, you don't impose it on other parts of the Internet and given enough clue level your customers can run their own DNS if they object.
So with that in mind this is no worse than http caching/smtp redirection or other local forms of subversion..
Steve
an occasional operator of infrastructure, I wouldn't like the complaint load I'd see if the customers of such ISP's thought that *I* was inserting the garbage they were seeing. So I guess my hope is, it'll be "opt-in" with an explicitly held permission for every affected IP address (perhaps using some kind of service discount or enhancement as the carrot.)
On Tue, 24 Feb 2004, Jason Nealis wrote:
It's a module plug-in into bind and if you prefer to try and do this on an opt-in basis they have a client program that you download and it gets hooked into the user's browser.
This is the right way to do it, end user opt in, and browser only. Unilaterally forcing it upon everyone and breaking non www based apps is the wrong way to do it. -Dan
On Tuesday, February 24, 2004 3:09 PM [EST], Dan Hollis <goemon@anime.net> wrote:
On Tue, 24 Feb 2004, Jason Nealis wrote:
It's a module plug-in into bind and if you prefer to try and do this on an opt-in basis they have a client program that you download and it gets hooked into the user's browser.
This is the right way to do it, end user opt in, and browser only.
Unilaterally forcing it upon everyone and breaking non www based apps is the wrong way to do it.
-Dan
Also means less profit. We already know for a fact that Verisign/Netsol could give a damn about what's right and wrong, and what's a good way to do something and what's a bad way to do something. Anything that cuts into their profit they will kick and scream bloody murder until they get their way. Remember what happened when they were forced to allow other registrars access to their database? I remember specifically service quality go horribly through the floor, requests getting screwed up, almost on purpose, billing messups that never happened before, etc. And this suddenly happened right around the same time that their monopoly was forcefully taken away. I don't even want to ponder what kind of outages and other issues we will have if they don't get their way. I have a feeling that I'm going to get whacked for violating the AUP of the list, but oh well. Truth hurts. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The Abusive Hosts Blocking List http://www.ahbl.org
One other item is that some ISP's like us can't do the browser plug in option because of the "dial-up accelerator" products already embedded to the browser, installing Paxfire's technology on top of our accelerator plug in would just chew IE and its tcp stack. Also they state they only proxy A record lookups thus no mx lookups. Either way, it seems scary to me. But I do agree this is a revenue stream that Mickeysoft is probably making a ton off of. ------ Jason Nealis RCN (NASDAQ) RCNC ~ ~ On Tue, Feb 24, 2004 at 12:09:56PM -0800, Dan Hollis stated
On Tue, 24 Feb 2004, Jason Nealis wrote:
It's a module plug-in into bind and if you prefer to try and do this on an opt-in basis they have a client program that you download and it gets hooked into the user's browser.
This is the right way to do it, end user opt in, and browser only.
Unilaterally forcing it upon everyone and breaking non www based apps is the wrong way to do it.
-Dan
--
I'm probably on my own here but I don't think it's that bad an idea.. seems like a decent way to earn some money, of course you may create some bad press and upset some customers but doesn't everything. At least we the operators are left in control, and even end sites always have the option of running their own dns servers in order to bypass their provider, this isn't possible with wildcards in the verisign root. I also did a comparison in my head but this is also not comparable to fragmentation of the root so nothing broken there either. Steve On Mon, 23 Feb 2004, Randall Pigott wrote:
I am curious what the operational impact would be to network operators if, instead of Verisign using SiteFinder over all com and net, Verisign or their technology partner for SiteFinder began coercing a large number of independent ISPs and network operators to install their form of DNS redirection at the ISP-level, until all or most of the end-users out there were getting redirected.
We have been approached by a guy named Mark Lewyn, president Paxfire, Inc., the company he claims created the SiteFinder technology and offered it to Verisign. Based here in the Washington DC area, he now also wants individual ISPs to implement his technology of redirection to a web page for unknown domains as a means of earning click-through revenue, and will split the take 50/50 "when Paxfire gets paid"
As a network operator of a fair-sized regional ISP, as well as operators of arguably the least-expensive nationwide wholesale dial platform for other ISPs to gain nationwide access, we have been approached by Mr. Lewyn on behalf of his company Paxfire Inc. He wants our company to come have meetings at his law firm's offices, consider accepting and implementing his technology at our local DNS server level, and then supposedly share in the rich profits when customers get redirected, possibly to web pages featuring click-through banner ads. He says that this is the exact same technology (more accurately, he said that it was evolved one step further, I think) that he sold or licensed to Verisign and that Verisign refers to as SiteFinder.
Until now, the identity of the technology and marketing partner who created SiteFinder has been kept very confidential, so I was surprised to learn that Mr. Lewyn's company Paxfire Inc. was indeed that partner!
Further, he claims that Vint Cerf himself thinks it is a great idea at the ISP level to do this, and is one of his advisory board supporters.
Naturally, with the fracas of last Sept 2003, we are hesitant to give up any negative caching, essential anti-spam techniques, and suffer other disruptions that such a redirection service may generate within our networks whenever a non-existent domain request results in a redirection.
Is there concern to be raised by network operators over such schemes if deployed at the individual ISP level, particularly if such technology becomes widespread?
Before considering meeting with these guys, we would like to solicit the opinions of this list to be better equipped to say "no" if indeed "no" is the right operational and technological decision for the integrity of our nationwide networks and our interconnection outwards to the rest of the world's networks.
Thanks most sincerely,
Randall Pigott
At 06:11 PM 2/9/2004, you wrote:
From Dave Farber's IP list...
---------------------------
http://www.washingtonpost.com/wp-dyn/articles/A25819-2004Feb9_2.html
VeriSign Reconsiders Search Service
"Site Finder was not controversial with users, 84 percent of whom said they liked it as a helpful navigation service," said Tom Galvin, VeriSign's vice president of government relations. "We continue to look at ways we can offer the service while addressing the concerns that were raised by a segment of the technical community."
Galvin said that the continued opposition stems from "an ideological belief by a narrow section of the technological community who don't believe you should innovate the core infrastructure of the Internet."
Critics also claim that VeriSign must run the domains as a public trust, not a profit-making opportunity. VeriSign is the sole operator of the dot-com and dot-net registries under a contract with ICANN.
"I don't begrudge them their profit, but someone in an effectively regulated monopoly position shouldn't use their power for their own profit, beyond the terms under which the community gave it to them," said Steven Bellovin, co-director of the Internet Engineering Task Force's Security Area.
Paul Rothstein a law professor at Georgetown University and a paid VeriSign consultant, said that the critics have some legitimate objections but others are motivated by the scientific and technology communities' "bias on policy."
Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.
ICANN will reserve judgment until VeriSign decides to relaunch Site Finder, said General Counsel John Jeffrey. VeriSign assured ICANN that it would give 60 to 90 days' warning to resolve any remaining technological problems, Jeffrey said.
In the meantime, ICANN is waiting for a final report on Site Finder from its Security and Stability Advisory Committee. Committee Chairman Steve Crocker said he doubts that Site Finder can be changed enough that it won't threaten the Internet's underlying infrastructure.
"I thought people were relieved that they took it down and it's hard to believe that there would be any quietness if they brought it back," Crocker said.
<SNIP>
_____Related Coverage_____ <http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A57670-2003Oct7.html> VeriSign Service Spawns More Criticism (washingtonpost.com, Oct 7, 2003)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A42107-2003Oct3.html> VeriSign Agrees To Shut Down Search Service (The Washington Post, Oct 4, 2003) <http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A64437-2003Sep25.html> With Site Finder, VeriSign Sparks Internet-wide Criticism (washingtonpost.com, Sep 25, 2003)
_____ICANN Headlines_____
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A13538-2004Feb4.html> Congress Eyes Internet Fraud Crackdown (washingtonpost.com, Feb 4, 2004)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A23641-2004Jan16.html> XO Owner Again Bids For Telecom (The Washington Post, Jan 17, 2004)
<http://www.washingtonpost.com/wp-dyn/articles//wp-dyn/articles/A47327-2003Dec8.html> U.N. Sets Aside Debate Over Control of Internet (The Washington Post,Dec 9, 2003)
<http://www.washingtonpost.com/wp-dyn/technology/techpolicy> Tech Policy Section
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/
------------- End Forwarded Message -------------
------------------------------------------------------------------- Gregory Hicks | Principal Systems Engineer Cadence Design Systems | Direct: 408.576.3609 555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400 San Jose, CA 95134 | Internet: ghicks@cadence.com
"The trouble with doing anything right the first time is that nobody appreciates how difficult it was."
When a team of dedicated individuals makes a commitment to act as one... the sky's the limit.
Just because "We've always done it that way" is not necessarily a good reason to continue to do so... Grace Hopper, Rear Admiral, United States Navy
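The operational worry raised in this thread (Randall Pigott's loss of negative caching and anti-spam checks, ken emery's point that the resolver cannot tell a web lookup from any other) comes down to a resolver returning NOERROR with an A record where NXDOMAIN is due. The Python below is an added example, not code from any post or from Paxfire or VeriSign: it queries a resolver for random names that should not exist and classifies the replies. The sample replies and the landing address 192.0.2.1 (a documentation address) are constructed, and all function names are illustrative.

```python
import secrets
import socket
import struct

NOERROR, NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1

def random_name(tld):
    """A name that is, with overwhelming probability, unregistered."""
    return "nx-" + secrets.token_hex(12) + "." + tld.strip(".")

def build_query(name, txid):
    """Encode a recursive (RD set) A query for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)

def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def classify(responses):
    """Judge a resolver from its replies to names that should not exist."""
    if not responses:
        return "no-data", []
    landing, rewritten = set(), 0
    for msg in responses:
        rcode, addrs = parse_response(msg)
        if rcode == NOERROR and addrs:     # an address for a nonexistent name
            rewritten += 1
            landing.update(addrs)
    if rewritten == 0:
        return "honest", []
    verdict = "rewrites-nxdomain" if rewritten == len(responses) else "mixed"
    return verdict, sorted(landing)

def probe(resolver_ip, tld="com", count=3, timeout=3.0):
    """Live check over UDP/53; not exercised by the constructed samples."""
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(count):
            txid = secrets.randbelow(0x10000)
            sock.sendto(build_query(random_name(tld), txid), (resolver_ip, 53))
            data, _peer = sock.recvfrom(4096)
            if data[:2] == struct.pack("!H", txid):
                responses.append(data)
    return classify(responses)

def constructed_response(query, rcode, addr=None):
    """Build a sample reply to query (constructed data, not a capture)."""
    flags = 0x8180 | rcode                 # QR, RD, RA plus the rcode
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if addr else 0, 0, 0)
    answer = b""
    if addr:                               # name is a pointer to the question
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
                  + socket.inet_aton(addr))
    return header + query[12:] + answer

def demo():
    """Classify an honest resolver and a redirecting one (constructed)."""
    queries = [build_query(random_name("com"), i) for i in range(3)]
    honest = [constructed_response(q, NXDOMAIN) for q in queries]
    diverted = [constructed_response(q, NOERROR, "192.0.2.1") for q in queries]
    return classify(honest), classify(diverted)

if __name__ == "__main__":
    print(demo())
```

A "rewrites-nxdomain" verdict does not say whether the resolver or a wildcard in the zone itself synthesized the answer; running the same probe against a second, independent resolver separates the two cases.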
participants (35)
- Alex Kamantauskas
- Brian Bruns
- Chris Woodfield
- Chris Yarnell
- Curtis Maurand
- Dan Hollis
- David A. Ulevitch
- David Lesher
- David Luyer
- Eric Brunner-Williams in Portland Maine
- Gregory Hicks
- Guy Coslado (GC0111)
- Jason Nealis
- JC Dill
- John Palmer
- Joshua Coombs
- ken emery
- Laurence F. Sheldon, Jr.
- Marshall Eubanks
- Michael Loftis
- Måns Nilsson KTHNOC
- Paul Vixie
- Paul Wouters
- Petri Helenius
- Randall Pigott
- Rubens Kuhl Jr.
- Scott Savage
- Stephane Bortzmeyer
- Stephen J. Wilcox
- Suresh Ramasubramanian
- suresh@outblaze.com
- Valdis.Kletnieks@vt.edu
- Wayne E. Bouchard
- William Allen Simpson
- william<at>elan.net