[Fwd: [IP] VeriSign to revive redirect service]
Ouch.

-------- Original Message --------
Subject: [IP] VeriSign to revive redirect service
Date: Thu, 16 Oct 2003 02:38:14 -0400
From: Dave Farber <dave@farber.net>
Reply-To: dave@farber.net
To: ip@v2.listbox.com

Delivered-To: dfarber+@ux13.sp.cs.cmu.edu
Date: Wed, 15 Oct 2003 23:30:44 -0700 (PDT)
From: Joseph Lorenzo Hall <jhall@SIMS.Berkeley.EDU>
Subject: VeriSign to revive redirect service
To: Dave Farber <dave@farber.net>

---

http://news.com.com/2100-1038_3-5092133.html

VeriSign to revive redirect service
by Declan McCullagh

VeriSign will give a 30- to 60-day notice before resuming a controversial and temporarily suspended feature that redirected many .com and .net domains, company representatives said Wednesday.

Speaking before an unusual gathering of technical experts in Washington, D.C., VeriSign said its own re-evaluation of its Site Finder redirection service found "no identified security or stability problems."

When it was active, Site Finder added a "wild card" for .com and .net domains that snared queries to nonexistent Internet sites and forwarded them to VeriSign's own servers. That confused some antispam filters and other network utilities, a side effect that VeriSign downplayed on Wednesday by arguing that Site Finder's benefits to end users--a search screen instead of an error message--outweighed the costs to network administrators.

"One of the segments of the community that has not been looked at in this whole issue, in my opinion, is the user community," VeriSign Vice President Chuck Gomes said. "They're very relevant."

In a presentation, VeriSign said that 35 companies were confidentially briefed about Site Finder before its debut and they reported "no issues" or problems before its launch on Sept. 15. Its own expert group--including the chief technology officers of Brightmail and Morgan Stanley--reviewed Site Finder and decided that most issues were "minor or inconvenient," VeriSign said.

Before resuming Site Finder, VeriSign said it would address specific criticisms by adding foreign language support to Site Finder and tweaking the way e-mail to nonexistent domains worked.

[...]

-----------------------------------------------------------------
Joseph Lorenzo Hall
Graduate Student
http://pobox.com/~joehall

"When life gives you SARS, make sarsaparilla."
--Cory Doctorow, http://www.craphound.com/
-------------------------------------
At 02:56 AM 10/16/2003, Suresh Ramasubramanian wrote:
> Ouch.
>
> http://news.com.com/2100-1038_3-5092133.html
>
> VeriSign to revive redirect service by Declan McCullagh
>
> VeriSign will give a 30- to 60-day notice before resuming a controversial and temporarily suspended feature that redirected many .com and .net domains, company representatives said Wednesday.

I'm not going to be at NANOG in Chicago next Monday (October 20th), but if I were, I'd be in the foyer Monday morning with a few crates of tomatoes, selling individual tomatoes.

If everyone who attends NANOG goes to the 9:15 session on Monday morning

<http://www.nanog.org/mtg-0310/dns.html>

and takes a single large tomato into the session with them, that this will make a VISIBLE sign to Verisign. It will make for a great photo opportunity, and turn this issue into something that the ordinary press can more easily explain to the non-technical Internet using masses.

I also suggest that people wear red shirts on Monday. Enable the press to write about how Network Operators obviously and visibly *demonstrated* their unhappiness with Verisign. Try "Network Operators are seeing Red over Sitefinder" or "Verisign gets pelted with tomatoes over Sitefinder" as a headline.

Note: I'm not actually suggesting that people pelt Verisign representatives with the tomatoes, you could just individually walk up to the front of the room and put your tomatoes in a pile where they can be seen. A pile of 500 tomatoes that are brought there individually, each tomato representing the opinion of a NANOG participant, *will* make an impact.

jc
I like it. I'm game.

Owen

--On Thursday, October 16, 2003 9:04 AM -0700 JC Dill <nanog@vo.cnchost.com> wrote:

> At 02:56 AM 10/16/2003, Suresh Ramasubramanian wrote:
>
> > Ouch.
> >
> > http://news.com.com/2100-1038_3-5092133.html
> >
> > VeriSign to revive redirect service by Declan McCullagh
> >
> > VeriSign will give a 30- to 60-day notice before resuming a controversial and temporarily suspended feature that redirected many .com and .net domains, company representatives said Wednesday.
>
> I'm not going to be at NANOG in Chicago next Monday (October 20th), but if I were, I'd be in the foyer Monday morning with a few crates of tomatoes, selling individual tomatoes.
>
> If everyone who attends NANOG goes to the 9:15 session on Monday morning
>
> <http://www.nanog.org/mtg-0310/dns.html>
>
> and takes a single large tomato into the session with them, that this will make a VISIBLE sign to Verisign. It will make for a great photo opportunity, and turn this issue into something that the ordinary press can more easily explain to the non-technical Internet using masses.
>
> I also suggest that people wear red shirts on Monday. Enable the press to write about how Network Operators obviously and visibly *demonstrated* their unhappiness with Verisign. Try "Network Operators are seeing Red over Sitefinder" or "Verisign gets pelted with tomatoes over Sitefinder" as a headline.
>
> Note: I'm not actually suggesting that people pelt Verisign representatives with the tomatoes, you could just individually walk up to the front of the room and put your tomatoes in a pile where they can be seen. A pile of 500 tomatoes that are brought there individually, each tomato representing the opinion of a NANOG participant, *will* make an impact.
>
> jc
lots of misconceptions here today.

declan, you ought to pay closer attention. verisign didn't say at the meeting yesterday that they were planning to revive the redirect service, in fact they used the term "if or when" when describing their plans in that area. furthermore they did not commit to a notification period, they only pointed out that 60 to 90 days notice seemed reasonable "if or when" the service was reenabled. check the icann site for transcripts.

but wait, it gets better:

> If everyone who attends NANOG goes to the 9:15 session on Monday morning and takes a single large tomato into the session with them, that this will make a VISIBLE sign to Verisign.

no, it really won't. straton sclavos' statements about "technical zealots" mean that anything nanog en masse might do has been pre-label-engineered. if anything, bringing a pile of tomatoes would just make his point for him, helping to convince the press that only fringe-dwelling pinko loonies have any disagreement with the sitefinder redirection effort. my advice: *don't*.

wait, wait, don't tell me:

> To change this: what else can we do to prevent this? Does the last BIND version truly break sitefinder?

in my last conversation with a verisign executive, i learned that there is a widely held misconception that the last BIND patch truly breaks sitefinder, and now here you go proving it. the last BIND patch adds a feature, whose default is OFF, that can make non-delegation data from specified domains disappear (or in other cases, non-delegation data from non-specified tld's.)

let me just emphasize that the default is OFF. BIND doesn't break sitefinder; nameserver administrators break sitefinder. be mindful of that difference!

hit D now if you're bored, because i'm still not done:

> ... I have got to ask just one question. Can these people at Verisign really think that they know better than all of the real experts that have worked with/on the DNS over the years. It seems rather silly to assume that a few people have more knowledge than the collective community.

silly or not, they actually do believe it. verisign positions itself, both in high level discussions with government and security and financial agencies, and in its edgar filings, as being the major brain trust for DNS expertise. (otoh, exodus and abovenet both said the same thing about their BGP expertise so perhaps this is just how things go for publicly traded companies.)

just one more thing:

> While I agree that handling of NXDOMAIN needs to improve, such handling must be done by the application. Popular browsers have already started ...

i think i agree with where this was going, but it would be a fine thing if we all stop calling this NXDOMAIN. the proper term is RCODE 3. when you say NXDOMAIN you sound like you've only read the BIND sources and not the RFC's. NXDOMAIN is a BINDism, whereas RCODE 3 refers to the actual protocol element.

--
Paul Vixie
On 16 Oct 2003, Paul Vixie wrote:

Good writeup Paul.

<SNIP>

> > To change this: what else can we do to prevent this? Does the last BIND version truly break sitefinder?
>
> in my last conversation with a verisign executive, i learned that there is a widely held misconception that the last BIND patch truly breaks sitefinder, and now here you go proving it. the last BIND patch adds a feature, whose default is OFF, that can make non-delegation data from specified domains disappear (or in other cases, non-delegation data from non-specified tld's.) let me just emphasize that the default is OFF. BIND doesn't break sitefinder; nameserver administrators break sitefinder. be mindful of that difference!

Paul, you've just bought into the Verisign propaganda here.

The BIND modification does NOTHING to break Sitefinder. One can still go to http://sitefinder.verisign.com/ and use the web page without any interference from BIND. What the latest release does is to break the redirection of RCODE 3 to http://sitefinder.verisign.com/. It is just semantics, but there is a HUGE difference.

Verisign can get people to start using the Sitefinder web site in any number of ways which don't affect other applications. These methods have been noted here and elsewhere (web browser plugins, advertising of the site, make it better than anything else and they will come, ...). Verisign's Sitefinder is NOT a TLD web site but they are trying to make it one.

bye,
ken emery

p.s. I just went to sitefinder.verisign.com and it took forever to load. I assume that loads are down on this service so I can't understand why it would take so long to load the page. If this is the type of service Verisign is going to offer they will surely be inviting workarounds solely because things suck.
i just got done reading http://news.com.com/2008-7347_3-5092590.html, so now at least i know why my phone was ringing so much earlier today. anyway, ken@cnet.com (ken emery) quotes me as saying...

> let me just emphasize that the default is OFF. BIND doesn't break sitefinder; nameserver administrators break sitefinder. be mindful of that difference!

and then adds:

> Paul, you've just bought into the Verisign propaganda here.
>
> The BIND modification does NOTHING to break Sitefinder. One can still go to http://sitefinder.verisign.com/ and use the web page without any interference from BIND. What the latest release does is to break the redirection of RCODE 3 to http://sitefinder.verisign.com/. It is just semantics, but there is a HUGE difference.

ken is right and i apologize for the confusion. most of the early patches to bind8 and djbdns that i saw were dependent on the sitefinder address, and as such, would have enabled nameserver administrators to break _sitefinder_. isc's patches for bind9 enable nameserver administrators to break only the _redirection_ to sitefinder.

--
Paul Vixie
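
Added example (not part of any post in this thread, and not ISC's code): a simplified Python model of the resolver-side filter discussed above, which turns a non-delegation answer from a listed zone into RCODE 3 while leaving real delegations, and every response when no zone is listed, untouched. The record layout, function names and sample responses are assumptions constructed for illustration.

```python
# Added illustration, not ISC's code: a simplified model of a resolver-side
# "delegation-only" filter. Record layout and all names are assumptions.
from dataclasses import dataclass, field

NOERROR, NAME_ERROR = 0, 3  # RCODE 3 is what the list calls NXDOMAIN

@dataclass
class RR:
    name: str
    rtype: str
    rdata: str

@dataclass
class Response:  # what the zone's own servers returned for qname
    qname: str
    rcode: int = NOERROR
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_below(name, zone):
    """True if name is a proper subdomain of zone (the apex is excluded)."""
    n, z = labels(name), labels(zone)
    return len(n) > len(z) and n[len(n) - len(z):] == z

def apply_delegation_only(resp, zones):
    """Turn a non-delegation answer from a listed zone into RCODE 3."""
    for zone in zones:
        if not is_below(resp.qname, zone):
            continue  # apex queries and unlisted zones pass through
        delegated = any(rr.rtype == "NS" and is_below(rr.name, zone)
                        for rr in resp.authority)
        if resp.rcode == NOERROR and not delegated:
            return Response(qname=resp.qname, rcode=NAME_ERROR)
    return resp

# Constructed sample data (192.0.2.1 is a documentation address).
WILDCARD = Response("no-such-name-example.com",
                    answer=[RR("no-such-name-example.com", "A", "192.0.2.1")],
                    authority=[RR("com", "NS", "a.gtld-servers.net")])
REFERRAL = Response("sitefinder.verisign.com",
                    authority=[RR("verisign.com", "NS", "ns.invalid")])

if __name__ == "__main__":
    print(apply_delegation_only(WILDCARD, []).rcode)              # feature off
    print(apply_delegation_only(WILDCARD, ["com", "net"]).rcode)  # feature on
    print(apply_delegation_only(REFERRAL, ["com", "net"]).rcode)  # delegation
```
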
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Paul Vixie
Sent: October 16, 2003 7:36 PM
To: nanog@merit.edu
Subject: Re: [Fwd: [IP] VeriSign to revive redirect service]

> ken is right and i apologize for the confusion. most of the early patches to bind8 and djbdns that i saw were dependent on the sitefinder address, and as such, would have enabled nameserver administrators to break _sitefinder_. isc's patches for bind9 enable nameserver administrators to break only the _redirection_ to sitefinder.

But aren't we back at the same argument we had a few weeks ago about what is SiteFinder?

Some people argue SiteFinder is the thing at sitefinder.verisign.com and, hence, is different from the wildcard that points to it. So your patch breaks the redirection (and personally, I shudder at calling an A record redirection, but perhaps that's a bias from years in the DNS business with customers who throw that word around in all kinds of inappropriate contexts)

Others, like myself, would argue that SiteFinder is VeriSign marketing's brand name for the wildcard record and the thing it points to. With that definition, the ISC patch does break SiteFinder...

Vivien

--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
Paul Vixie wrote:
> > While I agree that handling of NXDOMAIN needs to improve, such handling must be done by the application. Popular browsers have already started ...
>
> i think i agree with where this was going, but it would be a fine thing if we all stop calling this NXDOMAIN. the proper term is RCODE 3. when you say NXDOMAIN you sound like you've only read the BIND sources and not the RFC's. NXDOMAIN is a BINDism, whereas RCODE 3 refers to the actual protocol element.

Sorry, Paul. I have gotten too used to seeing the BINDism on-list. You will find that most of my speech matches that of those I'm talking to. It cuts down on miscommunication and confusion. Please see fit to report me to RFC-ignorant for not using the proper RFC terminology. :)

-Jack
On Thursday 16 October 2003, at 22 h 52, Paul Vixie <vixie@vix.com> wrote:
> i think i agree with where this was going, but it would be a fine thing if we all stop calling this NXDOMAIN. the proper term is RCODE 3. when you say NXDOMAIN you sound like you've only read the BIND sources and not the RFC's. NXDOMAIN is a BINDism, whereas RCODE 3 refers to the actual protocol element.
NXDOMAIN *was* a BINDism (you do not find it in RFC 1035) but it is now, not only a very common way to describe RCODE 3, but also a word you can find in RFC. Check 1536, 2136, 2308 and 2535.
participants (8)
- Jack Bates
- JC Dill
- ken emery
- Owen DeLong
- Paul Vixie
- Stephane Bortzmeyer
- Suresh Ramasubramanian
- Vivien M.