http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm

I quote:

] As to your call for us to suspend the service, I would respectfully
] suggest that it would be premature to decide on any course of action
] until we first have had an opportunity to collect and review the
] available data.

One would think it would be equally premature to roll out the service without first asking the appropriate people for their opinion first, starting with ICANN.

Looks like the lawsuits are going to be the ones to settle this dispute... anyone think there's a chance of ICANN pulling .COM and .NET from Verisign due to breach of contract? I think it's highly unlikely.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
At 09:23 PM 22/09/2003, Leo Bicknell wrote:
> http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm
>
> I quote:
>
> ] As to your call for us to suspend the service, I would respectfully
> ] suggest that it would be premature to decide on any course of action
> ] until we first have had an opportunity to collect and review the
> ] available data.

Even better,

<start quote>
All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder
<end quote>

This reminds me of the Iraqi Information minister and his lunatic counterfactual arguments.... All indications indeed!

---Mike
On Mon, Sep 22, 2003 at 09:36:38PM -0400, Mike Tancsa wrote:
> Even better,
>
> <start quote>
> All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder
> <end quote>
>
> This reminds me of the Iraqi Information minister and his lunatic counterfactual arguments.... All indications indeed!
>
> ---Mike

"The Americans are committing suicide!"
:: american bomb falls in the background ::

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN
Leo Bicknell wrote:
> Looks like the lawsuits are going to be the ones to settle this dispute... anyone think there's a chance of ICANN pulling .COM and .NET from Verisign due to breach of contract? I think it's highly unlikely.

Oh, I dunno... ICANN has no teeth, so that won't happen.

Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it.

Of course... Verisign's comments tend to remind one of "There are no Americans in Baghdad!"

As I said over the weekend: ICANN has requested that Verisign remove the wildcards in .com and .net. So what you're basically saying here is: that ain't gonna happen. Correct?

Then I got flamed... hmmmmm

Carnack is ready for the next answer
On Mon, 22 Sep 2003, Dave Stewart wrote:
> Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it.

ISC has made root-delegation-only the default behaviour in the new bind, how about drafting up an RFC making it an absolute default requirement for all DNS?

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
> ISC has made root-delegation-only the default behaviour in the new bind,

actually, though, we haven't, and wouldn't (ever). the feature is present but must be explicitly enabled by a knowledgeable operator to have effect.

> how about drafting up an RFC making it an absolute default requirement for all DNS?

this is what the icann secsac recommendation...

http://www.icann.org/correspondence/secsac-to-board-22sep03.htm

...says that ietf/iab should look into:

    We call on the IAB, the IETF, and the operational community to examine the specifications for the domain name system and consider whether additional specifications could improve the stability of the overall system. Most urgently, we ask for definitive recommendations regarding the use and operation of wildcard DNS names in TLDs and the root domain, so that actions and expectations can become universal. With respect to the broader architectural issues, we call on the technical community to clarify the role of error responses and on the separation of architectural layers, particularly and their interaction with security and stability.

and it does seem rather urgent that if a wildcard in the root domain or in a top level domain is dangerous and bad, that the ietf say so out loud so that icann has a respected external reference to include in their contracts.

--
Paul Vixie
On 23.09 06:07, Paul Vixie wrote:
>     We call on the IAB, the IETF, and the operational community to examine the specifications for the domain name system and consider whether additional specifications could improve the stability of the overall system. Most urgently, we ask for definitive recommendations regarding the use and operation of wildcard DNS names in TLDs and the root domain, so that actions and expectations can become universal. With respect to the broader architectural issues, we call on the technical community to clarify the role of error responses and on the separation of architectural layers, particularly and their interaction with security and stability.
>
> and it does seem rather urgent that if a wildcard in the root domain or in a top level domain is dangerous and bad, that the ietf say so out loud so that icann has a respected external reference to include in their contracts.

The IAB has done an excellent job with http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html. I quote:

    "... Proposed guideline:

    If you want to use wildcards in your zone and understand the risks, go ahead, but only do so with the informed consent of the entities that are delegated within your zone.

    Generally, we do not recommend the use of wildcards for record types that affect more than one application protocol. At the present time, the only record types that do not affect more than one application protocol are MX records.

    For zones that do delegations, we do not recommend even wildcard MX records. If they are used, the owners of zones delegated from that zone must be made aware of that policy and must be given assistance to ensure appropriate behavior for MX names within the delegated zone. In other words, the parent zone operator must not reroute mail destined for the child zone without the child zone's permission.

    We hesitate to recommend a flat prohibition against wildcards in "registry"-class zones, but strongly suggest that the burden of proof in such cases should be on the registry to demonstrate that their intended use of wildcards will not pose a threat to stable operation of the DNS or predictable behavior for applications and users.

    We recommend that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity."

What else does the IETF need to do here? This should be enough of an expert opinion for ICANN and others like the US DoC in the short term.

Verisign have realised that and are talking about an -so far vapour- expert panel to counter that. I wonder about its composition .....

Daniel
On Mon, 22 Sep 2003, Dave Stewart wrote:
> > Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it.
>
> ISC has made root-delegation-only the default behaviour in the new bind, how about drafting up an RFC making it an absolute default requirement for all DNS?
>
> -Dan

That would be making a fundamental change to the DNS to make wildcards illegal anywhere. Is that what you want?

--bill
On Tue, 23 Sep 2003 bmanning@karoshi.com wrote:
> > ISC has made root-delegation-only the default behaviour in the new bind, how about drafting up an RFC making it an absolute default requirement for all DNS?
>
> That would be making a fundamental change to the DNS to make wildcards illegal anywhere. Is that what you want?

no it wouldn't. it would just make wildcards illegal in top level domains, not subdomains.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
On Tue, 23 Sep 2003, Dan Hollis wrote:
> > That would be making a fundamental change to the DNS to make wildcards illegal anywhere. Is that what you want?
>
> no it wouldn't. it would just make wildcards illegal in top level domains, not subdomains.
>
> -Dan

really? and how would that work? (read be enforced...)

--bill
bmanning@karoshi.com wrote:
> > no it wouldn't. it would just make wildcards illegal in top level domains, not subdomains.
>
> really? and how would that work? (read be enforced...)

The same way all RFCs and Standards are enforced, by the IETF Delta Squad Elite Stormtrooper Interdiction Unit Strike Force.

--
Crist J. Clark   crist.clark@globalstar.com
Globalstar Communications   (408) 933-4387
On Tue, 23 Sep 2003 bmanning@karoshi.com wrote:
> > no it wouldn't. it would just make wildcards illegal in top level domains, not subdomains.
>
> really? and how would that work? (read be enforced...)

Well yes that's part of the problem. It looks like verisign doesn't care what anyone (ICANN, IAB, operators) thinks. But if we can mandate via RFC it for dns software (servers, resolvers) etc. then we go a ways to removing verisign from the equation. Verisign can do what they like, everyone will just ignore their hijacking.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
On Tue, 23 Sep 2003, Dan Hollis wrote:
> > really? and how would that work? (read be enforced...)
>
> Well yes that's part of the problem. It looks like verisign doesn't care what anyone (ICANN, IAB, operators) thinks. But if we can mandate via RFC it for dns software (servers, resolvers) etc. then we go a ways to removing verisign from the equation. Verisign can do what they like, everyone will just ignore their hijacking.

let's try this again... why should a valid DNS protocol element be made illegal in some parts of the tree and not others? if it's bad one place, why is it ok other places?

--bill
> let's try this again... why should a valid DNS protocol element be made illegal in some parts of the tree and not others? if it's bad one place, why is it ok other places?

because some engineers think that all social and business problems can be solved by technical hacks. it's the goddess's revenge for the lawyers who think all engineering problems can be solved at layer nine.

randy, who will go back to work now
On Tue, 23 Sep 2003, Randy Bush wrote:
> some engineers think that all social and business problems can be solved by technical hacks.

Dunno about some engineers, but engineers in general can do a lot to avoid creation of many problems in the first place. This wildcard flop is a perfect example of a bad design decision coming back to bite.

I'd say that engineers pay too little attention to the social and business implications of their decisions.

--vadim
--On Tuesday, September 23, 2003 11:55:41 -0700 Randy Bush <randy@psg.com> wrote:
> because some engineers think that all social and business problems can be solved by technical hacks. it's the goddess's revenge for the lawyers who think all engineering problems can be solved at layer nine.

Bingo!

--
Måns Nilsson   Systems Specialist
+46 70 681 7204   KTHNOC   MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.
On Tue, 23 Sep 2003 bmanning@karoshi.com wrote:
> let's try this again... why should a valid DNS protocol element be made illegal in some parts of the tree and not others? if it's bad one place, why is it ok other places?

Well one point is from http://www.icann.org/tlds/ only domains classed as 'sponsored' previously had wildcards. Domains that are unsponsored including .net and .com are supposed to operate under policy established from the global community thro ICANN.

Also this is a specific case, .net/.com have legacy implications and no one including Verisign is naive enough to believe that this would have been ok. This is why they have done it in the way they have without consultation.

A number of people claim they are acting in breach of their charter with ICANN, sure (Randy) this is a social argument, but there's technical ones as well but they don't stand up so well in the courtroom..

Steve
At 11:47 AM -0700 9/23/03, bmanning@karoshi.com wrote:
> let's try this again... why should a valid DNS protocol element be made illegal in some parts of the tree and not others? if it's bad one place, why is it ok other places?

There's a simple answer and a not so simple. The simple answer is because in one part of the tree it was expected by all players up front, and in the other it wasn't.

However in general I tend to agree. The things that Verisign broke (and which have cost my company several thousand dollars in lost time and unplanned programming tasks, never mind the increase in spam) are also broken by other TLDs that use wildcards. The issues weren't clear because the impact was small. Now that they are clear, those decisions should also be revisited.

--
Kee Hinckley
http://www.messagefire.com/   Next Generation Spam Defense
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
On Tue, 23 Sep 2003 bmanning@karoshi.com wrote:
> let's try this again... why should a valid DNS protocol element be made illegal in some parts of the tree and not others? if it's bad one place, why is it ok other places?
>
> --bill

Because of who is affected by the element. At the TLD level, many are affected, at the domain level, then it's a much smaller subset. Ultimately, as Randy has already said, it is a business and social problem. From a business standpoint, why should an organization be forced to use its own resources to work around Verisign's plan to put more money in its own pocket.

From a social aspect, since Verisign has grown to be one of the most hated (a decidedly non-business adjective) and distrusted organizations existing. It pisses people off that they have found an unfair advantage to use resources in bad faith, to generate revenue from people's typos and ignorance. It smacks of being unethical, underhanded, illegal, and generally the opposite of generating revenue by providing a quality service to your loyal customers.

The technical hacks are a testament to our culture and provide instant gratification while the slower moving social and business issues are worked out. They help to gratify the emotional need to generally do the right thing.

andy
--
PGP Key Available at http://www.tigerteam.net/andy/pgp
Folks,

bkc> let's try this again... why should a valid DNS protocol element
bkc> be made illegal in some parts of the tree and not others?
bkc> if it's bad one place, why is it ok other places?

There very much _is_ an operational issue here, but it needs to be characterized very carefully. To that end, the IAB note is nicely careful and, I think, exactly right in classifying a core "coordination" problem that comes with wildcarding. Standards are, after all, about coordinating details among independent participants.

The problem with wildcarding a gTLD is not that the construct should be made illegal but that it requires a degree of coordination that was not attempted. In this regard, the sponsored TLDs are not a problem specifically because they are run in a more heterogeneous manner.

The IAB note captures this quite with:

    In particular, we recommend that DNS wildcards should not be used in a zone unless the zone operator has a clear understanding of the risks, and that they should not be used without the informed consent of those entities which have been delegated below the zone.

d/
--
Dave Crocker <dcrocker-at-brandenburg-dot-com>
Brandenburg InternetWorking <www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>
> it would just make wildcards illegal in top level domains, not subdomains.

there are tlds with top level wildcards that are needed and in legitimate use.

verisign has not done anything strictly against spec. this is a social and business issue.

all this noise and bluster is depressing. it indicates that we are in a very quickly maturing industry because a lot of probably-soon-to-be-ex engineers have too much time on their hands.

randy
Randy Bush wrote:
> > it would just make wildcards illegal in top level domains, not subdomains.
>
> there are tlds with top level wildcards that are needed and in legitimate use.
>
> verisign has not done anything strictly against spec. this is a social and business issue.

And this in itself indicates a possible failure in our model. When someone can do something that causes so much outrage, and we the community have no recourse, something is wrong. Maybe we're in the realm of politics, but our implementations reflect our values. Do you feel the same today about the GPG/PGP v. X.509 as you did before Verisign decided to become an unauthorized interloper? Might we have a standards problem with SSL, because people cannot simply NOT trust Verisign certs? After all, how many certificates can you get out of SSL for a server or a client?

> all this noise and bluster is depressing. it indicates that we are in a very quickly maturing industry because a lot of probably-soon-to-be-ex engineers have too much time on their hands.

I take a different view. If people who are upset with Verisign's change DON'T say anything, then there's no reason for Verisign to change. I suspect that the better forum may be one's Congress person...

Eliot
Folks,

EL> And this in itself indicates a possible failure in our model. When
EL> someone can do something that causes so much outrage, and we the
EL> community have no recourse, something is wrong. Maybe we're in the
EL> realm of politics, but our implementations reflect our values.

Verisign effectively disabled an error response. The response would not exist in the protocol if it were not to be used. Hence, Verisign changed the protocol. That's a technical violation of the standard, not a social or business one.

Folks are free to negotiate their own version of protocols. However, when a provider imposes a change by fiat, they have rendered the work technically proprietary.

The IAB and the ICANN advisory panel reports characterise the technical issues carefully and thoroughly. They make clear that the technical and operational ramifications of this change are massive.

/d
--
Dave Crocker <dcrocker-at-brandenburg-dot-com>
Brandenburg InternetWorking <www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>
On Tue 23 Sep 2003 (12:18 -0700), Eliot Lear wrote:
> Randy Bush wrote:
> > all this noise and bluster is depressing. it indicates that we are in a very quickly maturing industry because a lot of probably-soon-to-be-ex engineers have too much time on their hands.
>
> I take a different view. If people who are upset with Verisign's change DON'T say anything, then there's no reason for Verisign to change. I suspect that the better forum may be one's Congress person...

And the usual US-centric view...

Which congress person does Demon Netherlands, T-dialin, Wanadoo France, Tiscali etc. go to?

--
Jim Segrave   jes@nl.demon.net
Jim Segrave wrote:
> And the usual US-centric view...
>
> Which congress person does Demon Netherlands, T-dialin, Wanadoo France, Tiscali etc. go to?

I recognize it sounds U.S.-centric, but quite frankly since the U.S. Department of Commerce claims ownership here, I don't have any grand more politically correct answer for you.

Eliot
Dan Hollis wrote:
> On Tue, 23 Sep 2003 bmanning@karoshi.com wrote:
> > > ISC has made root-delegation-only the default behaviour in the new bind, how about drafting up an RFC making it an absolute default requirement for all DNS?
> >
> > That would be making a fundamental change to the DNS to make wildcards illegal anywhere. Is that what you want?
>
> no it wouldn't. it would just make wildcards illegal in top level domains, not subdomains.

Actually, it's worse than that. root-delegation-only does not just change the wildcard behavior. RRs which are in the tld itself instead of being delegated (like some of the ccTLDs) break if forced into root-delegation-only. This is one of the points in the IAB opinion concerning remedies causing other problems. The issue itself is political, but it does have technical ramifications. It's still to be seen if ISC's cure is worse than the disease; as instead of detecting and stopping wildcard sets, it looks for delegation. It is also configurable to a degree that inexperienced operators will break their DNS implementations out of ignorance (like ignoring the ISC recommendation and root-delegating .de).

One should consider sponsored TLDs like .museum the exception. If you have filtering rules (like smtp) that are bypassed as a result of the wildcard, then those rules themselves should be changed. The sponsored TLDs and even a lot of the ccTLDs have a rather small subdomain base, allowing for unified agreement on changes made to the zone. The legacy TLDs should be rather static to ensure stability in DNS architecture overall. The subdomain base is massive, making communication and agreement on changes difficult. If I'm not mistaken, this is one of the duties of ICANN.

-Jack
> It's still to be seen if ISC's cure is worse than the disease; as instead of detecting and stopping wildcard sets, it looks for delegation.

that's because wildcard ("synthesized") responses do not look different on the wire, and looking for a specific A RR that can be changed every day or even loadbalanced through four /16's that may have real hosts in them seems like the wrong way forward.

--
Paul Vixie
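A resolver-side model of the delegation-only behaviour Paul and Jack are discussing, as an added example that is not code from ISC, BIND or anyone in the thread; every name, record and the exclude list here is constructed. It shows the three cases the thread raises: a wildcard-synthesized answer is turned into NXDOMAIN without the resolver ever seeing a wildcard, a normal referral passes through, and a host stored directly in a TLD zone is discarded unless that TLD is excluded, even though it is indistinguishable on the wire from the synthesized answer.

```python
"""Resolver-side model of a 'delegation-only' check (constructed example, not ISC code)."""
from dataclasses import dataclass, field

NOERROR, NXDOMAIN = 0, 3  # DNS rcode values


@dataclass
class RR:
    name: str    # owner name, no trailing dot
    rtype: str   # "A", "NS", "SOA", ...
    rdata: str


@dataclass
class Response:
    qname: str
    rcode: int = NOERROR
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


def labels(name):
    return name.lower().strip(".").split(".") if name.strip(".") else []


def below_zone(name, zone):
    """True if name is strictly inside zone (not the zone apex itself)."""
    nl, zl = labels(name), labels(zone)
    return len(nl) > len(zl) and nl[-len(zl):] == zl


def is_referral(resp, zone):
    """A referral has an empty answer section and NS records for a child of the zone."""
    ns = [rr for rr in resp.authority if rr.rtype == "NS"]
    return not resp.answer and bool(ns) and all(below_zone(rr.name, zone) for rr in ns)


def delegation_only(resp, zone, exclude=()):
    """Apply delegation-only policy to a response received from zone's servers.

    Only referrals and records at the zone apex are accepted; any other answer
    data is presumed synthesized and is replaced by NXDOMAIN.  Zones named in
    exclude (the role the thread gives ISC's exclude list) are passed through.
    """
    apex = labels(zone)
    if ".".join(apex) in {".".join(labels(z)) for z in exclude}:
        return resp
    if not resp.answer or is_referral(resp, zone):
        return resp  # negative answers and referrals are what a TLD should serve
    if all(labels(rr.name) == apex for rr in resp.answer):
        return resp  # SOA/NS/etc. of the TLD itself
    return Response(resp.qname, NXDOMAIN)


def wire_shape(resp):
    """What a resolver can see: rcode plus record types per section, not their origin."""
    return (resp.rcode, tuple(rr.rtype for rr in resp.answer),
            tuple(rr.rtype for rr in resp.authority))


# Constructed responses, as if received from the TLD's servers.
WILDCARD = Response("nonexistent-typo-example.com",
                    answer=[RR("nonexistent-typo-example.com", "A", "192.0.2.10")])
REFERRAL = Response("www.example.com",
                    authority=[RR("example.com", "NS", "ns1.example.com")])
IN_ZONE_HOST = Response("www.example",  # host stored directly in a (constructed) TLD
                        answer=[RR("www.example", "A", "192.0.2.20")])


def demo():
    """rcode each constructed response ends up with after the policy is applied."""
    return {
        "wildcard": delegation_only(WILDCARD, "com").rcode,             # rewritten to NXDOMAIN
        "referral": delegation_only(REFERRAL, "com").rcode,             # untouched
        "in_zone_host": delegation_only(IN_ZONE_HOST, "example").rcode,  # collateral NXDOMAIN
        "in_zone_host_excluded":
            delegation_only(IN_ZONE_HOST, "example", exclude={"example"}).rcode,
        # The synthesized and the legitimate in-zone answer look the same on the wire.
        "same_shape": wire_shape(WILDCARD) == wire_shape(IN_ZONE_HOST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```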
Paul Vixie wrote:
> > It's still to be seen if ISC's cure is worse than the disease; as instead of detecting and stopping wildcard sets, it looks for delegation.
>
> that's because wildcard ("synthesized") responses do not look different on the wire, and looking for a specific A RR that can be changed every day or even loadbalanced through four /16's that may have real hosts in them seems like the wrong way forward.

See the NANOG archives for my post regarding wildcard caching and set comparison with additional resolver functionality for requesting if the resolver wishes to receive wildcards or NXDOMAIN.

-Jack
participants (20)

- Andy Walden
- bmanning@karoshi.com
- Crist Clark
- Dan Hollis
- Daniel Karrenberg
- Dave Crocker
- Dave Stewart
- Eliot Lear
- Haesu
- Jack Bates
- Jim Segrave
- Kee Hinckley
- Kevin Loch
- Leo Bicknell
- Mike Tancsa
- Måns Nilsson
- Paul Vixie
- Randy Bush
- Stephen J. Wilcox
- Vadim Antonov