Attn sysadmins: Verisign claims all unused COM and NET TLDs

Ryan Spaight

Supporting Actor
Joined
Jun 30, 1997
Messages
676
Sometime yesterday, Verisign added a wildcard A record to the COM and NET root nameservers, which resolves to 64.94.110.11, or sitefinder.verisign.com -- a big fat Verisign page. *Any* invalid hostname ending in COM or NET will now return this address. (Try it with nslookup. Scary.)

This is similar to what Microsoft did in IE, where a bad hostname would take you to MSN search. The difference is that while you can turn that behavior off in IE, what Verisign has done affects the whole damn Internet, and there's no way to disable it.

This has the effect of breaking spam filters and making many basic troubleshooting operations much more difficult. More discussion here:

http://slashdot.org/articles/03/09/1...&tid=98&tid=99

I don't think it's an overstatement to say this is the single biggest change in how the Internet DNS system works ever, and entirely for the worse. Whoever at Verisign thought this up should be shot.

Ryan
 

DonRoeber

Screenwriter
Joined
Feb 11, 2001
Messages
1,849
Yeah, this really sucks. However, the argument for spam filtering isn't very good. Instead of checking to see if a domain is valid by whether it resolves or not, now we just need to see if it resolves to sitefinder.verisign.com. It doesn't cost any more in system resources; you're still doing a DNS lookup.

It's just a big pain in the ass for end users, who will now be more confused than ever. I posted something regarding this on Slashdot when it was still in the discussion phase at Verisign. In a few years, I'm betting that the Address Bar in your browser will be replaced by a Google powered search bar. Have you watched the average computer user's behavior recently? If you set their home page to Google, your browser will usually shift keyboard focus to the search box when it loads the page. So just type in what you want, and hit enter. Google gets you the page that you want, and then you click on it to go to that site. Yeah, it's one more click than just typing something in the address bar (unless you count changing the cursor focus to the address bar, then it's even), but you get reliable information from Google. Never have to worry about mistyping the website address again.

Seriously, watch non-computer-savvy user behavior. It's fascinating, but I really think that in a few years, everything will be bookmarks and Google (or whatever search engine is ruling the world then). Who really wants to remember URLs anyway?
 

Ryan Spaight

Supporting Actor
Joined
Jun 30, 1997
Messages
676
Yeah, this really sucks. However, the argument for spam filtering isn't very good. Instead of checking to see if a domain is valid by whether it resolves or not, now we just need to see if it resolves to sitefinder.verisign.com. It doesn't cost any more in system resources; you're still doing a DNS lookup.
Yeah, but that's a Mickey Mouse band-aid that shouldn't be necessary if the DNS system worked the way it was supposed to instead of the way Verisign's marketing team thinks it should.

Here's a more challenging problem: Say you've got two MX records (primary and backup) with appropriate priority settings, that go to two different domains for redundancy purposes. Your accounting dept forgets to pay the renewal on the primary domain, so the registration lapses. (Precisely the sort of problem your carefully designed backup scheme was created to mitigate.)

Prior to the change, the DNS lookup would have failed on the first MX record, the second MX record would have been used and the mail would have been delivered.

Now, though, the domain name remains valid, *and* there's something (a mail rejecter called "Snubby") responding on port 25 of Verisign's sitefinder server. It's rejecting everything that comes in, of course. The end result, though, is instead of your backup mail server being used (as per the design of the system), the mail is simply bounced off "Snubby."

Adding insult to injury, the server at 64.94.110.11 (the address all unresolvable COM and NET DNS requests are currently being pointed to) is unresponsive more often than not. So *any* misdirected email, instead of being promptly bounced back to the sender with an error, is now sitting in queues waiting to be "delivered" to a non-existent mail server, clogging up mail queues and bandwidth with multiple, unsuccessful, completely unnecessary attempts. The sender has no idea the mail was not delivered, and won't until several hours later when their mail server finally reports problems with delivery. Insane.

Of less practical consequence but still annoying, any mistyped HTTP URLs, instead of a quick error response, now result in a very long timeout waiting for the unresponsive 64.94.110.11 server to answer. This is unexpected and confusing behavior that would lead someone passingly familiar with IP networking who didn't know about this change to assume the site was down, rather than a mistyped URL. ("Well, it resolved to an IP and tried to go there, so the domain name I tried must be good. Must be a problem on their end.")

The NXDOMAIN response is valuable, expected and assumed. Unilaterally removing it with no RFC process or other warning is simply inexcusable.

ISC's patch is welcome, but putting DNS back the way it's supposed to be would be even better.

Ryan
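Added example, not code from anyone in this thread: a stub resolver standing in for the COM/NET wildcard, the "does it resolve to SiteFinder" check DonRoeber describes above, and the MX fallback that Ryan's lapsed-primary scenario needs. The A-record table and host names are constructed; only 64.94.110.11 comes from the thread.

```python
import random
import string

# Constructed stand-in for the 2003 COM/NET wildcard: any COM or NET name
# not present in the table below gets a synthesised answer instead of NXDOMAIN.
SITEFINDER = "64.94.110.11"
CONSTRUCTED_A_RECORDS = {
    "mail.example.com": "192.0.2.10",
    "backup-mx.example.net": "198.51.100.20",
}


def resolve_a(name, table=CONSTRUCTED_A_RECORDS):
    """Stub resolver: returns an address, or None where NXDOMAIN still exists."""
    if name in table:
        return table[name]
    if name.endswith((".com", ".net")):
        return SITEFINDER          # wildcard swallows the name
    return None                    # other TLDs still say "no such domain"


def probe_wildcard(tld, resolver=resolve_a):
    """Learn the wildcard address (if any) by resolving a label that cannot exist."""
    label = "".join(random.choices(string.ascii_lowercase, k=24))
    return resolver(f"{label}.{tld}")


def is_real_host(name, resolver=resolve_a):
    """Treat an answer equal to the TLD's wildcard address as NXDOMAIN."""
    addr = resolver(name)
    if addr is None:
        return False
    tld = name.rsplit(".", 1)[-1]
    return addr != probe_wildcard(tld, resolver)


def pick_mx(mx_records, resolver=resolve_a):
    """Lowest-preference MX whose target is a real host; a target swallowed by
    the wildcard (the lapsed primary domain) is skipped so the backup is used."""
    for _pref, target in sorted(mx_records):
        if is_real_host(target, resolver):
            return target
    return None


if __name__ == "__main__":
    mx = [(10, "lapsed-primary.example.com"), (20, "backup-mx.example.net")]
    print(pick_mx(mx))  # backup-mx.example.net, not the SiteFinder "Snubby"
```

Against a live resolver the same probe-and-compare logic applies; the stub only exists so the example runs offline.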
 

Joshua Clinard

Screenwriter
Joined
Aug 25, 2000
Messages
1,837
Location
Abilene, TX
Real Name
Joshua Clinard
I agree, this is a horrible practice. They should never have done this. It just shows you how they will do ANYTHING to get ahead. They also sent non-Verisign domain owners unsolicited mail trying to get them to switch last year. Anyone who owns a domain through them should switch to DirectNic or some other cheaper alternative. A search company has submitted a lawsuit against them, and I hope they win!
 

JamesHl

Supporting Actor
Joined
May 8, 2003
Messages
813
Now ICANN and IAB have asked them to cut it out as well, though not for reasons I would have preferred.
 

Francois Caron

Senior HTF Member
Joined
Jul 31, 1997
Messages
2,640
Location
Ottawa, Ontario, Canada
Real Name
François Caron
There is a way to work around this problem on your own machine. Do note that this fix will probably work only at the Web browser level. E-mail delivery is usually handled by your ISP, not by your machine.

Find a file called "hosts" located in the "c:\windows\system32\drivers\etc" directory. Open the file with a text editor such as Notepad. You should see the following line at the end of the file.

127.0.0.1 localhost

Add the following line after it.

127.0.0.1 sitefinder.verisign.com

Now save the file.

Before your computer asks your ISP's name server to locate the Website you requested, it first checks the "Hosts" file to see if there's already a local TCP/IP address set up for the site. But now, when you're redirected to the Verisign Web site, your computer will be misled into believing the site is located on your own machine! Since you don't have that site set up on your computer, your browser will instead display the traditional 404 error message.

There may be more Verisign sites that need to be included in the Hosts file. Verisign collects information on the misspelled Web sites including some of your personal information and what you might have been looking for. Verisign is most likely selling this information to the highest bidder.
 

Wayne Bundrick

Senior HTF Member
Joined
May 17, 1999
Messages
2,358
Verisign should be forced to give up control of the .com and .net directories to another company who can act more responsibly.
 

Wayne Bundrick

Senior HTF Member
Joined
May 17, 1999
Messages
2,358
Today ICANN issued a stern ultimatum to Verisign to shut down Sitefinder by 6pm PDT, and Verisign has said they will comply. I think they already have. Check your favorite news source for details.
 

Wayne Bundrick

Senior HTF Member
Joined
May 17, 1999
Messages
2,358
Either you were a victim of DNS caching or my ISP had already patched their DNS to return a proper "domain does not exist" error instead of Sitefinder, because we tried several nonexistent domain names and got the proper error at the time I made the post.
 
