Netizens-Digest       Saturday, October 11 2003       Volume 01 : Number 526

Netizens Association Discussion List Digest

In this issue:

    Re: [netz] Followup on DNS regulation
    Re: [netz] Followup on DNS regulation
    Re: [netz] Followup on DNS regulation
    [netz] Fwd: VeriSign Capitulates posts from the North American Network Operators Group
    Re: [netz] Fwd: VeriSign Capitulates posts from the North American Network Operators Group
    Re: [netz] Fwd: VeriSign Capitulates posts from the North American Network Operators Group

----------------------------------------------------------------------

Date: Fri, 03 Oct 2003 22:19:08 +0200
From: Alexandru Petrescu
Subject: Re: [netz] Followup on DNS regulation

Howard C. Berkowitz wrote:
> Another industry response to Verisign's wildcards is a series of
> modifications to DNS software (e.g., BIND) that recognizes the
> wildcard behavior and treats it as a nonexistent domain.

That sounds good, I like this approach. Let ISC do what's needed.

> Lots of ISPs are putting in filters to prevent connectivity to
> Sitefinder.

This one makes me laugh. Good ISPs don't even think about preventing
anything, power to the end user, you know. This is even worse than what
Verisign did. This is a side effect that would disturb and enrage a
netizen.

Alex
GBU

------------------------------

Date: Fri, 3 Oct 2003 18:31:48 -0400
From: "Howard C. Berkowitz"
Subject: Re: [netz] Followup on DNS regulation

>Howard C. Berkowitz wrote:
>>>Say Howard, do you think ICANN, or any body for that matter, can
>>>stop a Verisign action when similar actions of other companies have
>>>not been stopped at all by ICANN and no other organization body did?
>>
>>
>>Looking at the outrage on the ISP operational lists, I think
>>something will happen here -- it's a survival issue for ICANN.
>>In parallel, the regional registries (RIPE NCC, ARIN, APNIC, LACNIC)
>>are putting together something that could be a replacement and/or
>>complement to ICANN, specifically for IP addresses rather than DNS.
>
>A-ha, good to know. I've been following ICANN's struggle for survival
>(if I can say so) and saw how many factors are involved, and difficult
>to deal with, when it tries to be as open as the Internet audience would
>like it to be.
>
>So, looking at a new potential effort by the registries. Is this also
>oriented towards being as open as possible to as many people as possible?

ARIN, at least, has always been pretty open, holding public meetings.
Indeed, they have started holding them at the same site as a NANOG
meeting, so network operators can make one trip of it. In Europe,
RIPE-NCC is the registry part and RIPE is the more networking
operations & research part, so it's one meeting.

It is worth making the point that these registries are not dealing
with technologies with considerable intellectual property and
trademark aspects, such as DNS naming. DNS has occupied a great deal
of ICANN's time. They work, instead, in the much more technical areas
of IP addresses, autonomous system numbering and routing policy
registration. Yes, there are economic considerations, but it's not
remotely the sort of thing that draws financial and legal people the
way that DNS issues do.

I've been a formal representative to ARIN for my company (to be
perfectly honest, I may still be -- while money is short, the
membership might still be in effect). But the board and advisory
members always have been active and accessible members of the Internet
technical community, and the staff is easily accessible (although for
best communication in the bar, you should be adept at foosball. It's a
tradition). They don't encounter the pressure for "stakeholders" that
brought so many people without any real Internet background into ARIN.
>
>>Court actions against Verisign already have started, but not from
>>ICANN. The letter from ICANN in the URL that I gave, reading
>>between the lines, is a warning shot that ICANN is considering
>>revoking Verisign's contract.
>
>(Revoking? so Verisign will revoke the certificates previously
>assigned by the plaintiff's e-commerce customers :-)
>
>Good to know.
>
>The signs that I've seen up to now about Verisign were not that bad at
>all. I might not be very well informed, but I had the impression of a
>well-intentioned company, this is the first time I see something that
>bad about them (well, except the other CA's stories [*]).

Actually, there's been considerable criticism of them in the Internet
operators' forums. There both have been problems with
operations/administration, and, periodically, very aggressive and
sometimes marginally deceptive advertising.

>
>I think they spend lots of time and money to build this level of
>credibility, and wondering about what happens if this credibility is
>undermined by this action; are there any other potential players
>enjoying this level, such as to potentially be given control of the root
>servers.
>
>>If Verisign tries to counter these moves, they will be setting
>>themselves up for such things as antitrust action.
>
>Ok and then look back and see what's happened to the other antitrust
>cases. Of course, it was good to watch. As you say, fireworks.
>
>>My own feeling is that Verisign reached for far too much this time,
>>and the industry is gunning for them.
>
>My own impression is that this makes so much noise only because it is so
>easily visible, anyone with a browser gets to see the thing and get a
>feeling of the problem. I wonder why they did it only for .com and .net
>domains, it does not work for .org, .info and country-level domains.

Other organizations operate the roots for those other top-level domains.
To be honest, I'd have to look up who some of them are, but, IIRC, an
educational association runs, for example, .edu.

>
>As long as people look mainly at .com things most of the time then this
>might look like a problem, indeed. But there are also many people
>looking mainly at country-level or org or edu domains and they don't see
>nothing.
>
>If there were to be legal actions and such (as you say "anti-trust
>cases") I think professional lawyers would have no problem defending a
>useful cause for the majority of users, just as Microsoft did.
>
>Say, what would a netizen do in this entire context?
>
>Is a netizen hurt by a potentially helpful service?
>
>Is a US netizen hurt by a potentially helpful service?
>
>Is a netizen outraged by the side-effects of the commercialization of
>the Internet in that private interests (and not public interests) lead
>to destabilizing the overall working of the Internet? A netizen would
>need to provide a palpable counter-argument of how this endangers, and
>make it as visible as the advantage. This can be done, instead of
>crying "wolf".
>
>Alex
>GBU
>
>[*] speaking of CA stories. Many people complain about their security
>service not being that good, and claiming more trust than what they
>actually offer; at the same time I see them as the only CA that does
>implement a good feature (OCSP) that I really like, and that is an IETF
>standard, built and specified in the IETF style. I went to two other
>large CA's and asked the same thing, they said 'wait'.

------------------------------

Date: Fri, 3 Oct 2003 18:46:18 -0400
From: "Howard C. Berkowitz"
Subject: Re: [netz] Followup on DNS regulation

>Howard C. Berkowitz wrote:
>>Another industry response to Verisign's wildcards is a series of
>>modifications to DNS software (e.g., BIND) that recognizes the
>>wildcard behavior and treats it as a nonexistent domain.
>
>That sounds good, I like this approach. Let ISC do what's needed.
>
>>Lots of ISPs are putting in filters to prevent connectivity to Sitefinder.
>
>This one makes me laugh. Good ISPs don't even think about preventing
>anything, power to the end user, you know. This is even worse than what
>Verisign did. This is a side effect that would disturb and enrage a
>netizen.

Let me clarify technically, for I may have been misleading. No, this
is a very good thing for an ISP to do, in the specific context of
defaulting to Sitefinder if a domain is undefined and hits the
Verisign wildcard. On the other hand, no ISP of which I know would
block you browsing to sitefinder.com; the end user is perfectly
empowered to go deliberately to sitefinder.

Strong arguments can be made that adding the wildcard to .com and .net
breaks the operational and even protocol aspects of DNS. A great many
network security tools, especially spam filters, depend on checking if
domains are undefined. There is a specific DNS protocol message for
undefined domain, which the wildcard defeats.

Beyond security, the wildcards have an indirect effect of potentially
slowing electronic mail or causing it to be dropped. One thing that
Verisign seemed not to consider is that the Internet is more than the
Web, and mail agent redirection to Sitefinder provides absolutely no
value to the mail-using Netizen.

Here's the problem. Let's say I misaddress a piece of mail to foo.com,
which I shall assume is a nonexistent domain. When an ISP first tries
to deliver it without the DNS wildcards, when it discovers there is no
such domain, it will treat that as an error, usually returning the
mail to sender with an appropriate error message.

With wildcards, however, an unmodified SMTP agent will get back an
address (Sitefinder) and try to set up a SMTP session with it. At
best, it will discover that Sitefinder does not support mail exchange
and treat the message as undeliverable, again returning it.
It's more likely, however, that the SMTP software will decide that
since it can find foo.com (with sitefinder's address), a temporary
error is interfering with delivery. It will requeue the message for
retry. Typically, mail agents try to redeliver for several days, and
may or may not return intermediate warning messages.

We now have the effects:

--ANY mail to an incorrectly spelled name gets added to the outgoing
  mail queue for retry, increasing queue length. Doing so:
    -- slows down mail delivery due to the need for repeatedly
       processing mail that will never be delivered
    -- consumes queue storage resources and increases ISP costs,
       which may be passed on to the Netizen
--Inconveniencing the user, who, if they received a prompt error
  notification, might discover they spelled an address incorrectly and
  simply need to correct the message and resend it. With the
  wildcards, days may elapse before the sender even knows there is a
  problem.

------------------------------

Date: Fri, 3 Oct 2003 20:31:36 -0400
From: "Howard C. Berkowitz"
Subject: [netz] Fwd: VeriSign Capitulates posts from the North American Network Operators Group

Believe me, this is a considerably trimmed list. The fact of this
discussion, however, I think is evidence that the ISP operator
community is quite open, with the caveat that posters to the NANOG
list are expected to have significant technical understanding of the
issues.

>
>Date: Fri, 3 Oct 2003 15:44:26 -0400 (EDT)
>From: Tim Wilde
>X-X-Sender: twilde@manganese.bos.dyndns.org
>To: nanog@merit.edu
>Subject: VeriSign Capitulates
>
>
>
>http://www.washingtonpost.com/wp-dyn/articles/A40241-2003Oct3.html
>
>And they act like they're the victims. Amazing.
>
>"Without so much as a hearing, ICANN today formally asked us to shut down
>the Site Finder service," said VeriSign spokesman Tom Galvin. "We will
>accede to their request while we explore all of our options."
>
>How about a public outcry? Did you miss that part? You don't deserve a
>hearing.
>
>Of course, they haven't removed the wildcard yet:
>
>dig is-it-gone-yet.com. @a.gtld-servers.net. +short
>64.94.110.11

[HCB] In my opinion, Sean Donelan is the top authority on Internet
reliability (nice guy as well):

At 3:56 PM -0400 10/3/03, Sean Donelan wrote:
>
>
>Yep, I told you so :-) I said that before this was over, Verisign would
>claim they were the victims and a bunch of hooligans on the West Coast
>"attacked" their honest and decent plans to help Internet users.
>
>
>> "Without so much as a hearing, ICANN today formally asked us to shut down
>> the Site Finder service," said VeriSign spokesman Tom Galvin. "We will
>> accede to their request while we explore all of our options."
>
>Uhm, was that the same hearing Verisign didn't have prior to instigating
>their actions?

At 3:57 PM -0400 10/3/03, Nathan J. Mehl wrote:
>What's that bit about the definition of `chutzpah?' The parricide who
>throws himself on the court's mercy as an orphan?
>
>Oddly enough, ICANN gave them exactly as much of a hearing as they
>gave ICANN, the IETF and pretty much everyone else in the world before
>they foisted this abomination on us. My heart bleeds for them,
>really.

At 9:59 AM -1000 10/3/03, Scott Weeks wrote:
>The public are just critics:
> "Critics say that VeriSign abused its monopoly power over the
> registries"
>
>
>And we're a "close-knit group" who're spouting overblown claims. Yeah,
>right... ;-)
>
> VeriSign also angered the close-knit group of engineers and scientists
> who are familiar with the technology underpinning the Internet. They
> say that Site Finder undermines the worldwide Domain Name System,
> causing e-mail systems, spam-blocking technology and other applications
> to malfunction.
>
> VeriSign said the claims are overblown.
>
> "There is no data to indicate the core operation of the domain name
> system or the stability of the Internet has been adversely affected,"
> VeriSign's Galvin said.

Now, I _do_ know lots of people on NANOG. But...
At 3:43 PM -0500 10/3/03, Allen McRay wrote:
>Outside of one other person on this list, I know no one else personally, so
>where do they come up with the "close-knit" stuff? I thought that most of
>the traffic I have monitored, re: this topic, has come from a very diverse
>and rather large group of people from all around the world who have been
>trying to say is that what VeriSign has done has caused problems in their
>area of expertise, in their businesses, and for the public in general. Also
>seen a lot of proof posted along with the comments.....
>
>I might also mention, I understand the technology "underpinning" the
>internet.... it's the attempted abuse of power by individuals and
>organizations like VeriSign that I can't go along with....

At 5:03 PM -0400 10/3/03, Kevin Loch wrote:
>"... in an attempt to assert a dubious right to regulate
>non-registry services."
>
>This explains everything. They don't believe the stability of
>com and net are in any way related to their registry duties.
>
>That quote alone should be sufficient to deny them custody of
>com and net.

At 2:15 PM -0700 10/3/03, Wayne E. Bouchard wrote:
>It also intimates that they do not believe that ICANN has any right
>under current legislation to monitor what actually goes into the zone
>file; only the way verisign behaves as a registry. The fact of the
>matter is that yes, there is a separation between those two items but
>ICANN most definitely has a say in how the technical aspects can be
>managed. Also, once verisign made a change to the root file for its
>own commercial benefit, they themselves crossed the line between
>registry and maintainer.

At 2:47 PM -0700 10/3/03, Owen DeLong wrote:
>Verisign press releases have never been about the facts. Instead it's
>about trying to manipulate public perception to their side. Verisign has
>never expressed any actual concern or even care about how much damage
>their actions do to the internet.
>Any expectation that this would change
>in this circumstance is an act of optimism or stupidity.
>
>I only hope that the press in question will be made aware of the truth
>of these matters and publish that information. Otherwise, you may be
>faced with a situation where the DOC asks ICANN why they caved to such
>a small special interest group's pressure.

**** FROM Verisign ITSELF *****

At 5:50 PM -0400 10/3/03, Matt Larson wrote:
>
>VeriSign was directed by ICANN to suspend the Site Finder service by
>0100 UTC on Sunday, October 5. We requested an extension from ICANN
>to give more notice to the community but were denied. We will be
>removing the wildcard A records from the .com and .net zones beginning
>at 2300 UTC on Saturday, October 4. The former behavior for these
>zones (returning Name Error/RCODE=3 in response to queries for
>nonexistent domain names) will be in place by 0100 UTC on Sunday,

At 6:18 PM -0400 10/3/03, Adam Kujawski wrote:
>Since when does Verisign argue that the community should be given advanced
>notice of drastic changes to the .com/.net zones?
>
>Would anybody from Verisign like to explain how extended notice of
>the wildcard removal would benefit the Internet community? I'm all ears.
>

------------------------------

Date: Fri, 3 Oct 2003 21:20:31 -0400
From: lindeman@bard.edu
Subject: Re: [netz] Fwd: VeriSign Capitulates posts from the North American Network Operators Group

Howard,

Thanks, this was a hoot. I greedily read all the way to the end and was
rewarded by:

> **** FROM Verisign ITSELF *****
>
> At 5:50 PM -0400 10/3/03, Matt Larson wrote:
> >
> >VeriSign was directed by ICANN to suspend the Site Finder service by
> >0100 UTC on Sunday, October 5. We requested an extension from ICANN
> >to give more notice to the community but were denied. We will be
> >removing the wildcard A records from the .com and .net zones beginning
> >at 2300 UTC on Saturday, October 4.
> >The former behavior for these
> >zones (returning Name Error/RCODE=3 in response to queries for
> >nonexistent domain names) will be in place by 0100 UTC on Sunday,
> >
>
> At 6:18 PM -0400 10/3/03, Adam Kujawski wrote:
> >Since when does Verisign argue that the community should be given advanced
> >notice of drastic changes to the .com/.net zones?
> >
> >Would anybody from Verisign like to explain how extended notice of
> >the wildcard removal would benefit the Internet community? I'm all ears.

Academic norms frown on rhetorical questions that are quite so ruthless, but
oh how I love them.

Mark Lindeman

------------------------------

Date: Sat, 4 Oct 2003 15:49:34 -0400
From: "Howard C. Berkowitz"
Subject: Re: [netz] Fwd: VeriSign Capitulates posts from the North American Network Operators Group

>Howard,
>
>Thanks, this was a hoot. I greedily read all the way to the end and
>was rewarded by:
>
>> **** FROM Verisign ITSELF *****
>>
>> At 5:50 PM -0400 10/3/03, Matt Larson wrote:
>> >
>> >VeriSign was directed by ICANN to suspend the Site Finder service by
>> >0100 UTC on Sunday, October 5. We requested an extension from ICANN
>> >to give more notice to the community but were denied. We will be
>> >removing the wildcard A records from the .com and .net zones beginning
>> >at 2300 UTC on Saturday, October 4. The former behavior for these
>> >zones (returning Name Error/RCODE=3 in response to queries for
>> >nonexistent domain names) will be in place by 0100 UTC on Sunday,
>>
>>
>> At 6:18 PM -0400 10/3/03, Adam Kujawski wrote:
>> >Since when does Verisign argue that the community should be given advanced
>> >notice of drastic changes to the .com/.net zones?
>> >
>> >Would anybody from Verisign like to explain how extended notice of
>> >the wildcard removal would benefit the Internet community? I'm all ears.
>
>Academic norms frown on rhetorical questions that are quite so
>ruthless, but oh how I love them.
>
>Mark Lindeman

Mark,

We don't yet know the long-term effects of this on Internet
governance. Will Verisign or its clones tread more carefully? Will
ICANN gain credibility? Will parallel structures, run by experienced
people, develop for some or all ICANN responsibilities?

Nevertheless, at least in the short term, I feel good that the system
self-corrected rather quickly. Many of the discussions on this list
have focused on what is wrong. It's been quiet for a long time. Is it
possible, as I hope, that the list might focus on lessons learned from
something that had positive aspects, and see how they might be
improved and/or used more widely?

I would note that while the general news media picked up on this
issue, relatively few covered it well. The grass-roots industry
response, as well as ICANN's work, often seemed to be treated as one
corporation spinning another (i.e., Verisign). Some media covered it
better than others, but I haven't seen anything that really expressed
the widespread outrage seen on NANOG and elsewhere.

Howard

------------------------------

End of Netizens-Digest V1 #526
******************************
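
Added example (not part of the original digest or of any poster's message): a toy Python model of the mail-delivery and spam-filter effects described in the 3 Oct 18:46 message above, together with the resolver-side workaround of treating the wildcard answer as a nonexistent domain. The sample zone, the function names and the address-matching filter are assumptions made for illustration; only RCODE=3 and the address 64.94.110.11 come from the thread.

```python
import secrets

NOERROR = 0
NXDOMAIN = 3                      # Name Error / RCODE=3, as quoted in the thread
WILDCARD_ADDR = "64.94.110.11"    # address shown in the dig output in the thread

# Constructed sample data: one registered domain and the host accepting its mail.
REGISTERED = {"example.com": "192.0.2.25"}
ACCEPTS_SMTP = {"192.0.2.25"}


def resolve(name, wildcard):
    """Toy .com lookup returning (rcode, address or None)."""
    if name in REGISTERED:
        return NOERROR, REGISTERED[name]
    if wildcard:                  # the wildcard A record synthesizes an answer
        return NOERROR, WILDCARD_ADDR
    return NXDOMAIN, None


def filtering_resolve(name, wildcard):
    """Assumed workaround: map the known wildcard answer back to NXDOMAIN."""
    rcode, addr = resolve(name, wildcard)
    if addr == WILDCARD_ADDR:
        return NXDOMAIN, None
    return rcode, addr


def sender_domain_exists(domain, lookup, wildcard):
    """Spam-filter style check: is the sender's domain defined at all?"""
    rcode, _ = lookup(domain, wildcard)
    return rcode != NXDOMAIN


def mta_disposition(domain, lookup, wildcard):
    """What an unmodified mail agent does with a message for `domain`."""
    rcode, addr = lookup(domain, wildcard)
    if rcode == NXDOMAIN:
        return "bounce"           # permanent error, sender is told at once
    if addr in ACCEPTS_SMTP:
        return "deliver"
    return "requeue"              # looks temporary, so it is retried for days


def wildcard_present(lookup, wildcard, probes=3):
    """Probe random names absent from the sample data; answers mean a wildcard."""
    names = [secrets.token_hex(16) + ".com" for _ in range(probes)]
    return all(lookup(n, wildcard)[0] != NXDOMAIN for n in names)


if __name__ == "__main__":
    for label, lookup, wc in [("no wildcard", resolve, False),
                              ("wildcard", resolve, True),
                              ("wildcard + filter", filtering_resolve, True)]:
        print(label, mta_disposition("exmaple.com", lookup, wc),
              sender_domain_exists("no-such-sender.com", lookup, wc))
```

The misspelled "exmaple.com" bounces at once without the wildcard, is requeued with it, and bounces again once the filtering lookup is in place.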