Verisign DNS Redirection Change Sparks IT Community Uproar
September 24, 2003
Charles Oriez discusses the recent change by Verisign that redirects lookups of unregistered .com and .net names, including typos, to its own Site Finder web directory.
Verisign, the company that operates the registries for the .com and .net top-level domains, recently rolled out an unannounced and untested change. It added wildcard records to the .com and .net zones, so that a query for any name not registered in those domains, including any mistyped domain name, no longer gets a "no such name" (NXDOMAIN) answer. Instead, Verisign answers with the address of its own Site Finder web server, and the nonexistent name appears to be a valid domain.
The Internet Architecture Board (IAB), the architectural oversight committee of the Internet Engineering Task Force (IETF), studied the change and found serious problems. "One of the main known weaknesses and dangers of wildcard records is that they interact poorly with any use of the DNS which depends on 'no such name' responses". Web browsers around the world stopped presenting 'page not found' messages in the local language and character set, because the browser now receives a real page from Verisign instead of a resolution failure. Domains with misconfigured, but workable, MX records (used to route mail) no longer work properly: a mail server that used to skip a nonexistent mail host now finds that the host resolves. Mail incorrectly goes to a Verisign mail server, where it sometimes bounces and sometimes does not. Application GUIs that try to ensure that users enter valid domain names now accept anything ending in .com or .net as valid. Spam filters that reject traffic from nonexistent sender domains no longer function, since every such domain now resolves. Cellular phones whose 'page not found' message had been one packet in size now receive pages that are 17 KB in size; the cellular companies are happy about the higher user charges for this traffic, of course. Others have reported problems with print servers on local networks. The IAB concluded that the change should be reversed pending significant additional discussion and study.
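The "depends on 'no such name' responses" weakness the IAB describes is easy to see in code. The following is an added example, not from the article: a naive domain check of the kind the GUIs and spam filters above relied on, next to a hardened version that first probes the TLD with random labels that nobody could have registered and treats their common answer as the wildcard sink. The resolver is injectable so the example runs offline; the simulated wildcard, the sample zone table and the sink address 192.0.2.1 are constructed for the demonstration, and the live resolver simply wraps socket.gethostbyname.

```python
"""Wildcard-aware domain existence check (added example, not from the article).

A check that relies on 'no such name' breaks once a TLD synthesizes answers.
The hardened version first asks the TLD about random labels that cannot be
registered; if those resolve consistently, the address they resolve to is the
wildcard sink and any name resolving to it is treated as nonexistent.
"""
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a host name to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def stdlib_resolver(name: str) -> Optional[str]:
    """Live resolver using the system's stub resolver (needs network)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_wildcard_resolver(zone_table: Dict[str, str],
                           wildcard_tlds: Iterable[str],
                           sink: str = "192.0.2.1") -> Resolver:
    """Constructed offline stand-in for the DNS as it behaved after the change.

    Names in zone_table resolve to their listed address; any other name under
    a wildcarded TLD resolves to the sink address (192.0.2.1 is a placeholder
    from the documentation range, not Verisign's real address); everything
    else is NXDOMAIN.
    """
    wildcard_tlds = {t.lower() for t in wildcard_tlds}

    def resolve(name: str) -> Optional[str]:
        name = name.rstrip(".").lower()
        if name in zone_table:
            return zone_table[name]
        tld = name.rsplit(".", 1)[-1]
        return sink if tld in wildcard_tlds else None

    return resolve


def naive_domain_exists(name: str, resolve: Resolver = stdlib_resolver) -> bool:
    """The pre-wildcard idiom: 'it resolves, so it exists'. Broken by the wildcard."""
    return resolve(name) is not None


def wildcard_sink(tld: str, resolve: Resolver = stdlib_resolver,
                  probes: int = 2) -> Optional[str]:
    """Return the address a TLD synthesizes for nonexistent names, or None.

    Each probe is a random label that nobody could have registered. Genuine
    NXDOMAIN for every probe means no wildcard; the same address for every
    probe is the sink. Mixed answers are treated as 'no reliable sink'.
    """
    answers = {resolve(f"canary-{secrets.token_hex(8)}.{tld}") for _ in range(probes)}
    if len(answers) == 1:
        return answers.pop()  # None (no wildcard) or the sink address
    return None


def domain_exists(name: str, resolve: Resolver = stdlib_resolver) -> bool:
    """Wildcard-aware existence check.

    Caveat: only the rightmost label is probed, so a wildcard at a deeper
    level (e.g. under a second-level registry) would not be detected, and a
    real domain parked on the sink address would be reported as missing.
    """
    addr = resolve(name)
    if addr is None:
        return False
    tld = name.rstrip(".").rsplit(".", 1)[-1]
    sink = wildcard_sink(tld, resolve)
    return sink is None or addr != sink


if __name__ == "__main__":
    # Constructed sample zone: one real domain, everything else unregistered.
    table = {"example.com": "192.0.2.10"}
    after_change = make_wildcard_resolver(table, {"com", "net"})
    before_change = make_wildcard_resolver(table, set())
    for label, resolver in (("before", before_change), ("after", after_change)):
        print(label, "naive:", naive_domain_exists("exmaple.com", resolver),
              "hardened:", domain_exists("exmaple.com", resolver))
```

Run against the simulated post-change DNS, the naive check reports the typo exmaple.com as existing while the hardened check does not; against the pre-change simulation both agree. The probe costs one extra lookup per TLD, so a real application would cache the sink address per TLD for a while rather than probing on every check.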
The Associated Press has reported that ICANN chairman Vint Cerf demanded that Verisign back out its change pending review. Meanwhile, the Internet Software Consortium (ISC), authors of BIND, released a patched version that neutralizes the Verisign change: its new delegation-only zone type makes a name server discard any answer from the .com or .net servers that is not a delegation to a registrant's name servers and return "no such name" instead. BIND is the software used on many servers to translate domain names into IP addresses.
The AITP legislative committee has passed a resolution that called on ICANN to either instruct Verisign to stop giving incorrect answers to DNS queries or terminate the Verisign contract to provide DNS service. The full AITP resolution and additional information can be found on the AITP legislative site at http://denveraitp.org/legislative/.
Companies and ISPs running their own name servers should install the patched BIND. Users wanting an accurate error message for invalid domain names can point the name sitefinder.verisign.com to the loopback address 127.0.0.1 in the hosts file on their desktop machine, so that the browser's redirect to Verisign's Site Finder page fails immediately. On Linux the file is /etc/hosts; on Windows 2000 it is %SystemRoot%\system32\drivers\etc\hosts (usually C:\WINNT\system32\drivers\etc\hosts). Both files already exist and need merely a single line added in the obvious place and format. Users of Windows 98 should make a copy of the file hosts.sam in the Windows directory, with the .sam extension omitted, and edit that copy; Windows 98 machines must be rebooted for the change to take effect. This change significantly speeds up browser responses when an invalid domain is entered on the location bar. Note that the hosts entry only short-circuits the web redirect: the wildcard address still comes back from the DNS, so mail servers, spam filters and other applications are only fixed by the server-side BIND change.
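For the server-side fix, the following named.conf fragment is an added example, not from the article or from ISC's own documentation. It assumes BIND 9.2.3rc2 or later, the release that introduced the delegation-only zone type; the directory path is a placeholder.

```conf
// Added example (not from the article): named.conf fragment for BIND 9.2.3rc2+.
// A delegation-only zone makes named rewrite any answer from the com/net
// servers that is not a delegation (an NS referral) into NXDOMAIN, so the
// wildcard A record for a nonexistent name is discarded before it reaches
// clients. The directory is a placeholder; keep your existing options.

options {
    directory "/var/named";
};

// Treat the two wildcarded registries as pure delegation zones.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

// Alternative blanket setting inside options {}: apply delegation-only to
// every TLD except those that legitimately publish non-delegation records.
// options { root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; };
```

After reloading the server, a query for a name that cannot exist, for example `dig @127.0.0.1 a-label-nobody-registered.com`, should report status NXDOMAIN rather than an A record. The exclude list matters because delegation-only also strips legitimate data from TLDs that serve records directly at non-delegated names, which is why ISC documents the blanket form with exceptions.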
Other links to information about this issue
VeriSign hints at backdown over redirection of error pages
Charles Oriez currently serves on the Editorial Advisory Board of the AITP Information Executive and he also chairs the AITP National Legislative Affairs Committee. Charles has a unique and important insight into spam, virus, security, and legislative issues.
Copyright © 2003, Charles Oriez, All Rights Reserved.