Verisign Corrupts DNS; Abuses its Trusted Status

Introduction

On September 15 2003, Verisign/Network Solutions started abusing their trusted status as Registry for the DNS system to turn all invalid and mistyped domains into an advertising opportunity for their Registrar. In the process they are disrupting innumerable Internet services.

Specifically, they introduced wildcard records into .com and .net, thus asserting control over all domains that are not registered there. Thus web requests to http://nosuchdomainexists.com, or email to user@makeupyourownfakename.net, and all other protocol requests to expired or unregistered domains, were redirected to their servers, where they have been making advertising pitches, rather than returning the standard NXDOMAIN (No Such Name) error message. Some of the multifold disruptions are explained below.

This is outrageous, both in breaking many applications which use DNS, and in abusing their contracts and defacto-monopoly power over some of the most important virtual real estate there is.

Thankfully, ICANN (the Internet Corporation For Assigned Names and Numbers) told them it was a violation of their contractual agreements, and on October 4, 2003, VeriSign temporarily suspended this change. But subsequently they sued ICANN.

US Postal Service analogy

Imagine if the US Postal Service were to suddenly change the way that misaddressed mail works, without consulting with anyone, in a way that made them money and hurt the competition.

Currently, they return the exact letter you sent, unopened, with an official, standard, easily recognizable message saying "address unknown, returned to sender".

Instead suppose that you sent a letter to "Ptanned Parenthood", and got a response from a mysterious third party named Verisign. It became clear that this "Verisign" company knew about the message you had sent, but didn't actually return it. But they did make a pitch for the company of their choosing, whoever it was that paid them (not you!) for the rights to that misspelling of "Planned Parenthood"....

And imagine that at the same time many other problems arose. When you sent a package via competitors like Federal Express, the USPS would still step in, grab the message and send you their confusing promotional materials, written in a language you didn't understand. And many people threw away the unclear responses and didn't realize that their message had bounced. More junk mail started arriving for obscure reasons.

In this analogy, the "USPS" plays the role of Network Solutions, who has an exclusive contract to run the guts of the .com and .net domains in a way that doesn't discriminate against dozens of other firms who can sell domain names ending in .com and .net.

The analogy clearly breaks down in many ways. A telephone example might work better. But the point is still this - why should a organization like the USPS, entrusted with a monopoly position intended to serve the public good, start reading mail that you send and/or handing it off to someone else, with no restrictions on how they might make money off of it or how much of an advantage it gives them over firms that competete with them in other markets?

References

• ICANN's Information Page: Verisign's Wildcard Service Deployment
• The Internet Architecture Board issued Architectural concerns on the use of DNS wildcards which details how the wildcards are "disastrous for the users", create problems for many applications and services and have led to other hasty, possibly mutually incompatible actions by other operators.
• ICANN's demand that Verisign roll back the changes by 2003-10-04, their Sep 19 Advisory Concerning VeriSign's Deployment of DNS Wildcard Service - calling upon VeriSign to voluntarily suspend the service, and their Security and Stability Advisory Committee Advisory, along with Verisign's response
• .com Registry Agreement of 25 May 2001, and the parallel agreement for .net
• 1999 NSI Registry Agreement

  ...registry agreement under which NSI will operate the registry for the .com, .net, and .org top-level domains according to requirements stated in the agreement and developed in the future through the ICANN consensus-based process. All ICANN-accredited registrars will have equal access to this registry.

• People For Internet Responsibility (PFIR) Statement on VeriSign/NSI "Site Finder" and Domain Abuse
• Jason Garman's detailed explanation of the issue
• Verisign rushes to roll out typo-squatting system on Monday - GNSO Archives
• Stuart Lynn and Paul Hoffman to the IAB on Verisign and IDS and the Response from the IAB documenting many problems and protocol violations with Verisign's deployment of nonstandard software related to Internationalized Domain Names in January of 2003, and describing many of the problems that the current wildcard entries also cause.
• Dan Gillmor's column - VeriSign thumbs its nose at corporate governance
• 3-year ICANN-DoC Agreement
• 2003-09-17 MOU
• A look into Verisign's Anti-Competitive Past

What is Broken?

• Web browsers all over the world stopped displaying "page not found" in the local language and character set of the users when given incorrect URLs rooted under these TLDs. Instead, these browsers now display an English language search page from a web server run by the zone operator.
• One of the main known weaknesses and dangers of wildcard records is that they interact poorly with any use of the DNS which depends on "no such name" responses. The list of such uses turns out to be quite large.
• Since Verisign's HTTP wildcard servers accept POST, and GET with query strings, this seems like a violation of the Electronic Communications Privacy Act (ECPA), especially in the period between registration of a domain and the actual appearance of the domain in the DNS.
• Other potential legal issues when Verisign responds to domains that aren't in the DNS, but may in fact be registered (as with dorkslayers.com, as noted below), or expired: trademark violations, domain hijacking, etc.
• When you try to talk to another port, you get connection refused, so instead of getting the error that corresponds to "no such host" you'll probably think it is a temporary error (say, the server is down) and try again later.
• It's broken the ability to detect misspelled domains for every application and every protocol, for every name under .COM or .NET.
• There is now a new DNS attack: nodes on the Internet can create vast numbers of random DNS look up requests, thus clearing the DNS caches of all the DNS servers they access.
• an incorrect MX record which refers to a non-existant domain will/may no longer properly fail over to an alternate lower priority MX entry.
• Before the change if I emailed user@bogushost.com, the email tool would tell me immedatally that no such host exists. Now, it unconditionally sends the email, then later bounces. This affects diagnostic tools, help desks, end users, etc.
• Sites that reject spam based on it being from a site that doesn't exist in the DNS, are letting more spam in because all domains now "exist".
• rejecting legitimate mail because some long dead DNS-based blacklists are suddenly resolving.
• Because VeriSign will become a central destination for mistyped e-mail and Web traffic, its move also raises serious privacy questions
• HTTP spiders will fetch Verisign's robots.txt a lot as they find bogus domains (e.g. typos in HREFs) resolving.
• HTTP users see a stalled screen instead of an error message as their browsers wait for Verisign's overloaded HTTP server to deliver its advertising.
• If every single request for a domain produces an address, existent or not, it takes up more continuing resources than a request that produces an error.
• When you try to download a web page that doesn't exist, you don't get a "host does not exist" error, you get a redirect to a web page.
• When you try to verify that a domain is valid, you don't get NXDOMAIN, you get an A record.

Technical remediation

• New BIND release supports delegation-only zones - 9.2.3rc2:
• tinydns patches
• BGP null route
• More Verisign Countermeasures

Legal Remediation

• Verisign Socked With $100 Million Suit Over Re-Directs by Netster
• Go Daddy sues Verisign and explains why

Feedback from Internet communities

• ICANN At-Large Advisory Committee (ALAC)

  See their ALAC statement on resolution of non-existing domain names [2003-09-16] and earlier ALAC Discussion of Redirection of non-existing domain names

• Discussion list threads about Verisign's actions.

  By the North American Network Operators' Group (NANOG): What *are* they smoking, and Change to .com/.net behavior, and Verisign's legal woes, and ICANN - Formal Complaint re Verisign, and others

• At ICANN's Non-Commercial Domain Name Holders Constituency and their discussion
• At the IETF: Verisign: All Your Misspelling Are Belong To Us
• Slashdot discussion
• Petitions Online

Where to send Feedback

• ICANN comments to comments@icann.org
• US Department of Commerce, National Telecommunications and Information Administration

     Michael D. Gallagher
     Acting Assistant Secretary for Communications and Information
     Office of the Assistant Secretary  202/501-0536
  

• Federal Trade Commission

More quotes from ICANN and US Dept of Commerce agreements

(ii) NSI shall comply, in its operation of the registry, with all
 Consensus Policies insofar as they:

 (a) are adopted by ICANN in compliance with Section 4 below,

 (b) relate to one or more of the following: (1) issues for which
 uniform or coordinated resolution is reasonably necessary to
 facilitate interoperability, technical reliability and/or stable
 operation of the Internet or domain-name system, (2) registry
 policies reasonably necessary to implement Consensus Policies
 relating to registrars, or (3) resolution of disputes regarding the
 registration of domain names (as opposed to the use of such domain
 names), and

 (c) do not unreasonably restrain competition.

 ...
 (i) principles for allocation of SLD names (e.g.,
 first-come/first-served, timely renewal, holding period after
 expiration);

Other notes

>Date: Tue, 16 Sep 2003 00:39:14 -0400 
>From: Patrick Muldoon <...> 
>To: nanog.... 
>Subject: Verisign's New Change and Outdate RBL's 
> 
> 
>Was playing with a test box here at home. Installed SpamAssassian 
>from a newely cvsup'd ports tree on a FreeBSD box, and was surprised 
>to see messages getting marked as received in blacklists that no 
>longer exist.  Most noteably ORBS.  Since this was a fresh Install I 
>hadn't gone through and removed the dead RBL's from 20_head_tests.cf 
>yet.  Since dorkslayers doesn't exist. any queries for it are 
>returning that infamous sitefinder address. 
> 
>[...]$ host  34.131.246.64.orbs.dorkslayers.com 
>34.131.246.64.orbs.dorkslayers.com has address 64.94.110.11 

Is whois an alternative to DNS?

To quote Verisign, among others:

TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry