Verisign Corrupts DNS; Abuses its Trusted Status


On September 15 2003, Verisign/Network Solutions started abusing their trusted status as Registry for the DNS system to turn all invalid and mistyped domains into an advertising opportunity for their Registrar. In the process they are disrupting innumerable Internet services.

Specifically, they introduced wildcard records into .com and .net, thus asserting control over every name that is not registered in those zones. As a result, web requests, email, and every other protocol's requests to expired or unregistered domains were redirected to their servers, which served advertising pitches instead of returning the standard NXDOMAIN (No Such Name) error. Some of the many resulting disruptions are explained below.

This is outrageous, both because it breaks many applications which depend on DNS, and because it abuses their contracts and de facto monopoly power over some of the most important virtual real estate there is.

Thankfully, ICANN (the Internet Corporation For Assigned Names and Numbers) told them it was a violation of their contractual agreements, and on October 4, 2003, VeriSign temporarily suspended this change. But subsequently they sued ICANN.

US Postal Service analogy

Imagine if the US Postal Service were to suddenly change the way that misaddressed mail works, without consulting with anyone, in a way that made them money and hurt the competition.

Currently, they return the exact letter you sent, unopened, with an official, standard, easily recognizable message saying "address unknown, returned to sender".

Instead suppose that you sent a letter to "Ptanned Parenthood", and got a response from a mysterious third party named Verisign. It became clear that this "Verisign" company knew about the message you had sent, but didn't actually return it. But they did make a pitch for the company of their choosing, whoever it was that paid them (not you!) for the rights to that misspelling of "Planned Parenthood"....

And imagine that at the same time many other problems arose. When you sent a package via competitors like Federal Express, the USPS would still step in, grab the message and send you their confusing promotional materials, written in a language you didn't understand. And many people threw away the unclear responses and didn't realize that their message had bounced. More junk mail started arriving for obscure reasons.

In this analogy, the "USPS" plays the role of Network Solutions, which has an exclusive contract to run the guts of the .com and .net domains, and is required to run them in a way that doesn't discriminate against the dozens of other firms who sell domain names ending in .com and .net.

The analogy clearly breaks down in many ways. A telephone example might work better. But the point is still this: why should an organization like the USPS, entrusted with a monopoly position intended to serve the public good, start reading mail that you send and/or handing it off to someone else, with no restrictions on how they might make money off of it or how much of an advantage it gives them over firms that compete with them in other markets?


What is Broken?

Besides the contractual and antitrust issues with abusing control of the registries for the benefit of its own registrar, this sudden change, made with no prior discussion, affects many Internet applications, clients and servers. Thanks to Vernon Schryver, Keith Moore, David Morris,

Technical remediation

Legal Remediation

Feedback from Internet communities

Where to send Feedback

More quotes from ICANN and US Dept of Commerce agreements

(ii) NSI shall comply, in its operation of the registry, with all
 Consensus Policies insofar as they:

 (a) are adopted by ICANN in compliance with Section 4 below,

 (b) relate to one or more of the following: (1) issues for which
 uniform or coordinated resolution is reasonably necessary to
 facilitate interoperability, technical reliability and/or stable
 operation of the Internet or domain-name system, (2) registry
 policies reasonably necessary to implement Consensus Policies
 relating to registrars, or (3) resolution of disputes regarding the
 registration of domain names (as opposed to the use of such domain
 names), and

 (c) do not unreasonably restrain competition.

 (i) principles for allocation of SLD names (e.g.,
 first-come/first-served, timely renewal, holding period after

Other notes

Early in this saga, was a valid paid-for active domain name with no nameservers. Verisign's actions effectively hijacked it:
>Date: Tue, 16 Sep 2003 00:39:14 -0400 
>From: Patrick Muldoon <...> 
>To: nanog.... 
>Subject: Verisign's New Change and Outdated RBL's 
>Was playing with a test box here at home. Installed SpamAssassin 
>from a newly cvsup'd ports tree on a FreeBSD box, and was surprised 
>to see messages getting marked as received in blacklists that no 
>longer exist.  Most notably ORBS.  Since this was a fresh Install I 
>hadn't gone through and removed the dead RBL's from 
>yet.  Since dorkslayers doesn't exist, any queries for it are 
>returning that infamous sitefinder address. 
>[...]$ host 
> has address 
Note that while the dorkslayers problem has been resolved, since the owners have assigned nameservers to it and put up a web page, this sort of problem is inevitable given the way Verisign is handling the situation.
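The two failure modes above (a wildcard answer standing in for NXDOMAIN, described at the top of this page, and a mail filter treating that answer as a blacklist hit, as in the dorkslayers message) can be handled on the client side. The following is an added example, not code from this page or from SpamAssassin: it probes a TLD with a random label that cannot possibly be registered, remembers the address the wildcard hands back, discards any answer that merely repeats that address, and, for DNSBL lookups, only accepts replies in 127.0.0.0/8 as a listing. The zone data, the wildcard address (192.0.2.1, a TEST-NET address standing in for the real one) and the DNSBL names are all constructed so the example runs offline.

```python
"""Detect a registry wildcard that hides NXDOMAIN, and do DNSBL lookups
that survive it.  Added example; the zone data below is constructed."""
import ipaddress
import secrets

# Assumption: a TEST-NET address stands in for the registry's wildcard
# address so nothing real is resolved here.
WILDCARD_ADDRESS = "192.0.2.1"
WILDCARDED_TLDS = {"com.", "net."}

# Constructed zone data: names mapped to their A records.  A name missing
# from this table is NXDOMAIN, unless the TLD is wildcarded.
FAKE_ZONE = {
    "example.com.": ["192.0.2.10"],
    # A DNSBL that still exists; a listed address answers in 127.0.0.0/8.
    "2.0.0.127.bl.example.net.": ["127.0.0.2"],
}


def fake_resolve(name):
    """Stand-in resolver.  Returns the A records for name, or None for
    NXDOMAIN, except that every unregistered .com/.net name gets the
    synthesized wildcard answer, which is exactly the behaviour at issue."""
    name = name.lower().rstrip(".") + "."
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    tld = name.split(".")[-2] + "."
    if tld in WILDCARDED_TLDS:
        return [WILDCARD_ADDRESS]
    return None


def wildcard_address(resolve, tld):
    """Ask for a random label under tld that nobody can have registered.
    A wildcard-free TLD answers NXDOMAIN (None); a wildcarded one leaks
    the synthesized address, which we return so it can be filtered out."""
    probe = f"{secrets.token_hex(8)}-nxprobe.{tld}"  # constructed name
    answer = resolve(probe)
    return answer[0] if answer else None


def resolve_strict(resolve, name):
    """Restore NXDOMAIN semantics: an answer consisting solely of the
    TLD's wildcard address is reported as no answer at all."""
    answer = resolve(name)
    if not answer:
        return None
    tld = name.rstrip(".").split(".")[-1] + "."
    synthesized = wildcard_address(resolve, tld)
    if synthesized is not None and answer == [synthesized]:
        return None
    return answer


def dnsbl_name(ip, zone):
    """Build the reversed-octet query name used by DNS blacklists."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed_naive(resolve, ip, zone):
    """The check that broke: any A record at all counts as a listing, so
    a dead list whose domain falls under the wildcard flags everything."""
    return resolve(dnsbl_name(ip, zone)) is not None


def dnsbl_listed(resolve, ip, zone):
    """Hardened check: wildcard answers are discarded, and only replies in
    127.0.0.0/8 (the loopback range DNSBLs answer in) count as a listing."""
    answer = resolve_strict(resolve, dnsbl_name(ip, zone))
    if not answer:
        return False
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return all(ipaddress.ip_address(a) in loopback for a in answer)


if __name__ == "__main__":
    print("wildcard for com.:", wildcard_address(fake_resolve, "com."))
    print("strict no-such-name.com:", resolve_strict(fake_resolve, "no-such-name.com"))
    print("naive dead-rbl.com listing:", dnsbl_listed_naive(fake_resolve, "127.0.0.2", "dead-rbl.com"))
    print("hardened dead-rbl.com listing:", dnsbl_listed(fake_resolve, "127.0.0.2", "dead-rbl.com"))
    print("hardened bl.example.net listing:", dnsbl_listed(fake_resolve, "127.0.0.2", "bl.example.net"))
```

To use this against live DNS, replace fake_resolve with any function that returns the A records of a real query (or None on NXDOMAIN); the probe-and-compare logic does not depend on the resolver library. Comparing the whole answer to the probed address rather than to a hard-coded IP matters because the registry can change the wildcard's target at any time.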

Is whois an alternative to DNS?

To quote Verisign, among others:

TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry

Neal McBurnett
Last modified: Thu Apr 22 21:14:40 MDT 2004