The Ramifications of VeriSign’s Wildcard Gambit

VeriSign’s recent move to quietly launch an immediate
change to the way mistyped e-mail addresses and Web site queries are handled
on the Internet is creating far-reaching consequences for domain name
policies, Internet denizens say.

Since news of the plan began to trickle out last week about VeriSign’s inclusion of
DNS “wildcards” in the root server maintaining the .com and
.net domains, privacy advocates have cried foul.

Many say VeriSign is using the DNS wildcard merely as a marketing tool for
the company to drum up more business, a service the company has dubbed
SiteFinder.

DNS wildcards are used to synthesize, or make up, an answer for a domain name that
doesn’t exist, such as when someone misspells an individual’s e-mail address or
types in the wrong URL in a Web browser.

In the past, if such an error occurred, the user would get a notice that
their e-mail bounced or a “Page Not Found” error for Web browsers.

Now e-mail addressed to a nonexistent domain is sent to VeriSign, which sends out
its own bounce message instead of the user’s ISP doing so. For Web browsers, typing
in the wrong URL now results in either a VeriSign-generated Web search page
or a wait while the Web browser tries to reach the address the DNS wildcard
handed it.

On Monday, domain registrar Go Daddy Software filed a lawsuit against VeriSign
over the policy, and is seeking a temporary restraining order against VeriSign’s
new service, called Site Finder.

Go Daddy said its lawsuit claims that VeriSign is misusing its position as
the .com and .net domain registry to “gain an unfair competitive advantage
by intercepting (and profiting from) Internet traffic resulting from the
scores of invalid domain names that are typed into users’ browsers on a
daily basis.”

Go Daddy said with VeriSign’s new policy, “when a user types an invalid .com
or .net address, they will instead be directed to a paid-advertising page
supplied by VeriSign,” which Bob Parsons, president of Go Daddy, said is
“hijacking” the wildcard process.

“When the user is sent to VeriSign’s advertising page, VeriSign gets paid by
the advertiser when the user clicks a link to get off the page — to the
tune of $150 million annually, as estimated by VeriSign.”

Another company, Popular Enterprises, filed a $100 million class-action
lawsuit last week, which also claimed that VeriSign was “hijacking”
misspelled domains for its SiteFinder program.

Days after the change, a report by the Internet Architecture Board (IAB) was
released, pointing out the “unintended consequences” of VeriSign’s actions.
The ramifications, the IAB says, have altered the way registrars and ISPs
handle their traffic.

The danger here, the IAB report says, is that the change creates a single
point of failure. If the server used to bounce the e-mails back or return
the Web search page isn’t robust enough, it could cause days-long delays in
bounced e-mail messages or a perpetual “Connecting to Server” message in Web
browsers. A single point of failure, the authors note, also makes a tempting
target for crackers.

Also affected by the new VeriSign policy are spam filters, so expect more
spam in the future, the IAB report said. Many ISPs and network administrators
reject incoming e-mail whose sender domain does not exist in DNS; with the
wildcard in place, every .com or .net name appears to exist, so the server is
fooled into treating a bogus sender domain as legitimate.
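The following Python is an added illustration, not code from the article, the IAB or VeriSign. It shows why a sender-domain existence check stops working once a registry synthesizes answers, and one defensive workaround: probe a few random names under the TLD and refuse to treat an answer matching the synthesized address as proof of existence. The resolver functions and the addresses in them are constructed stand-ins, not real DNS data.

```python
import secrets
import string
from typing import Callable, Optional

# A resolver maps a hostname to an IPv4 address string, or None when the name
# does not exist (NXDOMAIN). Injecting it keeps the check testable offline.
Resolver = Callable[[str], Optional[str]]

def random_label(length: int = 12) -> str:
    """Random lowercase label that will not exist in any sane zone."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def wildcard_address(tld: str, resolve: Resolver, probes: int = 3) -> Optional[str]:
    """Probe a few random names under `tld`. If every one resolves to the same
    address, the registry is synthesizing answers; return that address."""
    answers = {resolve(f"{random_label()}.{tld}") for _ in range(probes)}
    if None in answers or len(answers) != 1:
        return None
    return answers.pop()

def sender_domain_exists(domain: str, resolve: Resolver) -> bool:
    """Mail-server style check: a positive answer only proves the domain exists
    if it differs from the TLD's wildcard address. A real domain parked at that
    same address would be rejected too, which errs on the safe side."""
    addr = resolve(domain)
    if addr is None:
        return False
    tld = domain.rsplit(".", 1)[-1]
    return addr != wildcard_address(tld, resolve)

# Constructed stand-in data: two real hosts and a made-up synthesized address.
REAL_HOSTS = {"example.com": "192.0.2.10", "example.net": "192.0.2.20"}
SYNTHESIZED = "192.0.2.99"

def wildcard_resolver(name: str) -> Optional[str]:
    """Simulates a .com/.net registry with a SiteFinder-style wildcard in place."""
    if name in REAL_HOSTS:
        return REAL_HOSTS[name]
    if name.endswith(".com") or name.endswith(".net"):
        return SYNTHESIZED
    return None

def plain_resolver(name: str) -> Optional[str]:
    """Simulates the pre-wildcard behaviour: unknown names are NXDOMAIN."""
    return REAL_HOSTS.get(name)
```

With `wildcard_resolver`, a misspelled sender domain resolves but is still rejected, because its address matches what the random probes returned.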

The unintended consequences of VeriSign’s decision were significant enough
for the Internet Corporation for Assigned Names and Numbers (ICANN) to issue
a statement Friday, asking that VeriSign remove the DNS wildcard until its
Security and Stability Advisory Committee had time to review the case.

According to Mary Hewitt, ICANN spokesperson, the committee is still taking
feedback from the Internet community and will publish its own report with
recommendations by the end of the week.

VeriSign did not return requests for comment on the new program.

However, Russell Lewis, VeriSign’s executive vice president and general manager of
naming and directory services, sent an open letter to ICANN President and CEO
Paul Twomey Monday afternoon, saying the company had tested its Site Finder program
for months before instituting it, and had adhered to all technical standards.

“All indications are that users, important members of the Internet community
we all serve, are benefiting from the improved web navigation offered by
Site Finder,” Lewis’ letter read. “These results are consistent with the
findings from the extensive research we performed.”

In response to ICANN’s request that VeriSign voluntarily suspend its wildcard
service, Lewis replied it was much too early to do anything that drastic.

“I would respectfully suggest that it would be premature to decide on any
course of action until we first have had an opportunity to collect and
review the available data,” it read. “After completing an assessment of any
operational impact of our wildcard implementation, we will take any
appropriate steps necessary.”

Towards that end, Lewis said company officials have called the Security and
Stability Advisory Committee chairman, Steve Crocker, and Vint Cerf, ICANN
chairman, to arrange a meeting. They also plan to commission an independent
study to look into the affair.

Russ Rader, director of research and innovation at registrar Tucows, called
the arbitrary inclusion of the DNS wildcard “terrible. I don’t think I can be
blunt enough. They might as well have pulled the plug on the Internet,” he
said.

The IAB report finds that DNS wildcards can, in principle, be used within a
zone, but only after advising everyone involved of the change and with
a complete understanding of the risks.

The report came just short of calling for a ban on DNS wildcards, especially
in zones with such a large Internet footprint as VeriSign’s
dominant .com and .net domains.

“We hesitate to recommend a flat prohibition against wildcards in
“registry”-class zones, but strongly suggest that the burden of proof in
such cases should be on the registry to demonstrate that their intended use
of wildcards will not pose a threat to stable operation of the DNS or
predictable behavior for applications and users,” the report said. “We
recommend that any and all TLDs which use wildcards in a manner inconsistent
with this guideline remove such wildcards at the earliest opportunity.”

Does VeriSign plan to remove the DNS wildcard from its registry? Given the
company’s silence, not to mention the quiet launch, many experts believe it
won’t do it voluntarily.

And there’s really no one to stop them from continuing with the wildcard.
ICANN is ostensibly a technical body with no real enforcement powers outside
its granting of top-level domains to companies.

“That’s the unfortunate part,” Rader said. “Unless ICANN threatens to take
away the .com and .net (domains) from VeriSign, they can’t do anything. This
should certainly factor into ICANN’s decision when .com and .net come up for
bid again in coming years.”

According to ICANNWatch.org editor Michael Froomkin, a professor at the
University of Miami’s School of Law, the real problem here isn’t one of
technology but policy. If there were more top-level domains (TLDs), this
problem wouldn’t be so widespread. ICANN governs the inclusion of new TLDs
in the U.S.-run root, the most widely used root in the U.S. and abroad, since
it houses the .com, .net and .org TLDs as well as several others.

“If we didn’t have this artificial scarcity in TLDs, it wouldn’t be such a
problem,” he said. “I understand ccTLDs do this as a matter
of course, but they are so small I guess no one has dealt with it.

“What this really offends is our sense of choice,” he continued. “If AOL,
MSN or some other ISP tried this, we’d just sign on with a different
provider. But the user doesn’t have a choice; you can change registrars but
there’s only one registry (for .com).”
