VeriSign says its Site Finder service, which it “temporarily” closed over the weekend, did not “in any manner compromise” the stability, security or performance of the Internet. Launched on Sept. 15, Site Finder directed Internet users who mistyped domain names to a VeriSign managed search site instead of the traditional error response.
The Site Finder page quickly became one of the more heavily traveled sites on the Web because of the redirection and prompted a firestorm of criticism from the Internet Corporation for Assigned Names and Numbers (ICANN), the chief governing body of the Internet, and the Internet Architecture Board (IAB), a technical advisory group of the Internet Society that oversees the Internet standards process.
VeriSign, which has a contract with ICANN to be the registrar for the .com and .net domain names, implemented the Site Finder service through changes to the .com and .net core domain name system (DNS).
On Sept. 23, the IAB issued a commentary entitled “Architectural Concerns on the use of DNS Wildcards.” The commentary describes various implications of the implementation of DNS wildcards in a zone, paying particular attention to VeriSign’s deployment of a “wildcard A record” in the .com and .net zones of the Internet.
ICANN also claims the wildcard VeriSign deployed has “adversely affected anti-spam software, e-mail deliveries, and core DNS operations, as well as raised privacy concerns.”
On Oct. 3, ICANN demanded VeriSign discontinue the service. While denying all the allegations, the Mountain View, Calif.-based registrar agreed to shut down Site Finder over the weekend in order to obtain a “fair hearing” before ICANN, which meets in Washington on Tuesday to discuss the issue.
“We must emphasize that, technically, this was a legitimate use of wildcard records that did not in any way violate the DNS specifications themselves,” VeriSign said in a statement issued Tuesday. “It is worth noting that the addition of the wildcard A record to the .com and .net zones has not in any manner compromised the stability, security or performance of the .com/.net name server system. As was the case before the addition of the wildcard, VeriSign is resolving more than 10 billion DNS queries per day, at a rate of over 140,000 queries per second, with 100 percent availability.”
The IAB commentary expressed concern that e-mail sent to a nonexistent hostname for top level domains (TLDs) that have deployed a wildcard A record now flows to a “bounce server” that rejects such messages, increasing the loads for mail transfer agents (MTSs). In addition, the IAB said, the SMTP bounce server does not return the proper SMTP response.
The IAB also states that the implementation of wildcards has degraded the effectiveness of using a DNS lookup to verify the existence of the sender’s domain as a type of spam filter.
In addition, the IAB says that, prior to a wildcard A record in the .com and .net zones, web browsers displayed “page not found” in the local language of the user but now return an English language web page, raising concerns that the prior user experience of receiving a technical error response in a user’s native language may be more useful than a navigation aid web page in English.
VeriSign said Tuesday it is not aware of any empirical data supporting the IAB’s e-mail claims.
“As a basic matter, e-mail behavior has not changed for correctly configured existing domains. The failure of mail applications noted by the IAB commentary results from a misconfiguration of the MX records associated with a domain name on the user’s part,” VeriSign sated. “In fact, the presence of a wildcard A record and the SMTP bounce server’s current behavior actively helps identify an unrecognized incorrect configuration in the user’s zones. The problem is easily corrected by the user.”
As for spam problems created by the VeriSign wildcard, the company said it “has investigated whether the major service providers or software vendors providing spam solutions use this type of filter. Based on feedback from these providers, it does not appear to be a widely implemented mechanism for spam identification and discovery.”
VeriSign also gave little weight to the IAB’s concerns about Site Finder being in English.
“In general, it is questionable as to whether a user finds a technical error page more helpful than a web page in English that assists in navigation, particularly given that 68 percent of all web pages are in English,” VeriSign said in its statement.