RealTime IT News

The Ramifications of VeriSign's Wildcard Gambit

VeriSign's recent move to quietly launch an immediate change to the way mistyped e-mail addresses and Web site queries are handled on the Internet is creating far-reaching consequences for domain name policies, Internet denizens say.

Since news began to trickle out last week that VeriSign had added a DNS "wildcard" to the .com and .net zones it operates as registry, privacy advocates and network operators have cried foul.

Many say VeriSign is using the DNS wildcard merely as a marketing tool for the company to drum up more business, a service the company has dubbed SiteFinder.

A DNS wildcard synthesizes, or makes up, an answer for a domain name that doesn't exist, such as when someone misspells the domain in an e-mail address or types the wrong URL into a Web browser. Instead of the "no such domain" response the name would normally get, the query returns an address of the zone operator's choosing.

In the past, if such an error occurred, the sender's mail server could not find the domain and bounced the message, and a Web browser reported that the site could not be found.

Now e-mail addressed to a mistyped .com or .net domain is delivered to a VeriSign mail server, which refuses it, so the bounce the sender sees comes from that exchange rather than immediately from the user's own ISP. For Web browsers, typing in the wrong URL now results in either a VeriSign-generated Web search page or a wait while the browser tries to connect to whatever address the wildcard returned.

On Monday, registrar Go Daddy Software filed a lawsuit against VeriSign over the policy, and is seeking a temporary restraining order against VeriSign's new service, called Site Finder.

Go Daddy said its lawsuit claims that VeriSign is misusing its position as the .com and .net domain registry to "gain an unfair competitive advantage by intercepting (and profiting from) Internet traffic resulting from the scores of invalid domain names that are typed into users' browsers on a daily basis."

Go Daddy said with VeriSign's new policy, "when a user types an invalid .com or .net address, they will instead be directed to a paid-advertising page supplied by VeriSign," which Bob Parsons, president of Go Daddy, said is "hijacking" the wildcard process.

"When the user is sent to VeriSign's advertising page, VeriSign gets paid by the advertiser when the user clicks a link to get off the page -- to the tune of $150 million annually, as estimated by VeriSign."

Another company, Popular Enterprises, filed a $100 million class-action lawsuit last week, which also claimed that VeriSign was "hijacking" misspelled domains for its SiteFinder program.

Days after the change, a report by the Internet Architecture Board (IAB) was released, pointing out the "unintended consequences" of VeriSign's actions. The ramifications, the authors say, have altered behavior that registrars, ISPs and application software had relied on: a query for an unregistered .com or .net name no longer returns the "no such domain" answer those systems expect.

The danger here, the IAB report says, is that it creates a single point of failure. If the server used to refuse the misdirected e-mail or return the Web search page isn't robust enough, it could cause days-long delays in bounced e-mail messages or a perpetual "Connecting to Server" message in Web browsers. A single, well-known target, the authors note, is also tempting to attackers.

Also affected by the new VeriSign policy are spam filters -- so expect more spam in the future, the IAB report said. Many ISPs and network administrators configure their mail servers to reject incoming e-mail whose sender domain does not exist in DNS. With the wildcard in place, every .com or .net domain appears to exist, so a forged or misspelled sender domain passes that check as if it were legitimate.
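To make the mechanism concrete, here is an added example (not VeriSign's, the IAB's or any registry's code) that models a registry zone with and without a wildcard, as described above, and runs the sender-domain check the IAB report is concerned about over a few constructed e-mail addresses. The registered names, the addresses and the sample senders are made up, and SINKHOLE is a placeholder for the address a wildcard would return, not the real Site Finder address.

```python
"""Toy model of a registry zone with and without a wildcard, and of the
sender-domain check mail servers use to reject forged senders.

Added example for this article; not VeriSign's, the IAB's or any registry's
code. The registered names, addresses and mail samples are constructed, and
SINKHOLE stands in for the address a wildcard would return.
"""
from typing import Optional

# Constructed registry data: the only names delegated under .com/.net here.
DELEGATED = {
    "example.com": "192.0.2.10",
    "internetnews.com": "192.0.2.20",
    "example.net": "192.0.2.30",
}

# TLDs whose zones carry the wildcard (assumed, mirroring the article).
WILDCARD_TLDS = {"com", "net"}

# Placeholder for the address the synthesized answers point at.
SINKHOLE = "192.0.2.99"


def resolve(name: str, wildcard: bool) -> Optional[str]:
    """Return the A record for name, or None to model an NXDOMAIN answer.

    With wildcard=True, any unregistered name in a wildcarded TLD gets the
    sinkhole address, which is what a `*.com A <addr>` record causes.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    tld = labels[-1]
    sld = ".".join(labels[-2:])
    if sld in DELEGATED:
        # A real resolver would follow the delegation to that zone's own
        # servers; the registry wildcard never applies below a delegated
        # name. The delegated address stands in for that zone's answer.
        return DELEGATED[sld]
    if wildcard and tld in WILDCARD_TLDS:
        return SINKHOLE
    return None


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address (constructed input, no validation)."""
    return address.rsplit("@", 1)[-1]


def accept_naive(address: str, wildcard: bool) -> bool:
    """The check the IAB describes: accept if the sender's domain resolves."""
    return resolve(sender_domain(address), wildcard) is not None


def accept_hardened(address: str, wildcard: bool) -> bool:
    """Same check, but treat the registry's sinkhole answer as NXDOMAIN."""
    answer = resolve(sender_domain(address), wildcard)
    return answer is not None and answer != SINKHOLE


# Constructed sample senders: one genuine, one typo, one forged domain.
SAMPLE_SENDERS = [
    "alice@example.com",
    "bob@exmaple.com",
    "spam@qzvx-nonexistent.com",
]


def run(check, wildcard: bool) -> dict:
    """Apply a check to every sample sender; returns {address: accepted}."""
    return {s: check(s, wildcard) for s in SAMPLE_SENDERS}


if __name__ == "__main__":
    for label, check in (("naive", accept_naive), ("hardened", accept_hardened)):
        for wildcard in (False, True):
            print(label, "wildcard" if wildcard else "no wildcard",
                  run(check, wildcard))
```

With the wildcard off, the naive check rejects the typo and the forged domain; with it on, all three senders are accepted. The hardened variant is the workaround many operators actually deployed, refusing answers that point at the registry's sinkhole address. It is brittle, since it depends on knowing that address and breaks if it changes, which is why ISC later added a delegation-only option to BIND that drops synthesized answers from a registry zone regardless of the address they carry.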

The unintended consequences of VeriSign's decision were significant enough for the Internet Corporation for Assigned Names and Numbers (ICANN) to issue a statement Friday, asking that VeriSign remove the DNS wildcard until its Security and Stability Advisory Committee had time to review the case.

According to Mary Hewitt, ICANN spokesperson, the committee is still taking feedback from the Internet community and will publish its own report with recommendations by the end of the week.

VeriSign did not return requests for comment on the new program.

However, Russell Lewis, VeriSign's executive vice president and general manager of naming and directory services, sent an open letter to ICANN President and CEO Paul Twomey Monday afternoon, saying the company had tested its Site Finder program for months before instituting it and had adhered to all technical standards.

"All indications are that users, important members of the Internet community we all serve, are benefiting from the improved web navigation offered by Site Finder," Lewis' letter read. "These results are consistent with the findings from the extensive research we performed."

In response to ICANN's request that VeriSign voluntarily suspend its wildcard service, Lewis replied it was much too early to do anything that drastic.

"I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data," it read. "After completing an assessment of any operational impact of our wildcard implementation, we will take any appropriate steps necessary."

Towards that end, Lewis said company officials have called Steve Crocker, chairman of the Security and Stability Advisory Committee, and Vint Cerf, ICANN's chairman, to arrange a meeting. They also plan to commission an independent study of the affair.

In the words of Russ Rader, director of research and innovation at registrar Tucows, the arbitrary inclusion of the DNS wildcard was "terrible, I don't think I can be blunt enough. They might as well have pulled the plug on the Internet," he said.

The IAB report allows that DNS wildcards can legitimately be used within a zone an operator controls, but only after advising everyone who depends on that zone of the change, and with a complete understanding of the risks.

The report stopped just short of calling for a ban on DNS wildcards, especially in zones with as large an Internet footprint as VeriSign's .com and .net.

"We hesitate to recommend a flat prohibition against wildcards in "registry"-class zones, but strongly suggest that the burden of proof in such cases should be on the registry to demonstrate that their intended use of wildcards will not pose a threat to stable operation of the DNS or predictable behavior for applications and users," the report said. "We recommend that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity."

Does VeriSign plan to remove the DNS wildcard from its registry? Given the company's silence, not to mention the quiet launch, many experts believe it won't do it voluntarily.

And there's really no one to stop them from continuing with the wildcard. ICANN is ostensibly a technical body with no real enforcement powers outside its granting of top-level domains to companies.

"That's the unfortunate part," Rader said. "Unless ICANN threatens to take away the .com and .net (domains) from VeriSign, they can't do anything. This should certainly factor into ICANN's decision when .com and .net come up for bid again in coming years."

According to ICANNWatch.org editor Michael Froomkin, a professor at the University of Miami's School of Law, the real problem here isn't one of technology but policy. If there were more top-level domains (TLDs), this problem wouldn't be so widespread. ICANN governs the inclusion of new TLDs in the root zone, which lists .com, .net and .org along with the other TLDs.

"If we didn't have this artificial scarcity in TLDs, it wouldn't be such a problem," he said. "I understand ccTLDs do this as a matter of course, but they are so small I guess no one has dealt with it.

"What this really offends is our sense of choice," he continued. "If AOL, MSN or some other ISP tried this, we'd just sign on with a different provider. But the user doesn't have a choice; you can change registrars but there's only one registry (for .com)."