Re: [alac] Redirection of non-existing domain names, again
- To: Vittorio Bertola <vb@xxxxxxxxxxxxxx>, Esther Dyson <edyson@xxxxxxxxxxxxx>
- Subject: Re: [alac] Redirection of non-existing domain names, again
- From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 16 Sep 2003 12:54:17 +0200

Here's an update. I'm wondering if we should also mention the
general uproar about this. But probably comments@xxxxxxxxx is
already feeling that.

Just reading the slashdot thread; this actually turns up some
technical consequences I hadn't been thinking about before, like
secondary MXs that point nowhere (these are bound to break some day,
but break en masse now), and problems in diagnosing lame

Anyway, here we go:

The At-Large Advisory Committee would like to bring to the board's
attention concerns about Verisign's surprising roll-out of the
"SiteFinder" service for .com and .net.

SiteFinder works by re-directing queries for non-existing domain
names to the IP address of a search service that is being run by

This practice raises grave technical concerns, as it de facto
removes error diagnostics from the DNS protocol, and replaces them
by an error handling method that is tailored for HTTP, which is just
one of the many Internet protocols that make use of the DNS. We will
leave it for others to explain the details of these concerns, but
note that returning resource records in a way which is contrary to
the very design of the DNS certainly does not promote the stability
of the Internet.

These concerns are not mitigated by Verisign's efforts to work
around the consequences of breaking the Internet's design on a
service-by-service basis: These workarounds make specific
assumptions on the conclusions that Internet software would be
drawing from nonexisting domain names; it is not clear that these
assumptions are always appropriate.

The work-arounds deployed depend on the global reachability of
Verisign's redirection infrastructure; no caching of results is
available any more. Unreachability of at least part of the
infrastructure has already been observed a few hours after the service
was initially deployed, confronting Internet users with misleading
network timeout error messages instead of quickly-delivered and
accurate "no such domain name" errors.

When working as intended, the service centralizes error handling
decisions at the registry that are rightly made in application
software run on users' computers. Users are deprived of the
opportunity to choose those error handling strategies best suited for
their needs, by choosing appropriate products available on a
competitive marketplace. Software makers are deprived of the
opportunity to compete by developing innovative tools that best
match the user's needs.

We urge the board to take whatever steps are necessary to stop this

On 2003-09-16 05:36:51 -0400, Esther Dyson wrote:
> FWIW, I think our job is to register our concerns in public, as
> we are doing, and send Roberto to the board... the issue is
> things that are actually going on (and some kind of notion of the
> public interest needs to be surfaced quickly).

By the way, I'd expect that the GNSO council will also take this up
at its next meeting.

> I would add at the end: ...stop this service and consider its
> implications." or something.

That's too close to "study it for years, then stop it" for my taste.
I'd rather leave it as a single action item.

Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
At-Large Advisory Committee: http://alac.info/