[wildcard-comments] Impact of VeriSign's wildcard
- To: wildcard-comments@xxxxxxxxx
- Subject: [wildcard-comments] Impact of VeriSign's wildcard
- From: Robert Clark <hostmaster@xxxxxxxxxxxx>
- Date: 27 Sep 2003 18:06:05 +0100
- Organization: Parbin Ltd.
- Sender: owner-wildcard-comments@xxxxxxxxx

I work for an ISP which provides domain registration, web and email
hosting and ADSL services.

The unannounced launch by VeriSign of their Site Finder service has
left us scrambling to perform emergency alterations to the automated
systems we have in place for monitoring the progress of the transfer and
registration of domains. These are still not completed, and we have been
forced to handle many manually in the meantime.

We have also received many support calls from confused customers.
These calls covered more than simply the unexpected redirection to the
Site Finder web site. They included, for example, situations where they
had entered a hostname incorrectly into an FTP client and, instead of
receiving a "server not found, check the name" type of error, they
received a "server did not respond, contact the server administrator"
type of error.

For email, our customers have seen a sharp increase in unsolicited
emails using unregistered .com domains as sender addresses. These would
previously have been rejected at the SMTP stage; instead they are
costing us bandwidth, CPU time and disk space and, more importantly,
customer goodwill. We are looking into solutions for this but it will,
again, cost us time and money to work around.

We have also seen an increase in the number of double-bounced emails
due to customers misspelling their sender address and a corresponding
increase in the number of complaints of "vanishing emails". These emails
would previously have been rejected at the SMTP session, giving the
customer immediate feedback and a chance to correct the error.

After the privacy and security issues became widely known, we joined
other ISPs in blocking traffic to Site Finder. This has increased the
load on our mail servers as mis-addressed emails remain in the queue for
5 days, tying up delivery processes.

Increasingly, it is looking like we will need to apply a patch to our
nameservers to work around the VeriSign wildcard. This is something we
have been reluctant to do since it would mean forking our nameservers
from our vendor and impede our ability to update in case of a security
issue. For a service as critical as DNS, this is not something we take
lightly. However, the cost to us of working around the wildcard in every
application is simply prohibitive.

In light of all the problems VeriSign's action has caused us, I find
it incredible to read Russell Lewis's letter to ICANN:
where he says "it would be premature to decide on any course of action
until we first have had an opportunity to collect and review the
available data". Did it not occur to VeriSign that it might have been
"premature" to deploy this without first examining the consequences and
consulting with the technical community?

Unless VeriSign comply with ICANN's request to remove the wildcard
from the .com and .net zones soon, we will reluctantly add our voice to
the many already calling for custodianship of these zones to be removed
from VeriSign and transferred to a more trustworthy entity. Preferably
one which does not have the profit motive which seems to have led to
this disastrous experiment with the Internet's fundamental