[wildcard-comments] Submission from the London Internet Exchange to SecSAC on Verisign wildcards
- To: <secsac-comment@xxxxxxxxx>
- Subject: [wildcard-comments] Submission from the London Internet Exchange to SecSAC on Verisign wildcards
- From: "Malcolm Hutty" <malcolm@xxxxxxxx>
- Date: Mon, 6 Oct 2003 17:50:00 +0100
- Cc: <wildcard-comments@xxxxxxxxx>
- Importance: Normal
- Sender: owner-wildcard-comments@xxxxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The London Internet Exchange (LINX) is Europe's largest Internet
exchange point. Owned mutually by nearly 140 member Internet Service
Providers and Content Services Providers, LINX members carry the
overwhelming majority of Internet traffic within the United Kingdom.
Most of the Internet traffic exchanged between ISPs within the UK by
public peering is passed across the LINX.
LINX is concerned about Verisign's insertion of wildcard records into
the .com and .net zones, and about the use of these wildcards to
direct traffic that would otherwise have resulted in a "no domain"
response to Verisign's own hosts.
LINX views the DNS tree as extremely important to the smooth
operation of Internet services: anything that damaged confidence in
the integrity and unified nature of the DNS tree would be very
unfortunate.
LINX is concerned that Verisign's actions may undermine confidence in
the DNS. In particular, LINX fears that individual networks may
implement workarounds to avoid the effect that Verisign is seeking to
create, and that this could result in reduced confidence in the DNS
system continuing as a single coherent tree.
Once the prospect of DNS resolvers choosing not to honour the DNS
tree appears we have to consider the possibility of further
fragmentation of the DNS through individual networks suborning the
Domain Name System in order to pursue other commercial or policy
interests.
Another avenue of concern lies in the area of respecting end user
privacy. While we take note of and welcome Verisign's assurances that
they are not logging traffic to its mail servers, end users around
the world are forced to rely on the promise offered by a commercial
entity operating in a single national jurisdiction. The United States
does not share the same data protection laws offered in some other
countries, and most end users would have no practical or legal
recourse if Verisign were to fail to adhere to its policy, either for
its own purposes or for those of the relevant legal authorities.
There is therefore a powerful argument that end users should not have
to take the promise not to retain private data on trust.
In contrast to these concerns, there is Verisign's own interest in
preserving its freedom of action and ability to pursue its commercial
success. We are not persuaded that in this case Verisign's private
interests outweigh the considerable public concerns that have been
expressed by LINX and others on behalf of the wider Internet
community.
The longer term implications of such DNS fragmentation are directly
relevant to the stability of Internet service, and thus to the work
of ICANN's Security and Stability Advisory Committee. We believe that
these implications would be quite regrettable, and that it is
appropriate to take steps to ensure that this does not occur.
LINX endorses the statement of the Internet Architecture Board and
recommends that Verisign is asked to remove the wildcard records it
has inserted in the .com and .net zones.
Statement prepared by
Mike Hughes, Chief Technology Officer
Malcolm Hutty, Regulation Officer
and issued on behalf of the London Internet Exchange.
- --
Malcolm Hutty | tel: +44 20 7645 3523 | malcolm@xxxxxxxx
Regulation Officer | fax: +44 20 7645 3529 | www.linx.net
London Internet Exchange | |
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBP4GdNfHiNVXXhqetEQL8KQCePvxQSpKC3+riHyHmmYxEl1Kcu9QAnA7j
tgnRUoqE62YiBFqL5IYEFoyQ
=royI
-----END PGP SIGNATURE-----