September 17th, 2003

“Oops, I did it again” – Verisign


A couple of days ago, the New York Times reported that Verisign is going to modify its DNS infrastructure to redirect non-existent .com and .net domain names to its search engine.

Actually, Verisign introduced a limited DNS wildcard for Internationalized Domain Names earlier this year and, unfortunately, ICANN did not take any strong stand against it.

So it is not surprising that they got bolder and took the next step of adding a DNS wildcard to both .com and .net with no advance notice *sigh*. (To their credit, they did prepare a whitepaper about their implementation.)

So what is the problem with a DNS wildcard for .com and .net? (1) I wrote in IDN-RIC a few months ago that “Continuing to allow wildcards in DNS has many unpredictable consequences that will likely destroy the integrity of the DNS and the only naming infrastructure we have (e.g. imagine you made a typo in your recipient address; instead of getting an error, it quietly went to another machine).”

Stephane Bortzmeyer also wrote “The wildcarding of .com/.net does not impact only the Web. Since the mail servers try the A record if they get an empty reply when asking a MX record (this is what happens today in .com/.net), the mail server attempts to deliver any mail with a typo to Verisign. Currently, the Verisign server rejects it. What will happen in the future?”

(2) John Berryhill noted that “Tata & Sons paid to have cancelled in a UDRP, and then filed an interminable lawsuit in India to make sure it never rose from the grave, but stayed on perpetual hold.

Verisign has now neatly undone everything they paid thousands of dollars for:”

(3) George Kirikos noted that Verisign is “squattering” not just on all unregistered domain names, but also any PENDING DELETE (e.g. or even ACTIVE domain names with no name servers (

(4) Karl Auerbach noted that “Well, if queries for unregistered domains are returning records, those records have TTL (time to live) values. And if someone comes along and registers that name, the usability of that name is contaminated for at least the duration of that TTL, usually longer.

This is sort of like buying a new car and discovering that the dealer had been using the car before the sale and that the dealer then defers delivery for a few days and uses those days to put on a few hundred additional miles.”

Additionally, George William Herbert noted that “By all reasonable interpretations, Verisign is now operating in violation of the .com and .net Registry Agreements. Specifically, Sect 24 of the main agreement for .com and Sect 3.5.3, 3.5.5, and 3.6, 3.8 of the main agreement for .net, and the rather blank Appendix X.”

The community reacted by patching their DNS resolvers (BIND, djbdns, etc.) so that any answer containing (the Verisign SiteFinder IP address) is rewritten to NXDOMAIN before it reaches the client.
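To make the three effects discussed above concrete (mail falling through from MX to A and landing on the wildcard host, the TTL contamination Karl Auerbach describes, and the resolver-side NXDOMAIN rewrite the community deployed), here is a small simulation. It is an added example, not code from the post, from Verisign, or from the BIND/djbdns patches. The TLD zone, the registered names and the typo are all constructed, and the wildcard address is the RFC 5737 documentation address 192.0.2.1 standing in for the real SiteFinder IP, which is not reproduced here.

```python
"""Toy model of a TLD wildcard, a caching resolver, and the community's
'map the wildcard IP to NXDOMAIN' patch.  Constructed example; no real
zone data, hosts or addresses are used."""
import time
from dataclasses import dataclass

NXDOMAIN = "NXDOMAIN"
NOERROR = "NOERROR"

# Stand-in for the wildcard host's address (RFC 5737 documentation range).
WILDCARD_IP = "192.0.2.1"


@dataclass
class Answer:
    rcode: str
    records: list  # list of (qname, qtype, ttl, rdata)


class AuthoritativeTld:
    """A .com-style zone: registered names plus an optional '*' A record."""

    def __init__(self, wildcard_ip=None, wildcard_ttl=900):
        self.zone = {}  # name -> {"A": ..., "MX": ...}
        self.wildcard_ip = wildcard_ip
        self.wildcard_ttl = wildcard_ttl

    def register(self, name, a=None, mx=None):
        self.zone[name] = {"A": a, "MX": mx}

    def query(self, qname, qtype):
        entry = self.zone.get(qname)
        if entry is not None:
            rdata = entry.get(qtype)
            if rdata is None:  # name exists but has no record of that type (NODATA)
                return Answer(NOERROR, [])
            return Answer(NOERROR, [(qname, qtype, 3600, rdata)])
        if self.wildcard_ip is not None:
            # A wildcard only synthesizes the types it has.  For an A-only
            # wildcard an MX query gets NOERROR with no records, not NXDOMAIN,
            # which is exactly what sends MTAs down the A-record path.
            if qtype == "A":
                return Answer(NOERROR, [(qname, "A", self.wildcard_ttl, self.wildcard_ip)])
            return Answer(NOERROR, [])
        return Answer(NXDOMAIN, [])


class CachingResolver:
    """Caches positive answers by TTL; optionally rewrites answers that
    carry a filtered IP to NXDOMAIN, as the BIND/djbdns patches did."""

    def __init__(self, upstream, filter_ips=frozenset(), clock=time.time):
        self.upstream = upstream
        self.filter_ips = set(filter_ips)
        self.cache = {}  # (qname, qtype) -> (expiry, Answer)
        self.clock = clock

    def resolve(self, qname, qtype):
        key, now = (qname, qtype), self.clock()
        cached = self.cache.get(key)
        if cached and cached[0] > now:
            return cached[1]
        ans = self.upstream.query(qname, qtype)
        if any(r[3] in self.filter_ips for r in ans.records):
            ans = Answer(NXDOMAIN, [])  # the community patch: wildcard IP -> NXDOMAIN
        ttl = min((r[2] for r in ans.records), default=None)
        if ttl is not None:  # simplification: only positive answers are cached
            self.cache[key] = (now + ttl, ans)
        return ans


def mail_destination(resolver, domain):
    """Host an MTA would deliver to for @domain: MX first, then fall back to A.
    Returns None where the mail would bounce instead."""
    mx = resolver.resolve(domain, "MX")
    if mx.rcode == NXDOMAIN:
        return None
    if mx.records:
        return mx.records[0][3]
    a = resolver.resolve(domain, "A")
    if a.rcode == NXDOMAIN or not a.records:
        return None
    return a.records[0][3]


def run_scenarios():
    """Delivery target for a typo'd domain, and what a cache returns after
    a wildcard answer was cached and the name then registered."""
    results, typo = {}, "exmaple.com"  # constructed typo of example.com

    plain = AuthoritativeTld()  # no wildcard, the pre-SiteFinder situation
    plain.register("example.com", a="192.0.2.10", mx="mail.example.com")
    results["no_wildcard"] = mail_destination(CachingResolver(plain), typo)

    wild = AuthoritativeTld(wildcard_ip=WILDCARD_IP)
    wild.register("example.com", a="192.0.2.10", mx="mail.example.com")
    results["wildcard_unfiltered"] = mail_destination(CachingResolver(wild), typo)
    results["wildcard_filtered"] = mail_destination(
        CachingResolver(wild, filter_ips={WILDCARD_IP}), typo)

    clock = [1000.0]
    for label, ips in (("contaminated", set()), ("filtered_clean", {WILDCARD_IP})):
        tld = AuthoritativeTld(wildcard_ip=WILDCARD_IP, wildcard_ttl=900)
        res = CachingResolver(tld, filter_ips=ips, clock=lambda: clock[0])
        clock[0] = 1000.0
        res.resolve("newname.com", "A")  # wildcard answer, cached unless filtered
        tld.register("newname.com", a="192.0.2.20")  # someone now registers it
        clock[0] = 1010.0
        seen = [res.resolve("newname.com", "A").records[0][3]]
        clock[0] = 1000.0 + 901  # wildcard TTL has expired
        seen.append(res.resolve("newname.com", "A").records[0][3])
        results[label] = seen
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The MX-then-A fallback is the behaviour Stephane Bortzmeyer describes: with the wildcard in place the MX query returns an empty NOERROR rather than NXDOMAIN, so the MTA proceeds to the A record and delivers the typo'd mail to the wildcard host; with the filter the A answer becomes NXDOMAIN and the mail bounces as before. The second pair of scenarios shows the TTL point: an unfiltered cache keeps serving the wildcard address for the newly registered name until the 900-second TTL runs out, while the filtering resolver never cached it. Real resolvers also cache negative answers (by the zone's SOA minimum), which this model omits.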
