Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Thu, 18 Sep 2003, Keith Moore wrote: this breaks anything that assumes (quite reasonably) that query to a a nonexistent domain will return NXDOMAIN. That an invalid assumption to make. It was not made quite reasonably, but rather was made quite irrationally. In many or most cases, it was made willfully, knowing and having been warned that such assumptions were invalid. I have little sympathy for the claims that this was somehow disruptive. The people making these assumptions have known about and had been told of the invalidity of those assumptions for many years. They didn't just learn of this on Monday. They were warned well in advance. All that happened on Monday was that the hammer finally fell making those assumptions operationally untenable. this does point out something about our standards - they're written assuming that people want to interoperate and that they're acting in good faith. while they might try to prohibit harmful behavior that might occur by accident, they weren't written to dictate the actions of potentially hostile parties (and I do regard VeriSign as hostile) This is also unreasonable. Verisign is not hostile. --Dean
RE: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
After all two wrongs don't make a right, But two Wrights make an airplane In honour of the 100 year aniversary Bill -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Hoffman / IMC Sent: Thursday, September 18, 2003 9:22 AM To: [EMAIL PROTECTED] Subject: Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us] At 2:14 PM +0200 9/18/03, Francis Dupont wrote: = IMHO it should reject SMTP connection from the beginning with the 521 greeting described in RFC 1846... People are unhappy about VeriSign breaking the rules. But here you are proposing that they follow an *experimental* RFC whose rules were not accepted into the later revision of SMTP in RFC 2821. How will them breaking the rules twice make it better? --Paul Hoffman, Director --Internet Mail Consortium
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Yakov Shafranovich writes: Just to follow up on this - I just spoke to an engineer at Verisign and he informed me that the SMTP daemon is being replaced in a few hours with an RFC-compliant one. As for not giving a warning - this came from a higher policy level at Verisign and he is just an engineer. They finally did, and the new version (1.5) of the Snubby Mail Rejector does work better. It handles multiple RCPT TO: commands better - the previous version 1.3 would always reply 550 to the first, but 250 to the next. And the new version even does ESMTP with the PIPELINING extension - this will save quite a few packets globally. [EMAIL PROTECTED],[EMAIL PROTECTED]... Connecting to dafladshflhfldkshflaasdf.com. via esmtp... 220 Snubby Mail Rejector Daemon v1.5 ready EHLO babar.switch.ch 250-snubby 250-PIPELINING 250-SIZE 1024 250-ETRN 250-XVERP 250 8BITMIME MAIL From:[EMAIL PROTECTED] SIZE=570 250 Ok RCPT To:[EMAIL PROTECTED] RCPT To:[EMAIL PROTECTED] DATA 550 unknown[130.59.4.85]: Client host rejected: The domain you are trying to send mail to does not exist. 550 unknown[130.59.4.85]: Client host rejected: The domain you are trying to send mail to does not exist. 554 Error: no valid recipients RSET 421 Error: too many errors QUIT -- Simon.
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
In your previous mail you wrote: People, have you been reading the posts? The stubby SMTP daemon is not an SMTP server, it is simply a program that returns the following set of responses TO ANYTHING THAT IS PASSED TO IT. = IMHO it should reject SMTP connection from the beginning with the 521 greeting described in RFC 1846... Regards [EMAIL PROTECTED]
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
At 2:14 PM +0200 9/18/03, Francis Dupont wrote: = IMHO it should reject SMTP connection from the beginning with the 521 greeting described in RFC 1846... People are unhappy about VeriSign breaking the rules. But here you are proposing that they follow an *experimental* RFC whose rules were not accepted into the later revision of SMTP in RFC 2821. How will them breaking the rules twice make it better? --Paul Hoffman, Director --Internet Mail Consortium
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Thu, 18 Sep 2003 09:22:15 -0700 Paul Hoffman / IMC [EMAIL PROTECTED] wrote: At 2:14 PM +0200 9/18/03, Francis Dupont wrote: = IMHO it should reject SMTP connection from the beginning with the 521 greeting described in RFC 1846... People are unhappy about VeriSign breaking the rules. But here you are proposing that they follow an *experimental* RFC whose rules were not accepted into the later revision of SMTP in RFC 2821. How will them breaking the rules twice make it better? it's sort of missing the point anyway. mail and web aren't the only apps affected by this. this breaks anything that assumes (quite reasonably) that query to a a nonexistent domain will return NXDOMAIN. this does point out something about our standards - they're written assuming that people want to interoperate and that they're acting in good faith. while they might try to prohibit harmful behavior that might occur by accident, they weren't written to dictate the actions of potentially hostile parties (and I do regard VeriSign as hostile)
RE: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
I've just got to ask... I am seeing news that BIND WILL BE patched with this kind of support in it. Is this a sponsored patch, or is it just a random person posting a patch - that if applied would have this functionality Bill -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Vixie Sent: Tuesday, September 16, 2003 7:33 PM To: [EMAIL PROTECTED] Subject: Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us] It is worth noting that if we are to pass judgement against Verisign there are at least half-dozen other TLDs that blazed the trail. We just overlooked them because of their size as compared to .NET and .COM. when people started beating on my phone ringer about wildcards yesterday evening, and screaming for patches to bind to somehow make it all better, i asked but other tld's do this, what's the big deal? as near as i can figure it, the problem is one of expectation. if someone signs up for .nu they know there'll be a wildcard there before they sign, and they can take appropriate precautions (like only using it for web or e-mail, and not naming hosts under that tld). the expectations for .com and .net to not have wildcards were all set many years ago, and it's the violation of those expectations that's got people angry enough to publish patchware about it. -- Paul Vixie
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Hi - http://www.isc.org/products/BIND/delegation-only.html Carl I've just got to ask... I am seeing news that BIND WILL BE patched with this kind of support in it. Is this a sponsored patch, or is it just a random person posting a patch - that if applied would have this functionality Bill -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Vixie Sent: Tuesday, September 16, 2003 7:33 PM To: [EMAIL PROTECTED] Subject: Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us] It is worth noting that if we are to pass judgement against Verisign there are at least half-dozen other TLDs that blazed the trail. We just overlooked them because of their size as compared to .NET and .COM. when people started beating on my phone ringer about wildcards yesterday evening, and screaming for patches to bind to somehow make it all better, i asked but other tld's do this, what's the big deal? as near as i can figure it, the problem is one of expectation. if someone signs up for .nu they know there'll be a wildcard there before they sign, and they can take appropriate precautions (like only using it for web or e-mail, and not naming hosts under that tld). the expectations for .com and .net to not have wildcards were all set many years ago, and it's the violation of those expectations that's got people angry enough to publish patchware about it. -- Paul Vixie
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Paul Vixie [EMAIL PROTECTED] writes: By the way, what about .museum? .museum does not delegate all of its subdomains. not all tld's are delegation-only. I know. I have to admit that (as someone who grew up under .de) I would never have thought of the delegation-only approach. 8-)
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Carl; http://www.isc.org/products/BIND/delegation-only.html As I just post to DNSOP WG ML (detailed discussion should be done there), it is not an effective protection against synthesised (from wildcared NS, in this case) NS and synthesised (from scratch) child zone contents. A protection is to reject NS answers, if it is identical to wildcarded one, though it has several side effects. Masataka Ohta
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Because noone can stop them doing it, apparently... On Tue, Sep 16, 2003 at 12:43:35AM -0400, Keith Moore wrote: so now verisign is deliberately misrepresenting DNS results. why are these people allowed to live?
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Today VeriSign is adding a wildcard A record to the .com and .net zones. This is, as already noted, very dangerous. We in the IETF must work to put a stop to this attempt to turn the DNS into a directory service, and quickly. I suggest the following courses of action, to be taken in parallel and immediately: 0. Urgently publish an RFC (Wildcards in GTLDs Considered Harmful, or DNS Is Not A Directory) to provide a clear statement of the problem and to unambiguously prohibit the practice. 1. Via ICANN, instruct Verisign to remove the wildcard. 2. Some of us with sufficiently studly facilities should mirror the COM and NET zones, filtering out the wildcards. Then the root zone can be modified to point at these filtered COM and NET nameservers. 3. Instruct ICANN to seek another organisation to permanently take over COM and NET registry services, in the event that Verisign do not comply with instructions to remove the wildcard. I believe that the direct action I suggest in point 2 is necessary, because we have previously seen the failure of the proper channels in this matter, when Verisign added a wildcard for non-ASCII domain names. Verisign have shown a disregard for the technical requirements of their job, as well as displaying gross technical incompetence (particularly in the wildcard SMTP server). I believe Verisign have forfeit any moral right to a grace period in which to rectify the situation. -zefram -- Andrew Main (Zefram) [EMAIL PROTECTED]
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Zefram [EMAIL PROTECTED] writes: 1. Via ICANN, instruct Verisign to remove the wildcard. By the way, what about .museum?
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Tue, 16 Sep 2003, Zefram wrote: ... I suggest the following courses of action, to be taken in parallel and immediately: 1. Via ICANN, instruct Verisign to remove the wildcard. It isn't clear that this power is vested in ICANN. There is a complicated arrangement of Cooperative Agreements, MOUs, CRADAs, and Purchase Orders that exist between various agencies of the US Department of Commerce (including NTIA, NIST, and others) and ICANN and Verisign/NSI. This web of agreements is sufficiently complicated that often really isn't exactly clear who can compel Verisign/NSI on any particular point. In fact it may well be that the power may not exist. Or it may take a lot of legal dollars and time to press the issue. To make the situation even less clear, there is, I believe, no statement in the relevant Internet Standards docucuments that clearly rules out this kind of wildcarding. (Yes, I think we can all agree that this particular use of wildcarding *is* a bad thing, I'm simply pointing out that to those who are not technically grounded in DNS matters, that without a clear prohibition in the Internet Standards, the matter isn't so obvious.) By-the-way, Neulevel (.us and .biz) did an experiment along these lines back in May of this year. It was short lived. At the time I thought it was a bad thing, and I still do. And at the time I wrote and sent to the ICANN board an evaluation of the risks of that experiment. --karl--
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On dinsdag, sep 16, 2003, at 12:25 Europe/Amsterdam, Karl Auerbach wrote: 1. Via ICANN, instruct Verisign to remove the wildcard. It isn't clear that this power is vested in ICANN. There is a complicated arrangement of Cooperative Agreements, MOUs, CRADAs, and Purchase Orders that exist between various agencies of the US Department of Commerce (including NTIA, NIST, and others) and ICANN and Verisign/NSI. This web of agreements is sufficiently complicated that often really isn't exactly clear who can compel Verisign/NSI on any particular point. In fact it may well be that the power may not exist. Or it may take a lot of legal dollars and time to press the issue. I think the ICANN has no choice and has to show its teeth here, or just roll over and die because there no longer is a reason for its existence. On a related note: so far I have never bothered to move my domains to a competing registrar before, but now seems a good time to do it. Can anyone recommend a procedure for select a good quality registrar? (Off-list if this is more appropriate.)
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
By-the-way, Neulevel (.us and .biz) did an experiment along these lines back in May of this year. It was short lived. At the time I thought it was a bad thing, and I still do. And at the time I wrote and sent to the ICANN board an evaluation of the risks of that experiment. .nu have been doing this for a long time AFAIK. - kurtis -
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Is it any worse than IE taking you to msn search when a domain doesn't resolve? Or worse than Mozilla taking you to Netscape, duplicating a Google search, and opening a sidebar (and a netscape search) you didn't want? I think it isn't. And people shouldn't be using Reverse DNS for spam checks, either. This has been hashed out on both DNSOP and Namedroppers. People have known not to do this for a long time, but some still insist on it. For that reason alone, this is a good idea. --Dean On Tue, 16 Sep 2003, Keith Moore wrote: so now verisign is deliberately misrepresenting DNS results. why are these people allowed to live?
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Dean Anderson wrote: Is it any worse than IE taking you to msn search when a domain doesn't resolve? Or worse than Mozilla taking you to Netscape, duplicating a Google search, and opening a sidebar (and a netscape search) you didn't want? Yes, it is worse. Much worse. There is a fundamental difference between this defaulting happening in the DNS and happening in a client program. It is necessary that the wire protocols distinguish between existence and non-existence of resources in a standard manner (NXDOMAIN in this case) in order to give the client the choice of how to handle non-existence. If IE wishes to default to doing a web search under those circumstances, that is silly but harms no one else. What Verisign has done pre-empts that choice for everyone. -zefram -- Andrew Main (Zefram) [EMAIL PROTECTED]
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Is it any worse than IE taking you to msn search when a domain doesn't resolve? yes. if an app that interfaces to humans masks the difference between an invalid domain and a valid one, it only affects people who use that particluar app. however for other apps the difference between an invalid domain and a valid one is significant. verisign is masking the difference between a valid domain and NXDOMAIN for all protocols, all users, and all software.
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
I agree with Zefram here, for at least a couple of reasons: - there's a difference between doing this in infrastructure and doing this in a client program - there's a difference between doing this in a scenario where there probably really IS a human in the loop (IE) and a scenario where there's no reason to think that a human is involved (trivially, an FTP running from cron on a Unix box) - there's a difference between doing this in a component that can be replaced (IE) and one that is very difficult to replace in a meaningful way (DNS) Not that I think IE's redirection is a GREAT example of the Internet at its finest... Spencer - Original Message - From: Zefram [EMAIL PROTECTED] To: Dean Anderson [EMAIL PROTECTED] Cc: Keith Moore [EMAIL PROTECTED]; Yakov Shafranovich [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, September 16, 2003 8:18 AM Subject: Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us] Dean Anderson wrote: Is it any worse than IE taking you to msn search when a domain doesn't resolve? Or worse than Mozilla taking you to Netscape, duplicating a Google search, and opening a sidebar (and a netscape search) you didn't want? Yes, it is worse. Much worse. There is a fundamental difference between this defaulting happening in the DNS and happening in a client program. It is necessary that the wire protocols distinguish between existence and non-existence of resources in a standard manner (NXDOMAIN in this case) in order to give the client the choice of how to handle non-existence. If IE wishes to default to doing a web search under those circumstances, that is silly but harms no one else. What Verisign has done pre-empts that choice for everyone. -zefram -- Andrew Main (Zefram) [EMAIL PROTECTED] ___ This message was passed through [EMAIL PROTECTED], which is a sublist of [EMAIL PROTECTED] Not all messages are passed. Decisions on what to pass are made solely by Raffaele D'Albenzio.
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Tue, 16 Sep 2003 09:24:27 EDT, Keith Moore said: verisign is masking the difference between a valid domain and NXDOMAIN for all protocols, all users, and all software. Out of curiosity, where did Verisign get the right to have the advertising monopoly for all the eyeballs they'll attract with this? pgp0.pgp Description: PGP signature
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Valdis writes: Out of curiosity, where did Verisign get the right to have the advertising monopoly for all the eyeballs they'll attract with this? They didn't. And there's even a way for individuals to stop it: Type an incorrect spelling for a famous trademark. When Verisign puts up its own page for the nonexistent domain, copy it and send it to the trademark owner, asking if he intends to defend his trademark, or if he is releasing it to the public domain. In the former case, he'll have to take action against Verisign. The latter case is unlikely unless he truly doesn't want the trademark, because undefended trademarks are easily diluted and slip rapidly into the public domain. After Verisign has a few thousand lawsuits on its hands, it will change its policy.
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
From: [EMAIL PROTECTED] Out of curiosity, where did Verisign get the right to have the advertising monopoly for all the eyeballs they'll attract with this? What eyeballs? I doubt I'm among the first 1,000,000 people to adjust junk pop-op or other defenses to treat sitefinder.verisign.com and 64.94.110.0/24 like any other noxious web site. If AOL and a lot of other outfits haven't adjusted their proxies within a few hours, I'll be surprised. If AOL and Microsoft don't immediately make releases of IE and Netscape that treat 64.94.110.11 the same as they treated an NXDOMAIN (and included an update mechanism), it will only be because Verisign has given up or they're gettting piece of Verisign's action. Vernon Schryver[EMAIL PROTECTED]
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Tue, 16 Sep 2003, Keith Moore wrote: their mistake is in assuming that they can respond appropriately for all ports - particularly when the association of applications with known ports is only advisory, and many ports are open for arbitrary use. Agreed but this is overstating the issue since interoperability demands we know which port is doing what and when. What we needed was time to either stop this before it happened or to deal with the implications. in fact, a 550 response in SMTP is a different condition from NXDOMAIN, and sometimes the difference is important - as the spam filter folks have discovered. Yes and this could be fixed with a new well-defined error code, which brings us back to needing time to make an adjustment (or to have stopped it from ever happening). Would have been nice to get some advance notice even if there are other TLDs that have been doing this for some time. nice is not a word that seems to apply to forcing the entire net to have to patch its applications and libraries just because verisign decided to make inappropriate assertions about unregistered domains. that's like calling a mugger nice because he talks to you politely while he takes your wallet at gunpoint. Agreed but let's be fair. Verisign was not first. In fact, they are almost 10th in the process. Someone earlier (just today, sorry for not looking back for the name) asked about .museum, which I've seen references elsewhere to suggest it has in its contract with ICANN to have this wildcard. I have not confirmed this but undoubtedly someone out there will know and provide a reference. And there is the matter of the other TLDs that are already doing this and have been doing it for some time. None of this makes it right but let's focus on the issue not Verisign. And the issue is with ICANN and convincing it that this is bad behavior for all registries. Verisign just made us all notice. It is worth noting that if we are to pass judgement against Verisign there are at least half-dozen other TLDs that blazed the trail. We just overlooked them because of their size as compared to .NET and .COM. not only their size, but their scope also. What's the difference? Their scope matters because of their size, or vice versa. Jim
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Tue, 16 Sep 2003, Bill Sommerfeld wrote: IMHO it was irresponsible of them to do this without several months advance notice to allow authors of automated systems which depended on NXDOMAIN queries to notice this and without a stable documented way to reconstitute the NXDOMAIN they're suppressing. Agreed although some might argue we had several months notice, albeit quietly. Verisign was far from being first at this. It's just that their size/scope made us all notice. Jim
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
James M Galvin wrote: On Tue, 16 Sep 2003, Keith Moore wrote: verisign is masking the difference between a valid domain and NXDOMAIN for all protocols, all users, and all software. If you read the Verisign documentation (which is quite excellent by the way) on what they did and what they recommend you will see that they thought about this. In fact, the purpose of the Stubby SMTP daemon is to return a 550 for non-existent recipient domains. It is left as an exercise to the reader as to which is more efficient: DNS NXDOMAIN or SMTP 550. People, have you been reading the posts? The stubby SMTP daemon is not an SMTP server, it is simply a program that returns the following set of responses TO ANYTHING THAT IS PASSED TO IT. --snip- 220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready blah 250 OK blah 250 OK blah 550 User domain does not exist. blh 250 OK blah 221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel --snip- That means that if the SMTP sender issues a RSET command after HELO, they will not get a 550 error code for the RCPT TO command, but rather for the MAIL FROM command as follows: --snip- 220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready EHLO someone.com 250 OK RSET 250 OK MAIL FROM:[EMAIL PROTECTED] 550 User domain does not exist. RCPT TO:[EMAIL PROTECTED] 250 OK DATA 221 snubby4-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel --snip-
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
their mistake is in assuming that they can respond appropriately for all ports - particularly when the association of applications with known ports is only advisory, and many ports are open for arbitrary use. Agreed but this is overstating the issue since interoperability demands we know which port is doing what and when. only the app (not the entire network) needs to know which port to use, and this doesn't require that every port be assigned to a specific app. What we needed was time to either stop this before it happened or to deal with the implications. what we need is a way to punish people who abuse the Internet. personally I think drawing and quartering would be appropriate... in fact, a 550 response in SMTP is a different condition from NXDOMAIN, and sometimes the difference is important - as the spam filter folks have discovered. Yes and this could be fixed with a new well-defined error code NO Jim. VERISIGN DOES NOT HAVE THE RIGHT TO IMPOSE DISRUPTIVE CHANGE ON THE INTERNET, not even with advance notice. None of this makes it right but let's focus on the issue not Verisign. Yes, let's focus on the issue. But let's not ignore who is doing it either. What's wrong for VeriSign is wrong for the other TLD operators also. But Verisign causes much more harm by screwing COM and NET than the operators of ccTLDs do.
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Just to follow up on this - I just spoke to an engineer at Verisign and he informed me that the SMTP daemon is being replaced in a few hours with an RFC-compliant one. As for not giving a warning - this came from a higher policy level at Verisign and he is just an engineer. Yakov Yakov Shafranovich wrote: James M Galvin wrote: On Tue, 16 Sep 2003, Keith Moore wrote: verisign is masking the difference between a valid domain and NXDOMAIN for all protocols, all users, and all software. If you read the Verisign documentation (which is quite excellent by the way) on what they did and what they recommend you will see that they thought about this. In fact, the purpose of the Stubby SMTP daemon is to return a 550 for non-existent recipient domains. It is left as an exercise to the reader as to which is more efficient: DNS NXDOMAIN or SMTP 550. People, have you been reading the posts? The stubby SMTP daemon is not an SMTP server, it is simply a program that returns the following set of responses TO ANYTHING THAT IS PASSED TO IT. --snip- 220 snubby2-wceast Snubby Mail Rejector Daemon v1.3 ready blah 250 OK blah 250 OK blah 550 User domain does not exist. blh 250 OK blah 221 snubby2-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel --snip- That means that if the SMTP sender issues a RSET command after HELO, they will not get a 550 error code for the RCPT TO command, but rather for the MAIL FROM command as follows: --snip- 220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready EHLO someone.com 250 OK RSET 250 OK MAIL FROM:[EMAIL PROTECTED] 550 User domain does not exist. RCPT TO:[EMAIL PROTECTED] 250 OK DATA 221 snubby4-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel --snip-
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Tue, 16 Sep 2003, Keith Moore wrote: their mistake is in assuming that they can respond appropriately for all ports - particularly when the association of applications with known ports is only advisory, and many ports are open for arbitrary use. Agreed but this is overstating the issue since interoperability demands we know which port is doing what and when. only the app (not the entire network) needs to know which port to use, and this doesn't require that every port be assigned to a specific app. You can't have it both ways. Either the app is so widespread that the port in use is at least a de facto standard or it is a de jure standard. Either way it is possible to respond appropriately. And there aren't that many apps that fall into this category. But I do agree that in the general case there are a lot of ports to worry about. I just don't think the general case is a practical concern. So perhaps we just disagree? in fact, a 550 response in SMTP is a different condition from NXDOMAIN, and sometimes the difference is important - as the spam filter folks have discovered. Yes and this could be fixed with a new well-defined error code NO Jim. VERISIGN DOES NOT HAVE THE RIGHT TO IMPOSE DISRUPTIVE CHANGE ON THE INTERNET, not even with advance notice. I'm not so sure. Others on this list and other lists, some more qualified than I, have been asserting there are no rules -- technical or otherwise -- to prevent Verisign and others from doing what they've done. Oh we can certainly debate philosophical positions like do not harm, but what exactly is the disruption here? Correct me if I'm wrong, the principle disruption -- and I want to emphasize disruption here -- I've seen is that a particular spam indicator no longer works as expected. Is there more to this than that? Okay, yes, there may be technical DNS issues but it is still not disruptive to the Internet infrastructure in general as far as I can tell. There seems to be no shortage of reasons to dislike the behavior but what exactly has been disrupted? None of this makes it right but let's focus on the issue not Verisign. Yes, let's focus on the issue. But let's not ignore who is doing it either. Ignore, no. But let's not start Verisign bashing either. What's wrong for VeriSign is wrong for the other TLD operators also. But Verisign causes much more harm by screwing COM and NET than the operators of ccTLDs do. But what exactly is the screw here? Jim
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
From: James M Galvin [EMAIL PROTECTED] ... Correct me if I'm wrong, the principle disruption -- and I want to emphasize disruption here -- I've seen is that a particular spam indicator no longer works as expected. Is there more to this than that? ... The list I've seen is: - failing to reject spam based on NXDOMAIN for the envelope sender. (What you term the principle disruption) - rejecting legitimate mail because some long dead DNS-based blacklists are suddenly resolving - HTTP spiders will fetch Verisign's robots.txt a lot as they find bogus domains (e.g. typos in HREFs) resolving. - HTTP users see a stalled screen instead of an error message as their browsers wait for Verisign's overloaded HTTP server to deliver its advertising. Vernon Schryver[EMAIL PROTECTED]
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Tue, 16 Sep 2003 15:19:47 EDT, James M Galvin said: But what exactly is the screw here? Verisign was (as far as I knew) given *stewardship* of the .com and .net zones as a public trust. I don't see anywhere they were given the right to use their stewardship to try to make money selling typo eyeballs. (And note that unless you do something *really* ugly like round-robin the wildcards, only one organization can do this per TLD - so they're essentially abusing their monopoly). So the question boils down to: Are they owners of .com, or merely caretakers? pgp0.pgp Description: PGP signature
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
Jim writes: Correct me if I'm wrong, the principle disruption -- and I want to emphasize disruption here -- I've seen is that a particular spam indicator no longer works as expected. Is there more to this than that? You could make many random DNS requests of a DNS server and flush the cache, producing a partial denial of service (or at least a drop in performance). If every single request for a domain produces an address, existent or not, it takes up more continuing resources than a request that produces an error. No?
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
only the app (not the entire network) needs to know which port to use, and this doesn't require that every port be assigned to a specific app. You can't have it both ways. Either the app is so widespread that the port in use is at least a de facto standard or it is a de jure standard. False. Many ports have neither a de factor nor a de jure assignment. Either way it is possible to respond appropriately. False. As I pointed out earlier, there is no SMTP respose which is equivalent to this domain does not exist. Furthermore there are failure modes associated with the wildcard MX record that do not exist if the server returns NXDOMAIN. For instance, if their SMTP server is down or unreachable (as it might be from time to time), the sender will keep retrying to send the message when it should have failed immediately with NXDOMAIN. Frankly, your apologies for Verisign's abuse aren't very credible. The only appropriate response to this situation is to punish Verisign. But I do agree that in the general case there are a lot of ports to worry about. I just don't think the general case is a practical concern. So perhaps we just disagree? Perhaps. I actually care about preserving the Internet's ability to support a wide variety of applications. So arguments of the form it works for the web and email, therefore the practical concerns are taken care of don't wash. Particularly when it doesn't even do the right thing for either the web or email. Hint: just because the protocol is HTTP doesn't mean that the client has a human typing URLs in and looking at the output. in fact, a 550 response in SMTP is a different condition from NXDOMAIN, and sometimes the difference is important - as the spam filter folks have discovered. Yes and this could be fixed with a new well-defined error code NO Jim. VERISIGN DOES NOT HAVE THE RIGHT TO IMPOSE DISRUPTIVE CHANGE ON THE INTERNET, not even with advance notice. I'm not so sure. Others on this list and other lists, some more qualified than I, have been asserting there are no rules -- technical or otherwise -- to prevent Verisign and others from doing what they've done. Nothing gives VeriSign the right to misrepresent the contents of the registry. If it's wrong for businesses to register individual misspelled domain names in the hopes of getting misspelled queries redirected to their sites, it is surely wrong for VeriSign to do the same thing for ALL unregistered domains within COM and NET. Oh we can certainly debate philosophical positions like do not harm, but what exactly is the disruption here? Have you not been paying attention? When you try to download a web page that doesn't exist, you don't get a host does not exist error, you get a redirect to a web page. That's fraud. When you try to verify that a domain is valid, you don't get NXDOMAIN, you get an A record. That's also fraud. When you try to talk to another port, you get connection refused, so instead of getting the error that corresponds to no such host you'll probably think it is a temporary error (say, the server is down) and try again later. It is a gross protocol violation to take an explicit error indication that has a very specific meaning and instead map it to what in some cases looks like valid output, and in other cases looks like a very different kind of error. Correct me if I'm wrong, the principle disruption -- and I want to emphasize disruption here -- I've seen is that a particular spam indicator no longer works as expected. You are wrong. Okay, yes, there may be technical DNS issues but it is still not disruptive to the Internet infrastructure in general as far as I can tell. It's broken the ability to detect misspelled domains for every application and every protocol, for every name under .COM or .NET. Yes, let's focus on the issue. But let's not ignore who is doing it either. Ignore, no. But let's not start Verisign bashing either. It's not bashing them to speak the truth about what they are doing. Keith
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
By the way, what about .museum? .museum does not delegate all of its subdomains. not all tld's are delegation-only. -- Paul Vixie
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Tue, 16 Sep 2003 [EMAIL PROTECTED] wrote: But what exactly is the screw here? Verisign was (as far as I knew) given *stewardship* of the .com and .net zones as a public trust. I don't see anywhere they were given the right to use their stewardship to try to make money selling typo eyeballs. (And note that unless you do something *really* ugly like round-robin the wildcards, only one organization can do this per TLD - so they're essentially abusing their monopoly). So the question boils down to: Are they owners of .com, or merely caretakers? An excellent question! But that is a discussion that belongs with ICANN, not the IETF. Jim
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
On Tue, 16 Sep 2003, Vernon Schryver wrote: From: James M Galvin [EMAIL PROTECTED] ... Correct me if I'm wrong, the principle disruption -- and I want to emphasize disruption here -- I've seen is that a particular spam indicator no longer works as expected. Is there more to this than that? ... The list I've seen is: One more I've seen mentioned today ... an incorrect MX record which refers to a non-existant domain will/may no longer properly fail over to an alternate lower priority MX entry. - failing to reject spam based on NXDOMAIN for the envelope sender. (What you term the principle disruption) - rejecting legitimate mail because some long dead DNS-based blacklists are suddenly resolving - HTTP spiders will fetch Verisign's robots.txt a lot as they find bogus domains (e.g. typos in HREFs) resolving. - HTTP users see a stalled screen instead of an error message as their browsers wait for Verisign's overloaded HTTP server to deliver its advertising.
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
An excellent question! But that is a discussion that belongs with ICANN, not the IETF. Jim Jim, that would be true if the ICANN were functioning and this event is just proof that the ICANN does not function. the mission of ICANN (my paraphrase) is Technical Administration of Internet ?N?ames and Numbers It is ovious to anyone today, that there is no technical oversite of the DNS today. -rick
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
So the question boils down to: Are they owners of .com, or merely caretakers? An excellent question! But that is a discussion that belongs with ICANN, not the IETF. Nearly my reaction as well. Note, using the concept of ownership has/will get quite some lawyers debating. Some (rhetoric) questions: If there is a caretaker, who is the owner of what is taken care of? Under which law system? jaap
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
interesting point. if we created a new gTLD and announced that it would be wildcarded from day one, it wouldn't be used in the same way as the other gTLDs. then again, do we really want different ways of reporting errors for different zones in the DNS? would apps then want to special-case certain zones to interpret their results differently than the others? Keith when people started beating on my phone ringer about wildcards yesterday evening, and screaming for patches to bind to somehow make it all better, i asked but other tld's do this, what's the big deal? as near as i can figure it, the problem is one of expectation. if someone signs up for .nu they know there'll be a wildcard there before they sign, and they can take appropriate precautions (like only using it for web or e-mail, and not naming hosts under that tld). the expectations for .com and .net to not have wildcards were all set many years ago, and it's the violation of those expectations that's got people angry enough to publish patchware about it.
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
% Blech. % % If it's Tuesday, this must be .belgium? % % A non-starter. *MAYBE* if it were a different RR with different semantics. This may be exactly what we get w/ a patch from ISC. If BIND is offically tweeked so that some zone cuts are allowed to exercise legal protocol options while others are not... changes based on mob rule... not good. as bill must surely know, we would never do that. BIND begins to lose its reputation as a reference implementation of open standards. i certainly hope not.
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
% On Wed, 17 Sep 2003 00:00:14 EDT, Keith Moore said: % % then again, do we really want different ways of reporting errors for % different zones in the DNS? would apps then want to special-case % certain zones to interpret their results differently than the others? % % Blech. % % If it's Tuesday, this must be .belgium? % % A non-starter. *MAYBE* if it were a different RR with different semantics. % This may be exactly what we get w/ a patch from ISC. If BIND is offically tweeked so that some zone cuts are allowed to exercise legal protocol options while others are not... changes based on mob rule... not good. BIND begins to lose its reputation as a reference implementation of open standards. Ick. --bill Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).
[Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
I am forwarding this message from the ASRG list. If you haven't heard it yet, Verisign has activated their typos DNS service for .COM and .NET. Original Message Subject: [Asrg] Verisign: All Your Misspelling Are Belong To Us Date: Tue, 16 Sep 2003 03:10:52 +0200 From: Brad Knowles [EMAIL PROTECTED] To: IRTF ASRG [EMAIL PROTECTED] Folks, This was just posted to the NANOG mailing list. There are already people who are working on hacking BIND to return NXDOMAIN for wildcard records in TLD zones, or perhaps for any reference to the specific IP address(es) they are using (so far, we only know about 64.94.110.11). Meanwhile, many are already null-routing this IP address. This affects us, because now anyone can send spam with an address like [EMAIL PROTECTED], and yet still have that pass standard anti-spam checks like Does this domain really exist in the DNS? Another one for the service provider BCP, I think. Anyway, the full message announcing this enhancement is: Date: Mon, 15 Sep 2003 19:24:29 -0400 From: Matt Larson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Change to .com/.net behavior Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here: http://www.verisign.com/resources/gd/sitefinder/implementation.pdf By way of background, over the course of last year, VeriSign has been engaged in various aspects of web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here: http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf Matt -- Matt Larson [EMAIL PROTECTED] VeriSign Naming and Directory Services
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
This is outrageous, both in breaking DNS, and in abusing monopoly power. Other references: http://gnso.icann.org/mailing-lists/archives/ga/msg00311.html http://www.icann.org/correspondence/lynn-message-to-iab-06jan03.htm http://www.merit.edu/mail.archives/nanog/2003-01/msg00050.html What can be done besides complaining to ICANN? [EMAIL PROTECTED] Neal McBurnett http://bcn.boulder.co.us/~neal/ Signed and/or sealed mail encouraged. GPG/PGP Keyid: 2C9EBA60 On Tue, Sep 16, 2003 at 12:01:12AM -0400, Yakov Shafranovich wrote: I am forwarding this message from the ASRG list. If you haven't heard it yet, Verisign has activated their typos DNS service for .COM and .NET. Original Message Subject: [Asrg] Verisign: All Your Misspelling Are Belong To Us Date: Tue, 16 Sep 2003 03:10:52 +0200 From: Brad Knowles [EMAIL PROTECTED] To: IRTF ASRG [EMAIL PROTECTED] Folks, This was just posted to the NANOG mailing list. There are already people who are working on hacking BIND to return NXDOMAIN for wildcard records in TLD zones, or perhaps for any reference to the specific IP address(es) they are using (so far, we only know about 64.94.110.11). Meanwhile, many are already null-routing this IP address. This affects us, because now anyone can send spam with an address like [EMAIL PROTECTED], and yet still have that pass standard anti-spam checks like Does this domain really exist in the DNS? Another one for the service provider BCP, I think. Anyway, the full message announcing this enhancement is: Date: Mon, 15 Sep 2003 19:24:29 -0400 From: Matt Larson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Change to .com/.net behavior Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here: http://www.verisign.com/resources/gd/sitefinder/implementation.pdf By way of background, over the course of last year, VeriSign has been engaged in various aspects of web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here: http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf Matt -- Matt Larson [EMAIL PROTECTED] VeriSign Naming and Directory Services
Re: [Fwd: [Asrg] Verisign: All Your Misspelling Are Belong To Us]
so now verisign is deliberately misrepresenting DNS results. why are these people allowed to live?
