VeriSign-ICANN Proposed Settlement discussed in Vancouver

Unfortunately I cannot be in Vancouver for the conference. I write this from Cape Town, venue of last year’s fall ICANN.

I want to disclose a couple of things upfront. Those who know me will know I am nothing if not strongly independent in my views. However, disclosure helps those of a more suspicious mind know my associations and, if they choose to, take them into account in interpreting my opinions.

1. I sit on the board of SnapNames. I can’t think of any conflict this gives rise to, but in the highly charged atmosphere surrounding this discussion I felt it worth saying.

2. I have, on occasion, consulted for VeriSign as an external product strategist. Most recently I ended such a job in May of 2005. Again I feel no conflict as a result of this but I think it is worth disclosing.

So, here goes. I am somewhat disappointed by the reaction to the proposed settlement. I feel that most of the discussion fails to take into account the actual conditions under which the settlement has been negotiated. Blatant self-interest is masquerading as informed comment, most obviously from the Registrar community. Most amazing of all is the failure to grasp the enormity of what the ICANN board and staff have achieved with this proposed settlement, the ramifications of which will be positive for all ICANN constituencies for many years ahead.

Here are the top ten points I think are pertinent to an understanding of the settlement and its context:

1. ICANN has succeeded in changing the competitive landscape by introduction of more TLDs

There are now many more TLDs than when ICANN was formed. The concept of a monopoly in the contract to operate a single TLD makes absolutely no sense. There is no monopoly any longer.

2. Growth of ccTLDs has made this even more so

Today, one in every two new domain names is a ccTLD second or third level domain. This is a phenomenon that has been growing over the last several years. This process also makes the concept of a single TLD contract giving its owner monopoly rights rather moot. Ask CNNIC if it feels VeriSign has a strong market position in China. Same in the UK, Germany, Taiwan, Japan, Korea, indeed any country with a strong ccTLD operation.

3. Sale of NSI registrar has the same effect

At ICANN’s formation VeriSign (then NSI) ran the sole TLDs and had the largest Registrar. Today, .com represents a far smaller proportion of the world’s domain names and VeriSign owns no registrar. Clearly VeriSign is a diminished animal as a result of the three new developments above.

4. Therefore ICANN’s role in aiding competition has been accomplished.

Insofar as ICANN’s remit included the job of introducing competition into the domain name industry, its goals have been more than fully achieved. Today, as never before, consumers have plenty of choice in deciding which domains to purchase and whom to purchase them through.

5. ICANN was never, and is not now a regulator. It is a coordinating body.

ICANN was never intended to be a regulator along the lines of an FTC or an FCC. It is a coordinating body responsible for policy matters covering the security and stability of the Internet, and even then, only in relation to Names and Numbers. Its remit of allowing competition to flourish was a single exception to that, and could even be interpreted as being part of guaranteeing stability and security. Now that this goal has been achieved, the regulatory aspects of the Registry agreements should be removed.

6. The market should now be allowed to determine business related things like pricing and product development (so long as stability and security are not compromised).

Price controls, product controls and similar instruments should be passed over to the market to regulate. Any registry, even the .com and .net registries, will have to take market realities into account before introducing new products/services or changing prices. And as the industry is 100% channel based, they will also have to take into account the views of the Channel (registrars and resellers). ICANN should not seek to play the role of the market. It should protect security and stability.

7. The ICANN-VeriSign agreement should be seen as the first in a whole series of steps to clarify ICANN’s role as a coordinator and not a regulator. Allowing the market to determine demand for TLDs and pricing for them is key here.

Now that ICANN has begun to focus on policy developments that will allow the market to determine key aspects of registry pricing and product development we should expect to see more innovation. For example it seems logical that TLDs should be able to come into existence simply because a party capable of running one desires to bring it into being. The market and the ability to run a TLD should be the only obstacles. ICANN’s cumbersome and lengthy process of filtering really should be reduced to a role of determining ability to run a registry and any other stability and security issues. New products from Registries should be treated in the same way. Registrars should be encouraged to use their market power either individually or collectively to encourage their suppliers (Registries) to take into account their needs. Turning to Daddy (ICANN) to regulate should be strongly discouraged.

8. Registrars will also benefit from this by market growth (a bigger pie).

With these developments the market for the domain name industry should grow larger: primary domain name sales, secondary market names, and new products and services will all be introduced to meet market demand. As the pie grows all layers of the industry will benefit.

9. Users will not suffer if pricing and product development flow from market requirements and competition. Prices can only rise above a customer’s willingness to pay if users have no choice. This patently isn’t so.

Users will not suffer if the industry focuses on products and services that meet an identified need. Choice will grow and users will benefit. If prices rise it will be because the value of the product justifies its price.


10. Paul Twomey and Vint Cerf plus their colleagues deserve much credit for initiating this process of creating ICANN’s next stage of development.

I believe that the ICANN staff, led by Paul Twomey and the board, led by Vint Cerf, have done an amazing job of recognizing the need for ICANN to enter a new era of market-driven growth in the domain name industry. Despite the heat there is primarily light in the proposed settlement. The industry should congratulate them and now move on to execute their individual strategies based on this new reality. There are many innovations to come and those who focus on the past are likely to be its victim. Post-settlement the future looks bright for those who grasp its potential.

TUCOWS auction service

TUCOWS launched [ http://www.byte.org/blog/_archives/2004/9/7/136578.html ] an expiring names auction service today. The most interesting part of Ross’s post is this:

Today we announced Tucows expiring names auction service, a local implementation of the Perfect Information proposal (PIP?). What I mean is that it only realizes the efficiencies described in “Perfect Information” on a very local basis – i.e. it only works for names registered with Tucows. Because it is a “local” solution, it also lacks a few features that we set forth in “Perfect Information”. For instance, it doesn’t solve 100% of the problems faced by the registry and it doesn’t properly acknowledge the competitive ESP market.

These are very important aspects of the Perfect Information proposal that will only come about if *all* registrars can operate under a reasonably standard set of rules in a unified marketplace. We don’t have this today, but hopefully we will over time. In the meantime, Tucows auction service is our attempt to capitalize on some of the dynamics we recognize in the space while we work with the rest of the community on trying to sort out the various moving parts that have to come into place before a global solution is realized.

I would say that this market is about to change very quickly into a more organized and rational one. For that to happen the registries and registrars need to come to agreement on a single solution. I do believe that will most likely occur now.

Auctions for deleting domain names

Steven Forrest’s Free2Innovate speculates [ http://free2innovate.net/archives/000399.html ] on the reasons for SnapNames’ move to an auction-based model for the sale of deleting domain names. He points out that I am a director of SnapNames and as such may be able to throw some light on things.

A couple of points. As a director I really can’t talk publicly without Board and Management agreement. So sorry, no insight on this from me.

However, I guess it’s OK to talk about the general area. Ross Rader and Elliot Noss from Tucows – http://byte.org – posted an article [ http://www.byte.org/blog/_archives/2004/9/3/135064.html ] on this area late last week. Their point is that the market is still evolving and that ultimately the registrant will need to be part of the bargain when a deleting name is sold, whether by auction or some other method.

There is a great deal of change in the market for deleting names. This change is generally market driven and generally good. I believe that there is more to come. I do not think that WLS is nullified by these changes. However, I do believe that the business model for WLS [by which I mean, generically, a registry level delivered service through which the deleting names can be offered for resale by registrars] will have to evolve as a result of what the market has taught everybody.

The rapidity of the change is also a strong element in understanding why ICANN should really stay out of business model issues. WLS really should just be an agreement to create a market for deleting names. The specific models should be a market decision forged by all those in the space.

A centralized system still makes a lot of sense. The business model that was implied in WLS is probably revealed as outdated by the efforts of Pool, Dotster, eNom and now SnapNames. But a coherent, TLD-wide solution for the resale of deleting names is still logical.

The only real challenge is economics. How to structure such a system in a manner that all players [registrants, registrars, registries] are fairly rewarded for their role in the process. This is a matter for negotiation between the three entities. I believe the registry is best placed to start this dialogue and Ross and Elliot have, in a way, opened the way for that.

The next step is rational discussion between all sides. Probably bi-lateral at first and multi-lateral later. ICANN’s role will be to recognize any consensus that emerges, preferably quickly, so that the market can get on with what it does best – commerce.

SiteFinder reprise

I have been attending the ICANN conference in Malaysia this week. One of the key events was the submission of the report – ssac-report-09jul04.pdf – from the Security & Stability Advisory Committee regarding SiteFinder.

In reading the committee’s report I discovered what I believe is an incredible breakdown in logic and as a consequence, a very mistaken, or at least confused, set of conclusions. So, why do I say that?

VeriSign’s SiteFinder service effectively took a large number of non-existent domain names and “turned them on” through the use of a wildcard in the .com and .net root zones. Instead of “domain name not found” the names were treated as valid domain names and (for those protocols not dealt with by VeriSign) applications seeking to bind to the relevant protocol received protocol level errors.

The security and stability report claims that domain names that are active, but for which many protocols are not live, break the end to end principle of the Internet.

So here is my point. The 63 million owned domains rarely have active support for most protocols. Most do not even have a web site using the http protocol. All that VeriSign’s SiteFinder did was to turn many more domains into the equivalent of “live domains”, in other words ones which behave like many of the 63 million domains already active. Just like real domains they became live but did not support all protocols.

If SiteFinder breaks the Internet in any way, it certainly is the case that normal domain name practice also does this.

The proof of the fallacy in the Security and Stability report is best given through an example. Let’s say I could buy the error logs from the root servers and discover the domains that I would need to buy in order to recreate the equivalent of SiteFinder. I then bought those domains and pointed them all to my new search engine, but left all other protocols inactive. I would have legitimate ownership of the names, but all of the criticisms of SiteFinder’s negative consequences for applications would be still true. The same end result, but through purchase rather than through a wild card. Nobody could stop me buying those domains and doing as I like with them. But nothing would have improved in terms of the Security and Stability of the internet compared to a wildcard implementation.

What does this all mean?

It means that SiteFinder doesn’t break anything that is not already broken with normal practice by domain name owners today. To single SiteFinder out, and not also criticize all domains that do not enable all protocols is a very obvious error. There is actually no difference between the two from the point of view of the application. Normal domains do not return “domain does not exist”. If they are in the DNS but not running protocols then the application returns an error at the protocol api level due to a failure to bind to the required protocol, just as with SiteFinder. Arguably, because of VeriSign’s efforts to deal with some of the more popular protocols, SiteFinder was a rather more stable environment than normal domain names, which often only implement http.

Hope that clarifies. I’m pleased to say that Steve Crocker told me afterwards that “I get points for figuring this out”. It seems to be a rather enormous discovery given the fuss SiteFinder caused. Steve Crocker wouldn’t, I’m sure, agree with this, but I think it entirely invalidates the committee’s findings.
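To make the two behaviours discussed in this post concrete, here is an added example (not part of the original post, and not VeriSign, ICANN or ISC code). It models a toy com. zone with and without a wildcard record, shows what a client sees for an unregistered name and for a registered name that serves only HTTP, and adds a resolver-side probe that detects the wildcard and maps its answer back to a name error, the kind of countermeasure mentioned in the meeting minutes on this page. The zone contents, documentation-range addresses, port table and function names are all constructed assumptions.

```python
"""Toy model: NXDOMAIN versus wildcard synthesis in a TLD zone (constructed data)."""
import secrets

NXDOMAIN = "NXDOMAIN"
REFERRAL = "REFERRAL"

# Constructed zone for a toy "com." registry. Addresses are taken from the
# RFC 5737 documentation ranges and do not belong to any real host.
ZONE_PLAIN = {
    "example.com.": "192.0.2.10",   # registered, runs HTTP and IMAP
    "parked.com.": "192.0.2.20",    # registered, runs HTTP only
}
WILDCARD_TARGET = "198.51.100.1"    # hypothetical redirection host
ZONE_WILDCARD = {**ZONE_PLAIN, "*.com.": WILDCARD_TARGET}

# Assumption: TCP ports that accept connections on each constructed host.
OPEN_PORTS = {
    "192.0.2.10": {80, 143},
    "192.0.2.20": {80},
    WILDCARD_TARGET: {80},
}


def lookup(zone, qname):
    """Answer an address query the way this toy registry zone would.

    An exact match wins. Names below a registered name belong to the
    registrant, so the wildcard never covers them. Anything else gets the
    wildcard answer if the zone has one, otherwise NXDOMAIN.
    """
    qname = qname.lower().rstrip(".") + "."
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError("query a name below the TLD, not the TLD itself")
    if qname in zone:
        return zone[qname]
    if len(labels) > 2 and ".".join(labels[-2:]) + "." in zone:
        return REFERRAL
    return zone.get("*." + labels[-1] + ".", NXDOMAIN)


def client_outcome(zone, qname, port):
    """Classify what an application sees when it resolves and then connects."""
    answer = lookup(zone, qname)
    if answer == NXDOMAIN:
        return "name-error"          # fails at the DNS layer, before any connect
    if answer == REFERRAL:
        return "referred"
    if port in OPEN_PORTS.get(answer, set()):
        return "connected"
    return "connection-refused"      # fails one layer up, per protocol


def detect_wildcard(zone, tld="com", probes=3):
    """Resolve random labels nobody would register; a shared answer means wildcard."""
    seen = set()
    for _ in range(probes):
        label = "probe-" + secrets.token_hex(12)
        seen.add(lookup(zone, f"{label}.{tld}."))
    if len(seen) == 1 and NXDOMAIN not in seen:
        return seen.pop()
    return None


def filtered_lookup(zone, qname, wildcard_addr):
    """Resolver-side filter: turn the detected wildcard answer back into NXDOMAIN."""
    answer = lookup(zone, qname)
    if wildcard_addr is not None and answer == wildcard_addr:
        return NXDOMAIN
    return answer


if __name__ == "__main__":
    typo = "exmaple.com"             # constructed mistyped name
    for label, zone in (("plain", ZONE_PLAIN), ("wildcard", ZONE_WILDCARD)):
        print(label, "typo/IMAP   ->", client_outcome(zone, typo, 143))
        print(label, "parked/IMAP ->", client_outcome(zone, "parked.com", 143))
    addr = detect_wildcard(ZONE_WILDCARD)
    print("wildcard address:", addr)
    print("filtered typo   ->", filtered_lookup(ZONE_WILDCARD, typo, addr))
```

Under the wildcard zone the mistyped name and the registered HTTP-only name both end in a refused IMAP connection, which is the equivalence argued above; under the plain zone only the mistyped name stops at the DNS layer with a name error, which is the signal the committee's report is concerned with.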

ICANN Verbatim minutes re SiteFinder

Steve Crocker presented his report to ICANN in Malaysia:

>>STEPHEN CROCKER: THANK YOU AND YOU ECHO VENI’S CONGRATULATIONS AND THANKS. I HAVE HAD THE PRIVILEGE OF WORKING WITH HER FROM THE BEGINNING OF MY TENURE AND IT’S AMAZING HOW MUCH SHE TAKES CARE OF BEHIND THE SCENES. I CHAIR THE SECURITY AND STABILITY ADVISORY COMMITTEE. IN THE PAST I’VE TRIED TO GIVE SORT OF A BROAD PICTURE OF WHAT WE DO.

TODAY I’M GOING TO FOCUS ON SPECIFIC TOPICS, AND THERE’S A LITTLE BIT MORE THAT GOES ON, BUT THIS HAS BEEN A PERIOD THAT HAS BEEN PUNCTUATED BY A FEW BIG ISSUES. HERE’S A LIST OF PEOPLE WHO ARE CURRENTLY ON THE COMMITTEE. THIS LIST IS ALSO ON THE WEB SITE. A VERY DISTINGUISHED GROUP, ACTUALLY, WITH BROAD BASE AND GREAT DEPTH. THE COMMITTEE WAS FORMED IN SPRING OF 2002. THE PROCESS WAS INITIATED FOLLOWING THE EVENTS OF 9/11 IN 2001. INITIAL MEMBERS WERE SELECTED BY THE ICANN STAFF, AND THE COMMITTEE HAS BASICALLY BEEN VERY STABLE. TWO ADDITIONS AND TWO DEPARTURES OVER THE ENTIRE PERIOD. ONE OF THOSE WAS DOUG BARTON ROTATING OFF THE COMMITTEE HE HE THE BECAME IANA GENERAL MANAGER. WE ARE NOW ACTIVELY LOOKING FOR NEW MEMBERS. WE ARE LOOKING FOR ANYBODY THAT YOU THINK MIGHT BE INTERESTED OR IS INTERESTED OR THINK MIGHT BE APPROPRIATE. WE HAVE SORT OF A ROUGH-AND-READY INTERNAL THAT IS INTENDED TO BE INVITING AND INCLUSIVE BUT AT THE SAME TIME NOT OVERBEARING OR HEAVY WEIGHT. ANOTHER KIND OF STAFF CHANGE, JIM GALVIN HAS BEEN OUR EXECUTIVE DIRECTOR ON A PART-TIME BASIS. IT IS CLEAR TO ME THAT WE WILL BE CONSIDERABLY MORE EFFECTIVE IF WE HAVE THE BENEFIT OF A FULL-TIME RESEARCHER AND WRITER. WE POSTED ANNOUNCEMENT. WE CHARACTERIZED THIS AS THE SSAC FELLOW. EVALUATION OF THE APPLICATIONS WE HAVE RECEIVED IS CURRENTLY IN PROGRESS. THE STANDARDS WE HAVE IN MIND ARE QUITE HIGH SO IT’S NOT A GIVEN THAT WE’LL SELECT ANYBODY FROM THE CURRENT CROP. WE’VE BEEN DOING QUITE WELL AS IT IS. SO I’M LOOKING FOR SUBSTANTIAL IMPROVEMENT RATHER THAN JUST AN ARBITRARY CHANGE. AND IF ANYBODY HAS ANY QUESTIONS OR SUGGESTED CANDIDATES, DON’T HESITATE TO CONTACT ME. THANK YOU VERY MUCH. I WANT TO TALK PRINCIPALLY ABOUT TWO THINGS TODAY. WILDCARD REPORT AND THE INTRODUCTION OF SECURITY INTO THE DNS SYSTEM THROUGH THE DNSSEC PROTOCOL. SO THE NEXT SEVERAL SLIDES TALK ABOUT THE REPORT THAT WE’VE RECENTLY ISSUED ON REDIRECTION IN THE COM AND NET DOMAINS. THE REPORT IS AVAILABLE ON THE NET. 
THE URL IS GIVEN AT THE BOTTOM. THE REPORT IS A DAUNTING 85 PAGES, BUT THE MAJORITY OF THAT ARE APPENDICES AND SUPPORTING MATERIAL. THE MEAT OF THE REPORT IS ROUGHLY 25 PAGES, AND THE EXECUTIVE SUMMARY IS A VERY DIGESTIBLE TWO PAGES. SO YOU CAN HAVE THIS IN SMALL, MEDIUM, OR LARGE SIZE, IF YOU WISH. MIDDLE OF SEPTEMBER LAST YEAR, VERISIGN CHANGED THE WAY THE COM AND NET REGISTRIES WORKED. AND THE CHANGE THAT THEY INTRODUCED IS THAT WHEN A—WHEN RECEIVED A NAME THAT WAS NOT INSTANTIATED, THAT’S A TECHNICAL TERM, NOT REGISTERED OR NOT OTHERWISE VISIBLE IN THE DATABASE, AND THESE USUALLY AROSE FROM TYPOGRAPHICAL MISTAKES, THEN INSTEAD OF RECEIVING A STANDARD ERROR CODE, WHICH HAD BEEN DEFINED IN THE PROTOCOL AND HAD BEEN THE WAY THE SYSTEMS HAD WORKED FOR YEARS AND YEARS, THEY INSTEAD RETURNED AN IP ADDRESS OF ONE OF THEIR OWN SERVERS AS IF THAT NAME EXISTED. AND THEN WHEN SOMEONE ATTEMPTED TO CONNECT TO THAT SERVER, IF IT WAS A WEB CONNECTION, HTTP PROTOCOL, THEY GOT WHAT WAS CALLED THE SITE FINDER SERVICE. BUT IF IT WAS SOMETHING ELSE, THEY EITHER GOT A REFUSAL TO CONNECT OR IN THE SPECIAL CASE OF E-MAIL, WERE CONNECTED TO A SPECIAL E-MAIL SERVER THAT ACCEPTED THE CONNECTION AND THEN REFUSED EACH OF THE ATTEMPTS FOR EACH USER. SORT OF A “NO SUCH USER” RESPONSE. THERE WAS A RATHER SUBSTANTIAL, A VERY LARGE RESPONSE FROM THE COMMUNITY. IT WAS SWIFT, IT WAS QUITE VOCAL, AND IT WAS QUITE NEGATIVE. OVER THE NEXT SEVERAL DAYS, ANGRY MEMOS WENT BACK AND FORTH. ICANN ASKED VERISIGN TO PULL THE SERVICE DOWN. VERISIGN SAID NO. OUR COMMITTEE ISSUED AN ADVISORY. THE INTERNET ARCHITECTURE BOARD ISSUED A MEMORANDUM, ALL BASICALLY ALONG THE SAME LINE, SAYING LET’S NOT DO THIS, AND AT THE VERY LEAST, LET’S ROLL THIS BACK AND START OVER AND HAVE SOME TIME TO THINK ABOUT IT. THEN ICANN INCREASED THE—SORT OF RAISED IT TO ANOTHER LEVEL AND SAID AS A MATTER OF CONTRACTUAL AUTHORITY, WE INSIST YOU TAKE DOWN. VERISIGN OBJECTED, BUT TOOK IT DOWN IN ANY CASE IN EARLY PART OF OCTOBER. 
OUR COMMITTEE HELD A PAIR OF MEETINGS IN OCTOBER ON THE 7TH AND 15TH. THESE MEETINGS WERE PUBLIC MEETINGS IN WASHINGTON. NUMEROUS PRESENTATIONS, AND TRANSCRIPTS KEPT AND COPIES OF THE SLIDES. ALL OF THAT MATERIAL REMAINS ON THE WEB AND IS AVAILABLE FOR INSPECTION BY ANYBODY. WE THEN SET ABOUT TO WRITE A REPORT, AND WITH GREAT EMBARRASSMENT I HAVE TO SAY THAT I FELL INTO A BLACK HOLE AND THERE WAS AN ENORMOUS DELAY. BUT THE REPORT IS NOW DONE. IT WAS FORMALLY TRANSMITTED TO THE BOARD, AND MADE AVAILABLE TO THE PUBLIC AND IS AVAILABLE ON THE WEB AT THE URL THAT I PUT UP AT THE BEGINNING. IT CONSISTS OF EIGHT FINDINGS AND FOUR RECOMMENDATIONS AT SORT OF TOP LEVEL, SO I’LL WALK SORT OF BRIEFLY THROUGH THE FINDINGS AND RECOMMENDATIONS. THE WORDS HERE ARE MY QUICK SUMMARY OF THE—OF THESE FINDINGS AND RECOMMENDATIONS RATHER THAN THE PRECISE WORDING, WHICH REFLECTED SOME CARE AND CONSIDERABLE DEBATE TO GET IT TUNED JUST RIGHT. SO MY INTENT HERE IS TO GET THE SENSE OF THESE THINGS ACROSS RATHER THAN THE PRECISE WORDS. DO SEE THE REPORT IF YOU WANT TO DIG INTO IT OR IF THERE ARE ISSUES THAT ARE SOMEWHAT MORE SUBTLE THAN MY PRESENTATION HERE IS INTENDING TO COVER. SO THE FIRST FIND SOMETHING THAT VERISIGN DID, IN FACT, CHANGE THE REGISTRY AND ALSO THAT THAT CHANGE CAUSED HARM TO A WIDE VARIETY OF PEOPLE WHO WERE NOT PARTY TO THE CHANGE. THAT CHANGE VIOLATED ENGINEERING PRINCIPLES BY BLURRING THE ARCHITECTURAL LAYERS, AND AS A CONSEQUENCE, IT HAD THE UNFORTUNATE EFFECT OF PUTTING VERISIGN FUNDAMENTALLY INTO THE DESIGN LOOP FOR ANY CURRENT AND FUTURE PROTOCOL CHANGES. WHY IS THAT? WELL, THE PROTOCOL FOR DOMAIN NAME SYSTEMS SAYS IF THERE’S NO ENTRY, YOU GET BACK A NEGATIVE ANSWER, AND MANY APPLICATIONS ACTUALLY MAKE USE OF THAT NEGATIVE RESPONSE IN A CONSTRUCTIVE WAY. 
THE CHANGE THAT VERISIGN I UNDERSTAND CONSTITUTED EFFECTIVELY REMOVED THAT NEGATIVE RESPONSE ALTOGETHER, SUBSTITUTING AN APPARENTLY POSITIVE RESPONSE, AND THEN TRIED TO FIX IT UP AT THE NEXT LAYER UP WHEN SUBSEQUENT QUERIES TO THAT—OR CONNECTIONS TO THAT SERVER TOOK PLACE. BUT THEY WOULD TAKE PLACE IN ARBITRARY PROTOCOLS, AND SO IT BECAME A PROTOCOL-SPECIFIC RESPONSE REQUIRED, AND THINGS GET VERY MESSY AT THAT. THOSE THREE FINDINGS ARE INDEPENDENT OF TIMING, INDEPENDENT OF PROCESS. THEY JUST SPEAK TO THE FACTS. THE FOURTH FINDING IS THAT THE CHANGE WAS ABRUPT. THERE WAS VERY LITTLE, ESSENTIALLY NO NOTICE, A LITTLE BIT OF ADVANCE NOTICE IN PUBLIC PRESS. NO COORDINATION WITH THE COMMUNITY. ALTHOUGH IT WAS QUITE EVIDENT THERE WAS A VERY LONG DEVELOPMENT PERIOD, SO IT WASN’T JUST THAT THEY THOUGHT IT UP ONE NIGHT AND INTRODUCED IT THE NEXT DAY. SO THAT CHANGE WAS ABRUPT, AND THAT HAS ITS OWN CONSEQUENCES. THERE WERE—ANOTHER FINDING IS THAT, AS A CONSEQUENCE, THERE WAS VIGOROUS ACTION ACROSS A NUMBER OF FRONTS TO COUNTERACT THAT CHANGE. THE ONE THAT RECEIVED THE WIDEST NOTICE WAS A CHANGE INTRODUCED BY INTERNET SYSTEMS CONSORTIUM IN ITS BIND PROGRAM AS AN OPTION TO BE CHOSEN BY ITS CUSTOMERS THAT WOULD TAKE THE ADDRESS RETURNED AND TAKE NOTE OF THAT AND SAY THAT’S THE ADDRESS OF THIS REDIRECTION; LET’S TURN IT BACK INTO AN ERROR CODE. THAT’S A—AND THERE WERE COMPARABLE CHANGES MADE BY ISPS AND PUT INTO SOME ROUTERS. SO NOT SOLELY THERE—NOT SOLELY THE ISC BIND CHANGE. THE PROSPECT OF WARRING CHANGES THAT MAKE A CHANGE AND THEN ANOTHER PART THAT UNDOES IT IS THE KIND OF THING THAT STRIKES FEAR AND TERROR IN THE HEARTS OF ENGINEERS THAT TRY TO BUILD STABLE SYSTEMS. THINGS BECOME RICKETY AND ONE LOSES SLEEP IN THOSE KIND OF SITUATIONS. 5 AND 6 HAVE TO DO WITH PRIVACY ISSUES. BECAUSE OF THE WAY THEY CHOSE TO HANDLE E-MAIL, AND MAYBE IT’S WORTH BACKING UP A LITTLE BIT. THE GENERAL STRATEGY FOR THE NON-WEB PROTOCOLS WAS SIMPLY TO REFUSE THE CONNECTION. 
IN THE SPECIAL CASE OF E-MAIL, WHEN ONE E-MAIL SERVER IS TRYING TO SEND MAIL TO ANOTHER E-MAIL SERVER AND IT HAS ITS ADDRESS AND KNOWS THAT IT EXISTS, THE STRATEGIES THAT ARE BUILT INTO THOSE PROTOCOLS ARE TO OVERCOME TEMPORARY TRANSMISSION FAILURES BY RETRYING. SO A REFUSAL TO ACCEPT THE CONNECTION IS SEEN AS A TEMPORARY HURDLE AND IT QUEUES UP THE MAIL AND ATTEMPTS TO SEND IT IN THE AMOUNT OF TIME IT TAKES TO RUN THROUGH ITS COURSE AND GIVE IT VARIES BUT A TYPICAL TIME IS THREE DAYS. SO A MISTYPED NAME IN AN E-MAIL ADDRESS, INSTEAD OF GIVING A VERY QUICK RESPONSE THAT THAT IS AN IMPROPER OR NONEXISTENT DOMAIN NAME LEADS TO A VERY LONG DELAY THAT LOOKS AS IF THE MAIL IS GOING TO GO THROUGH AND THEN THREE DAYS LATER AN ERROR MESSAGE THAT THE SERVER SEEMS TO BE DOWN, CONFUSING AND QUITE DELAYED. SO VERISIGN INSTEAD OF USING THAT STRATEGY BUILT A SERVER THAT ACCEPTED THE CONNECTION AND THEN IN THE PROCESSING OF EACH OF THE USERS, THE TWO ADDRESSES, IF YOU WILL, WHO IT’S FOR, SAID WE DON’T HAVE THAT USER, DON’T HAVE THAT USER, AND THAT GENERATED A MUCH PROMPTER “NO SUCH USER” RESPONSE. PEOPLE CONCERNED WITH PRIVACY ISSUES OBSERVED THAT THAT STRATEGY MEANS THAT THE ADDRESSES OF WHO YOU WERE SENDING THE MAIL TO AND WHO WAS SENDING IT ENTERED VERISIGN SERVERS RAISING THE APPEARANCE OF POSSIBLE PRIVACY ISSUES. VERISIGN WAS ADAMANT THAT THEY DIDN’T RETAIN OR USE THAT INFORMATION. I THINK THERE’S NO EVIDENCE TO THE CONTRARY AND NO REASON TO—NOT TO BELIEVE THAT. BUT THE ARRANGEMENT OF HAVING THAT INFORMATION GO INTO SERVERS THAT ARE UNINTENDED OPENS THE DOOR FOR OTHERS TO DO THE SAME OR FOR OPERATIONAL ISSUES TO CHANGE OVER A PERIOD OF TIME AND LED TO A CERTAIN DEGREE OF NERVOUSNESS. A SEPARATE PRIVACY ISSUE IS RELATED TO THE PAGE THAT WAS DELIVERED UP WHEN—IF YOU WERE MAKING A WEB CONNECTION, INCLUDED SOME SOFTWARE THAT TRACKED USER BEHAVIOR AND REPORTED IT BACK. 
TO A CERTAIN EXTENT THAT’S STANDARD INDUSTRY BEHAVIOR, BUT ON THE OTHER HAND IN THE CONTEXT OF TRYING TO MAKE A DOMAIN NAME REFERENCE AND NOT HAVING OPTED IN OR EVEN CHOSEN TO GO THERE LEFT ANOTHER SET OF PEOPLE NERVOUS ABOUT THE PRIVACY ISSUES. AND THE LAST FINDING IS THAT COLLECTIVELY, THE SET OF EVENTS FROM A TECHNICAL PERSPECTIVE AND FROM A MANAGEMENT PERSPECTIVE REDUCED TRUST OVERALL, WHO IS IN CHARGE OF THE NETWORK, WHAT IS THE NEXT THING THAT GOING TO HAPPEN. THOSE KIND OF QUESTIONS BECAME MUCH MORE EVIDENT ON PEOPLE’S MINDS. WE FORMULATED FOUR RECOMMENDATIONS. THE FIRST IS DON’T DO THIS REDIRECTION. THE PRIMARY MECHANISM FOR THE REDIRECTION IS USING A MECHANISM CALLED WILDCARDS WHICH IS A TERM THAT SAYS THIS ENTRY COVERS EVERYTHING NOT COVERED ABOVE, BUT THERE ARE OTHER WAYS TO DO REDIRECTION. ONE COULD HAVE A PROGRAM THAT SYNTHESIZES A RESPONSE INSTEAD OF A FIXED DATABASE, AND THAT’S THE LANGUAGE WE USED IN THE REPORT. BUT RECOMMENDATION 1 SAYS LET’S NOT DO THIS GOING FORWARD IN ANY OF THE PUBLIC DOMAINS THAT EXIST. THERE ARE ALSO A HANDFUL OF RELATIVELY SMALL DOMAINS THAT HAVE BEEN USING THIS STRATEGY, AND THAT RAISES, QUITE OBVIOUSLY, THE QUESTION OF, WELL, WHAT ABOUT THEM? DO THEY GET TO CONTINUE? IS THAT OKAY? IF THEY CONTINUE, WHY IS THAT NOT A BAD THING? IN FACING UP TO THOSE ISSUES AND DOING A REASONABLY STRAIGHTFORWARD ANALYSIS, OUR CONCLUSION IS THAT THOSE USES SHOULD BE PHASED OUT. WE DON’T INTEND THAT THAT SHOULD HAPPEN ABRUPTLY. WE BELIEVE THAT FOR MOST OF THE UNDERLYING REASONS THAT THAT STRATEGY IS BEING EMPLOYED THAT THERE MAY BE OTHER WAYS TO ACCOMPLISH A COMPARABLE GOAL. BUT THAT IS OUR RECOMMENDATION. AND I HASTEN TO ADD THAT OUR JOB IS TO MAKE RECOMMENDATIONS. WE DON’T HAVE ENFORCEMENT OR REGULATORY AUTHORITY. BUT WE DO THE BEST ANALYSIS WE CAN AND WE OFFER THAT ADVICE TO THE BOARD, TO THE COMMUNITY, AND TO, IN SOME SENSE, ANYBODY ELSE WHO WILL LISTEN. 
THE THIRD RECOMMENDATION WAS IN OBSERVATION THAT THE USE OF WILDCARDS IS DOCUMENTED IN THE SPECIFICATIONS, THE RFCS THAT DEFINE THE DOMAIN NAME SYSTEM. BUT THE LANGUAGE IS NOT CLEAR ABOUT THE PROPER USE, AND OVER TIME THERE HAS BEEN DIFFERENT WRITINGS THAT SUGGEST THAT THIS IS SOMEWHAT DANGEROUS OR SHOULD BE USED ONLY IN LIMITED CIRCUMSTANCES. SO OUR RECOMMENDATION IS TO TRY TO BRING GREATER CLARITY IN THAT AREA. WHETHER OR NOT THE IETF WOULD TAKE THAT UP IS A MATTER UNDER THEIR CONTROL, OBVIOUSLY, AND NOT OURS. THE FOURTH RECOMMENDATION SPEAKS TO THE PROCESS OF INTRODUCING CHANGE INTO PUBLIC REGISTRIES, AND OUR RECOMMENDATION IS THAT THERE SHOULD BE A DISCIPLINE PROCESS THAT INCLUDES OPEN NOTICE, AND NOT ONLY OPEN NOTICE BUT A CONSENSUS PROCESS THAT INCLUDES THE PEOPLE WHO ARE AFFECTED AND NOT SOLELY THE REGISTER OPERATORS. SO THAT’S THE BASE PICTURE OF WHAT OUR FINDINGS AND RECOMMENDATIONS ARE. AND HOW DO YOU WANT TO HANDLE THIS, ALEJANDRO? I WILL BE HAPPY TO TAKE QUESTIONS OR NO QUESTIONS IF YOU THINK THAT THAT’S INAPPROPRIATE, OR I CAN MOVE ON TO THE OTHER TOPIC, BUT THIS WILL BE A NATURAL POINT FOR QUESTIONS ON THIS TOPIC.

>>ALEJANDRO PISANTY: WE ARE ALREADY RUNNING OVER TIME BUT I THINK WE COULD ALLOW FOR FIVE MINUTES OF QUESTIONS HERE.

>>STEPHEN CROCKER: SO I’VE GIVEN THIS TALK MAYBE FIVE TIMES THAT I CAN REMEMBER DURING THIS WEEK TO DIFFERENT GROUPS. THERE MAY BE NOBODY LEFT THAT HAS A NEW QUESTION, AND THAT’S FINE.

Later in the meeting I had the chance to ask a question/make a point:

>>KEITH TEARE: YEAH. MY COMMENTS RELATE TO THE SITE FINDER EXPERIENCE. AND JUST BY WAY OF DISCLOSURE, I, ALONG WITH I THINK SIX OR SEVEN OTHERS IN THE IMMEDIATE AFTERMATH OF SITE FINDER AND THE CONTROVERSIES SURROUNDING IT WERE ASKED TO SERVE ON A TECHNICAL ADVISORY COMMITTEE TO VERISIGN TO HELP THEM UNDERSTAND WHY THERE WAS SO MUCH CONTROVERSY.

AND I PARTICIPATED IN THAT AND HAVING DONE SO I’VE LOOKED AT THE PROCESS THAT’S GONE ON SINCE WITH A GREAT DEAL OF INTEREST. AND I THINK I’D LIKE TO SHARE WITH THE BOARD A NUMBER OF THINGS WHICH ACTUALLY MOUHAMET’S COMMENTS WERE A GREAT SEGUE TO. I THINK THE FIRST THING IS THE ATMOSPHERE IN THE IMMEDIATE AFTERMATH OF SITE FINDER ACTUALLY MADE IT INCREDIBLY DIFFICULT TO HAVE A RATIONAL CONVERSATION ABOUT IT, BECAUSE THERE WAS SO MUCH PASSION ON BOTH SIDES, THAT ANYONE WITH AN OPINION OF ANY TYPE USUALLY FOUND IT VERY DIFFICULT TO HAVE A DIALOGUE WITH ANYONE THAT HAD A DIFFERENT OPINION. AND I FEAR THAT SOME OF THAT ATMOSPHERE HAS FED THROUGH TO THE FINAL REPORT. AND THAT IS AN ATMOSPHERE OF LET’S SAY FEAR, ONE IN WHICH WORDS LIKE “SAFETY” END UP BEING INCREDIBLY FRIGHTENING WORDS THAT HAVE THE IMPACT OF STOPPING CONVERSATION, BECAUSE YOU JUST CAN’T GO THERE. HOW COULD YOU BE FOR THINGS NOT BEING SAFE? THEREFORE, PLEASE DON’T HAVE AN OPINION ABOUT THIS BECAUSE IT ISN’T SAFE DOESN’T FEEL GOOD TO ME. AND WITH SITE FINDER PARTICULARLY, AND SOME OF THE FINDINGS, I’M PUZZLED, ACTUALLY. I RUN LOTS OF DOMAIN NAMES FOR SOME WEIRD REASON TO DO WITH HISTORY, AND MOST OF THEM DON’T SERVE VERY MANY PROTOCOLS. ACTUALLY, MOST OF THEM DON’T HAVE E-MAIL LIVE. MOST OF THEM DON’T HAVE LDAP LIVE, MOST OF THEM DON’T HAVE IMAP LIVE. VERY FEW PEOPLE WHO OWN DOMAIN NAMES RUN PROTOCOLS, ALL THE PROTOCOLS THAT THOSE DOMAIN NAMES SHOULD SUPPORT. AND IT SEEMS TO ME THAT IF YOU ANALYZED REAL DOMAIN NAMES THAT PEOPLE OWN AND COMPARED IT WITH WHAT SITE FINDER WAS, THE SAFETY CONSEQUENCES WOULD BE EXACTLY THE SAME FOR THOSE THAT ARE OWNED AND THOSE THAT ARE NOT OWNED, THE FAILURE TO SUPPORT PROTOCOLS, FOR EXAMPLE, WOULD BE EXACTLY THE SAME. THE BREAKING OF THE END-TO-END PRINCIPLE WOULD MOSTLY BE THE SAME, BECAUSE MOST DOMAIN NAME OWNERS DON’T RUN ALL THE PROTOCOLS THAT THEY COULD POSSIBLY RUN TO SERVE THE INTERNET. AND SO I FEAR THAT SOME OF THE ARGUMENTS ARE ACTUALLY NOT GOOD ARGUMENTS. 
NOW, HAVING SAID THAT, CLEARLY, THERE’S A LOT OF ISSUES AROUND SITE FINDER. BUT I THINK I’D LIKE TO RETRIEVE OUT OF IT SOME REALLY IMPORTANT POSITIVE THINGS THAT THE BOARD SHOULD AT LEAST HEAR AND THINK ABOUT. FIRSTLY, ON ADDRESSING SYSTEMS IN THE ABSENCE OF ADDRESSES, THE MAIL SYSTEM HAS A RETURN TO SENDER SYSTEM. IF YOU SEND A LETTER TO A FAKE OR A NONEXISTENT ADDRESS AND YOU PUT ON WHO YOU ARE, THEY SEND IT BACK TO YOU. THE TELEPHONE SYSTEM, IF YOU RING A WRONG NUMBER, HAS A NUMBER OF DIFFERENT WAYS TO TELL YOU YOU DID THAT. EITHER IT MAKES A NOISE OR IT SOMETIMES SAYS YOU’VE DIALED A WRONG NUMBER. IT SEEMS TO ME THAT FOR THE DOMAIN NAME SYSTEM TO HELP USERS WHO MAKE A MISTAKE, THAT ISN’T A BAD GOAL.

IT’S NOT AN UNWORTHY GOAL. IT’S ACTUALLY QUITE A GOOD GOAL. THE FACT THAT SOMEONE MAKES MONEY FROM IT IS NOT A BAD THING, EITHER. I MEAN, ULTIMATELY, WE LIVE IN MARKET ECONOMIES FOR THE MOST PART. I CAN’T FIND ANYTHING BAD IN THAT. SO I THINK THE UNDERLYING GOALS OF SITE FINDER, THERE’S SOMETHING WORTHY IN THOSE GOALS THAT’S GENERALLY OKAY. AND THE FACT THAT THERE WERE THE PROBLEMS IS SOMETHING THAT’S COMMON TO BOTH SITE FINDER AND EXISTING DOMAIN NAMES. THERE’S NOTHING DIFFERENT IN MY MIND THERE AT THE LEVEL OF THOSE PROBLEMS. APPLICATIONS ARE BROKEN. IF SOMEBODY TRIES TO SEND ME AN E-MAIL AT KEITH@E-MAIL NEWS.COM, WHICH IS A DOMAIN I KNOW. IT’LL BREAK. IT JUST WON’T GET THROUGH TO ME, THE SAME WAY AS IN SITE FINDER. SO I THINK AT LEAST TO SOME EXTENT, PASSION AND OPINION IS OVERRIDING DIALOGUE AND DISCUSSION. AND WHAT MOUHAMET SAID ABOUT THE CONSEQUENCES OF THAT FOR A FREE-THINKING INTERCHANGE THAT CAN LEAD TO INNOVATION IS ACTUALLY CRUSHING IN SOME REGARD. I KNOW I’M PRETTY NERVOUS EVEN MAKING THESE POINTS BECAUSE OF THAT. BECAUSE, YOU KNOW, IT’S A DIFFICULT DISCUSSION TO HAVE BECAUSE THERE’S SO MUCH PASSION AROUND THE ISSUE.

>>VINT CERF: KEITH, I’M GOING TO TAKE CHAIRMAN’S PRIVILEGE AND RESPOND, IF YOU’RE FINISHED.

>>KEITH TEARE: YEAH, I CAN FINISH NOW.

>>VINT CERF: I ACTUALLY THINK THOSE ARE VERY BAD ARGUMENTS.

SO I DON’T WANT TO PROLONG THIS TOO MUCH. BUT I ACTUALLY BELIEVE THEY ARE ARGUMENTS FOUNDED IN MAYBE A MISUNDERSTANDING ABOUT HOW SOME OF THIS STUFF BEHAVES. WHEN YOU DESIGN A SYSTEM SUCH AS THE INTERNET WITH THE DOMAIN NAMES UNBOUND IN ANY FASHION TO ANY PROTOCOL, THE ONLY ASSUMPTION YOU CAN MAKE FROM THE ENGINEERING POINT OF VIEW IS THAT ANY PARTICULAR DOMAIN NAME MAY BE USED WITH ANY PARTICULAR PROTOCOL IN THE INTERNET. YOU CAN’T MAKE THE ASSUMPTION THAT THIS PARTICULAR DOMAIN NAME IS SOMEHOW SHIELDED, BECAUSE YOU DON’T KNOW WHEN YOU’RE DOING THE DESIGN WHETHER AT SOME LATER TIME THAT DOMAIN NAME WILL BE USED WITH A PARTICULAR PROTOCOL. SO THE FEAR AND SAFETY AND SO ON, WHICH ARE LOADED TERMS, SHOULD, I THINK, IN THIS CASE BE THOUGHT OF MORE AS ASSURANCE THAT THINGS WILL WORK IN AN UNCERTAIN FUTURE. THAT’S POINT NUMBER ONE. THE EXAMPLES THAT YOU GAVE ABOUT, YOU KNOW, THE TELEPHONE SYSTEM TELLING YOU THAT YOU DIALED A WRONG NUMBER OR THE POSTAL SERVICE DELIVERING A MESSAGE BACK TO YOU THAT YOU MISADDRESSED, THE DESIGN OF DNS DOES GIVE EXACTLY THAT SIGNAL. THE SIGNAL WAS, “THIS DOMAIN NAME IS NOT REGISTERED.” THAT’S A WELL-DEFINED RESPONSE.

IT’S LEFT TO WHICHEVER PROGRAM SENT THE REQUEST TO DECIDE WHAT TO DO WITH IT. WHAT HAPPENED IN THE SITE FINDER CASE IS THAT THE PARTICULAR DIVERSION, BASED ON THE RECOGNITION THAT THE DOMAIN NAME WASN’T PRESENT, TOOK AWAY FROM THE PROGRAM MAKING THE QUERY THE OPPORTUNITY TO DECIDE FOR ITS PURPOSES WHAT TO DO. AND IT DID SOMETHING ELSE. AND THERE WAS NO OPT IN OR OUT OR ANYTHING. SO I THINK THAT THE REASONING THAT YOU’RE GOING THROUGH DESERVES SOME CAREFUL DISCUSSION, NOT TODAY. BUT I WOULD LOVE TO ENGAGE YOU ON THIS, BECAUSE I BELIEVE THAT THERE ARE SOME PRETTY DEEP ISSUES THAT ARE MISSED IN THE CONVERSATION. ANYBODY ELSE? NO. THANK YOU.

>>KEITH TEARE: OKAY. 

Letter from Rome – Susan Crawford.

I have to agree with Susan. The world needs ICANN or something like ICANN. But it does not need ICANN to make decisions that are better left to the market. It needs ICANN to set a minimum level of rules and processes and then let business get on with what it does best, sorting out the winning models from the losing ones. ICANN would benefit from this.

I, for one, believe that no matter what one’s personal opinion of SiteFinder, WLS or multi-lingual domain names is, a registry – any registry – should be able to experiment with its business model and introduce new services so long as the underlying workings of IP numbering and DNS remain intact. The market will tell a registry whether or not it is a good idea. Registrars will not adopt services they do not benefit from, for example. And channels will dry up. So revenues will be low.

So, to my friends in ICANN, and even those who disagree, see this lawsuit, and the ITU rumblings as an opportunity to redress what ICANN is and allow business to be business. It can be done.

ICANN Sued by VeriSign

ICANN – the body whose job it is to coordinate control of the Internet’s naming and numbering systems – has recently been making decisions that many feel fall outside of its authority. Now, VeriSign, which has the contract to run the .com and .net top level domains as a Registry operator, is suing ICANN, alleging it has overstepped its rights under the contract. The services in question are SiteFinder – a search service for helping users when they type a non-existent domain into a browser; Multi-lingual domains – allowing the use of all Unicode character strings in a domain name; and the Wait List Service, a service allowing the claim to a domain that is already registered in the event that the domain becomes available in the future.

Here is a story from MSN Money on the issue: The original is here

VeriSign Sues ICANN on Service Delays

February 26, 2004 5:19:00 PM ET

By Andy Sullivan

WASHINGTON (Reuters) – Internet infrastructure company VeriSign Inc (VRSN) sued a domain-name oversight body on Thursday, saying it had overstepped its authority when it prevented VeriSign from introducing new Web-address services.

The Internet Corporation for Assigned Names and Numbers has no authority to prevent VeriSign from rolling out a search engine for users who mistype Internet addresses, VeriSign said, as well as another feature that allows users to sign up for a waiting list for desirable domain names.

“This brazen attempt by ICANN to assume ‘regulatory power’ over VeriSign’s business is a serious abuse of ICANN’s technical coordination function,” said VeriSign in the suit, which was filed in U.S. court in Los Angeles.

An ICANN spokesman declined immediate comment.

Unlike other search engines, VeriSign’s Site Finder popped up on users’ screens when they typed in the name of a Web site that did not exist. Technical experts said it could impact the stability of the Internet, and rivals said VeriSign was abusing its position as administrator of the database of “.com” addresses.

ICANN ordered VeriSign to temporarily shut down the search service in October 2003 while it underwent technical review. The reviewing body has not yet issued a decision on the service.

Other proposed VeriSign services, such as the waiting list and a means to translate addresses into non-Roman alphabets, have been unnecessarily held up as well, the Mountain View, Calif.-based company said.

Though ICANN restructured itself to operate more efficiently last year, a VeriSign official said the group was still too cumbersome.

“Working the ICANN process is like being nibbled to death by ducks,” said Tom Galvin, VeriSign’s vice president for government relations. “It takes forever, it doesn’t make sense, and in the end we’re still dead in the water.”

Incorporated in 1998, ICANN oversees management of the Internet’s crucial addressing system which matches numerical addresses to familiar Web site addresses such as http://www.reuters.com.

One of its first tasks was to open up the sale of domain names for competition. Network Solutions Inc., which was bought by VeriSign in 2000 and sold last year, previously had been the only company authorized to sell domain names ending in “.com,” “.net” and “.org.”

The nonprofit group has faced heated criticism from Internet activists who say it favors business interests, as well as developing-world governments that want a greater say in how the global computer network is run.

© 2004 Reuters

SiteFinder and ICANN

James has responded again. He makes clear his views on my points. It’s clear we disagree. And that we remain friends. So decide for yourself by reading both views. No more on this from me re James. Maybe more on the subject as it develops.

To turn to another subject. SiteFinder is particularly interesting in the context of ICANN and its evolution. I have so far been very impressed with Paul Twomey as President and CEO. This issue is a real test of ICANN. There is enormous pressure on it to stand in the way of SiteFinder. Much of the pressure is well intentioned, much is purely driven by VeriSign hatred. ICANN was not set up as a regulatory body, and it was not set up to tell a registry how to run a business. It was explicitly set up as a private corporation to work with the private sector in the running of the DNS. That decision – to keep the DNS in the private sector – is key. It is what makes ICANN different to the ITU, where treaties and Governments are far more involved.

If ICANN steps outside its scope, and accepts the loudest voices as indicating consensus, it would be doing itself a serious disservice. It would soon become clear that the ITU is a more appropriate body for that more heavy handed, treaty driven, form of government. And the attempt to allow private industry and policy to co-exist will have failed. The onus – in my view – is on ICANN to step back, draw a line where it has no authority, and allow the market to decide winners and losers.

Of course all of this would be different if VeriSign, as accused, had really broken with standards in the DNS and had really threatened the stability of the Internet, or its security. In reality none of those things have happened and ICANN needs to be big enough to say so, despite the unpopularity of that viewpoint in certain circles.

Oh dear!

James has responded again. I am responding because I believe the use of our weblogs as a place for public discussion is a great service to the community in airing the arguments – whether one agrees or disagrees with a given point of view.

This doesn’t need to be long but …. James, please re-read my piece.

I do not say John Klensin either does or will support SiteFinder. I say that his dns-search piece describes an outcome that is in every way similar to SiteFinder. It is an “above the DNS” search and directory layer. I also say that “if” John is consistent he would support it. By implication I am assuming he is not being consistent. His views, aired publicly, at the Stability committee last week suggest that too. So I am aware he is unlikely to actually support SiteFinder. I believe that is a “political” decision, not one that is justified technically. Shame on him if it is so.

Secondly. I absolutely see SiteFinder as “above the DNS”. It is an http service with search results. So by definition it is “above the DNS”. Why do you keep insisting it is not? 🙁

Also please distinguish between the wildcard and SiteFinder. They are two entirely different things. The wildcard is part of the DNS, and a standard part, albeit previously unimplemented. Let me repeat what the IAB said:

“We hesitate to recommend a flat prohibition against wildcards in “registry”-class zones, but strongly suggest that the burden of proof in such cases should be on the registry to demonstrate that their intended use of wildcards will not pose a threat to stable operation of the DNS or predictable behavior for applications and users.”

James, this is explicitly about the use of a wildcard in a TLD. And RFC is about the DNS in general, not excluding TLDs. So I really believe you are wrong on the issue of standards.

SiteFinder on the other hand is what happens once the DNS has released a query, having detected no valid domain name for the query in question. It is in that sense outside of and “above” the DNS.

Given all of this I really believe your rebuttal is simply avoiding my key points rather than addressing them.

VeriSign’s key mistake was one of not informing. Its actual service is not a threat to the stability of the Internet and in my opinion can actually be a service to users and developers alike. What is needed is a clear statement of intent to re-introduce the wildcard, a date for doing so, and help for developers and network administrators in getting the best from it across all protocols.

I do not see any point in VeriSign engaging with the IETF on the wildcard. The IETF already has an RFC covering the wildcard and VeriSign has stuck to the RFC. So in a way there is nothing to discuss.

As for SiteFinder, there may well be very constructive discussions possible on how to evolve the service on top of the DNS. If VeriSign is prepared to engage the outside world in that discussion I can see only good coming from it. To be clear, that is not a standards discussion however. The very fact that SiteFinder is above the DNS makes it a discussion where different people can take differing views and none are either right or wrong in the abstract – it’s all a matter of opinion.

Clearly VeriSign’s opinion will count for a lot as it runs the .com and .net TLDs and so can redirect wildcard traffic to its own “above the DNS” solution. It is not very likely to abandon its own solution. That is just a commercial reality. We should all calm down and just get used to it. Running .com and .net carries a lot of power. Let’s acknowledge it and get over it!

Responses on SiteFinder

Lots of responses on my SiteFinder piece. Karl Auerbach [somebody who I generally warm to – although I never told him so] has a rebuttal here. And James Seng [who is a friend] has a piece here.

Karl and James are both good people, and honest too. But …. I believe they are missing several things in their largely negative analyses.

Karl makes an assault on my claim that the small % of people affected by SMTP issues was a “minor inconvenience”. He says:

“SiteFinder’s wildcard-record based redirection goes far beyond being a “minor inconvenience”.

Quite the contrary: SiteFinder commits mayhem on the primary principle that makes the internet work. SiteFinder breaks the end-to-end principle.

The effects are not limited to email – everything from voice-over-IP to iSCSI (storage area networks) are damaged. And this damage is not “easily worked around”.”

I couldn’t disagree more with Karl on the “end-to-end” point. VeriSign has not broken any end-to-end principle. For what it’s worth this is a principle I strongly believe in. IPv6 will be great at fixing the damage done by NAT, proxies and firewalls to that principle. I am a strong supporter of end-to-end. So, what has SiteFinder actually done? It has created a new “end”. The new end is different depending on the protocol in question.

Let’s examine this in more detail.

HTTP and HTTPS – the old “end” was an error message from the DNS that there was no such domain. The new “end” is an http or https response that there is no such domain name and a list of possible alternatives. This is still an end.

SMTP – The old “end” was a broken email with an error message to the sender after the DNS sent a ‘name error’ message to SMTP. The new “end” is an invalid recipient address with an SMTP error 550 code sent to the user. This is still an end.

Indeed, in the case of every protocol – and we could go on with this list but I will preserve the reader from the details – there is a new “end” point of an initial request.

This opens the way for protocol specific error tracking. Certainly a vast improvement over a catch-all DNS error.

So – Karl – I challenge you to justify that end-to-end has been broken here. I can’t see it.

On VoIP, I run a company, Santa Cruz Networks, that has a major video and voice over IP platform. We have seen no effects whatsoever. Why? Because we run our service on legitimate domain names and our end points are legitimate domain names. There is no way the ‘wildcard’ invoked to produce a SiteFinder results page could actually affect us. If one of our users types a mistaken name, then they will get an error. But there again, that was also the case before SiteFinder.

The rest of Karl’s piece refers to allegorical things – the NASA space disaster and the US East Coast electricity grid failure. I for one do not see the similarities – sorry. Seems like more heat than light here if you will pardon the pun.

James Seng makes some different points.

James’s first point:

“The Internet is many things, but some of the basic protocols are really fundamental to the functioning of the Internet such as IP, TCP, UDP and of course DNS. Take away or modify them, you are breaking the Internet.

How so? The DNS is a really simple protocol designed to answer queries very efficiently. You send a query and the DNS reply either (a) an answer (b) no such domain or (c) please ask this guy instead. VeriSign’s wildcard in the DNS effectively removed (b) as a possible answer.”

Really! I disagree: SiteFinder is the new case “b”! SiteFinder is saying – the domain does not exist, but it is adding to this by saying – here are some you may have intended to type.

I stick to my point that this is a better end result than the one previously in existence. “This domain does not exist” is not as good as “This domain does not exist and here are some that do in case that is what you intended”.
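Added example (not from the original post, and not VeriSign's code): a toy model of the three reply classes quoted above and of what a wildcard at the TLD changes at the DNS protocol level, plus the random-label probe an administrator can use to tell whether a zone is wildcarded. The zone data, the 192.0.2.10 address and all function names are constructed for illustration.

```python
"""Toy .com zone: how a registry-level wildcard changes what a client sees."""
import secrets

NOERROR, NXDOMAIN = 0, 3        # DNS RCODE values from RFC 1035
WILDCARD_ADDR = "192.0.2.10"    # constructed; 192.0.2.0/24 is reserved for documentation

# Constructed zone data: registered names and the name servers they are delegated to.
DELEGATIONS = {
    "example.com": ["ns1.example.net"],
    "registered-sample.com": ["ns1.example.org"],
}


def tld_lookup(qname, wildcard=False):
    """Answer an A query as the TLD servers would: (rcode, kind, data)."""
    labels = qname.lower().rstrip(".").split(".")
    registered = ".".join(labels[-2:])
    if registered in DELEGATIONS:
        return NOERROR, "referral", DELEGATIONS[registered]   # "ask this guy instead"
    if wildcard:
        # A "*.com" A record is matched only when the name does not exist,
        # so every unregistered name gets a synthesized positive answer.
        return NOERROR, "answer", [WILDCARD_ADDR]
    return NXDOMAIN, "name-error", []                          # "no such domain"


def client_view(qname, wildcard=False):
    """What the querying program can do next with the reply."""
    rcode, kind, data = tld_lookup(qname, wildcard)
    if rcode == NXDOMAIN:
        return "name error: the program decides how to handle it"
    if kind == "referral":
        return "continue resolution at " + data[0]
    return "connect to " + data[0]


def detect_wildcard(lookup, tld="com", probes=5):
    """Probe random labels that are almost certainly unregistered.

    Returns the shared address if every probe gets the same positive
    answer (a wildcard is in place), otherwise None.
    """
    addresses = set()
    for _ in range(probes):
        rcode, kind, data = lookup(f"{secrets.token_hex(16)}.{tld}")
        if rcode == NXDOMAIN or kind != "answer":
            return None
        addresses.update(data)
    return addresses.pop() if len(addresses) == 1 else None


if __name__ == "__main__":
    for wc in (False, True):
        print("wildcard" if wc else "no wildcard")
        for name in ("www.example.com", "exmaple.com"):
            print("  ", name, "->", client_view(name, wc))
        print("   detected:", detect_wildcard(lambda q: tld_lookup(q, wildcard=wc)))
```

`detect_wildcard` accepts any lookup callable with the same return shape, so the toy zone can be swapped for a call to a real resolver.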

James’s second point is about innovation needing to be above the DNS. There are several places he speaks of this and here is one of them:

“But over the years, I learnt and I realized there are more important things like keeping the Internet..well, Internet. Innovation above the DNS, which is why Internationalized Domain Name is now standardized as a function above the DNS and not part of it.”

I will simply repeat what I said earlier. SiteFinder is an above the DNS innovation. The wildcard is in the DNS. It is the escape from the DNS that allows SiteFinder to exist. The wildcard is a documented standard that even the IAB refrains from saying should be banned. SiteFinder is a search and directory service, running on http, above the DNS.

Next James suggests that I mistakenly called John Klensin as a witness for VeriSign:

“If you read Keith Teare’s blog, you may think John Klensin agrees with Verisign. While I cannot speak for John, I know him and we work on many projects together over the years and I am quite certain that’s not true. I remember John’s DNS Search and he talks about how people need a better way to locate resources than DNS but it is very specific that all of this is to be done above the DNS, not inside it.”

So, to be clear. I do not mean to suggest that John Klensin supports SiteFinder. I do however suggest that if John was to be consistent he would support it. His RFC on dns-search at the IETF seems to me to be a very close approximation to SiteFinder. [NB. This draft has been strangely pulled from the IETF site, but another one relating to it is still there]

Clearly the wildcard as a route to a search and directory layer above the DNS is not part of John’s documents. But the end results look very similar to me.

I believe the industry as a whole should be very open to this innovation.

Having said all of that, am I an unequivocal supporter of VeriSign’s handling of this service? No! I have several critical things to say.

1. Notification – this was an important change and people should have been notified. Developers in particular.

2. Implementation. Improvements in implementation would have helped a lot. Wildcard MX records for example. Also the ability to distinguish between a truly non-existent domain and one in various forms of “stasis” with registrars.

3. Developer help. It would have been great if VeriSign had developed or intended to develop an SDK to help application developers implement the wildcard and its consequences into their applications.

Had there been no outburst about SiteFinder these would be the only points worth making. Given the reaction and its largely emotional, non-analytical nature, rebutting the reaction seems a whole lot more important to me. Anything less would mean that attempts to innovate above the DNS, as SiteFinder does, would be destined to political failure – a far more serious issue than technical failure as it’s way harder to fix.

I hope that clarifies things.