Responses on SiteFinder

Lots of responses on my SiteFinder piece. Karl Auerbach [somebody who I generally warm too – although I never told him so] has a rebuttal here. And James Seng [who is a friend] has a piece here.

Karl and James are both good people, and honest too. But …. I believe they are missing several things in their largely negative analyses.

Karl makes an assault on my claim that the small % of people affected by SMTP issues was a “minor inconvenience”. He says:

” SiteFinder’s wildcard-record based redirection goes far beyond being a “minor inconvenience”.

Quite the contrary:  SiteFinder’s commits mayhem on the primary principle that make the internet work.  SiteFinder breaks the end-to-end principle.

The effects are not limited to email – everything from voice-over-IP to iSCSI (storage area networks) are damaged.  And this damage is not “easily worked around”.”

I couldn’t disagree more with Karl on the “end-to-end” point. VeriSign has not broken any end-to-end principle. For what its worth this is a principle I strongly believe in. IPV6 will be great at fixing the damage done by NAT, Proxy’s and Firewalls to that principle. I am a strong supporter of end-to-end. So, what has Sitefinder actually done? It has created a new “end”. The new end is different depending on the protocol in question.

Lets examine this in more detail.

HTTP and HTTPS – the old “end” was an error message from the DNS that there was no such domain. The new “end” is an http or https response that there is no such domain name and a list of possible alternatives. This is still an end

SMTP – The old “end” was a broken email with an error message to the sender after the DNS sent a ‘name error’ message to SMTP. The new “end” is an invalid recipient address with an SMTP error 550 code sent to the user. This is still and end

Indeed, in the case of every protocol – and we could go on with this list but I will preserve the reader from the details – there is a new “end” point of an initial request.

This opens the way for protocol specific error tracking. Certainly a vast improvement over a catch-all DNS error.

So – Karl – I challenge you to justify that end-to-end has been broken here. I can’t see it.

On VoIP, I run a company Santa Cruz Networks that has a major Video and voice over IP platform. We have seen no effects whatsoever. Why? because we run our service on legitimate domain names and our end points are legitimate domain names. There is no way the ‘wildcard’ invoked to produce a SiteFinder results page could actually affect us. If one of our users types a mistaken name, then they will get an error. But there again, that was also the case before SiteFinder.

The rest of Karl’s piece refers to allegorical things – the NASA space disaster and the US east Coast electricity grid failure. I for one do not see the similarities – sorry. Seems like more heat than light here if you will pardon the pun.

James Seng makes some different points.

James first point:

“The Internet is many things, but some of the basic protocols are really fundamental to the functioning of the Internet such as IP, TCP, UDP and of course DNS. Take away or modify them, you are breaking the Internet.

How so? The DNS is a really simple protocol designed to answer queries very efficiently. You send a query and the DNS reply either (a) an answer (b) no such domain or (c) please ask this guy instead. VeriSign’s wildcard in the DNS effectively removed (b) as a possible answer.”[i]

Really! I disagree, SiteFinder is the new [i]case “b”! SiteFinder is saying – the domain does not exist, but it is adding to this by saying – here are some you may have intended to type.

I stick to my point that this is a better end result than the one previously in existence. This domain does not exist is not as good as This domain does not exist and here are some that do in case that is what you intended.

James second point is about innovation needing to be above the DNS. There are several places he speaks of this and here is one of them:

“But over the years, I learnt and I realized there are more important things like keeping the Internet..well, Internet. Innovation above the DNS, which is why Internationalized Domain Name is now standardized as a function above the DNS and not part of it.”

I will simply repeat what I said earlier. SiteFinder is an above the DNS innovation. The wildcard is in the DNS. It is the escape from the DNS that allows SiteFinder to exist. The wildcard is a documented standard that even the IAB refrains from saying should be banned. SiteFinder is a search and directory service, running on http, above the DNS.

Next James suggests that I mistakenly called John Klensin as a witness for VeriSign:

“If you read Keith Teare’s blog, you may think John Klensin agrees with Verisign. While I cannot speak for John, I know him and we work on many projects together over the years and I am quite certain that’s not true. I remember John’s DNS Search and he talks about how people needs better way to locate resources then DNS but it is very specific that all these is to be done above the DNS, not inside it.”

So, to be clear. I do not mean to suggest that John Klensin supports SiteFinder. I do however suggest that if John was to be consistent he would support it. His RFC on dns-search at the IETF seems to me to be a very close approximation to SiteFinder. [NB. This draft has been strangely pulled from the IETF site, but another one relating to it is still there]

Clearly the wildcard as a route to a search and directory layer above the DNS is not part of John’s documents. But the end results look very similar to me.

I believe the industry as a whole should be very open to this innovation.

Having said all of that, am I an unequivocal supporter of VeriSIgn’s handling of this service. No! I have several critical things to say.

1. Notification – this was an important change and people should have been notified. Developers in particular.

2. Implementation. Improvements in implementation would have helped a lot. Wildcard MX records for example. Also the ability to distinguish between a truly non-existent domain and one in various forms of “stasis” with registrars.

3. Developer help. It would have been great if VeriSign had developed or intended to develop an SDK to help application developers implement the wildcard and its consequences into their applications.

Had there been no outburst about SiteFinder these would be the only points worth making. given the reaction and its largely emotional, non-analytical nature, rebutting the reaction seems a whole lot more important to me. Anything less would mean that attempts to innovate above the DNS as SiteFinder is would be destined to political failure – a far more serious issue than technical failure as its way harder to fix.

I hope that clarifies things.






Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: