Network World Canada
Companies controlling top-level Internet domains like “.ca” and “.uk” say they will not follow in VeriSign Inc.’s footsteps after the firm cranked up a service that could spell headaches for network managers.
“There is nothing like this on the plans or in the books for the .ca world,” said Gabriel Ahad, spokesperson for the Canadian Internet Registration Authority (CIRA), the Ottawa-based .ca registry.
Mountain View, Calif.-based VeriSign, the .com and .net directory provider, turned on its Site Finder service in September. If a Web surfer misspells a universal resource locator (URL) in a browser’s address field, he’s directed to the Site Finder page and offered a search function, as well as a list of similar URLs.
For example, if the user types “www.cisdo.com,” he’ll come to Site Finder, where he’s presented another option: “www.cisco.com” for Cisco Systems Inc.
VeriSign says, “Site Finder provides useful tools for Internet users who mistype a domain name or attempt to connect to a Web site that doesn’t exist.”
But others say the service wreaks havoc on the Internet’s underpinnings.
“I don’t think the implementation of Site Finder respects the integrity of the DNS (domain name system),” said Jesse Dougherty, Vancouver-based director of development at ActiveState Corp., an antispam firm.
Dougherty said Site Finder messes with rudimentary antispam software that checks to see if e-mail comes from a legitimate domain name. If the domain name doesn’t exist, the program assumes the message is spam.
Site Finder effectively makes every domain name legitimate, thereby confusing antispam programs into thinking every e-mail message is OK.
“If you’re relying on a less-sophisticated spam filter, that would be enough to increase the flood of spam that you get,” Dougherty said.
A.J. Byers, chief operating officer at Magma Communications Ltd., an Ottawa ISP, said Site Finder is making its presence known to his staff.
“I’ve talked to people around the building…who don’t normally get spam. In the last week or so these people are getting probably 10 spam messages a day now, because of the introduction of that product.”
The Internet Architecture Board’s report on DNS wildcarding – the mechanism powering Site Finder – says this kind of service affects e-mail transmission. Whereas e-mail messages destined for non-existent addresses normally bounce as a result of the Internet’s inner workings, now it’s up to the registry’s own e-mail servers to ensure those errant letters are returned to sender. If the registry’s servers fail, messages don’t bounce. Instead, they’re queued up, waiting to be processed. Meanwhile the sender has no idea her message didn’t make it.
Network managers are working around Site Finder.
“We did apply the BIND patch,” said Sylvain Robitaille, senior systems administrator at Concordia University in Montreal. A new version of Berkeley Internet Name Domain (9.2.3rc3), the Internet Software Consortium’s popular DNS implementation, applies a “delegation-only” filter to intercept Site Finder.
But Robitaille said patching only solves part of the problem. VeriSign “shouldn’t have done it in the first place. But I suspect it was simply a lack of foresight on their part. Because what they did didn’t break any documented mechanisms, they didn’t see anything wrong with it. And technically there isn’t. Politically, it’s a huge foible in my opinion.”
Some network managers said Site Finder isn’t that big a deal.
“I can see how if a company makes money on tech support, if they lose an e-mail, that’s an issue for them,” said Kam Mohammed, manager of IT at Totten Sims Hubicki Associates, an engineering consulting firm in Whitby, Ont. “We’re not a service like that, so it’s really not a concern for us at this point.”
Others are adamant that VeriSign is wrong.
“I absolutely think they should shut it down,” said Elliot Noss, CEO of Internet registrar Tucows Inc. in Toronto. “I question their right to do it….The operator of the .com and .net registry should not engage in behaviour like this.”
CIRA and Nominet UK, the .uk registry, say they will not turn on their own Site Finders.
“Nominet UK would like to reassure the Internet community that it has not been asked to offer a similar service for .uk domain names, nor is it considering doing so.”
Noss pointed out that not every registry had chimed in with a no vote. “I think some of them are waiting to see what happens: will this blow over? Is the backlash really that strong?”
For its part, VeriSign says it has started a technical review committee to ensure Site Finder becomes less of a concern and more of a useful tool.
“VeriSign is gratified that millions of Internet users have found Site Finder a helpful service to improve Web navigation,” the firm said, adding that as of late September, the Site Finder search field had been used 11 million times.
Noss said Site Finder’s positive side effects include greater scrutiny. The BIND update gives network managers more insight into their networks.
“To this point, VeriSign was the only entity that could see all the errors. Now anybody running a network with a lot of users on it gets to see all the misspellings, errors or corrections, or sites [users] went to that don’t exist….Any time the Internet becomes more distributed, it becomes healthier.”
Would Noss thank VeriSign for making the Internet more distributed?
“I won’t go that far,” he said.