On Monday 15 September 2003 09:50 pm, Tim May wrote:

I didn't get a Verisign page...I go the usual error.

"Could not open the page http://www.thisisjunk55666.com/ because the server www.thisisjunk55666.com could not be found."

Try: http://www.bfafasfas.com Word on the North American Network Operators Group (NANOG) mailing list is that some major ISP's are null routing the address of the verisign server in protest. The DNS name for the site you are redirected to is http://sitefinder.verisign.com . It's IP Address is 64.94.110.11 If you can't get to the Address, it has probably been null-routed. There is an article on slashdot already: http://slashdot.org/article.pl?sid=03/09/16/0034210 -- Neil Johnson http://www.njohnsn.com PGP key available on request.

Official notice from verisign. Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now. We have prepared a white paper describing VeriSign's wildcard implementation, which is available here: http://www.verisign.com/resources/gd/sitefinder/implementation.pdf By way of background, over the course of last year, VeriSign has been engaged in various aspects of web navigation work and study. These activities were prompted by analysis of the IAB's recommendations regarding IDN navigation and discussions within the Council of European National Top-Level Domain Registries (CENTR) prompted by DNS wildcard testing in the .biz and .us top-level domains. Understanding that some registries have already implemented wildcards and that others may in the future, we believe that it would be helpful to have a set of guidelines for registries and would like to make them publicly available for that purpose. Accordingly, we drafted a white paper describing guidelines for the use of DNS wildcards in top-level domain zones. This document, which may be of interest to the NANOG community, is available here: http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf Matt -- Matt Larson <mlarson@verisign.com> VeriSign Naming and Directory Services -- Neil Johnson http://www.njohnsn.com PGP key available on request.

What does it mean to say that "64.94.110.11" is or is not certified by .com as the address for bad-example-12345.com , or that something else is? Is it really the same as a wild-card that points to real sites? Your Best Practices says that

At this point it is immaterial what Verisign will or will not do. They followed the predictable course based on their capabilities and the assessment that the response from some imaginary "community" is irrelevant. The actual damage is breaking network diagnostic procedures and spam filtering, increasing chance of undetected lost e-mail (their SMTP does not always bounce) and increased danger of mistyped domain names - as now such typo in http client leads to exposure to possibly adversarial html (which is why they started it all in the first place.) By this time it should be obvious to everyone that in the near future they will establish targeted advertizing depending on what the mistyped URL looks like - and probably sell or rent the "typo name space" - ie. Airborne Express could buy *f?*e?*d?*e?*x?*.com address space, so fredex.com would lead to airborne's web site. And then there is a very small step from there to schemes where, for instance, for basic $15-25/yr name rental your domain will be yours only in 90% of cases. Other 10% will be sold. For $100/yr you will be guaranteed 99.5% of the ownership. Of course, only platinum premium accounts, at $100K/yr, will have 100% ownership. That is the problem when a centralized technical solution relies on the legal system (and they almost always do.) What is important is how and if will this accelerate alternate solutions for name space management. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com

On Thu, Sep 18, 2003 at 11:17:00AM -0400, Tyler Close wrote:

On Tuesday 16 September 2003 11:38, Morlock Elloi wrote:

...

That is the problem when a centralized technical solution relies on the legal system (and they almost always do.)

What is important is how and if will this accelerate alternate solutions for name space management.

Machines can handle numerical addresses, as a stop-gap measure search engines (hardcoded into browsers) obviate the need to memorize URIs. Though there are several competing search engines, this is of course still mostly a single point of failure. We here all probably agree that the days of open online publishing are counted, and that traffic-remixing P2P (which, by tweaking parameters could be used to implement a BlackNet) networks will rapidly displace the WWW, once a usable system appears on the scene. The publishers knows the cryptographic hash of the document, and can submit it to full-text indexing search services. Each P2P node should come with a search engine, which uses part of the store space to keep an index. Denial of service can be counteracted by agoric load levelling, and prestige accounting. If you provide shitty service, your node gets consulted less and less, and your requests are processed with lower and lower priority. If you push out documents, you have to provide store, bandwidth and crunch, building an impeccable prestige over a long periods of time. Given the recent history, it looks hard to develop a usable system which gets all of the above right, so it will obviously take a while. I haven't spent much time reading up on YURLs, so I can't comment on that. What's the local consensus on the Waterken feller? [demime 0.97c removed an attachment of type application/pgp-signature]

Bill Stewart <bill.stewart@pobox.com> writes:

Matt - I'm interested in finding out Verisign's plans for DNSSEC support for the *.com and *.net wildcards. Are there obvious semantics for securing them?

Bill, I'm not Matt, but you may want to refer to the DNSSEC standard, it answers your question: <http://www.ietf.org/rfc/rfc2535.txt>. Wildcards work fine with DNSSEC. I believe DNSSEC is the least of our worries, since DNSSEC is not used in production, and likely won't be in its current incarnation anyway. Wildcards in DNS at the TLD level are already used (e.g. '.nu'), so that isn't something new, and the consequences are fairly well known. What is new is, on the other hand, is the buggy SMTP server that respond to all non-registered hosts. Analyzing the consequences this has for various anti-spam approaches might be an interesting exercise. Same goes for other protocols that, like SMTP, behave differently depending on if a host doesn't exist or refuse the connection. Regards, Simon