David McGuire's VeriSign article from 10/4/03 Page E01
Owen DeLong
owen at delong.com
Sat Oct 4 16:40:54 UTC 2003
An open letter to the Ombudsman at the Washington Post
Please also forward to David McGuire
I would like to correct some errors of fact and some potentially erroneous
perceptions conveyed in Mr. McGuire's article. I would appreciate it if
Washington Post would correct these in a subsequent article.
Perception:
1. There is no reason to believe that turning off the wildcard
records in the DNS is a temporary move. ICANN has said that
if there is significant evidence that these changes are not
doing harm to the internet (they most definitely are), they
would consider making changes to allow them to be turned back on.
2. Verisign initiated the changes without notice to ICANN, IETF,
or the community at large. ICANN is, essentially, the top-level
authority in such matters. IETF is the body entrusted with the
engineering, design, and specifications development for the
internet through the RFC process.
3. Verisign was politely asked to stop breaking the internet by
ICANN quite some time before this demand letter. Verisign
chose to refuse that request.
Facts:
1. Verisign changed the behavior of a critical component of Internet
infrastructure without hearing, notice, or even a heads up to
the community until after it was implemented and the public
outcry began. ICANN, while not holding a formal hearing prior
to this action, did solicit community input and review from the
various organizations responsible for these issues. ICANN has
not asked Verisign to change a functional part of the internet,
but, to undo the changes Verisign made without hearing. This
is not unreasonable and shouldn't require a hearing process that
the changes didn't go through in the first place.
2. This is just the latest in a string of abuses by Verisign of
their position in control of these aspects of the namespace.
3. The engineers and scientists you refer to as a close-knit group
are anything but. We are a very diverse group of people from
an even more diverse set of geographies. There are a number of
different organizations which contain various fragments of this
group, but, to my knowledge, not a single one which contains all
of us. In general, our agendas are so diverse that we have
tremendous trouble coming to consensus on even basic things such
as the minimum IP allocation boundary.
In reality, this move angered virtually everyone running any
operational part of the Internet. This is the most united
I have _EVER_ seen the operational portion of the Internet
Community.
Some further information for your consideration:
1. The Site Finder service isn't about helping lost internet users.
It's about hijacking typos for profit. Verisign is trying to
line its profits while preventing others from providing similar
services.
Currently, an ISP can capture NXDOMAIN responses at the resolver
level and, (although few do, and, most would think this was as
bad as Verisign's move), redirect it to their own error handling
servers. Even if an ISP does this, however, users have the option
of configuring other resolvers to get their DNS services from.
With Verisign placing these wildcards in the top-level zone files
they have disabled this NXDOMAIN functionality for everyone.
This prevents mail servers from verifying that a sender domain
(or even a recipient domain) even actually exists (they all do
according to DNS with the wildcard).
2. Verisign can claim that the claims are overblown all they want.
They are actually mostly understated. Verisign had no right
to make this change to critical infrastructure which they are
operating in the public trust. The key problem here is that
Verisign seems to think they own that and it is theirs to do
with as they wish. The reality is that it is held in the public
trust by ICANN and its stewardship is contracted out to Verisign.
3. The statement that there is no data to indicate the core operation
of DNS or the stability of the Internet has been adversely affected
is a very carefully chosen set of words. While it is technically
true, it creates a very different impression from what it actually
says. The impression it intends to create is that there is no
evidence that this broke anything. In fact, it broke quite a number
of things. It did not break DNS per se, but, it did change one
functional aspect of DNS in a way that was incompatible with
existing systems implementations (it didn't break DNS, but, it
broke several things that depend on DNS). The "stability of
the internet" can be said to relate specifically to the ability
to forward packets from one host to another. While it didn't
impact this ability, it did affect a number of applications
in an adverse manner.
4. ICANN is using anecdotal and isolated issues -- This is a most
specious claim. ICANN is using real reports of real damage to
functioning systems on the internet from real operators of those
facilities. Sure, that's anecdotal, but, it's also anecdotal
if a patient tells a doctor on the phone that his wrist has been
cut and he is bleeding profusely. No rational doctor would tell
this patient not to call an ambulance. No rational person
in ICANN's position would not tell Verisign to undo this change
post haste.
5. Verisign's claim that this is an attempt to regulate non-registry
services is also untrue. The contents of the DNS zone files for
the top level .com and .net zones are very much a registry service.
Placing stuff in there that does not serve the public trust for
which those files are contracted is very much a non-registry service,
and, such things don't belong in those zone files. ICANN does not
care what non-registry services Verisign wants to provide. ICANN
does care about damaging pollution being added to the DNS namespace
by the company entrusted as a registry to manage that namespace.
ICANN's right to regulate that is anything but dubious, and, Verisign's
claims that it is dubious are an obvious attempt to hijack this power
for yet more abuse of their contract privileges. The issues are
not isolated, they are widespread.
In summary, I ask you to print an appropriate update to the facts of Mr.
McGuire's piece. I ask you to check your facts and examine the situation
better in order to present a less biased approach to stories about the
internet in the future. I realize that because the internet operational
community is so diverse it is hard to find a "spokesman". I also understand
that it is easy to find the chosen spokesperson for Verisign. However,
I believe that as reporters, especially for an institution like the
Washington Post, you have an obligation to put in the effort to find a
sampling of communities that have no designated spokespeople so that
you can get their side of the story as well. In short, I don't think
Mr. McGuire's biases in this article are the result of malice, but, I
think they demonstrate a certain amount of laziness and nonfeasance of
his journalistic responsibilities.
Sincerely,
Owen DeLong
owen at delong.com
P.S. The other email address I sent this to is a list which contains some
portion of the North American Operations community. It might be a good
resource for further comment/investigation on these issues.
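
The NXDOMAIN point in item 1 of the further information above, as an added example that is not part of the original letter: a small offline model of a TLD zone with and without a wildcard, the mail-server sender-domain check it defeats, and one way a resolver operator can detect the wildcard and treat its answer as NXDOMAIN again. The zone contents, addresses and function names are constructed for illustration, and the model assumes the wildcard returns a single fixed address and that the mail check uses one address lookup.

```python
import secrets

# Constructed sample data: two registered names and a documentation-range
# address standing in for the wildcard target (not real registry data).
REGISTERED = {"example.com": "192.0.2.10", "registered-name.com": "192.0.2.20"}
WILDCARD_TARGET = "198.51.100.1"


def make_resolver(wildcard):
    """Return lookup(name) modelling the TLD zone; None means NXDOMAIN."""
    def lookup(name):
        name = name.lower().rstrip(".")
        if name in REGISTERED:
            return REGISTERED[name]
        # With a wildcard in the zone, every unregistered name gets an answer.
        return WILDCARD_TARGET if wildcard else None
    return lookup


def sender_domain_exists(lookup, address):
    """Naive mail-server check: accept the sender if its domain resolves."""
    domain = address.rsplit("@", 1)[-1]
    return lookup(domain) is not None


def detect_wildcard(lookup, tld="com", probes=3):
    """Resolve random, unregistered labels; return the shared answer, if any."""
    answers = {lookup(f"{secrets.token_hex(12)}.{tld}") for _ in range(probes)}
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None


def sender_domain_exists_filtered(lookup, address, wildcard_addr):
    """Same check, but an answer equal to the wildcard address is NXDOMAIN."""
    domain = address.rsplit("@", 1)[-1]
    answer = lookup(domain)
    return answer is not None and answer != wildcard_addr


if __name__ == "__main__":
    for wildcard in (False, True):
        lookup = make_resolver(wildcard)
        seen = detect_wildcard(lookup)
        for sender in ("user@example.com", "spam@no-such-domain-typo.com"):
            print(f"wildcard={wildcard} {sender}: "
                  f"naive={sender_domain_exists(lookup, sender)} "
                  f"filtered={sender_domain_exists_filtered(lookup, sender, seen)}")
```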