David McGuire article on Verisign 10/4/2003
Howard C. Berkowitz
hcb at gettcomm.com
Sun Oct 5 06:34:03 UTC 2003
Let me begin with appropriate disclaimers and identifiers. While in
college in 1966-1967, I was a part-time science writer for The
Washington Post, so have some familiarity with the news process. At
the present time, I am an independent consultant in networking and
medical computing, with experience including Internet operational
design. With respect to the latter, I have four published books,
including one on ISP design: _Building Service Provider Networks_
(Wiley). I am a participant in the Internet Engineering Task Force
and North American Network Operators' Group. I have no financial
interest in Verisign or its competitors.
My concern is first with journalistic balance with respect to
sources, and second with technical inaccuracy. The article quotes a
Verisign executive, as well as an executive of a firm with a
commercial offering similar to Verisign's Sitefinder process. In
contrast, the Post cited "the close-knit group of engineers and
scientists who are familiar with the technology underpinning the
Internet" without naming a single name of an acknowledged expert on
the Domain Name System, the Internet function that translates
human-oriented names to computer-oriented Internet addresses. It
would be simple to find recognized professionals with no financial
interest in the type of redirection from Verisign and Paxfire.
Balanced reporting should cover both sides of the story. There are a
great many individuals and firms that were adversely affected by
Verisign's action, and considerable sentiment in the worldwide
Internet engineering community that the Verisign action was
technically unsound, and in a manner that can be demonstrated
objectively, interfered with the normal operations of the Internet.
While I wouldn't quite call the article a Verisign press release, I'm
appalled either that Mr. McGuire failed to obtain opinion from
independent, financially disinterested individuals, or,
alternatively, that the editorial staff removed such material.
Let me summarize some of the major operational concerns, and not get
into the governance issues between Verisign and ICANN. Strong
arguments can be made that adding the wildcard (i.e., that which
causes any undefined domain to be redirected to Sitefinder) to .com
and .net breaks the operational and even protocol aspects of DNS. A
great many network security tools, especially spam filters, depend on
checking if domains are undefined. There is a specific DNS protocol
message for undefined domain, which the wildcard defeats.
Beyond security, the wildcards have an indirect effect of potentially
slowing electronic mail or causing it to be dropped. One thing that
Verisign seemed not to consider is that the Internet is more than the
Web, and mail agent redirection to Sitefinder provides absolutely no
value to the mail-using Netizen.
Here's the problem. Let's say I misaddress a piece of mail to
foo.com, which I shall assume is a nonexistent domain. When an ISP
first tries to deliver it without the DNS wildcards, when it
discovers there is no such domain, it will treat that as an error,
usually returning the mail to sender with an appropriate error
message.
With wildcards, however, an unmodified SMTP agent will get back an
address (Sitefinder) and try to set up an SMTP session with it. At
best, it will discover that Sitefinder does not support mail exchange
and treat the message as undeliverable, again returning it.
It's more likely, however, that the SMTP software will decide that
since it can find foo.com (with Sitefinder's address), a temporary
error is interfering with delivery. It will requeue the message for
retry. Typically, mail agents try to redeliver for several days, and
may or may not return intermediate warning messages.
We now have the effects:
-- ANY mail to an incorrectly spelled name gets added to the outgoing
   mail queue for retry, increasing queue length. Doing so:
   -- slows down mail delivery due to the need for repeatedly
      processing mail that will never be delivered
   -- consumes queue storage resources and increases ISP costs,
      which may be passed on to the end user
-- Inconveniencing the user, who, if they received a prompt error
   notification, might discover they spelled an address incorrectly
   and simply need to correct the message and resend it. With the
   wildcards, days may elapse before the sender even knows there
   is a problem.
--
Howard C. Berkowitz
5012 25th Street South
Arlington VA 22206
(703)998-5819 voice
(703)998-5058 fax (alas, sometimes poorly operated by "helpful" cat)
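The two mechanisms the message describes, a spam check that depends on an NXDOMAIN answer and an SMTP agent that requeues instead of bouncing once every misspelled domain resolves, modelled as an added Python example. This is not code from the original message or from NANOG; the zone contents, the 192.0.2.x addresses, the placeholder wildcard address and the random-label probe used to detect the wildcard are all constructed for illustration. The `resolve_filtered` function shows one resolver-side mitigation: answers equal to the detected wildcard address are mapped back to NXDOMAIN so that mail agents and filters behave as they did before.

```python
"""Toy model of a TLD zone with and without a wildcard, and of what an
unmodified SMTP agent does with each kind of DNS answer.  All data here is
constructed; the wildcard address is a placeholder, not Sitefinder's."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

NXDOMAIN = "NXDOMAIN"              # stands in for the DNS "no such domain" response
WILDCARD_ADDR = "192.0.2.10"       # placeholder (TEST-NET-1), assumed wildcard target

# Constructed zone data: the only domains that really exist in this model.
REAL_RECORDS: Dict[str, str] = {"example.com": "192.0.2.1", "example.net": "192.0.2.2"}
# Hosts that actually accept an SMTP session; the wildcard host is not one of them.
SMTP_HOSTS = set(REAL_RECORDS.values())


@dataclass
class Zone:
    """Authoritative zone: explicit A records plus an optional wildcard."""
    records: Dict[str, str]
    wildcard: Optional[str] = None   # address synthesised for any undefined name

    def resolve(self, name: str) -> str:
        if name in self.records:
            return self.records[name]
        if self.wildcard is not None:
            return self.wildcard       # the wildcard swallows the NXDOMAIN
        return NXDOMAIN


def detect_wildcard(zone: Zone, tld: str = "com") -> Optional[str]:
    """Probe a random label that cannot have been registered.  Any answer at
    all means the zone carries a wildcard; return the synthesised address."""
    probe = f"{secrets.token_hex(16)}.{tld}"
    answer = zone.resolve(probe)
    return None if answer == NXDOMAIN else answer


def resolve_filtered(zone: Zone, name: str) -> str:
    """Resolver-side mitigation: treat an answer equal to the wildcard
    address as NXDOMAIN, restoring the signal that filters and MTAs rely on."""
    wildcard_addr = detect_wildcard(zone)
    answer = zone.resolve(name)
    if wildcard_addr is not None and answer == wildcard_addr:
        return NXDOMAIN
    return answer


def sender_domain_exists(resolver: Callable[[str], str], domain: str) -> bool:
    """The spam-filter check the message mentions: is the sender domain defined?"""
    return resolver(domain) != NXDOMAIN


def smtp_accepts(addr: str) -> bool:
    """Constructed stand-in for attempting an SMTP session with addr."""
    return addr in SMTP_HOSTS


def mail_agent_action(addr: str, reachable: Callable[[str], bool] = smtp_accepts) -> str:
    """What an unmodified SMTP agent does with a DNS answer for the recipient
    domain: bounce on NXDOMAIN (permanent error), deliver if the host talks
    SMTP, otherwise treat it as a temporary failure and requeue for retry."""
    if addr == NXDOMAIN:
        return "bounce"
    if reachable(addr):
        return "deliver"
    return "queue"


def run_queue(zone: Zone, recipients: Iterable[str],
              resolver: Optional[Callable[[str], str]] = None) -> Dict[str, int]:
    """Process a batch of recipient domains and count the outcomes."""
    lookup = resolver if resolver is not None else zone.resolve
    counts = {"deliver": 0, "bounce": 0, "queue": 0}
    for domain in recipients:
        counts[mail_agent_action(lookup(domain))] += 1
    return counts


if __name__ == "__main__":
    batch = ["example.com", "foo.com", "exmaple.com", "example.net"]
    plain = Zone(records=dict(REAL_RECORDS))
    wild = Zone(records=dict(REAL_RECORDS), wildcard=WILDCARD_ADDR)
    print("no wildcard:       ", run_queue(plain, batch))
    print("wildcard:          ", run_queue(wild, batch))
    print("wildcard, filtered:", run_queue(wild, batch, lambda n: resolve_filtered(wild, n)))
    print("spam check on foo.com, wildcard zone:", sender_domain_exists(wild.resolve, "foo.com"))
```

Running the script shows the misspelled domains moving from the bounce column to the queue column as soon as the wildcard is present, and moving back once the resolver filters the wildcard address; the spam check likewise reports a nonexistent sender domain as existing under the unfiltered wildcard.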