David McGuire article on Verisign 10/4/2003

Howard C. Berkowitz hcb at gettcomm.com
Sun Oct 5 06:34:03 UTC 2003

Let me begin with appropriate disclaimers and identifiers. While in 
college in 1966-1967, I was a part-time science writer for The 
Washington Post, so have some familiarity with the news process. At 
the present time, I am an independent consultant in networking and 
medical computing, with experience including Internet operational 
design. With respect to the latter, I have four published books, 
including one on ISP design:  _Building Service Provider Networks_ 
(Wiley).  I am a participant in the Internet Engineering Task Force 
and North American Network Operators' Group. I have no financial 
interest in Verisign or its competitors.

My concern is first with journalistic balance with respect to 
sources, and second with technical inaccuracy.  The article quotes a 
Verisign executive, as well as an executive of a firm with a 
commercial offering similar to Verisign's Sitefinder process. In 
contrast, the Post cited "the close-knit group of engineers and 
scientists who are familiar with the technology underpinning the 
Internet" without naming a single name of an acknowledged expert on 
the Domain Name System, the Internet function that translates 
human-oriented names to computer-oriented Internet addresses. It 
would be simple to find recognized professionals with no financial 
interest in the type of redirection from Verisign and Paxfire.

Balanced reporting should cover both sides of the story.  There are a 
great many individuals and firms that were adversely affected by 
Verisign's action, and considerable sentiment in the worldwide 
Internet engineering community that the Verisign action was 
technically unsound, and in a manner that can be demonstrated 
objectively, interfered with the normal operations of the Internet.

While I wouldn't quite call the article a Verisign press release, I'm 
appalled either that Mr. McGuire failed to obtain opinion from 
independent, financially disinterested individuals, or, 
alternatively, that the editorial staff removed such material.

Let me summarize some of the major operational concerns, and not get 
into the governance issues between Verisign and ICANN.  Strong 
arguments can be made that adding the wildcard (i.e., that which 
causes any undefined domain to be redirected to Sitefinder) to .com 
and .net breaks the operational and even protocol aspects of DNS. A 
great many network security tools, especially spam filters, depend on 
checking if domains are undefined. There is a specific DNS protocol 
message for undefined domain, which the wildcard defeats.

Beyond security, the wildcards have an indirect effect of potentially 
slowing electronic mail or causing it to be dropped. One thing that 
Verisign seemed not to consider is that the Internet is more than the 
Web, and mail agent redirection to Sitefinder provides absolutely no 
value to the mail-using Netizen.

Here's the problem.  Let's say I misaddress a piece of mail to 
foo.com, which I shall assume is a nonexistent domain.  When an ISP 
first tries to deliver it without the DNS wildcards, when it 
discovers there is no such domain, it will treat that as an error, 
usually returning the mail to sender with an appropriate error 

With wildcards, however, an unmodified SMTP agent will get back an 
address (Sitefinder) and try to set up a SMTP session with it. At 
best, it will discover that Sitefinder does not support mail exchange 
and treat the message as undeliverable, again returning it.

It's more likely, however, that the SMTP software will decide that 
since it can find foo.com (with sitefinder's address), a temporary 
error is interfering with delivery. It will requeue the message for 
retry.  Typically, mail agents try to redeliver for several days, and 
may or may not return intermediate warning messages.

We now have the effects:

       --ANY mail to an incorrectly spelled name gets added to the outgoing
         mail queue for retry, increasing queue length.  Doing so:

             -- slows down mail delivery due to the need for repeatedly
                processing mail that will never be delivered
             -- consumes queue storage resources and increases ISP costs,
                which may be passed on to the end user

       --Inconveniencing the user, who, if they received a prompt error
         notification, might discover they spelled an address incorrectly
         and simply need to correct the message and resend it.  With the
         wildcards, days may elapse before the sender even knows there
         is a problem.

Howard C. Berkowitz
5012 25th Street South
Arlington VA 22206

(703)998-5819 voice
(703)998-5058  fax (alas, sometimes poorly operated by "helpful" cat)
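The mail-agent behaviour described in the post, modelled as an added example (not code from the post or from any of the parties it names): one resolver returns NXDOMAIN for an unknown name, the other synthesises a wildcard address, and the delivery logic shows why the first yields an immediate bounce while the second lands the message in the retry queue. All addresses and zone data are constructed documentation-range values, and the wildcard probe at the end is the kind of check an operator could run against any resolver.

```python
"""Simulation of how a mail agent's delivery decision changes when a TLD
adds a wildcard. Constructed example; addresses are documentation-range
values (RFC 5737), not any real redirection service's address."""
import secrets

KNOWN_HOSTS = {"example.com": "192.0.2.10"}   # constructed zone data
WILDCARD_IP = "192.0.2.1"                      # constructed stand-in for a wildcard target


def resolve_plain(name):
    """Resolver for a zone without wildcards: an unknown name yields None (NXDOMAIN)."""
    return KNOWN_HOSTS.get(name)


def resolve_wildcard(name):
    """Resolver for a .com with a wildcard: any unknown .com name gets the wildcard address."""
    if not name.endswith(".com"):
        return None
    return KNOWN_HOSTS.get(name, WILDCARD_IP)


def deliver(domain, resolve, smtp_probe):
    """Classify one delivery attempt the way a typical MTA does.

    smtp_probe(ip) models the SMTP greeting: None for no connection or a
    timeout, otherwise the numeric reply code. Returns 'bounce', 'requeue'
    or 'delivered'."""
    ip = resolve(domain)
    if ip is None:
        return "bounce"            # NXDOMAIN is permanent: sender learns at once
    code = smtp_probe(ip)
    if code is None or 400 <= code < 500:
        return "requeue"           # host "exists" but won't talk: looks temporary
    if code >= 500:
        return "bounce"            # host answered and permanently refused
    return "delivered"


def hours_until_sender_notified(disposition, retry_days=5):
    """A bounce is immediate; a requeued message waits out the whole retry window."""
    return retry_days * 24 if disposition == "requeue" else 0


def tld_has_wildcard(tld, resolve, probes=3):
    """Operator's check: random labels that should not exist all resolve to one address."""
    answers = {resolve(f"{secrets.token_hex(8)}.{tld}") for _ in range(probes)}
    return None not in answers and len(answers) == 1


def silent_host(ip):
    """Constructed probe: only the known mail host greets; a web-only host never answers SMTP."""
    return 220 if ip in KNOWN_HOSTS.values() else None
```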
