
VeriSign’s Move To Redirect Domain Errors Comes Under Fire

The Internet community is failing to see the value of domain giant VeriSign’s SiteFinder service, which redirects users to a VeriSign site with a search tool instead of producing the traditional error message for mistyped or nonexistent Internet addresses.

The service, known as “wildcard” functionality, is fouling efforts to block unwanted e-mail, or spam, and is being vilified as a departure from accepted practice and a danger to Internet security by many spam fighters and network administrators.

VeriSign, which oversees the majority of all domain names through administration of the .com and .net registries, did not respond to a request for comment, but said in its description of SiteFinder that the service “improves the user Web browsing experience.”

Revenue Ploy Reviled

VeriSign contends that prior to its introduction of the new service, users typing unregistered .com or .net URLs received an error message with no useful information. “With the rollout of SiteFinder, in the same situation users now receive a useful Web page offering links to possible intended destinations and allowing an Internet search.”

However, the service has been the focus of both condemnation and concern as it changes fundamental Internet infrastructure procedure, critics said.

“What [this] means in plain English is that most mistyped domain names that would formerly have resulted in a helpful error message now results (sic) in a VeriSign advertising opportunity,” said a posting on Slashdot.

Benefits Versus Need

Jay Elliott, a spokesperson with Vancouver-based Web hosting and domain registration provider NetNation, told TechNewsWorld that VeriSign likely views SiteFinder as a good potential revenue stream.

He said there also are benefits for Web browsers who might be better equipped to find what they are looking for, but he added that there is a question of whether or not Internet site operators want the redirection.

While a representative of security firm ISS told TechNewsWorld that VeriSign’s service is more of an infrastructure issue than security-related, there was also concern from spam fighters that SiteFinder would hamper antispam efforts.

One way of identifying and subsequently blocking spam involves a check on the legitimacy of domain names, which are often spoofed to send spam.

Antispam advocates complain that domain name checks are no longer working because all domain names will now appear to be valid.

Jumping the Gun

Similar techniques have been used by other companies, including Microsoft with its Explorer browser, but they did not have the large-scale impact of VeriSign’s service, which covers the most common domain names, those ending in .com and .net.

Rival domain registry service Afilias, which oversees the .info domain name, is not considering similar moves primarily because of a lack of support from groups such as the Internet Engineering Task Force (IETF) and the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees all domain names, Afilias spokesperson Heather Carle told TechNewsWorld.

“There’s not an official consensus in the IT community in general to support this,” Carle said. “We really would prefer to wait for approval and a support project from ICANN.”

Carle, who said Afilias gets about one billion domain name server (DNS) queries daily, reported that 10 to 12 percent of them fail because of mistyped or nonexistent addresses. She said the revenue opportunity for VeriSign, which probably takes around 20 billion DNS queries daily, is clear.

However, Carle said, the implications of such a service make it something Afilias is willing to wait on. “It’s a change of existing business services,” she said. “It’s changing the user experience itself in a way people have generally not supported.”

Binding Resistance

While resistance to VeriSign’s plan has begun appearing in workarounds and blocks to SiteFinder from network administrators, a more central counter to the service took shape in the form of a patch from the Internet Software Consortium, which publishes critical Berkeley Internet Name Domain (BIND) software that powers most domain name servers.

The patch blocks the SiteFinder redirection and restores the usual error message in the case of a typo or nonregistered domain name.

“In response to high demand from our users, ISC is releasing a patch for BIND to support the declaration of ‘delegation-only’ zones in caching-recursive name servers,” the group said on its site.

“This can be used to filter out ‘wildcard’ or ‘synthesized’ data from Network Address Translation boxes or from authoritative nameservers whose undelegated in-zone data is of no interest.”

This means that if VeriSign does not reverse its decision, those who operate the main root zone servers can still take matters into their own hands to provide standard error messages for unregistered domain names.
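The sketch below is an added illustration, not code from ISC, BIND or VeriSign. It models the sender-domain check that spam filters rely on and shows how a registry wildcard makes every domain look valid, then how a "delegation-only" rule in a caching resolver restores the error for unregistered names. The registered domain, the wildcard address and all function names are constructed for the example.

```python
from dataclasses import dataclass, field

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

@dataclass
class Response:
    rcode: str
    answer: list = field(default_factory=list)     # (owner, type, data) records
    authority: list = field(default_factory=list)  # (owner, type, data) records

# Constructed sample data: one registered domain, and a wildcard address
# taken from the 192.0.2.0/24 documentation range.
REGISTERED = {"example.com": "ns1.example.com"}
WILDCARD_ADDR = "192.0.2.1"

def tld_server(qname, wildcard):
    """Simplified model of the .com registry's authoritative server."""
    domain = ".".join(qname.split(".")[-2:])
    if domain in REGISTERED:
        # Registered name: a referral, i.e. NS records in the authority section.
        return Response(NOERROR, authority=[(domain, "NS", REGISTERED[domain])])
    if wildcard:
        # Unregistered name with a wildcard in the zone: a synthesized answer.
        return Response(NOERROR, answer=[(qname, "A", WILDCARD_ADDR)])
    return Response(NXDOMAIN)

def delegation_only(resp, zone="com"):
    """Resolver-side filter: anything from `zone` that is not a delegation
    to a child zone is treated as NXDOMAIN."""
    delegated = any(
        rtype == "NS" and owner != zone and owner.endswith("." + zone)
        for owner, rtype, _ in resp.authority
    )
    if delegated or resp.rcode == NXDOMAIN:
        return resp
    return Response(NXDOMAIN)

def sender_domain_exists(domain, wildcard, filtered):
    """The antispam check: does the claimed sender domain exist in DNS?"""
    resp = tld_server(domain, wildcard)
    if filtered:
        resp = delegation_only(resp)
    return resp.rcode == NOERROR

if __name__ == "__main__":
    for wildcard, filtered in [(False, False), (True, False), (True, True)]:
        result = sender_domain_exists("no-such-sender.com", wildcard, filtered)
        print(f"wildcard={wildcard} filtered={filtered} exists={result}")
```

With the wildcard active and no filter, the unregistered sender domain passes the check; with the filter applied it fails again, while the registered domain resolves in every case.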
