Verisign Greed Breaks the Internet

Link: Verisign redirects error pages.

Verisign, the operator of the largest databases for Internet domains, has taken greed to a new level. This week, they implemented a new service to squat on domain typos, and cavalierly broke major Internet functions in the process. Their service, called Site Finder, redirects web queries for non-existent domains to a web site they manage. They will be able to make money by showing you advertising when you make an error typing in a URL. The change, however, creates significant havoc.

I've estimated my spam load will go up about 6.25% because of Verisign greed. Spammers can get into trouble if they forge a return address using a valid domain. So spammers often use an invalid domain in their return address. That's good news, because bogus domains are easily recognized and mail from them can be bounced as spam.

Verisign broke that. Now, when the mail server checks on a bogus domain, it no longer gets a "no such domain" response. Instead, the mail server gets a response saying the domain is valid, and it points to a Verisign mail server. This means the checks for forged domains no longer work, and all that spam that used to be bounced out of hand will now be accepted.

The Verisign change is going to create confusion for my users. Before, if they made a typo in the domain part of an email address, my mail server would intercept it and return an error. Now, the message is going to be passed along to a Verisign mail server, which is going to cause a misleading error. The user is going to be told the user does not exist, rather than that the domain is invalid.

Verisign has shown continued arrogance and hubris in their management of the Domain Name System. Unfortunately, the organizations that oversee them have been ineffectual in their management. This time, however, they may have pushed too far. The Internet Software Consortium, which writes the software that runs most of the DNS, is preparing a new version that will filter out the bogus Verisign responses. I expect this will be deployed quickly, so that network operators can route around the damage created by Verisign.
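The sender-domain check described above, and one way a mail server can keep it working when a TLD answers every name, shown as an added example (it is not the ISC patch and not code from the original post). The `resolve` callable, the function names and all addresses are assumptions; the addresses are constructed placeholders from documentation ranges.

```python
import secrets

# Constructed sample data: one registered domain and a placeholder wildcard address.
WILDCARD = frozenset({"192.0.2.11"})
REGISTERED = {"example.com": frozenset({"198.51.100.25"})}

def fake_resolver(wildcard_tlds):
    """Offline stand-in for the MTA's MX/A lookup; an empty set means NXDOMAIN."""
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in REGISTERED:
            return REGISTERED[name]
        if name.rsplit(".", 1)[-1] in wildcard_tlds:
            return WILDCARD              # the registry answers for every typo
        return frozenset()
    return resolve

def naive_exists(domain, resolve):
    """The original check: any answer at all means the domain is real."""
    return bool(resolve(domain))

def wildcard_addrs(tld, resolve, probes=3):
    """Look up random labels nobody has registered; the addresses common to
    all answers are the zone's wildcard. A single NXDOMAIN means no wildcard."""
    seen = None
    for _ in range(probes):
        addrs = resolve(f"{secrets.token_hex(16)}.{tld}")
        if not addrs:
            return frozenset()
        seen = addrs if seen is None else seen & addrs
    return frozenset(seen)

def sender_domain_exists(domain, resolve, cache):
    """Treat a domain as non-existent when it resolves only to wildcard addresses."""
    tld = domain.rsplit(".", 1)[-1].lower()
    if tld not in cache:                 # probe each TLD once, then reuse the result
        cache[tld] = wildcard_addrs(tld, resolve)
    addrs = resolve(domain)
    return bool(addrs - cache[tld])      # needs at least one non-wildcard address

if __name__ == "__main__":
    resolve, cache = fake_resolver({"com"}), {}
    for d in ("example.com", "no-such-sender-domain.com"):
        print(d, naive_exists(d, resolve), sender_domain_exists(d, resolve, cache))
```

A registered domain that is genuinely hosted at the wildcard address would also be rejected by this check, so the probe result needs periodic refreshing and an allow-list for exceptions.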



re: Verisign Greed Breaks the Internet

It would, of course, be more work, but would it be feasible to patch your mailer so that if a domain resolves to Verisign, it is treated as spam? I realize that would cause a different set of problems, but it would be poetic justice.

re: Verisign Greed Breaks the Internet

Adam - The ISC folks have published their patch, and I've got it installed on our mail server.

So, that issue is solved. The remaining issue is how to get the DNS ripped away from Verisign and handed to somebody who can run it correctly.

re: Verisign Greed Breaks the Internet

ICANN is soliciting comments about Verisign's SiteFinder. Thought you might want to chime in.