September 16, 2003 3:31 PM PDT
VeriSign redirects error pages
On Monday, VeriSign began to redirect domain lookups for misspelled or nonexistent names to its own site, a process that has confused Internet e-mail utilities and drawn angry denunciations of the company's business practices from frustrated network administrators. The Mountain View, Calif.-based company enjoys a government-granted monopoly as the master database administrator for .com and .net.
VeriSign's new policy is intended to generate more advertising revenue from additional visitors to its network of Web sites. But the change has had the side effect of rewiring a portion of the Internet that software designers always had expected to behave a certain way, snarling antispam mechanisms that check to see if the sender's domain exists, complicating the analysis of network problems, and possibly even polluting search engine results.
A representative for VeriSign did not respond to a request for comment Tuesday. On Monday, VeriSign released an eight-page paper describing the implementation of its "Site Finder" program, saying it "improves the user Web-browsing experience when the user has submitted a query for a nonexistent second-level domain in the .com and .net second-level domains...(Previously) his or her Web browser returned an error message that contained no useful information."
In an unusual kind of grassroots movement, some network administrators have begun to invent and launch technical countermeasures against VeriSign. A discussion thread on the North American Network Operators' Group mailing list was titled "What *are* they smoking?" and offered technical tips on how to configure routers and servers to block access to VeriSign's site, so Web users would receive the traditional "nonexistent domain" error message.
"There are already modifications to BIND software to take responses that contain that VeriSign address and turn it into a nonexistent domain error," Karl Auerbach, a veteran Internet engineer and former board member of the Internet Corporation for Assigned Names and Numbers (ICANN), said about the standard utility used for domain name lookups. "There are also several Internet service provider-type people dealing with routing information who are already talking about blocking (the VeriSign site). I believe some have."
VeriSign is not the first domain-name company to try to profit from typos and errors, but because .com and .net represent such a huge percentage of Internet names, its decisions have the most profound impact. Some of the other top-level domains that have adopted a similar policy include .cc, .museum, .nu, .ph, .tm and .ws. Microsoft's Internet Explorer also returns a similar error message and search box, but because the redirection is performed by the end user's computer, the effect is limited.
The antispam foil
Yakov Shafranovich, co-chair of the Anti-Spam Research Group organized under the Internet Research Task Force, said some spam blockers are being thrown for a loop, because the computer that VeriSign uses to respond to misspelled or nonexistent domains is misconfigured. The VeriSign software--named the "Snubby Mail Rejector Daemon v1.3"--does not follow Internet standards, Shafranovich said. He also warned the VeriSign change was creating problems--for example, leading some older versions of SpamAssassin to view the entire Internet as a source of spam.
"Some of the antispam tools in our group broke because of this," Shafranovich said. "They put up an SMTP server, but it's not a real SMTP server."
One post to an Internet Engineering Task Force mailing list quipped: "This certainly qualifies as 'most broken SMTP implementation ever.' Will the protocol police please send out a squad car to pick up the suspects?" SMTP stands for the Simple Mail Transport Protocol, the Internet's workhorse standard.
Neither ICANN, which in principle oversees VeriSign's actions as the domain name registrar, nor the U.S. Department of Commerce, which has a contract with VeriSign, responded to requests for comment.
An ICANN representative said, "We have no comment at this time, but I hope that we'll have something over the next few days."
A representative for the Commerce Department referred questions to ICANN and VeriSign. The government's contract says VeriSign "shall take all reasonable steps to ensure the continued...functionality and accessibility" of the domain name registration system.
Auerbach said he strongly dislikes VeriSign's new policy, but he admits: "ICANN and the Department of Commerce can't clearly say that (VeriSign is) violating Internet standards. It's impossible for Internet standards to enumerate all the dumb things you can do."
Critics say VeriSign's move evokes privacy and national security implications as well. Because passwords sometimes are included after the hostname in Web links, a misspelled domain name could transmit sensitive information to the company. Also, because of the way network providers cache domain name queries, VeriSign's policy means that it will take longer for new domains to propagate--something that could be a problem if a Web site is launched to deliver emergency information about an earthquake or a terrorist attack, for example.
Earlier this year, VeriSign was dealt a harsh rebuke in a similar matter by the highly regarded Internet Architecture Board. Referring to the Domain Name System (DNS), the board's unanimous statement said: "The system VeriSign had deployed for .com and .net contains significant DNS protocol errors, risks the further development of secure DNS, and confuses the resolution mechanisms of the DNS with application-based search systems."
VeriSign shares closed Tuesday at $15.81, up 4 cents.