Verisign DNS Change
Monday, October 13, 2003
Posted by: Charles Oriez
"Editor's note - After this story was approved for publication, ICANN demanded, and Verisign acquiesced to, restoring the status quo of Sept 14 (no wild cards) pending further study. AITP applauds that decision."
Verisign, the company tasked with managing the Internet's root servers, recently rolled out an unannounced and untested change: it added wildcard records to its DNS servers for the .net and .com top-level domains. Any mistyped domain name is now reported by Verisign to be a valid domain.
The Internet Architecture Board (IAB), a committee of the Internet Corporation for Assigned Names and Numbers (ICANN), studied the change and found serious problems. "One of the main known weaknesses and dangers of wildcard records is that they interact poorly with any use of the DNS which depends on 'no such name' responses". Web browsers around the world stopped presenting 'page not found' messages in the local language and character set. Domains with misconfigured but workable MX records (the records used to route mail) no longer work properly. Mail now incorrectly goes to a Verisign mail server, where it sometimes bounces, and sometimes does not. Application GUIs that try to ensure that users enter valid domain names now accept anything as valid. Spam filters that reject traffic from invalid domains do not function properly. Cellular phones whose 'page not found' message had been one packet in size now present pages that are 17kb in size. The cellular companies are happy about the higher user charges for this traffic, of course. Others have reported problems with print servers on local networks. The IAB concluded that the change should be reversed pending significant additional discussion and study.
Associated Press has reported that ICANN chairman Vint Cerf demanded that Verisign back out its change pending review. Meanwhile, the Internet Software Consortium, authors of BIND, distributed a patch that neutralizes the Verisign change. BIND is the software used on many servers to translate domain names into IP addresses.
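As an added illustration (not ISC's patch code and not from the original article), the following Python models the check behind a "delegation-only" fix: the .com servers should only refer a resolver onward or answer "no such name", so a reply carrying an A record in its answer section for a name below the zone apex can only have been synthesized by the wildcard, and the resolver can hand back NXDOMAIN instead. The DNS packets, the name `mistyped-exmaple.com` and the address 192.0.2.1 are constructed sample data; the parser deliberately omits name compression since it only reads the packets built here.

```python
import socket
import struct

def encode_name(name):
    # Wire format for a non-root name: length-prefixed labels, then a zero byte (no compression).
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(pkt, off):
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def build_response(qname, rcode=0, a_rdata=None):
    # Constructed authoritative reply: header, one A question, optionally one A answer.
    flags = 0x8400 | rcode  # QR=1 (response), AA=1 (authoritative), RCODE in the low 4 bits
    pkt = struct.pack("!6H", 0x1234, flags, 1, 1 if a_rdata else 0, 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if a_rdata:
        pkt += encode_name(qname) + struct.pack("!HHIH", 1, 1, 900, 4)  # A IN TTL=900 RDLEN=4
        pkt += socket.inet_aton(a_rdata)
    return pkt

def parse_response(pkt):
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata = pkt[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        answers.append((owner, rtype, socket.inet_ntoa(rdata) if rtype == 1 else rdata))
    return {"rcode": flags & 0xF, "qname": qname, "answers": answers}

def delegation_only_rcode(parsed, zone):
    """A TLD's servers should only refer (NS records) or say NXDOMAIN, so an A record in
    the ANSWER section for a name below the apex can only be wildcard output: return 3."""
    zone = zone.rstrip(".").lower()
    for owner, rtype, _rdata in parsed["answers"]:
        owner = owner.lower()
        if rtype == 1 and owner != zone and owner.endswith("." + zone):
            return 3
    return parsed["rcode"]
```

A genuine NXDOMAIN reply and a reply for the zone apex itself pass through unchanged; only the synthesized answer for a child name is rewritten.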
The AITP legislative committee has passed a resolution that called on ICANN to either instruct Verisign to stop giving incorrect answers to DNS queries or terminate the Verisign contract to provide DNS service.
Companies and ISPs running their own servers should install the BIND patch. Users wanting an accurate error message for invalid domain names can point the domain sitefinder.verisign.com to the IP address 127.0.0.1 in the hosts file on their desktop machine. Users of Windows 2000 and Linux desktop machines will find that file preconfigured in their /etc directory, and need merely to add a single line in the obvious place and format. Users of Windows 98 should make a copy of the file hosts.sam with the extension omitted, in the same directory, and edit that copy. Windows 98 machines need to be rebooted for the change to take effect. This change will significantly speed up browser responses when an invalid domain is entered in the location bar.