Another nail in the coffin

VeriSign has added a wildcard A record to .COM and .NET. I'm nearly speechless. Here's a PDF of the implementation.

I'd seen this in the periphery and thought it would never happen... but it has actually come to pass, and it's a bad thing. From now on, any reverse lookup on a non-existent host will return the IP 64.94.110.11, which resolves to sitefinder.verisign.com. From now on, it will be harder to determine whether a domain exists, since the answer is no longer boolean. Checking for the IP in the return is considered harmful, since that's just layering bandages on something that shouldn't be broken. VeriSign has introduced dependencies into a process that has worked exactly as intended for years. A major change to the DNS infrastructure for the purposes of selling advertising is abhorrent. I can't believe I'm saying this, but I yearn for the InterNIC. They were slow, sloppy, and annoying, but they wouldn't have done this.

Scripts will break, spam filters will be without another tool to determine the validity of an email, and all for a few dollars. Interestingly, this means that IE won't return the MSN search page, since no lookup fails. You can always null route that IP address at an edge router, but an errored lookup will still have a true return code. Besides, we don't need more one-off holes in the net. Imagine if you got a Verizon or PacBell advertisement every time you dialed a wrong number. Those three tones are there for a reason.
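Here is an added example (not from the original post) of the existence check that scripts and spam filters lose once a TLD synthesizes answers. Rather than hardcoding 64.94.110.11, it probes random labels under the same TLD and treats whatever address set they all return as the wildcard sentinel; the resolver is passed in as a callable so the logic can be exercised against a fake, and `stdlib_resolver` is an assumed thin wrapper over the standard library for real use.

```python
import secrets
import socket
from typing import Callable, Optional, Set

# Resolver contract: hostname -> set of A-record addresses, or None when the
# name does not exist (NXDOMAIN). Any function with this shape will do.
Resolver = Callable[[str], Optional[Set[str]]]


def probe_wildcard(resolve: Resolver, tld: str, probes: int = 3) -> Set[str]:
    """Query random labels that cannot plausibly be registered under `tld`.
    If every probe resolves to the same address set, the registry is
    synthesizing answers for non-existent names; return that set so callers
    can recognise it. An empty set means NXDOMAIN still works as intended."""
    seen = []
    for _ in range(probes):
        label = "wc-" + secrets.token_hex(12)  # 24 random hex chars, will not exist
        seen.append(resolve(f"{label}.{tld}"))
    if any(s is None for s in seen) or any(s != seen[0] for s in seen):
        return set()  # at least one probe got NXDOMAIN, or answers disagree
    return set(seen[0])


def host_exists(resolve: Resolver, hostname: str) -> bool:
    """True only if the name resolves to something other than the TLD's
    synthesized wildcard answer. Equality on the whole address set is used so
    a registered host that merely shares one address is not misclassified."""
    tld = hostname.rsplit(".", 1)[-1]
    answer = resolve(hostname)
    if answer is None:
        return False  # a real NXDOMAIN, the way lookups used to work
    sentinel = probe_wildcard(resolve, tld)
    return not (sentinel and set(answer) == sentinel)


def stdlib_resolver(name: str) -> Optional[Set[str]]:
    """Assumed helper: adapt socket.gethostbyname_ex to the Resolver contract."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return None
```

The probe costs a few extra queries per TLD, so cache the sentinel per TLD in anything that checks names in bulk; the sentinel also has to be re-probed if the synthesized address changes.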

It seems that Safari doesn't like the changes. Directly calling http://sitefinder.verisign.com loads the page, but also generates a "Couldn't connect" error. Wonderful. Thanks, VeriSign.

Solutions? A couple off the top of my head...

1) Write ICANN. They're inept, corrupt, and have performed dismally since time immemorial, but they might actually notice this.

2) If every backbone provider blocked 64.94.110.11, there would be no traffic to the VeriSign site. This goes against all my networking principles, but if conducted as a protest, it would be a very powerful message. This would start an arms race of sorts, and we'd all be playing follow the bouncing A record, but the point would be made.

One of my deepest dislikes is structural modifications for marketing purposes. There's no call for this -- none whatsoever. Their charter should be revoked, and the registry turned over to a body representing the world, not the corporate bottom line.

UPDATE: A wholly unreliable source just told me that they've seeded 4 .COM/.NET roots, and left the rest as-is. This is probably to cut the load for now, or they're just testing the waters. Either way, this needs to be stopped.
