VeriSign planning more changes to .com, .net

VeriSign Inc. is planning changes to a DNS (Domain Name System) component responsible for coordinating updates to the .com and .net domains throughout the DNS system, according to a company spokesman.

The changes are intended to prepare .com and .net for more frequent daily updates of information such as new subdomains, address changes and the culling out of obsolete subdomains. Internet users and organizations managing Web sites on .com and .net will not notice the change, VeriSign said.

However, some networking experts worry that the change, which is scheduled for Feb. 9, may have unanticipated consequences that could interrupt traffic to some .com and .net Web sites and other online services.

The modifications will change the way part of a DNS component called the SOA (Start of Authority) Record is generated for .com and .net domains, according to information posted to the Nanog networking discussion group by Matt Larson, of VeriSign Naming and Directory Services and confirmed by Pat Burns, a VeriSign spokesman.

SOAs are used to manage DNS zones, areas of an Internet domain that are managed by a single DNS server. The records contain identifying information about the zone, such as the name of the primary DNS server for the zone, the e-mail address of the person responsible for the zone and a unique serial number that can be used to compare whether the zone information in one DNS server is newer or older than that managed by other, secondary servers.

VeriSign Naming and Directory Services will change the serial number format in the .com and .net zones' SOA records. Currently, the serial number format is YYYYMMDD, plus an additional two-digit number (00 to 99) that is updated whenever the zone data is updated.

Under the new system, VeriSign will change the serial number to a unique value equal to the number of seconds since 00:00:00 Greenwich Mean Time on Jan. 1, 1970, Larson said.

That will allow VeriSign to make better use of its ATLAS (Advanced Transaction Lookup and Signalling system) technology to make more frequent and efficient updates to .com and .net, from the current system of two daily updates, Burns said.

VeriSign does not anticipate disruptions stemming from the change, Larson said. But the company did allow that "processes that rely on the semantics of the .com/.net serial number" could be affected.

For example, companies that have created scripts to monitor domain change on .com and .net will almost certainly need to make changes to account for the serial number change, said Thor Larholm, senior security researcher at Pivx Solutions LLC of Newport Beach, California.

Also, companies that have incorrectly formatted their DNS servers to get information directly from the DNS root servers maintained by VeriSign will stop receiving updates on Feb. 9, leaving those servers and the Internet users who rely on them out of step with the rest of the Internet, he said.

"The damage won't be catastrophic, but some DNS servers could stop receiving updates," he said.

While there is general agreement within the technical community that VeriSign has the right to make the serial number changes, there is also suspicion about the move, especially after the feud over VeriSign's controversial Site Finder service in 2003, which redirected requests for nonexistent Web addresses to a Web site maintained by VeriSign.

VeriSign complied with an Internet Corporation for Assigned Names and Numbers (ICANN) request to shut down Site Finder after ICANN complained that Site Finder hobbled antispam filters and automated tools like Web spidering applications, and hampered the ability of some applications to determine whether or not an Internet domain existed.

"There's distrust of VeriSign on a basic level and (the Site Finder dispute) removed any level of trust for many system administrators," Larholm said.

Burns denied that VeriSign would be offering the more frequent updates as a paid service.

"From our perspective, this is just a way to prepare to offer a more efficient domain name registration process," he said.