Article: 14293 of ba.internet
From: Roger Marquis <not-for-mail@roble.com>
Newsgroups: comp.protocols.tcp-ip.domains,ba.internet
Subject: Re: ICANN RFC regarding Verisign's TLD wildcard A records
Date: Sun, 21 Sep 2003 01:56:48 +0000 (UTC)
Organization: Usenet News
Lines: 86
Message-ID: <bkj0h0$2rfu$2@news.mainstreet.net>
NNTP-Posting-Host: gw.roble.com
X-Trace: news.mainstreet.net 1064109408 93694 207.5.1.105 (21 Sep 2003 01:56:48 GMT)
X-Complaints-To: usenet@news.mainstreet.net
NNTP-Posting-Date: Sun, 21 Sep 2003 01:56:48 +0000 (UTC)
Path: news.meer.net!sea-read.news.verio.net!dfw-artgen!iad-peer.news.verio.net!news.verio.net!news.maxwell.syr.edu!newsfeed.frii.net!newsfeed.frii.net!news-out.newsfeeds.com!propagator2-maxim!news-in.superfeed.net!feedwest.aleron.net!aleron.net!news.mainstreet.net!not-for-mail
Xref: archive.mv.meer.net comp.protocols.tcp-ip.domains:88 ba.internet:14293


Doug Barton wrote:
>The Security and Stability Advisory
>Committee is sincerely interested in your feedback regarding this 
>issue. We are currently working on a report that details the impacts 
>of wildcards at the TLD level, and elsewhere as appropriate.
>
>I would like to request that you restrict your comments to actual
>operational issues. That will help ensure that they get due
>consideration. We're most interested in issues related to things
>that worked before, but don't now; and particularly interested in
>non-obvious cases. Of course, if you have other points of interest on
>this topic, we're all ears.
>
>The e-mail address for your feedback is secsac-comment@icann.org.

To: secsac-comment@icann.org
Subject: Re: ICANN RFC regarding Verisign's TLD wildcard A records

  1) The new wildcard A records have broken an important component
  of our spam filters.  The time spent dealing with these unsolicited
  emails, and attempting to maintain effective filters, has been
  substantial.

  2) This change has also broken several of the software applications
  we use for domain management, security auditing, and reporting
  spam and network abuse.

  3) Many of the query strings captured by sitefinder.verisign.com
  were not intended to be accessible by third parties.  They contain
  usernames, passwords, session and encryption keys, even business
  plans and other confidential information which is all too easily
  warehoused and parsed for economic espionage.  End users have
  (had) a reasonable expectation that these URL strings would remain
  private to their local computers and a remote web server.

  4) Such large-scale changes to a critical resource such as DNS,
  without public discussion, notification, or pilot testing,
  illustrates Verisign's excessive risk tolerance, lack of technical
  competence, and disregard for established standards.

That said, the best way to prevent the root server wildcard problem
from occurring in the future would be to:

  A) restrict root server operators from replying to queries with
  anything other than NXDOMAIN or NS records,

  B) restrict root server operators from making any changes whatsoever
  without prior public discussion and ICANN approval, and

  C) enjoin Verisign and other DOC contract-holders from acting as
  both a root operator and registrar, or whois operator and registrar,
  or whois operator and root operator, or any other similar conflict
  of interest.

This latest incident should not be considered separately from
Verisign's other abuses of the public trust:

  D) by arbitrarily restricting domain owners' ability to change
  registrars at will, free from anti-competitive time frames or
  other non-technical considerations,

  E) by illegally holding expired domains.  Expired domains are
  public property and should not be "held" by any entity much less
  a registrar, and finally

  F) by Verisign's changing the format of replies to whois queries
  at will.

The fundamental problem is that ICANN and the US Department of
Commerce have failed to enact reasonable regulations to protect the
public interest.  This is how Verisign has come to consider themselves
free to enact such a cornucopia of self-serving, consumer-averse
policy changes, few of which have any technical merit.

I sincerely hope ICANN considers this most recent incident as the
proper occasion to close these regulatory loopholes and end all
contracts with Verisign and its subsidiaries, if not for the public
trust then for the social and economic interests which depend on a
secure and reliable Internet.

Sincerely,
-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
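Point 1 of the post describes a spam filter that relied on NXDOMAIN for non-existent sender domains and stopped working once the TLD wildcard made every name resolve. The following is an added example, not code from the original post or from Roble Systems, showing the usual defensive workaround: probe the sender's TLD with a random label that cannot be registered, and if that probe resolves, treat any domain whose A records equal the synthesized answer as non-existent. The resolver is a constructed in-memory stub so the script runs offline; the zone names and the wildcard address 192.0.2.1 are constructed sample data, not Verisign's, and `lookup` would be replaced by a real DNS client in practice.

```python
"""
Restore "does this domain really exist?" semantics for a mail filter
when a TLD publishes a wildcard A record.  Added example; the zone data
and addresses below are constructed, and stub_lookup stands in for a
real resolver (it is an assumption that your DNS client returns a list
of A records or None for NXDOMAIN).
"""
import secrets

# Constructed zone data: one TLD with a wildcard and one real domain,
# and one TLD that behaves normally (returns NXDOMAIN for unknown names).
FAKE_ZONES = {
    "example-tld": {
        "*": ["192.0.2.1"],               # synthesized wildcard answer
        "real-domain": ["198.51.100.10"],
    },
    "plain-tld": {
        "mail-host": ["203.0.113.5"],
    },
}


def stub_lookup(name):
    """Return the A records for name, or None to emulate NXDOMAIN."""
    label, _, tld = name.rstrip(".").rpartition(".")
    zone = FAKE_ZONES.get(tld)
    if zone is None:
        return None
    if label in zone:
        return list(zone[label])
    if "*" in zone:
        return list(zone["*"])          # wildcard matches any other label
    return None


def wildcard_answer(tld, lookup):
    """Probe a random, unregistrable label under the TLD.

    A non-empty answer means the TLD is synthesizing A records; the
    answer set is returned so callers can recognise it.  Returns None
    when the TLD still answers NXDOMAIN for unknown names.
    """
    probe = f"nx-{secrets.token_hex(8)}.{tld}"
    return lookup(probe)


def domain_exists(domain, lookup=stub_lookup):
    """True only if the domain has A records distinct from the TLD wildcard."""
    records = lookup(domain)
    if not records:
        return False                    # genuine NXDOMAIN or empty answer
    tld = domain.rstrip(".").rpartition(".")[2]
    synthesized = wildcard_answer(tld, lookup)
    if synthesized and set(records) == set(synthesized):
        return False                    # answer came from the wildcard
    return True


def accept_sender(address, lookup=stub_lookup):
    """Mail-filter hook: accept only senders whose domain really exists."""
    _, _, domain = address.rpartition("@")
    return domain_exists(domain, lookup)


if __name__ == "__main__":
    for addr in ("user@real-domain.example-tld",
                 "spammer@bogus.example-tld",
                 "ops@mail-host.plain-tld",
                 "nobody@unknown.plain-tld"):
        print(addr, "->", "accept" if accept_sender(addr) else "reject")
```

In production the probe result should be cached per TLD rather than re-queried for every message, and the check has a known blind spot: a legitimate domain whose A record happens to equal the wildcard target is misclassified as non-existent, which is exactly why the post argues that the fix belongs at the TLD (answering NXDOMAIN) and not in every consumer's filter.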


