David McGuire article on Verisign 10/4/2003

Let me begin with appropriate disclaimers and identifiers. While in college in 1966-1967, I was a part-time science writer for The Washington Post, so have some familiarity with the news process. At the present time, I am an independent consultant in networking and medical computing, with experience including Internet operational design. With respect to the latter, I have four published books, including one on ISP design: _Building Service Provider Networks_ (Wiley). I am a participant in the Internet Engineering Task Force and North American Network Operators' Group. I have no financial interest in Verisign or its competitors.

My concern is first with journalistic balance with respect to sources, and second with technical inaccuracy. The article quotes a Verisign executive, as well as an executive of a firm with a commercial offering similar to Verisign's Sitefinder process. In contrast, the Post cited "the close-knit group of engineers and scientists who are familiar with the technology underpinning the Internet" without naming a single name of an acknowledged expert on the Domain Name System, the Internet function that translates human-oriented names to computer-oriented Internet addresses. It would be simple to find recognized professionals with no financial interest in the type of redirection from Verisign and Paxfire.

Balanced reporting should cover both sides of the story. There are a great may individuals and firms that were adversely affected by Verisign's action, and considerable sentiment in the worldwide Internet engineering community that the Verisign action was technically unsound, and in a manner that can be demonstrated objectively, interfered with the normal operations of the Internet.

While I wouldn't quite call the article a Verisign press release, I'm appalled either that Mr. McGuire failed to obtain opinion from independent, financially disinterested individuals, or, alternatively, that the editorial staff removed such material.

Let me summarize some of the major operational concerns, and not get into the governance issues between Verisign and ICANN. Strong arguments can be made that adding the wildcard (i.e., that which causes any undefined domain to be redirected to Sitefinder) to .com and .net breaks the operational and even protocol aspects of DNS. A great many network security tools, especially spam filters, depend on checking if domains are undefined. There is a specific DNS protocol message for undefined domain, which the wildcard defeats.

Beyond security, the wildcards have an indirect effect of potentially slowing electronic mail or causing it to be dropped. One thing that Verisign seemed not to consider is that the Internet is more than the Web, and mail agent redirection to Sitefinder provides absolutely no value to the mail-using Netizen.

Here's the problem. Let's say I misaddress a piece of mail to foo.com, which I shall assume is a nonexistent domain. When an ISP first tries to deliver it without the DNS wildcards, when it discovers there is no such domain, it will treat that as an error, usually returning the mail to sender with an appropriate error message.

With wildcards, however, an unmodified SMTP agent will get back an address (Sitefinder) and try to set up a SMTP session with it. At best, it will discover that Sitefinder does not support mail exchange and treat the message as undeliverable, again returning it.

It's more likely, however, that the SMTP software will decide that since it can find foo.com (with sitefinder's address), a temporary error is interfering with delivery. It will requeue the message for retry. Typically, mail agents try to redeliver for several days, and may or may not return intermediate warning messages.

We now have the effects:

       --ANY mail to an incorrectly spelled name gets added to the outgoing
         mail queue for retry, increaasing queue length. Doing so:

             -- slows down mail delivery due to the need for repeatedly
                processing mail that will never be delivered
             -- consumes queue storage resources and increases ISP costs,
                which may be passed on to the end user

       --Inconveniencing the user, who, if they received a prompt error
         notification, might discover they spelled an address incorrectly
         and simply need to correct the message and resend it. With the
         wildcards, days may elapse before the sender even knows there
         is a problem.