David McGuire's VeriSign article from 10/4/03 Page E01

An open letter to the Ombudsman at the Washington Post

Please also forward to David McGuire

I would like to correct some errors of fact and some potentially erroneous
perceptions conveyed in Mr. McGuire's article. I would appreciate it if
the Washington Post would correct these in a subsequent article.


1. There is no reason to believe that turning off the wildcard
  records in the DNS is a temporary move. ICANN has said that
  if there is significant evidence that these changes are not
  doing harm to the internet (they most definitely are), they
  would consider making changes to allow them to be turned back on.

2. Verisign initiated the changes without notice to ICANN, IETF,
  or the community at large. ICANN is, essentially, the top-level
  authority in such matters. IETF is the body entrusted with the
  engineering, design, and specifications development for the
  internet through the RFC process.

3. Verisign was politely asked to stop breaking the internet by
  ICANN quite some time before this demand letter. Verisign
  chose to refuse that request.


1. Verisign changed the behavior of a critical component of Internet
  infrastructure without hearing, notice, or even a heads up to
  the community until after it was implemented and the public
  outcry began. ICANN, while not holding a formal hearing prior
  to this action, did solicit community input and review from the
  various organizations responsible for these issues. ICANN has
  not asked Verisign to change a functional part of the internet,
  but, to undo the changes Verisign made without hearing. This
  is not unreasonable and shouldn't require a hearing process that
  the changes didn't go through in the first place.

2. This is just the latest in a string of abuses by Verisign of
  their position in control of these aspects of the namespace.

3. The engineers and scientists you refer to as a close-knit group
  are anything but. We are a very diverse group of people from
  an even more diverse set of geographies. There are a number of
  different organizations which contain various fragments of this
  group, but, to my knowledge, not a single one which contains all
  of us. In general, our agendas are so diverse that we have
  tremendous trouble coming to consensus on even basic things such
  as the minimum IP allocation boundary.

  In reality, this move angered virtually everyone running any
  operational part of the Internet. This is the most united
  I have _EVER_ seen the operational portion of the Internet

Some further information for your consideration:

1. The Site Finder service isn't about helping lost internet users.
  It's about hijacking typos for profit. Verisign is trying to
  line its profits while preventing others from providing similar

  Currently, an ISP can capture NXDOMAIN responses at the resolver
  level and, (although few do, and, most would think this was as
  bad as Verisign's move), redirect it to their own error handling
  servers. Even if an ISP does this, however, users have the option
  of configuring other resolvers to get their DNS services from.

  With Verisign placing these wildcards in the top-level zone files
  they have disabled this NXDOMAIN functionality for everyone.
  This prevents mail servers from verifying that a sender domain
  (or even a recipient domain) even actually exists (they all do
  according to DNS with the wildcard).

2. Verisign can claim that the claims are overblown all they want.
  They are actually mostly understated. Verisign had no right
  to make this change to critical infrastructure which they are
  operating in the public trust. The key problem here is that
  Verisign seems to think they own that and it is theirs to do
  with as they wish. The reality is that it is held in the public
  trust by ICANN and its stewardship is contracted out to Verisign.

3. The statement that there is no data to indicate the core operation
  of DNS or the stability of the Internet has been adversely affected
  is a very carefully chosen set of words. While it is technically
  true, it creates a very different impression from what it actually
  says. The impression it intends to create is that there is no
  evidence that this broke anything. In fact, it broke quite a number
  of things. It did not break DNS per se, but, it did change one
  functional aspect of DNS in a way that was incompatible with
  existing systems implementations (it didn't break DNS, but, it
  broke several things that depend on DNS). The "stability of
  the internet" can be said to relate specifically to the ability
  to forward packets from one host to another. While it didn't
  impact this ability, it did affect a number of applications
  in an adverse manner.

4. ICANN is using anecdotal and isolated issues -- This is a most
  specious claim. ICANN is using real reports of real damage to
  functioning systems on the internet from real operators of those
  facilities. Sure, that's anecdotal, but, it's also anecdotal
  if a patient tells a doctor on the phone that his wrist has been
  cut and he is bleeding profusely. No rational doctor would tell
  this patient not to call an ambulance. No rational person
  in ICANN's position would not tell Verisign to undo this change
  post haste.

5. Verisign's claim that this is an attempt to regulate non-registry
  services is also untrue. The contents of the DNS zone files for
  the top level .com and .net zones are very much a registry service.
  Placing stuff in there that does not serve the public trust for
  which those files are contracted is very much a non-registry service,
  and, such things don't belong in those zone files. ICANN does not
  care what non-registry services Verisign wants to provide. ICANN
  does care about damaging pollution being added to the DNS namespace
  by the company entrusted as a registry to manage that namespace.
  ICANN's right to regulate that is anything but dubious, and, Verisign's
  claims that it is dubious are an obvious attempt to hijack this power
  for yet more abuse of their contract privileges. The issues are
  not isolated, they are widespread.

In summary, I ask you to print an appropriate update to the facts of Mr.
McGuire's piece. I ask you to check your facts and examine the situation
better in order to present a less biased approach to stories about the
internet in the future. I realize that because the internet operational
community is so diverse it is hard to find a "spokesman". I also understand
that it is easy to find the chosen spokesperson for Verisign. However,
I believe that as reporters, especially for an institution like the
Washington Post, you have an obligation to put in the effort to find a
sampling of communities that have no designated spokespeople so that
you can get their side of the story as well. In short, I don't think
Mr. McGuire's biases in this article are the result of malice, but, I
think they demonstrate a certain amount of laziness and nonfeasance of
his journalistic responsibilities.


Owen DeLong

P.S. The other email address I sent this to is a list which contains some
portion of the North American Operations community. It might be a good
resource for further comment/investigation on these issues.
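
An added example, not part of the letter above: its point that a wildcard in the top-level zone keeps mail servers from verifying that a sender domain exists, modeled offline in Python. The zone data, the addresses (documentation ranges), and all function names are constructed for illustration; the resolver is a simulation and only A-record lookups are modeled.

```python
import secrets

# Constructed toy zone data, not real registrations (RFC 5737 addresses).
REGISTERED = {"example.com": "192.0.2.10", "mail-sender.com": "192.0.2.25"}
WILDCARD_TARGET = "198.51.100.1"  # hypothetical address a TLD wildcard returns


def make_resolver(wildcard):
    """Simulate A lookups in .com, with or without a wildcard record."""
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in REGISTERED:
            return REGISTERED[name]
        if wildcard and name.endswith(".com"):
            return WILDCARD_TARGET  # every unregistered name now "exists"
        return None  # None models an NXDOMAIN response
    return resolve


def naive_sender_check(domain, resolve):
    """Pre-wildcard mail server logic: accept if the domain resolves at all."""
    return resolve(domain) is not None


def wildcard_targets(tld, resolve, probes=3):
    """Look up random labels that are almost certainly unregistered.

    Without a wildcard they all return NXDOMAIN; any address that comes
    back is the wildcard's answer.
    """
    answers = set()
    for _ in range(probes):
        answer = resolve(f"x{secrets.token_hex(16)}.{tld}")
        if answer is not None:
            answers.add(answer)
    return answers


def wildcard_aware_sender_check(domain, resolve):
    """Treat an answer equal to the wildcard's answer as 'does not exist'.

    Caveat: a genuine domain hosted on the wildcard's address is rejected too.
    """
    answer = resolve(domain)
    if answer is None:
        return False
    tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
    return answer not in wildcard_targets(tld, resolve)
```
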