[[IP] VeriSign to revive redirect service]

Ouch.

I'm not going to be at NANOG in Chicago next Monday (October 20th), but if I were, I'd be in the foyer Monday morning with a few crates of tomatoes, selling individual tomatoes.

If everyone who attends NANOG goes to the 9:15 session on Monday morning

<http://www.nanog.org/mtg-0310/dns.html>

and takes a single large tomato into the session with them, this will make a VISIBLE sign to Verisign. It will make for a great photo opportunity, and turn this issue into something that the ordinary press can more easily explain to the non-technical Internet-using masses. I also suggest that people wear red shirts on Monday. Enable the press to write about how Network Operators obviously and visibly *demonstrated* their unhappiness with Verisign. Try "Network Operators are seeing Red over Sitefinder" or "Verisign gets pelted with tomatoes over Sitefinder" as a headline. Note: I'm not actually suggesting that people pelt Verisign representatives with the tomatoes, you could just individually walk up to the front of the room and put your tomatoes in a pile where they can be seen. A pile of 500 tomatoes that are brought there individually, each tomato representing the opinion of a NANOG participant, *will* make an impact.

jc

I like it. I'm game.

Owen

lots of misconceptions here today. declan, you ought to pay closer attention.
verisign didn't say at the meeting yesterday that they were planning to revive
the redirect service, in fact they used the term "if or when" when describing
their plans in that area. furthermore they did not commit to a notification
period, they only pointed out that 60 to 90 days notice seemed reasonable "if
or when" the service was reenabled. check the icann site for transcripts.

but wait, it gets better:

> If everyone who attends NANOG goes to the 9:15 session on Monday morning
> and takes a single large tomato into the session with them, this will
> make a VISIBLE sign to Verisign.

no, it really won't. straton sclavos' statements about "technical zealots"
mean that anything nanog en masse might do has been pre-label-engineered.
if anything, bringing a pile of tomatoes would just make his point for him,
helping to convince the press that only fringe-dwelling pinko loonies have
any disagreement with the sitefinder redirection effort. my advice: *don't*.

wait, wait, don't tell me:

> To change this: what else can we do to prevent this? Does the last BIND
> version truly break sitefinder?

in my last conversation with a verisign executive, i learned that there is a
widely held misconception that the last BIND patch truly breaks sitefinder,
and now here you go proving it. the last BIND patch adds a feature, whose
default is OFF, that can make non-delegation data from specified domains
disappear (or in other cases, non-delegation data from non-specified tld's.)
let me just emphasize that the default is OFF. BIND doesn't break sitefinder;
nameserver administrators break sitefinder. be mindful of that difference!

hit D now if you're bored, because i'm still not done:

> ... I have got to ask just one question. Can these people at Verisign
> really think that they know better than all of the real experts that have
> worked with/on the DNS over the years. It seems rather silly to assume
> that a few people have more knowledge than the collective community.

silly or not, they actually do believe it. verisign positions itself, both
in high level discussions with government and security and financial agencies,
and in its edgar filings, as being the major brain trust for DNS expertise.
(otoh, exodus and abovenet both said the same thing about their BGP expertise
so perhaps this is just how things go for publicly traded companies.)

just one more thing:

> While I agree that handling of NXDOMAIN needs to improve, such handling
> must be done by the application. Popular browsers have already started ...

i think i agree with where this was going, but it would be a fine thing if
we all stop calling this NXDOMAIN. the proper term is RCODE 3. when you say
NXDOMAIN you sound like you've only read the BIND sources and not the RFC's.
NXDOMAIN is a BINDism, whereas RCODE 3 refers to the actual protocol element.

Good writeup Paul.

<SNIP>

> To change this: what else can we do to prevent this? Does the last BIND
> version truly break sitefinder?

> in my last conversation with a verisign executive, i learned that there is a
> widely held misconception that the last BIND patch truly breaks sitefinder,
> and now here you go proving it. the last BIND patch adds a feature, whose
> default is OFF, that can make non-delegation data from specified domains
> disappear (or in other cases, non-delegation data from non-specified tld's.)
> let me just emphasize that the default is OFF. BIND doesn't break sitefinder;
> nameserver administrators break sitefinder. be mindful of that difference!

Paul, you've just bought into the Verisign propaganda here.

The BIND modification does NOTHING to break Sitefinder. One can still go to
http://sitefinder.verisign.com/ and use the web page without any interference
from BIND. What the latest release does is to break the redirection of
RCODE 3 to http://sitefinder.verisign.com/. It is just semantics, but
there is a HUGE difference.

Verisign can get people to start using the Sitefinder web site in any
number of ways which don't affect other applications. These methods
have been noted here and elsewhere (web browser plugins, advertising of
the site, make it better than anything else and they will come, ...).

Verisign's Sitefinder is NOT a TLD web site but they are trying to
make it one.

bye,
ken emery

p.s. I just went to sitefinder.verisign.com and it took forever to load.
I assume that loads are down on this service so I can't understand why
it would take so long to load the page. If this is the type of service
Verisign is going to offer they will surely be inviting workarounds
solely because things suck.

i just got done reading http://news.com.com/2008-7347_3-5092590.html,
so now at least i know why my phone was ringing so much earlier today.

anyway, ken@cnet.com (ken emery) quotes me as saying...

> let me just emphasize that the default is OFF. BIND doesn't break
> sitefinder; nameserver administrators break sitefinder. be mindful of
> that difference!

and then adds:

> Paul, you've just bought into the Verisign propaganda here.
>
> The BIND modification does NOTHING to break Sitefinder. One can still go
> to http://sitefinder.verisign.com/ and use the web page without any
> interference from BIND. What the latest release does is to break the
> redirection of RCODE 3 to http://sitefinder.verisign.com/. It is just
> semantics, but there is a HUGE difference.

ken is right and i apologize for the confusion. most of the early patches
to bind8 and djbdns that i saw were dependent on the sitefinder address, and
as such, would have enabled nameserver administrators to break _sitefinder_.
isc's patches for bind9 enable nameserver administrators to break only the
_redirection_ to sitefinder.
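
Added example (not part of the thread and not ISC's code): a simplified Python model of the resolver-side filter discussed above, in which non-delegation data from an operator-specified zone is discarded and the reply becomes RCODE 3. The function names, the tuple record format and the sample names and address are assumptions made for illustration; real resolvers work on wire-format messages and apply more checks.

```python
# Simplified model of a resolver-side "delegation-only" filter.
# Records are (owner, type, data) tuples, not wire-format DNS.
RCODE_NOERROR, RCODE_NAME_ERROR = 0, 3   # RCODE 3 is what the list calls NXDOMAIN

def norm(name):
    return name.lower().rstrip(".")

def strictly_below(name, zone):
    return norm(name).endswith("." + norm(zone))

def filter_response(qname, resp, zone, delegation_only=False):
    """Return the response the resolver will act on.

    delegation_only defaults to False, matching the default-OFF behaviour
    described in the thread: the operator has to turn it on per zone.
    """
    if not delegation_only or resp["rcode"] != RCODE_NOERROR:
        return resp
    if norm(qname) == norm(zone):            # apex data (SOA, NS) is allowed
        return resp
    for owner, rtype, _ in resp["authority"]:
        # A referral: NS records owned by a child of the zone that covers qname.
        if rtype == "NS" and strictly_below(owner, zone) and (
                norm(qname) == norm(owner) or strictly_below(qname, owner)):
            return resp
    # Anything else from this zone is non-delegation data: drop it, answer RCODE 3.
    return {"rcode": RCODE_NAME_ERROR, "answer": [], "authority": []}

# Constructed sample responses from a TLD server (192.0.2.1 is a documentation address).
WILDCARD = {"rcode": RCODE_NOERROR,
            "answer": [("no-such-name.com", "A", "192.0.2.1")],
            "authority": [("com", "NS", "a.gtld-servers.net")]}
REFERRAL = {"rcode": RCODE_NOERROR, "answer": [],
            "authority": [("example.com", "NS", "ns1.example.net")]}

if __name__ == "__main__":
    for label, q, r in [("wildcard", "no-such-name.com", WILDCARD),
                        ("referral", "www.example.com", REFERRAL)]:
        for on in (False, True):
            out = filter_response(q, r, "com", delegation_only=on)
            print(label, "delegation_only=%s" % on, "rcode", out["rcode"],
                  "answers", len(out["answer"]))
```

The filter never looks at the address in the synthesized answer, so it affects only the wildcard response from the zone and not the web site the wildcard points to.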

But aren't we back at the same argument we had a few weeks ago about what is
SiteFinder?

Some people argue SiteFinder is the thing at sitefinder.verisign.com and,
hence, is different from the wildcard that points to it. So your patch
breaks the redirection (and personally, I shudder at calling an A record
redirection, but perhaps that's a bias from years in the DNS business with
customers who throw that word around in all kinds of inappropriate contexts)

Others, like myself, would argue that SiteFinder is VeriSign marketing's
brand name for the wildcard record and the thing it points to. With that
definition, the ISC patch does break SiteFinder...

Vivien

Paul Vixie wrote:

> > While I agree that handling of NXDOMAIN needs to improve, such handling must be done by the application. Popular browsers have already started ...
>
> i think i agree with where this was going, but it would be a fine thing if
> we all stop calling this NXDOMAIN. the proper term is RCODE 3. when you say
> NXDOMAIN you sound like you've only read the BIND sources and not the RFC's.
> NXDOMAIN is a BINDism, whereas RCODE 3 refers to the actual protocol element.

Sorry, Paul. I have gotten too used to seeing the BINDism on-list. You will find that most of my speech matches that of those I'm talking to. It cuts down on miscommunication and confusion. Please see fit to report me to RFC-ignorant for not using the proper RFC terminology. :)

-Jack

NXDOMAIN *was* a BINDism (you do not find it in RFC 1035) but it is now, not
only a very common way to describe RCODE 3, but also a word you can find in
RFC. Check 1536, 2136, 2308 and 2535.