FYI. Sent yesterday:

Submission by the London Internet Exchange to the ICANN Security and Stability
Advisory Committee Regarding Verisign's Deployment of Wildcard DNS Records

The London Internet Exchange (LINX) is Europe's largest Internet exchange point.
Owned mutually by nearly 140 member Internet Service Providers and Content
Services Providers, LINX members carry the overwhelming majority of Internet
traffic within the United Kingdom. Most of the Internet traffic exchanged
between ISPs within the UK by public peering is passed across the LINX.

LINX is concerned about Verisign's insertion of wildcard records into the .com
and .net zones, and about the use of these wildcards to direct traffic that
would otherwise have resulted in a "no domain" response to Verisign's own hosts.

LINX views the DNS tree as extremely important to the smooth operation of
Internet services: anything that damaged confidence in the integrity and unified
nature of the DNS tree would be very unfortunate.

LINX is concerned that Verisign's actions may undermine confidence in the DNS.
In particular, LINX fears that individual networks may implement workarounds to
avoid the effect that Verisign is seeking to create, and that this could result
in reduced confidence in the DNS system continuing as a single coherent tree.
Once the prospect of DNS resolvers choosing not to honour the DNS tree appears
we have to consider the possibility of further fragmentation of the DNS through
individual networks suborning the Domain Name System in order to pursue other
commercial or policy interests.

Another avenue of concern lies in the area of respecting end user privacy. While
we take note of and welcome Verisign's assurances that they are not logging
traffic to its mail servers, end users around the world are forced to rely on
the promise offered by a commercial entity operating in a single national
jurisdiction. The United States does not share the same data protection laws
offered in some other countries, and most end users would have no practical or
legal recourse if Verisign were to fail to adhere to its policy, either for its
own purposes or for those of the relevant legal authorities. There is therefore
a powerful argument that end users should not have to take the promise not to
retain private data on trust.

In contrast to these concerns, there is Verisign's own interest in preserving
its freedom of action and ability to pursue its commercial success. We are not
persuaded that in this case Verisign's private interests outweigh the
considerable public concerns that have been expressed by LINX and others on
behalf of the wider Internet community.

The longer term implications of such DNS fragmentation are directly relevant to
the stability of Internet service, and thus to the work of ICANN's Security and
Stability Advisory Committee. We believe that these implications would be quite
regrettable, and that it is appropriate to take steps to ensure that this does

LINX endorses the statement of the Internet Architecture Board and recommends
that Verisign is asked to remove the wildcard records it has inserted in the
.com and .net zones.