Verisign Responds

http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm

I quote:

] As to your call for us to suspend the service, I would respectfully
] suggest that it would be premature to decide on any course of action
] until we first have had an opportunity to collect and review the
] available data.

One would think it would be equally premature to roll out the service
without first asking the appropriate people for their opinion,
starting with ICANN.

Looks like the lawsuits are going to be the ones to settle this
dispute...anyone think there's a chance of ICANN pulling .COM and .NET
from Verisign due to breach of contract? I think it's highly unlikely.

Even better,

<start quote>
All indications are that users, important members of the internet community we all serve, are benefiting from the improved web navigation offered by Site Finder
<end quote>

This reminds me of the Iraqi Information minister and his lunatic counterfactual arguments.... All indications indeed!

         ---Mike

<start quote>
All indications are that users, important members of the internet community
we all serve, are benefiting from the improved web navigation offered by
Site Finder
<end quote>

"The Americans are committing suicide!"
:: American bomb falls in the background ::

-hc

> ] As to your call for us to suspend the service, I would respectfully
> ] suggest that it would be premature to decide on any course of action
> ] until we first have had an opportunity to collect and review the
> ] available data.
>
> One would think it would be equally premature to roll out the service
> without first asking the appropriate people for their opinion,
> starting with ICANN.
>
> Looks like the lawsuits are going to be the ones to settle this
> dispute...anyone think there's a chance of ICANN pulling .COM and .NET
> from Verisign due to breach of contract? I think it's highly unlikely.

Oh, I dunno... ICANN has no teeth, so that won't happen.

Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it.

Of course... Verisign's comments tend to remind one of "There are no Americans in Baghdad!"

As I said over the weekend: ICANN has requested that Verisign remove the wildcards in .com and .net. So what you're basically saying here is: that ain't gonna happen. Correct?

Then I got flamed... hmmmmm

Carnac is ready for the next answer

ISC has made root-delegation-only the default behaviour in the new bind,
how about drafting up an RFC making it an absolute default requirement for
all DNS?

-Dan

> ISC has made root-delegation-only the default behaviour in the new bind,

actually, though, we haven't, and wouldn't (ever). the feature is present
but must be explicitly enabled by a knowledgeable operator to have effect.

> how about drafting up an RFC making it an absolute default requirement
> for all DNS?

this is what the icann secsac recommendation...

  Message from Security and Stability Advisory Committee to ICANN Board - ICANN

...says that ietf/iab should look into:

        We call on the IAB, the IETF, and the operational community to
        examine the specifications for the domain name system and consider
        whether additional specifications could improve the stability of
        the overall system. Most urgently, we ask for definitive
        recommendations regarding the use and operation of wildcard DNS
        names in TLDs and the root domain, so that actions and expectations
        can become universal. With respect to the broader architectural
        issues, we call on the technical community to clarify the role of
        error responses and on the separation of architectural layers,
        particularly and their interaction with security and stability.

and it does seem rather urgent that if a wildcard in the root domain or in
a top level domain is dangerous and bad, that the ietf say so out loud so
that icann has a respected external reference to include in their contracts.

The IAB has done an excellent job with
http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html.
I quote:

"...
Proposed guideline: If you want to use wildcards in your zone and
understand the risks, go ahead, but only do so with the informed consent
of the entities that are delegated within your zone.

Generally, we do not recommend the use of wildcards for record types
that affect more than one application protocol. At the present time,
the only record types that do not affect more than one application
protocol are MX records.

For zones that do delegations, we do not recommend even wildcard MX
records. If they are used, the owners of zones delegated from that zone
must be made aware of that policy and must be given assistance to ensure
appropriate behavior for MX names within the delegated zone. In other
words, the parent zone operator must not reroute mail destined for the
child zone without the child zone's permission.

We hesitate to recommend a flat prohibition against wildcards in
"registry"-class zones, but strongly suggest that the burden of proof in
such cases should be on the registry to demonstrate that their intended
use of wildcards will not pose a threat to stable operation of the DNS
or predictable behavior for applications and users.

We recommend that any and all TLDs which use wildcards in a manner
inconsistent with this guideline remove such wildcards at the earliest
opportunity."

What else does the IETF need to do here?

This should be enough of an expert opinion for ICANN and others
like the US DoC in the short term. Verisign have realised that and
are talking about a (so far vapour) expert panel to counter that.
I wonder about its composition .....

Daniel
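Two points in this thread can be checked against a small model: Paul's note that BIND's delegation-only behaviour exists but does nothing until an operator switches it on, and the IAB's guideline that a wildcard in a delegating zone reaches every name the zone does not otherwise know about, for every record type the wildcard carries. The block below is an added example written for this page, not code from ISC, the IAB, Verisign or any poster. The zone contents are constructed, and `delegation_only()` is a simplified model of the resolver-side filter the thread describes, not BIND's implementation.

```python
"""Toy model of DNS wildcard synthesis (RFC 1034 section 4.3.3) and of a
resolver-side delegation-only filter.  Added example; zone data constructed."""

NXDOMAIN = "NXDOMAIN"   # name does not exist
NODATA = "NODATA"       # name exists, but has no record of the queried type


def labels(name):
    """'www.example.com' -> ('com', 'example', 'www'): TLD first, so an
    ancestor of a name is simply a prefix of its label tuple."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


class Zone:
    """An authoritative zone: records keyed by owner name, '*' as wildcard."""

    def __init__(self, apex, records):
        self.apex = labels(apex)
        self.records = {labels(n): rrs for n, rrs in records.items()}
        # Every name that exists in the zone, including empty non-terminals
        # (ancestors of record owners that have no records of their own).
        self.names = set()
        for n in self.records:
            for i in range(len(self.apex), len(n) + 1):
                self.names.add(n[:i])
        # A name below the apex that carries NS records is a zone cut.
        self.delegations = {n for n, rrs in self.records.items()
                            if "NS" in rrs and n != self.apex}

    def lookup(self, qname, qtype):
        name = labels(qname)
        if name[:len(self.apex)] != self.apex:
            raise ValueError("name not in zone")
        # At or below a zone cut we refer to the child; a wildcard in the
        # parent never applies inside a delegated child.
        for cut in self.delegations:
            if name[:len(cut)] == cut:
                return ("REFERRAL", self.records[cut]["NS"])
        if name in self.names:
            rrs = self.records.get(name, {})
            return ("ANSWER", rrs[qtype]) if qtype in rrs else (NODATA, None)
        # Closest encloser = longest existing ancestor.  If it has a '*'
        # child, synthesize from it; otherwise the name does not exist.
        for i in range(len(name) - 1, len(self.apex) - 1, -1):
            if name[:i] in self.names:
                rrs = self.records.get(name[:i] + ("*",), {})
                if not rrs:
                    return (NXDOMAIN, None)
                return ("ANSWER", rrs[qtype]) if qtype in rrs else (NODATA, None)
        return (NXDOMAIN, None)


def delegation_only(zone, qname, qtype):
    """Simplified model of a delegation-only filter: anything from the zone
    that is not a referral (or the apex's own records) becomes NXDOMAIN, so
    data synthesized by a TLD wildcard is discarded before an application
    sees it.  This is the resolver operator's choice, not the default."""
    status, data = zone.lookup(qname, qtype)
    if status == "REFERRAL" or labels(qname) == zone.apex:
        return status, data
    return (NXDOMAIN, None)


# Constructed TLD with a Site Finder-style wildcard A record (192.0.2.1 is
# documentation address space).  Only one real delegation is modelled.
COM_WILDCARD = Zone("com", {
    "com": {"NS": ["a.gtld.constructed."]},
    "example.com": {"NS": ["ns1.example.com."]},
    "*.com": {"A": ["192.0.2.1"]},
})

# The same TLD without the wildcard, for comparison.
COM_PLAIN = Zone("com", {
    "com": {"NS": ["a.gtld.constructed."]},
    "example.com": {"NS": ["ns1.example.com."]},
})

# A leaf zone using the one pattern the IAB guideline tolerates: a wildcard
# that carries only MX, and therefore touches only mail.
LEAF_MX = Zone("example.org", {
    "example.org": {"NS": ["ns1.example.org."], "MX": ["10 mail.example.org."]},
    "*.example.org": {"MX": ["10 mail.example.org."]},
})


def summary():
    """Side-by-side results a practitioner would want to see."""
    return {
        # Every record type the wildcard carries answers for every unknown name.
        "typo A, wildcard TLD": COM_WILDCARD.lookup("nosuchname.com", "A"),
        # ...but a wildcard carrying only A gives NODATA for MX, which is
        # exactly what makes mail fall back to the A record.
        "typo MX, wildcard TLD": COM_WILDCARD.lookup("nosuchname.com", "MX"),
        "typo A, plain TLD": COM_PLAIN.lookup("nosuchname.com", "A"),
        "delegated name": COM_WILDCARD.lookup("www.example.com", "A"),
        "typo A, delegation-only": delegation_only(COM_WILDCARD, "nosuchname.com", "A"),
        "leaf MX wildcard": LEAF_MX.lookup("anything.example.org", "MX"),
        "leaf MX wildcard, A": LEAF_MX.lookup("anything.example.org", "A"),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:28s} {v}")
```

The model makes the IAB's distinction concrete: the leaf zone's MX-only wildcard changes nothing for A lookups, while the TLD's A wildcard answers for every unregistered name and turns NXDOMAIN into a live address, and the delegation-only filter only helps on resolvers whose operators have turned it on.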

Daniel Karrenberg wrote:

> What else does the IETF need to do here?

Recognize the legacy status of certain zones and establish strict
criteria for making configuration changes to them. This would
be in addition to any guidance for all zones with delegations.

KL