Verisign vs. ICANN

Stephen J. Wilcox (SJW) wrote:

I do not believe there is any technical spec prohibiting this,
in fact that DNS can use a wildcard at any level is what enables
the facility.

It is not always the case that everything a spec defines, is included
or enumerated in the spec, particularly when specs refer to other specs
and it is the combination(s) of specs which define proper behaviour.

(If every protocol which was built on TCP, had to also include the contents
of the TCP spec, the whole RFC system would quicly collapse under its own

I think this is a non-technical argument…
altho it was demonstrated that owing to the age and status of the com/net
zones a number of systems are now in operation which make
assumptions about the response in the event of the domain not existing…

If it were merely an internal issue within the DNS system, perhaps there
would be areas of disagreement which could be settled via either extending,
or clarifying, the relevant RFCs. However, the issue is, to some degree,
actually outside of the proper scope of the DNS lookup/resolver system.
(see below…)

The technical roots of the problem are: proposed services VIOLATES
internet specification (which is 100% clean - if name do not exist,
resolver must receive negative response).
So, technically, there is not any ground for SiteFinder - vice versa

To make Alexei’s argument’s syntax agree with the intended semantics:

He means to say, "Technically, there is no grounds for implementing SiteFinder
by means of inserting wildcards to the .com and .net zones. Rather, there
are specific grounds for not inserting wildcards, regardless of the purpose
of those wildcards, in .net and .com zones.

(E.g.: in contrast with .museum zone, which is generally special-purpose,
and for which assumptions about which services are expected (www only)
are reasonable and valid, the .com and .net zone are general-purpose,
and pretty much any service, including all assigned values for TCP and UDP
ports from the IANA, should and must be presumed to be used across the
collection of IPv4 space.)

The crux of the problem appears in a particular case, for which no workaround exists, and for which no workaround can exist, from a straight derivational logic of state-machine origins.

The DNS resolver system, is only one of the places where the global namespaces is implemented.

Any assigned DNS name may be placed into the DNS. And only the owner of that name has authority to register that name, or cause its value to return from any query.

An assigned name, however, can also, or even instead of being placed into
the DNS resolver system, be put into other systems for resolving and returning name->address mappings. These include: the predecessor to BIND, which is the archaic “/etc/hosts” file(s) on systems; Sun’s NIS or NIS+ systems (local to any NIS/NIS+ domain space); LDAP and similar systems; X.500 (if this is by any chance distinct from LDAP - I’m no expert on either); and any other arbitrary system for implementing name->address lookups.

And the primary reason for REQUIRING NXDOMAIN results in DNS, is that in any host system which queries multiple sources, only a negative response on a lookup will allow the search to continue to the next system in the search order.

Implementing root-zone wildcards, places restrictions on both search-order, and content population, of respective name-resolution systems, which violates any combination of RFCs and best-common practices.

And, most importantly, cannot be worked around, period.

Until the RFCs are extended to permit population of zones with authoritative negative information, and all the servers and resolvers implement support for such, and operators of root zone databases automatically populate assigned zones with such negative values, wildcards will break, in unreconcileable fashion, existing, deployed systems which refer to multiple implementations of zone information services, and for which no workaround is possible.

Apologies for a long, semi-on-topic post. Hopefully this will end this thread, and maybe even put a stake through the heart of the VeriSign filing (at least this version of it). While the law generally doesn’t recognize mathematically excluded things as a matter of law, when it comes to affirmative testimony, counter-arguments can demonstrably be shown as de-facto purgury (sp?).

Brian Dickson
(who has had to deploy systems in heterogeneous environments, and is aware
of deployed systems that broke because of *.com)

Thanks, Dickson - next time I’ll try to write exact text from the very beginniong -:). This is exactly what I want to say, with examples I was too lazy to write myself.