Verisign vs. ICANN

PS. I am excited - Vixie as a co-conspirator... Vixie, you can be proud -:).

i'm not, though. not proud, and not a co-conspirator. this whole thing
makes me want to puke. the worst thing is, the people i know inside
verisign seem to wish i wouldn't take it so personally. but if their
stock options go up in value as a result of this lawsuit, then it's
blood money, and it's on their hands.

anyway, today i was given a courtesy copy of verisign's "final ssac
response", which i've converted from pdf to a number of other
more-greppable formats, and put online. url's are as follows:

    http://sa.vix.com/~vixie/sitefinder/Final SSAC Response.doc
    http://sa.vix.com/~vixie/sitefinder/Final SSAC Response.html
    http://sa.vix.com/~vixie/sitefinder/Final SSAC Response.pdf
    http://sa.vix.com/~vixie/sitefinder/Final SSAC Response.rtf
    http://sa.vix.com/~vixie/sitefinder/Final SSAC Response.sxw
    http://sa.vix.com/~vixie/sitefinder/Final SSAC Response.txt

here are some tidbits:

    Moreover, the Report appears primarily to have been composed and/or
    contributed to by persons who are opponents of Site Finder and/or
    competitors of VeriSign, a fact the Report fails to acknowledge. For
    example, Paul Vixie, a member of the committee who is cited three
    times as evidentiary support for the Committee's conclusions, fails
    to disclose that he is the president of Internet Systems Corporation
    ("ISC"), which released the BIND software patch discussed in the
    Report as one of the technical responses to VeriSign's wildcard
    implementation, and competes with VeriSign in other relevant
    respects, including the provision of DNS services and as a potential
    TLD registry operator. The Report also fails to identify that
    Suzanne Woolf, an employee of ISC, K.C. Claffy, an associate of Paul
    Vixie, and Mike StJohns as members of the committee who were added
    to the committee by SSAC's committee chair, specifically for the
    purpose of rendering conclusions about Site Finder. Ms. Woolf and
    Ms. Claffy's
    association with Mr. Vixie suggests they were added for the purpose
    of packing the committee with Site Finder opponents. [...]

    ...

    For example, the Report relies heavily on the opinion of Paul Vixie,
    an outspoken critic and competitor of VeriSign, on the issue of
    Internet stability following the implementation of VeriSign's
    wildcard. Yet the Report fails to include a conflict of interest
    statement for Mr. Vixie, even though he is the president of ISC,
    which released the BIND software patch discussed in the Report as
    one of the technical responses to VeriSign's wildcard
    implementation. Ironically, Mr. Vixie's BIND patch was a primary
    source of the "incoherence" described in the Report.

    ...

    On May 19, 2003, Paul Vixie wrote: "speaking for dnssac, [I] don't
    think we have standing. [D]ns is a distributed, reliable,
    autonomous, hierarchical database system. The key word for this
    purpose is `autonomous'. Delegating something to somebody and then
    telling them what they can and cannot put into it is false (and I
    might add, offensively so.)"

    ...

    As stated above, SSAC was unable to fault Site Finder on security or
    stability grounds. Indeed, SSAC member Paul Vixie has expressly
    admitted as much. In response to an email stating that "I think
    recent events prove pretty well that VeriSign GRS no longer gives a
    crap about stability. Have we forgotten *.COM so quickly?,"
    Mr. Vixie conceded:

        [I] was ... publicly critical of *.COM and *.NET, but that's a
        policy problem, not an operational problem. [V]eriSign has a
        very good record for name server uptime both at the TLD and root
        level.

    [Email message posted by Paul Vixie to nanog@merit.edu dated June
    17, 2004 (emphasis added). A copy of this email is attached as
    Exhibit H.]

anyway, the whole thing is worth reading, and not just for history buffs.

(and if the idea that kc or woolf could be depended upon to parrot
somebody else's point of view caused you to laugh so hard you spewed
coffee all over your keyboard while reading the above tidbits, then
send the repair bill to verisign, not me. i'm just the messenger.)

Unfortunately, SiteFinder did not have such a destructive effect as we
had all wanted it to have. Statistics in our network showed no
significant increase in dns traffic. Especially if you compare it
against things like SoBig:

http://www.xtdnet.nl/paul/spam/graphs/versign.png

So even though my own hunch was wrong, I feel I should still publish
the data. If you only publish data when it serves your goal, you lose
your objectivity and your opinions become worthless as well. So I
won't be blaming kc or woolf for not confirming what isn't there but
what we really wanted to see.

So while SiteFinder was not as destructive as we might have thought
or hoped, obviously it is still one of the most stupid ideas that
the NetSol/Verisign monstrosity came up with. If they cannot separate
their Registrar from their Registry business, then ICANN should
break their contract and find a proper party to host the Registry.

Of course, in my dreams I have the money and all the girls too.......

Paul

I'm not a lawyer but I still think businesses have a valid lawsuit against Verisign for whatever the legal term is for using their copyrighted names and likenesses. With SiteFinder it guarantees Verisign 'owns' any domain a particular company may not have yet purchased until such time that they do. And until they do their property gets branded as if it were Verisign's. That's my chief complaint against Verisign.

There is also the problem that no one can easily verify non-existence of ANY domain when the SiteFinder is deployed with the Wildcard A record, this is almost certainly detrimental.

The BIND source was modified in response to CUSTOMERS REQUESTS. It seems as though Verisign intends to implement its will by legal maneuvering. It's akin to Microsoft being told by say RedHat that they can't have multiple user logins because Linux does that. Or that Windows can't have a good, useful CLI subsystem even though customers are clamoring for it.

I'm not certain what other legal beef Verisign may have with ICANN (and any of the others mentioned in their legal proceedings) but it's certainly not any conspiracy, an option was simply provided at the outcry by a large, well respected, technical community to a change in infrastructure we all rely on that caused problematic effects.

It's very regrettable that Verisign's lawyers decided it was necessary to go about this.

As part of a disclaimer: Any various mentioned parties were used above in a purely hypothetical manner and do not represent any company's actual intentions. Any mentioned copyrighted names are the property of their respective copyright or other property holders.

mloftis@wgops.com (Michael Loftis) writes:

...
The BIND source was modified in response to CUSTOMERS REQUESTS. ...

actually, it was multiple credible threats of codeforking that got this done.
(as i explained in the press at that time, "isc cherishes our relevance.")

It is not about statistics, it is about DNS system behavior - if a domain
does not exist, I wish (and I must) to know it.
By this, SiteFinder violates all Internet addressing system.

In terms of DNS traffic leaving your network, it was the same amount of
traffic. Query packets got sent to the gtld servers, and Answer packets
came back.

Since the wildcard answer was an 'A' (this is it bub), and not 'NS' (go
look over there willya?), the SiteFinder IP address was not sent any DNS
traffic, thus there was no appreciable increase in DNS traffic.
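
Added example (not part of the original thread): a sketch of how a resolver operator can tell a zone that answers NXDOMAIN for unregistered names from one that synthesizes a wildcard 'A', by parsing the replies to queries for random labels. The packets, the `.example` names and the 192.0.2.1 address are constructed samples, and the function names are illustrative.

```python
import struct

NOERROR, NXDOMAIN, TYPE_A = 0, 3, 1

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(qname, rcode, a_addr=None):
    # Constructed sample packet: QR=1, AA=1, one question, optional single A answer.
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, 1 if a_addr else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    if a_addr:  # owner name is a compression pointer to the question at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, 900, 4) + bytes(map(int, a_addr.split(".")))
    return msg

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk plain labels
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)           # pointer is 2 bytes, root label is 1

def parse_response(msg):
    # Returns (rcode, [IPv4 addresses found in the answer section]).
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return flags & 0xF, addrs

def classify_zone(responses):
    # responses: replies to queries for random labels that were never registered.
    parsed = [parse_response(r) for r in responses]
    if all(rc == NXDOMAIN for rc, _ in parsed):
        return "nxdomain"
    if all(rc == NOERROR and a for rc, a in parsed) and len({tuple(a) for _, a in parsed}) == 1:
        return "wildcard-a:" + parsed[0][1][0]    # every random name maps to one address
    return "mixed"

# Constructed samples: two random labels under a wildcarded zone and a normal one.
WILDCARD = [build_response(n, NOERROR, "192.0.2.1") for n in ("qx7zk2hv.example", "p0m3rr1w.example")]
PLAIN = [build_response(n, NXDOMAIN) for n in ("qx7zk2hv.example", "p0m3rr1w.example")]
```
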