By Jonathan Yarden
In September of 2003, there was a dramatic change made to the Internet, and it's likely that you noticed. VeriSign instituted a number of changes to the .com and .net Top Level Domain zones, or root DNS servers, including the deployment of a wildcard service that responds with a "valid" IP address for previously unresolvable domain requests.
VeriSign's wildcard DNS redirection works by creating a registry-synthesized address record in response to lookups of invalid domains. This includes unregistered names as well as names that are registered but inactive. Traffic was redirected to a VeriSign-operated search engine.
On the surface, it would seem that VeriSign implemented this DNS redirection to further its interests over the interests of other domain registrars. But that's only the tip of the iceberg.
Another issue is that other Internet services, including SMTP e-mail, also use DNS. So, in effect, VeriSign's change has made it possible for any unknown domain name, and any unknown hostname in a domain, to be considered "valid" from the standpoint of being resolvable.
This means that junk e-mail filters that depend on whether a domain or hostname exists to qualify e-mail stopped working or required additional resources to work properly. In addition, redirecting unresolvable Web browser requests to VeriSign's SiteFinder service greatly increased the volume of junk bandwidth on the Internet.
According to many in the industry, VeriSign's actions showed a wanton disregard for Internet security. According to a statement released by the Internet Corporation for Assigned Names and Numbers (ICANN) Security and Stability Advisory Committee, "VeriSign's change appears to have considerably weakened the stability of the Internet, introduced ambiguous and inaccurate responses in the DNS, and has caused an escalating chain reaction of measures and countermeasures that contribute to further instability."
This is the same VeriSign that users go to for Secure Sockets Layer (SSL) certificates that enable secure Web site functionality, and it's the same VeriSign that took over management of the root DNS servers from the government a few years ago.
VeriSign's actions in this case showed a clear bias toward its own services at the expense of everyone else. This is not the type of conduct you expect from a company charged with the task of maintaining the primary DNS servers for the .com and .net domains worldwide—not to mention a company that claims to have security as a primary service.
So if your junk e-mail filters didn't seem to work properly or your systems showed an increase in HTTP traffic to and from IP address 220.127.116.11, you can thank VeriSign for causing the confusion. Many ISPs quickly countered VeriSign's wildcard DNS redirection by implementing a new version of the popular BIND DNS server system that prevents wildcard DNS resolution.
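The filter breakage described above comes from one root cause: under a wildcarded TLD, a lookup for a nonexistent name returns an address instead of NXDOMAIN. The following added example (not code from the column, and not VeriSign's or BIND's) shows the check a mail-filter operator can use to keep an existence test honest: probe the TLD with a random label that cannot plausibly be registered, treat whatever address comes back as a wildcard sentinel, and classify any answer made up solely of sentinel addresses as nonexistent. The resolver, zone data and the use of the article's 220.127.116.11 address as the synthesized answer are constructed stand-ins.

```python
import secrets
import string
from typing import Callable, Dict, List, Optional

# A minimal A-record lookup: returns the address list, or None for NXDOMAIN.
Lookup = Callable[[str], Optional[List[str]]]

# Constructed sample zone: under the wildcarded .com, every unregistered
# name "resolves" to the SiteFinder address quoted in the column, so a
# plain resolver never sees NXDOMAIN for a .com name.
WILDCARD_IP = "220.127.116.11"
FAKE_ZONE: Dict[str, List[str]] = {
    "example.com": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.5"],
}

def fake_lookup(name: str) -> Optional[List[str]]:
    """Stand-in for a DNS A lookup (constructed, not a real resolver)."""
    name = name.lower().rstrip(".")
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".com"):          # the wildcard synthesizes an answer
        return [WILDCARD_IP]
    return None                        # an honest NXDOMAIN

def wildcard_sentinels(tld: str, lookup: Lookup) -> set:
    """Probe the TLD with a random 24-letter label; any address returned
    for it is a synthesized wildcard answer, not a real delegation."""
    probe = "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
    return set(lookup(f"{probe}.{tld}") or [])

def domain_exists(name: str, lookup: Lookup = fake_lookup) -> bool:
    """Existence check a junk-mail filter can keep using under a wildcarded
    TLD: an answer consisting only of sentinel addresses counts as NXDOMAIN."""
    answers = lookup(name)
    if not answers:
        return False
    tld = name.rstrip(".").rsplit(".", 1)[-1]
    sentinels = wildcard_sentinels(tld, lookup)
    # A legitimate name that deliberately points at the sentinel address
    # would be misclassified; the check only ever errs toward "nonexistent".
    return not set(answers) <= sentinels

if __name__ == "__main__":
    for host in ("example.com", "nosuchdomain-xyz.com",
                 "mail.example.org", "nope.org"):
        print(host, domain_exists(host))
```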
ICANN sent VeriSign a formal request asking it to discontinue the service, at least until ICANN could review the service. VeriSign initially refused to honor the request, but the company later agreed to suspend redirection to its SiteFinder service.
ICANN, which is considered the overseeing worldwide authority on the Internet, has scheduled a meeting on VeriSign's actions and on DNS stability in general for Oct. 7 in Washington, D.C.
As of this writing, VeriSign has agreed to halt the wildcard redirection of unresolvable hostnames to SiteFinder, but the issue of whether a private company has the right to change previously established Internet practices to further its own interests remains.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.