No Such Weblog

ICANN’s Security and Stability Advisory Committee has issued some recommendations on sitefinder: Recognizing the concerns about the wildcard service, we call on VeriSign to voluntarily suspend the service and participate in the various review processes now underway. We call on ICANN to examine the procedures for changes in service, including provisions to protect users from abrupt changes in service.Also, the committee is soliciting input on practical security and stability implications, to be sent to secsac-comments@icann.org.

Reuters reports that Verisign will ask outside experts for advice about Sitefinder: They are going to create a committee of “Internet leaders” to advise it on technical matters. Recommendations on what to do, though, are apparently not welcome.Of course, the necessary expert advice has been readily available for several days now. It’s telling that Verisign convenes a committee (and wastes more time) instead of listening to what’s out there.I’d respectfully suggest that whoever is asked to join this group decline the invitation.

From an anonymous comment in response to the ALAC’s statement on sitefinder:

In a recent Cnet article, Verisign is quoted as saying, “We’re fully compliant with every RFC”. … If that’s true, it just kills the argument against Verisign as it then becomes “geeks v. users” with Verisign on the side of the users.

That’s a dangerous misconception, in several ways.

In a somewhat ironic move, Verisign has retired its “snubby mail rejector daemon” and has replaced it by postfix.In related news, there’s now an updated BIND patch for dealing with Sitefinder.

The Internet Architecture Board has released a commentary entitled Architectural Concerns on the use of DNS Wildcards. The commentary gives both an explanation of some fundamental design issues that are created by the use of DNS wildcards, and an account of problems encountered in a recent experiment with wildcards.Besides recommending strongly against the use of wildcards in TLDs (and most other situations), the IAB suggests a simple, but powerful guideline: If you want to use wildcards in your zone and understand the risks, go ahead, but only do so with the informed consent of the entities that are delegate within your zone.The document concludes with the recommendation that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity.

ICANN has published an advisory about sitefinder.In a nutshell, ICANN is examining the situation (including the contractual questions that arise with respect to the registry agreement), and has requested input from the IAB and from the security and stability advisory committee. The latter committee is expected to deliver advice later today.ICANN also has asked Verisign to voluntarily suspend the service until review is completed.

Via the GNSO council list comes a pointer to two presentations on Sitefinder that were given yesterday at the CENTR GA: CENTR’s Kim Davies; Verisign’s Scott Hollenbeck.

Ross Rader points to a theory that Verisign’s sitefinder may be experiencing something like a denial of service attack due to, among others, side effects from the Blaster worm’s attempted attack on windowsupdate.com.Florian Weimer rebuts that theory: The NS record continued to exist for windowsupdate.com, and that is enough to keep the wildcard from kicking in and synthesizing A records.

James Grimmelmann, at LawMeme: Attention so far has been focusing on the ethics of the move (positive satanic), its effects on DNS and non-Web applications (Considered Harmful), and on possible technical responses …. On the legal side of the fence, though, we’re not just talking about a can of worms. We’re talking about an oil drum of Arcturan Flesh-Eating Tapeworms.(Ross Rader reports that the first Arcturan Flesh-Eating Tapeworm has crawled out of the oil drum.)

Vote now.Stratton Sclavos (the CEO that brought us Sitefinder) is one of the “candidates” in the Internet category.