sitefinder-tech-discuss message



Subject: Re: [sitefinder-tech-discuss] A technical question


What follows is probably rather peevish, and is in no way meant as a personal attack against Mr. Norton. If however you wish to take it as an affront against the PHBs and corporation with whom he is employed (quite likely through no fault of his own) then by all means have at it. I have no lost love for VeriSign. They still spam me and my mailboxes occasionally with their 'Security Whitepapers'.

--On Wednesday, October 08, 2003 1:16 AM -0400 Andrew Newton <anewton@verisignlabs.com> wrote:

It is my understanding that the MX query should come before the A query.
This is true


We have talked about deploying a wildcard MX record with a target
pointing to a non-existent name (e.g. does-not-exist.verisign.com). This
should cause an NXDOMAIN.

This is just as bad. Not quite as bad as you guys actually answering the phone for all email instead of outright rejecting it. Still bad though, because again, you're removing the ONLY method at the MTA level to detect if it should accept a mail for injection and relay it.

From the anecdotes I'm getting via phone support pools at some smaller ISPs I'm still associated with, customers are angered and confused about why their browsers are suddenly misbehaving. How is it helpful to anyone but VeriSign when you increase support load?

And I think most of us are still waiting for a good explanation as to why this didn't go through any of the normal processes.

BTW, for those on this list and the benefit of the archives, this forum probably doesn't count as an open discussion since forums like namedroppers already exist for this exact purpose.

We are still seeking constructive advice on this issue.

Don't do it. Seriously. You guys are creating millions of man hours of headaches, support costs, and lost time. To the sole tangible benefit of VeriSign.

Matt used the term "web address"?

To clarify the point:  VeriSign talked to major providers of spam
filtering services and was informed that they do not use a forward domain
check.

Huh, funny that. I doubt anyone on the postfix, sendmail, or qmail MTA teams ever heard a peep from VeriSign.


On the point of forward domain checks and false positives, I believe BCP
30 advises against this assumption.

BCP 30 aside, what you guys have done is removed any reliable method of sender or recipient verification we have. WHOIS doesn't count because 1) the TOS is too strict to use it as such and 2) overhead is wicked enough with DNS queries. I can't think of what my mailservers would do if they had to three way handshake 2000+x/sec!

What *I* and the rest of the community are DYING to know is how VeriSign intends to still allow for the automated, efficient, reliable checking of indications of existence of a domain. Because after the splat is in, this is gone. And that is the basic problem here. VeriSign unilaterally broke what is considered a primary function of the TLDs.

I'd imagine a number of places are pretty pissed about having their email either injected into snubby, or dumped into it, instead of being returned to recipients or properly held in queues. VeriSign possibly exposed itself to some very hairy issues there with regards to the sort of 'proprietary' information that tends to get exchanged via email nowadays. Yes it does require a bit of a blind brain dead mailer to finish a transaction with snubby or mailrejector or whatever it was changed to, but that doesn't alleviate responsibility, because if things had been done properly (IE NXDOMAIN) then VeriSign would never have exposed itself.

Exactly how one could make this stick legally, I'm not sure....But the land sharks are rather quite crafty in this area.

The other BIG problem is what about domains (dorkslayers.com comes to mind) that are REGISTERED AND RIGHTFULLY OWNED by another entity, that your splats suddenly take over, hmmmm? I can see so many lawsuits being filed out of this one for using any number of trademarks, or other people's sites to vomit up advertising.

Yes this letter is fairly broad and wandering, but what VeriSign did, and is still trying to do, touches on so many issues. Some of which have legal case precedence.

Do I want to see VeriSign removed as the .com/.net Registry, yes. I'd also like to see some money for the time I spent closing firewalls and patching resolvers to fix what VeriSign broke. And it's either that or go and fix the thousands of lines of application code.


--
Undocumented Features quote of the moment...
"It's not the one bullet with your name on it that you
have to worry about; it's the twenty thousand-odd rounds
labeled `occupant.'"
  --Murphy's Laws of Combat
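
Added example, not part of the original message: a toy model of the MTA sender-domain check discussed above (MX query first, A fallback), run against a .com zone with no wildcard, with a wildcard A, and with a wildcard A plus a wildcard MX whose target does not exist. The resolver, zone data, addresses and function names are constructed for illustration; the only name taken from the thread is does-not-exist.verisign.com.

```python
NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"

# Constructed zone data (documentation addresses); not taken from any real zone.
ZONES = {
    "example.com": {"example.com": {"MX": ["mail.example.com"]},
                    "mail.example.com": {"A": ["192.0.2.25"]}},
    "verisign.com": {"verisign.com": {"A": ["192.0.2.80"]}},
}
WILDCARD_A = {"A": ["198.51.100.1"]}
WILDCARD_A_MX = {"A": ["198.51.100.1"], "MX": ["does-not-exist.verisign.com"]}


def make_resolver(wildcard=None):
    """Toy resolver for .com: lookup(name, rtype) -> (rcode, answers)."""
    def lookup(name, rtype):
        parent = ".".join(name.split(".")[-2:])
        if parent in ZONES:  # registered and delegated: the TLD wildcard never applies
            rrsets = ZONES[parent].get(name)
            if rrsets is None:
                return NXDOMAIN, []
            return NOERROR, rrsets.get(rtype, [])  # empty list models NODATA
        if wildcard is not None:  # unregistered name: the answer is synthesized
            return NOERROR, wildcard.get(rtype, [])
        return NXDOMAIN, []
    return lookup


def check_sender_domain(domain, lookup):
    """MX first, A fallback. Returns (verdict, number_of_queries)."""
    rcode, mx = lookup(domain, "MX")
    if rcode == NXDOMAIN:
        return "nxdomain", 1  # the cheap, single-query rejection
    queries = 1
    for target in (mx or [domain]):  # no MX: fall back to the domain's own A
        queries += 1
        rc, addrs = lookup(target, "A")
        if rc == NOERROR and addrs:
            return "deliverable", queries
    return "no-mail-host", queries


def compare(domain):
    """Verdicts for one domain under each TLD configuration."""
    return {
        "no wildcard": check_sender_domain(domain, make_resolver()),
        "wildcard A": check_sender_domain(domain, make_resolver(WILDCARD_A)),
        "wildcard A + MX": check_sender_domain(domain, make_resolver(WILDCARD_A_MX)),
    }


if __name__ == "__main__":
    for name in ("example.com", "unregistered-name.com"):
        print(name, compare(name))
```

In this model the MX query for an unregistered name never returns NXDOMAIN once a wildcard is present; with the wildcard MX, the NXDOMAIN only appears when the MX target is resolved, so a check that stops at the first response code no longer distinguishes registered from unregistered names.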


