Verisign DNS change broke my HP printer

Letters Reg readers have plenty of say about Verisign's controversial move to direct surfers who get lost on the Web to a search site run by the company. Our coverage provoked a large number of letters, almost all hostile, about Versign's audacious typo-squatting land grab.

All your Web typos are belong to us

Martin Ward is the first to fire brickbats at the company, which Reg readers have rechristened as "VeriSlime".

Verisign are essentially "squatting" on every unregistered domain name, and using them for profit.  How many trademarked names does that include? What are the fines for squatting on just *one* trademark for commercial exploitation?

Roger Thomas worries about the implications if other DNS providers adopt Verisign's tactics.

That's a worrying article, and just thinking about the issues raised I can see the following:
 
1) If it’s good enough for Verisign to mess about with the root servers I can see other DNS providers doing the same, by redirecting users to their own systems.
 
2) This will poison DNS servers across the world as they will end up caching the SOA records created by Verisign for these 'dynamic' DNS entries. While the time to live on these records is short, real entries will be dropped as the junk entries are added to the database. There is now a new DNS attack were nodes on the internet create vast numbers of random DNS look up requests so clearing the DNS caches of all the DNS servers they access.

Oh life if going to be fun.

Let's start a campaign against Verisign, reader Steve Foster, suggests.

I think we need to start a global campaign to black-list Verisign if they don't back off.

Pete Farrow favours more direct action.

This means that the basic "sender domain does not resolve" check in Sendmail and many other mail server software is now obsolete because any .net and .com now resolves.  This will open the internet up to more spam.

But there is a solution, perhaps mail servers should check to see if the sender domain for a particular piece of email resolves to the Ip above. If it does, forward the email to Verisign, any of the email addresses on this page should do :

http://www.verisign.com/corporate/about/contact/index.html?sl=060104

If the email sender domain resolves to the bogus Verisign wildcard entry, then its only fair that the email gets forwarded back to them, as it’s obviously spam and it resolves to their address.

If the internet community applies such a rule, then I think this wildcard DNS nonsense will soon be retired. You could also check the web site at Verisign automatically to see if they change their email addresses just to make sure you always forward the unresolving mail to a real mailbox.

Adrian Wilkins seconds the motion.

Bloody 'ell... so where can we get the home addresses of the "pigtastic" monopolisers of the internet?

I'm only asking because, as a responsible sysadmin, I believe that all mis-addressed surface mail should get redirected to there as well... :)

And what of the wider implications of Verisign's audacious domain land grab? Abby Patel is worried about privacy.

Thanks for running the Verisign story on the Register. As an ISP, this is of great concern to us, as you rightly pointed out, this un-announced and unwarranted change is breaking services. As an example, we provide SPAM filtering for our broadband customers. One of the many checks we do is to ensure mail is coming from actual registered domains. With a single action, this test no longer works, adding to the already difficult war on the volumes of SPAM that our customers have to deal with.

However, the other worry is the data retention that Verisign admits it is carrying out if you look at their terms and conditions. Amazingly enough, they in their PDF file discussing the change,

"2.4 Monitoring and Communication

VeriSign actively monitors all traffic associated with Site Finder, including DNS queries matching the wildcard entries in .com and .net and associated responses, and all traffic sent to the response server. This traffic is correlated and monitored in real time, 24 hours a day, seven days a week, by VeriSign's Network Operations Centre... complete traffic stream to the .com and .net name servers and the response server, as well as rolled up statistics, are stored for analysis."

So, you mistype a domain name, and suddenly to have agreed to Verisign’s T&C's to let them collect information about you. What if the URL was mistyped but had some personal information in it, e.g. http://dummysite-that-is-not-real-at-all.com/userid=mylogin,mypassword=password

Similarly, the SMTP service that replies with the 550 error only does so after you have specified the recipient. What will Verisign do with all the "from" mail addresses that they will be logging? A ready made list of live e-mail addresses for selling on to marketing companies perhaps?

However, it seems that the T&C's might help us to stop this abuse. If you do not agree to the T&C's the only option they have is to not redirect your netblock to their site. So, give them a call on 0800-032-2101, select 2 to speak to their support department and once you get a human, tell them that you don't agree to their T&C's and can they remove your netblocks!

Nick Ryan picks up the theme.

Gah. Note the thinly veiled threats in their whitepaper..

Bah, it has cut'n'paste disabled, of course.

<snip>
Verisign actively monitors all traffic ... 24 hours a day, 7 days a week ... Anomalous events are escalated to engineering staff ... Several hours of the complete traffic stream are stored for analysis.
</snip>

Reading between the lines ; "Try to DoS attack us at your peril, punks"

<snip>
While this monitoring data will not be public available at the launch of Site Finder, Verisign is considering making this information available in the future
</snip>

"If we get a lot of hits for particular unregistered domains, we might consider selling them to interested parties for inflated prices (via a front company, naturally)"

Will anybody defend Verisign? Only reader Justin Cordesman has anything positive to say about Verisign's radical changes.

For some reason I think there was forewarning of this, as a response to typo squatting.  Which is worse, your customer getting a search page (and not one that pops up zillions of ads and tries to make itself your default) when they mistype your address, or getting a porn site or pop ups or an error?

Although Verisign suggested it might be making changes a few weeks ago it was only when the changes were made this week, without specification notification or debate on the technical and commercial implications on the move, that things really kicked off.

But who cares for the wider implications, when your printer stops working. Reader Daniel Salzedo relates his tale of woe.

Thanks for your article "All your Web typos are belong to us", because without it I would probably never have realized why my networked HP printer was refusing to print.

I have an HP Deskjet 6127 which has a built-in NIC and TCP/IP printing capability. Just a basic printer used by one small department and it's been working fine since it was setup. I have a simple LAN with one main W2K Server running DHCP and DNS. I usually setup any shared printer on this server, so installed the HP software which sets up a TCP/IP local port and points it at the printer. As the printer was setup to use DHCP for ease of use the TCP/IP printer port maps via the printer's name.

Today, for no apparent reason, print jobs just stuck in the queue for a few minutes before timing out. To make a long and tedious set of troubleshooting steps short, it turned out the problem was the Verisign DNS change. Due to the way DNS is setup on the server (Because it is the LAN's top-level DNS server) a search for the local printer was being routed via the Internet. I guess it must always have worked this way, but because the printer would never resolve to a routable IP address it must have then tried a local lookup.

Anyhow now, thanks to Verisign, my server always resolves the printer to the external IP address for their search service, hence the dead print jobs, forcing me to move the printer share to a different server. ®