Routing around the damage

A few days ago, I came across a post from Seki about Veri$ign’s latest Internet power-grab.

V$, you see, not only has monopoly control of the .com and .net top level domans (TLDs), but it also runs two of the several DNS servers on the Internet, which route requests for given web pages (or e-mail addresses, which becomes important below) to the appropriate machines.

V$ decided, Hey, wouldn’t it be cool if we could boost our bottom line and get people to register more domains with us? What if, whenever someone tried to contact a .com or .net web page that didn’t exist, or which they mistyped the name to, rather than get an Internet protocol standard error page, or if they’ve configured things that way, their default search engine, we instead used our DNS servers to route them over to a search page of our own, identify what sites we think they might want to go to, offer to sell them some domains, include some advertising, and make money from it? Cool!

Well, that’s only speculation on my past as to what they said. I suspect it had a lot more maniacal laughter to it, not to mention a whiff of brimstone.

But, at any rate, that’s what V$ did. They changed the way the Internet behaves, and they did it to line their own pockets.

(I don’t know if Bill Gates is sobbing because he didn’t think of this first, or cackling because Veri$ign is the one company out there that makes Micro$oft look like an Industry Good Citizen.)

This was followed by much outrage, especially when it was discovered that there were more dire consequences. See, lots of sysadmins use systems to validate incoming e-mail. Spammers like to create bogus, nonsensical addresses, so sysadmins run scripts to see if the domains involved, at least, are legit. That doesn’t get rid of spam that has a real address, or that has a spoofed address for some hapless netizen out there, but it’s a good filter nonetheless.

But now that tool is broken. If your request to see if a domain is valid routes through one of V$’s servers, it will come back as finding something (that what it finds is just the V$ search page, not a valid domain, isn’t apparent).

Until Sunday, if the spammer had just made up a string of letters, you could reject the mail right away, knowing it was invalid. Now, it looks like a valid name, so you accept the mail. Your user gets spam. Of course, maybe you bounce the message. In that case, your bounce message gets routed to VeriSign’s very very overloaded machine, so it takes a long time (and possibly a few tries) to bounce it, and then the bounce fails – because there’s nowhere to deliver it – and the sysadmin gets a copy of the spam, complete with records showing why the bounce couldn’t be delivered.
So, thanks to VeriSign, that’s another hundred or more messages a day for tiny sysadmins. Another million for the big guys. A friend of mine is a sysadmin at a major company, and he says this is loading their servers more than SoBig did.

Gee, that’s just swell, guys.

The Internet, though, was designed to be a distributed communciation system that could handle a nuclear war. It’s designed to route around damage, and that’s what’s beginning to happen, both technically and societally. Sysadmins are beginning to manually block the IP addresses of the V$ search page, so that errors come back as errors again. And now the Internet Software Consortium, which publishes the BIND software used on most domain servers, has put just that kind of block into a patch to BIND, so that the blocking takes place automatically.

Good for them.

Veri$ign was unavailable for comment.