Breaking the Internet’s Consensus Rule

The Internet, ultimately, is a fragile thing, as an entity. It depends upon the consensus of those responsible for its infrastructure to operate on a daily basis. Because of its inherent robustness as a technical architecture, there is no entity that can “break the Internet” in the sense of stopping the flow of traffic, but there are several entities that can create a variety of inconveniences, some minor and some serious, for the millions who use the Internet.

VeriSign is clearly such an entity. It occupies a schizophrenic position; on the one hand, it is a publicly-traded corporation, legally obligated to do what it can to turn a profit for its shareholders, but on the other hand, it is the recipient of a public trust, granted monopoly registry power in order to perform a vital Internet function.

VeriSign clearly struggles with those two separate mandates; the public good conflicts sharply with the need to deliver shareholder return. SiteFinder is a particularly acute dilemma. The public has spoken. The IAB has spoken. The Security and Stability committee has spoken. ICANN has spoken. And they want things back the way they were.

Yet VeriSign seems convinced that it knows better than anyone else. VeriSign wants to appoint an independent technical review committee, but that is exactly what the IAB is. (It can be argued that the IAB’s members are employed by entities who have a commercial interest in this, but the board’s conclusions and recommendations have been re-iterated a thousand times over by others.) No one qualified to comment on the subject is neutral on it; people who spend their lives ensuring that the Internet stays up have a vested interest in its stability. How can VeriSign possibly hold any hope that any truly qualified committee would arrive at different conclusions from the ones already issued?

It is vital to Internet consensus rule that no one entity be allowed to impose a mandate on others. Yet VeriSign has done just that. It has circumvented the well-established processes that govern widespread operational change to the Internet. It might not have violated the letter of any RFCs, but it’s clear that it has violated, and continues to violate, the spirit that lies behind those RFCs: a spirit of collaborative decision-making and discussion that occurs long before operational changes are actually implemented.

In the meantime, ICANN, legally hamstrung in many ways, has little to rely upon other than consensus. Faced with VeriSign’s defiance, it has little recourse, and each passing day makes ICANN seem more and more impotent.

Of course, the workarounds are showing up in the infrastructure. Of course, people can fix things in software. But new software deployment carries an enormous cost, in capital and in human labor; change is also risk, and thus instability. These costs are incurred not only by the developers of the software, but also by its distributors, by systems and network administrators, and by end users.

The IETF will have to act on this matter, to alleviate the operational headaches that come with inconsistent responses to VeriSign’s actions, and to prevent the future exploitation of similar loopholes in the RFCs. But in the meantime, those the world over incur the costs of VeriSign’s opportunism.

VeriSign, too, is in a difficult place. Faced with overwhelmingly negative public opinion of the service, its choice to brazen it out is not, perhaps, a bad one from the standpoint of preserving shareholder value. It is gambling that when the furor dies down, when the press finds a more interesting story to pursue, when engineers hunker down to patch up as best they can, when ICANN can only wring its hands helplessly, that SiteFinder will still have the field. It is gambling that there is no entity with sufficient power to force consequences upon it for its actions, and that it can win the lawsuits that will inevitably be brought, and that the revenue and control ultimately gained will justify its actions to history.

We are a herd of hand-wringers. The power is in VeriSign’s hands, and VeriSign knows it. It is an ugly truth.

Given that power, it’s perhaps no great wonder that VeriSign believes that it can, and should, decide the way the Internet works.

This is my personal opinion, not that of my employer.



Mike O'Donnell  –  Sep 24, 2003 8:00 PM

We can “route around” Verisign

The DNS root zone, as supported by Verisign, bundles together two different services:

1. Handle service: a handle is a token (not necessarily humanly readable or mnemonic) that can be owned by a user and reassigned to different IP numbers as that user migrates around the network;

2. Name service: a name is a humanly meaningful token that resolves to an IP address.

DNS is currently the *only* handle service, which gives Verisign a sort of monopoly power. There are many different name services, including DNS, Yahoo, Google, which could compete more evenly if none of them were bundled with the only handle service.

We could deploy a handle service with almost no administrative burden, using current DNS software, at a lower level of the DNS hierarchy (perhaps a 3d level domain), providing meaningless numerical handles freely to all. Bob Frankston has described this idea in his dotDNS proposal: http://www.circleid.com/article/225_0_1_0_C. It only requires a stable institutional sponsor with a highly defensible domain name (e.g. nicesponsor.org), the technical oomph to run a name server at traffic levels similar to the alternate root servers, and the willingness to provide silly looking subdomains (e.g. 188828281282232.dns.nicesponsor.org) to all who request them.

If a handle service under dns.nicesponsor.org proves useful, it can migrate up to a higher level in DNS, and future software deployment can eventually treat it as a new root. Users can assign their own handles using public-key signatures and secure hashing, depending on the sponsor only for dissemination and not for authorization. In the meantime, dotDNS does not interfere at all with the current DNS. Nobody has to abandon her use of DNS while exploiting the alternative value of dotDNS.

It’s time to just do this.

Mike O’Donnell
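The self-assigned handles described in the comment above, sketched as an added example (not code from the commenter or from the dotDNS proposal): the handle is a hash of the owner's public key, so a resolver can check a record without trusting the sponsor that served it. The record fields, the 128-bit truncation and the sample addresses are assumptions; a Lamport one-time signature stands in for a standard multi-use scheme only so the code runs on the Python standard library, and each such key can sign a single record.

```python
import hashlib
import json
import secrets

ZONE = "dns.nicesponsor.org"  # sponsor zone named in the comment

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets and their hashes."""
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def handle_for(pk) -> str:
    """Self-assigned numeric handle: 128 bits of SHA-256 over the public key."""
    digest = H(b"".join(h for pair in pk for h in pair))
    return f"{int.from_bytes(digest[:16], 'big')}.{ZONE}"

def canonical(record: dict) -> bytes:
    # Stable byte encoding so signer and verifier hash the same message.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, record: dict):
    # Reveal one secret per message-digest bit.
    return [sk[i][b] for i, b in enumerate(msg_bits(canonical(record)))]

def verify(record: dict, pk, sig) -> bool:
    """Resolver-side check; needs no trust in the sponsor that served the record."""
    if record.get("handle") != handle_for(pk):  # key must hash to the handle
        return False
    if len(sig) != 256:
        return False
    bits = msg_bits(canonical(record))
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def demo():
    sk, pk = keygen()
    record = {"handle": handle_for(pk), "address": "192.0.2.10", "serial": 1}
    sig = sign(sk, record)
    tampered = dict(record, address="203.0.113.66")  # constructed: altered by the disseminator
    other_sk, other_pk = keygen()                    # constructed: a different key holder
    return (verify(record, pk, sig), verify(tampered, pk, sig),
            verify(tampered, other_pk, sign(other_sk, tampered)))
```

`demo()` returns `(True, False, False)`: the owner's record verifies, a record altered by the disseminator fails the signature check, and a record re-signed with someone else's key fails because that key does not hash to the handle.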

Loghyr  –  Sep 24, 2003 9:49 PM

Kind of reminds you of the US and the UN, huh? Where the US is Verisign, the UN is ICANN, and SiteFinder is…
