Home / Blogs

ICANN and IAB Ask VeriSign to Suspend Site Finder

The Internet Corporation for Assigned Names and Numbers (ICANN) has released an advisory concerning VeriSign’s deployment of DNS wildcard (Site Finder) service. It includes the following statement:

“Since the deployment, ICANN has been monitoring community reaction, including analysis of the technical effects of the wildcard, and is carefully reviewing the terms of the .com and .net Registry Agreements.

In response to widespread expressions of concern from the Internet community about the effects of the introduction of the wildcard, ICANN has requested advice from its Security and Stability Advisory Committee, and from the Internet Architecture Board, on the impact of the changes implemented by VeriSign. ICANN’s Security and Stability Advisory Committee is expected to release an objective expert report concerning the wildcard later today.

Recognizing the concerns about the wildcard service, ICANN has called upon VeriSign to voluntarily suspend the service until the various reviews now underway are completed.”

The Internet Architecture Board (IAB), a committee of the Internet Engineering Task Force (IETF) has also released its own document containing a number of observations on the implications of the use of wildcards in DNS zones, and makes some recommendations concerning their use.

In a section called “Problems encountered in a recent experiment with wildcards” the IAB’s document states:

“We must emphasize that, technically, this was a legitimate use of wildcard records that did not in any way violate the DNS specifications themselves. One of our main points here is that simply complying with the letter of the protocol specification is not sufficient to ensure the operational stability of the applications which depend on the DNS: there are protocol features which simply are not safe to use in some circumstances.”

The document goes on to conclude:

“The Principle of Least Astonishment suggests that the deployment of wildcards was disastrous for the users. It had widesweeping effects on other users of the Internet far beyond those enumerated by the zone operator, created several brand new problems, and caused other internet entities to make hasty, possibly mutually incompatible and possibly deleterious (to the internet as a whole) changes to their own operations in an attempt to react to the change.”


“For zones which do delegations, we do not recommend even wildcard MX records. If they are used, the owners of zones delegated from that zone must be made aware of that policy and must be given assistance to ensure appropriate behavior for MX names within the delegated zone. In other words, the parent zone operator must not reroute mail destined for the child zone without the child zone’s permission.

We hesitate to recommend a flat prohibition against wildcards in “registry”-class zones, but strongly suggest that the burden of proof in such cases should be on the registry to demonstrate that their intended use of wildcards will not pose a threat to stable operation of the DNS or predictable behavior for applications and users.

We recommend that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity.”

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Phillip Holmes  –  Sep 21, 2003 1:46 AM

VeriCrime must be stopped. This is an obvious abuse of trust that the web community may never forgive.

Root operation is a privilege which VeriCrime should no longer be allowed the honor of participation.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

Domain Names

Sponsored byVerisign