Home / Blogs

To our readers: Does your company offer DNS or DNS Security services? CircleID has an opening for an exclusive sponsor for our DNS topic. Gain unparalleled results with our deep market integration. Get in touch: [email protected]

Site Finder as Starting Point for True Innovation Above DNS

Well, I have remained silent on this issue for now—mainly because of conflicts. I was one of a few members of the technical advisory group asked by VeriSign to look at Site Finder and ask the questions—what does it add, what does it break, and how can we fix anything it breaks? The scope of the group was unlimited by any VeriSign edict and the members were of impeccable individual credentials. This group has now completed its work so I feel able to comment.

Stratton Sclavos is interviewed at CNET where he declares that the key issue is the ability to innovate in the DNS infrastructure. To evolve it.

Kevin Werbach declares that to be a wrong point of view. He says innovation must be above the DNS.

I think both of these comments have their merits, but actually, they each have something right and something wrong. Stratton is right that innovation must happen, he is wrong to suggest that Site Finder is an example of innovation—it is actually the implementation of an existing standard [update: actually this is acknowledged in Strattons interview]. Kevin is right that innovation should be on top of the core protocols, he is wrong in thinking that Site Finder breaks that rule. Lets examine this.

The “innovation” VeriSign did was to place a wildcard into the .com and .net root domains. This means that if a non-existent domain is typed into an application the DNS is able to redirect the request to the Site Finder service, which is in turn able to provide a meaningful help service to users. In the process of doing this, VeriSign has implemented an existing standard. The wildcard IS part of the IETF standard for DNS. The IAB acknowledged this clearly in their deliberations on the matter.

“We hesitate to recommend a flat prohibition against wildcards in “registry”-class zones, but strongly suggest that the burden of proof in such cases should be on the registry to demonstrate that their intended use of wildcards will not pose a threat to stable operation of the DNS or predictable behavior for applications and users.”

To this extent “innovation” might not be the right word. What VeriSign has done is to implement a previously unimplemented standard. The worst I can think to say is that they might have notified people more ahead of time. They certainly did not and, in my opinion, do not need permission to do it. It’s all about being community friendly, but not about rights.

For what its worth the DNS service is actually better than it was before for HTTP requests to mistaken addresses. An error message has effectively been replaced with a redirected help screen. Where there are minor inconveniences - as with SMTP - these can easily be worked around if the industry is aware of the use of wildcards. No need for a huge over-reaction here.

So who is right Stratton or Kevin? Actually both are. Let’s look at the issues.

Is Stratton right to declare the need to innovate in the infrastructure? Absolutely yes!

Look at the farce on international domain names. Still today the use of Japanese, Chinese, Korean and indeed any non-roman ascii character is disallowed in a domain name. In order to make anything work at all here VeriSign has deployed a plug-in that, like all plug-ins, is only sparsely distributed. It had to do this because the IETF and ICANN together have been unable to come up with a workable solution. This is an area crying out for true innovation. Somebody needs to take the lead and let the market decide on the appropriateness of the solution. And this needs to be as free as possible from the control of a regulatory body.

Is Kevin right that the correct place to innovate is on top of the core protocols? Absolutely yes!

John Klensin [former iab chair at the ietf] has been arguing for a couple of years now for layers on top of the DNS facilitating search and directory like results. This is something I wholeheartedly agree with him on and I would say RealNames was exactly that - and internationalised too. Site Finder is also that when looked at from the point of view of the results page. The wildcard in the DNS is the standard being implemented, but the results page is produced through an “escape” from the DNS - allowed by the wildcard. It is indeed, at that point a search and directory service built on top of the DNS.

My own viewpoint is that Site Finder should be the starting point for true innovation above the DNS. Internationalised search and directory should be a high priority for the product folks. For me this can only be a good thing. Heck, it could even provide some competition to my friends at Google, who must be bored out of their skulls with the lack of outside pressure on them to innovate.

Bottom line—let’s get rid of the emotion, lets allow ICANN to focus on helping the entire industry to evolve—and not be distracted by a bunch of fake stability claims, and lets allow the naming industry to evolve a strategy for a search and directory layer on top of the DNS.

By Keith Teare, Principal

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Mike O'Donnell  –  Oct 21, 2003 3:20 PM

“what does it add, what does it break, and how can we fix anything it breaks?”

Those aren’t really the key questions. They draw all attention to the “what"s that are already around. The key questions are

1. “Does it at least maintain and preferably advance sound architectural principles for the future of the Internet (which mostly consists of innovations that we haven’t thought of yet)?”

2. “Does it allocate resources that belong to Verisign, or does it take over resources that belong to others?”

The fact that Site Finder was implemented with a wildcard is a red herring. Site Finder configures DNS, a fundamental address resolution service, in a way that serves only the HTTP protocol. Whether or not it breaks other current activities, it skews the simple specification of DNS function in a way that prejudices future development. So the redirection of nonexistent domains to Site Finder fails question 1.

Control of the resolution of domain names is a very valuable power. Verisign is custodian of the second-level domain names under .com and .net, but not the owner of those names. Verisign is allowed by its contract to profit from the assignment of these names under certain general conditions, but it does not have full rights to assign them to itself free of charge. The redirection of formerly nonexistent domain names to Site Finder constitutes a capture of property over which Verisign has no proper authority. So, the redirection is wrong under question 2.

Mike O’Donnell

James Seng  –  Oct 23, 2003 7:19 AM
Henry Minsky  –  Nov 13, 2003 12:49 PM

What Berisign did was exactly the opposite of innovation. They simply broke an existing protocol, for their own greedy and shortsighted goals.

While you could say in a narrow technical definition that they are obeying DNS protocol, in fact that is a specious argument. They may be sending well formatted packets but the contents of those packets are lies. They are lying when you ask if a domain exists, and they tell you it does. It is like if I went out into the middle of a busy freeway at night and placed a big “Road Closed, Detour” sign to get people to come to my shopping mall. I would technically be obeying the traffic sign protocol, but I am abusing it by lying about the content, for my own gain.

And by lying about the existence of a domain name, they actually prevent innovation by others; if someone wanted to make their browser give some kind of helpful response to a domain-does-not-exist error message, they cannot now, because Verisign has removed the information about whether a domain actually exists.

You say that this should be the starting point for new innovations; well up until SiteFinder each browser could in fact implement all these nice things, although Microsoft Internet Explorer chose to not bother, and that was the opening that Verisign needed to jump in and grab the family jewels.

So, in summary, I cannot understand your argument. SiteFinder restricts the ability of everyone else to innovate by breaking the protocol at the wrong level, and makes it impossible for anyone else to play. And that is not even touching the issue of all the non-HTTP protocols that are just fucked now. Try debugging your mailer or time server, when Verisign is spoofing any incorrectly configured hostname.  It’s that simple.

This “feature” belongs in the browser. End of story.  How could you possibly think it is OK to do this? Do you have any actual experience implementing real network protocols? There is clearly no need for this “service”, it was just Verisign’s way of trying to grab a slice of the web advertising pie.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC