
Sitefinder Writ Small

You all remember Sitefinder don’t you?

According to The Register, CentralNic , owner of a number of popular domains including uk.com and us.com, has added wildcard A records to .uk.com.

Cue the usual round of sniping about Internet stability (with which, as you will see, I agree).

The question is, given the difference in scale (.com and .net are huge; .uk.com is quite small) will anyone notice? And does it matter? Certainly CentralNic seems to think the small scale of their domains excuses or at least mitigates the Internet stability side effects of their ploy.

The company’s CTO, Gavin Brown, told us he had not read the SSAC report and that the company did not consider itself under the same contractual constraints as VeriSign with regard to ICANN and the wider Internet community.

“Given our relatively small footprint within the DNS system compared to, for example, any gTLD or ccTLD registry, and taking advice from our registrars, we concluded that introducing a wildcard under .uk.com would not have any serious implications for the stability of the Internet,” Brown told us.

My guess is that people will notice and it does matter. Why? Because as is now standard practice for anyone wishing to justify DNS wildcards, only a single application, web browsing, has been considered. No consideration has been given to, for example, mail routing or intranet applications and this gives rise to a number of problems some of which I have listed here:

  1. Spammers can now spoof a non-existent domain under .uk.com in the sender envelope of their messages, and systems which do any validation on the RHS (domain part) of sender envelopes will blindly accept them all - see illustration below.
  2. At least as troubling, we have the fat finger problem where a user misspells a domain under .uk.com when addressing an email.
    • Where no A or MX is found, such a message will bounce immediately and the sender will have an early opportunity to correct the problem.
    • Where one of these wildcard A records is found, the sending system will attempt to connect on port 25, fail because nothing is listening on that port at the target system, and re-queue the message to try again. Bounces will be delayed by a significant period (typically 24 hours) and this will most likely cause at least some inconvenience.

    [There is something of a contrast here between CentralNic’s use of the wildcard and Sitefinder. Sitefinder’s system did actually listen on port 25 and bounced inbound messages though there was some debate at the time over whether VeriSign did anything else with these errant messages.]

  3. The thin end of the wedge. Or to put it another way if CentralNic can do this, soon everyone will want to copy them.

The Register’s summary hits the nail on the head:

If large segments of the Internet start turning over to wildcard systems, there is a risk of the stability of the wider Internet being put at risk. And VeriSign is bound to argue for SiteFinder’s re-inclusion if dozens of other companies are seen to benefit.

ICANN would then face the impossible task of either defining which domains may or may not use wildcard, or ban the system altogether. Either way, it is not a smooth road.

Spam illustration:

Domain gshjgjsghajhgsjgjshg.com does not exist and there is no wildcard (currently) in .com.

my.inbound.mta tests for a valid domain in the SMTP MAIL FROM sender envelope and issues a 554 rejection when the domain does not resolve (it has no published A or MX records).

< 220 my.inbound.mta ready at Wed, 14 Sep 2005 12:41:35 +0100
> helo test
< 250 my.inbound.mta Hello test ([10.0.0.11]), pleased to meet you
> mail from:<[email protected]>
< 554 Mail from [email protected] rejected for policy reasons.
> quit
< 221 my.inbound.mta SMTP Service closing transmission channel

Domain gshjgjsghajhgsjgjshg.uk.com does not exist but there is a wildcard in .uk.com.

my.inbound.mta tests for a valid domain in the SMTP MAIL FROM sender envelope, finds the A record returned by the wildcard lookup and issues a 250 (continue) even though the domain does not exist.

< 220 my.inbound.mta ready at Wed, 14 Sep 2005 12:39:22 +0100
> helo test
< 250 my.inbound.mta Hello test ([10.0.0.11]), pleased to meet you
> mail from:<[email protected]>
< 250 [email protected]… Sender OK
> quit
< 221 my.inbound.mta SMTP Service closing transmission channel
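The two transcripts above, replayed in code. This is an added example, not code from the original post: a toy zone (constructed, with "*.uk.com" standing in for CentralNic's wildcard A record) and a sender-domain check that resolves MX first and falls back to an A record, which is the fallback a wildcard A satisfies for every name. The require_mx option goes beyond the post and shows the stricter policy that ignores the A fallback.

```python
"""Simulated MAIL FROM sender-domain check, as in the post's illustration.

Added example, not code from the original post.  ZONE is a constructed
toy zone; "*.uk.com" stands for the wildcard A record the post describes.
"""

# Constructed zone data: owner name -> {rrtype: [rdata]}.
ZONE = {
    "example.com": {"MX": ["mail.example.com"], "A": ["192.0.2.10"]},
    "real.uk.com": {"MX": ["mx.real.uk.com"]},
    "*.uk.com": {"A": ["192.0.2.99"]},   # wildcard A record, no MX
}


def lookup(name: str, rrtype: str) -> list[str]:
    """Resolve name/rrtype against ZONE with simplified wildcard matching:
    the nearest existing ancestor is the closest encloser, and only that
    ancestor's wildcard child may synthesise an answer."""
    name = name.lower().rstrip(".")
    if name in ZONE:
        return ZONE[name].get(rrtype, [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "*." + parent in ZONE:
            return ZONE["*." + parent].get(rrtype, [])
        if parent in ZONE:          # closest encloser exists but has no wildcard
            return []
    return []


def check_mail_from(address: str, require_mx: bool = False) -> str:
    """SMTP reply an MTA applying the post's sender-domain policy would give.
    require_mx=True is the stricter variant that ignores the A fallback."""
    domain = address.strip("<>").rpartition("@")[2]
    resolves = bool(lookup(domain, "MX"))
    if not resolves and not require_mx:
        resolves = bool(lookup(domain, "A"))   # the step a wildcard A passes
    if resolves:
        return f"250 {address}... Sender OK"
    return f"554 Mail from {address} rejected for policy reasons."


if __name__ == "__main__":
    for sender in ("x@gshjgjsghajhgsjgjshg.com", "x@gshjgjsghajhgsjgjshg.uk.com"):
        print(check_mail_from(sender))                   # 554, then 250
        print(check_mail_from(sender, require_mx=True))  # 554 both times
```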

By Chris Linfoot, IT Director @ LDV Group Limited



Comments

Jothan Frakes  –  Sep 14, 2005 9:58 PM

I have operated more than one root listed TLD without adverse impacts, so I can speak from experience on this.

I think that something was lost in the whole shuffle here.  This wildcard record in .uk.com (or us.com for that matter) is not going to grind the internet to a screeching halt.

I have spoken with Gavin Brown, CentralNic’s CTO, about their use of the wildcard.  The CentralNic wildcard record has been in place in uk.com since early April.  Folks are just now noticing it.  That’s FOUR MONTHS (and counting) before anything was noticed.

From my perspective, CentralNic is very technically sophisticated and customer service focused (and I have no business relationship with CentralNic that I benefit from this mention).

There was a great deal of stability testing and impact research and consideration that occurred prior to turning on the wildcard in their namespace.

CentralNic is the registrant of UK.COM according to whois records.

Why should CentralNic’s choice to put a * record at the bottom of their domain’s zonefile get this much press?  Slashdot.org, for example, has had a wildcard in place for years.  What is the difference?  There is no difference.

With respect to SPAM, I spoke with Gavin about some SPAM considerations, and it sounded like there were some proactive efforts in this area as part of their early work.

CentralNic is planning to implement SPF records for the * that identify that no mail is sent from the origination address.

This is quite a proactive step towards thwarting the issue where spammers forge origination domains. 

If it has run for this long without notice, it is the proverbial tree that falls in the woods.  Let's let it be.

The Famous Brett Watson  –  Sep 15, 2005 3:34 AM

The key difference between CentralNic and Verisign is that CentralNic is the registrant of “.uk.com”, where Verisign is merely the custodian of “.com”. Regardless of whether the wildcard is a wise move, CentralNic is merely exercising their prerogative, whereas Verisign was abusing their privilege. Delegations in “.uk.com” are a private matter; delegations in “.com” are a public matter.

That aside, the wildcard problem illustrates to me that we need to migrate away from using address records as indicators of service availability. Mail has employed the dedicated MX record for nearly twenty years now (since RFC 973, which also discusses the semantics of DNS wildcards, as it happens), and the fall-back to plain address records has been little more than a historical vestige for much of that time. The sooner we deprecate this fall-back strategy, the better, since it will cure the problem illustrated in this article.

The relationship between address records and the web (both HTTP and FTP) won’t be so easily sorted out, sadly.

Chris Linfoot  –  Sep 15, 2005 8:23 AM

Actually the main issue for me is the second one (fat finger mail addressing) though I don’t like to be reminded of Sitefinder. Fat finger addressing is sadly a fairly regular occurrence and it can lead to delays in communication (users have a touching faith in the ability of mail systems to deliver anything to any destination instantly).

That problem can easily be solved without the need to deprecate the use of A records in mail routing if people implementing wildcards would do one simple thing:

Listen on port 25 and issue a 5xx permanent failure when mail clients connect accompanied by text along the lines of “No such domain as baddomain.example. Please check the address and try again.”
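One way to build the responder this comment proposes, as an added example (not the comment's or CentralNic's code): the host behind the wildcard answers on the SMTP port, lets the client get as far as RCPT TO, and then rejects with a permanent 550 naming the misspelt domain, so the sending MTA bounces the message immediately instead of queueing it for a day. The banner hostname, rejection text and port 2525 (25 in production) are constructed choices.

```python
"""Wildcard host that answers SMTP with a permanent 5xx, as the comment
above proposes, so misaddressed mail bounces at once instead of queueing.

Added example, not the comment's or CentralNic's code.  The banner name,
rejection text and port 2525 (25 in production) are constructed choices."""
import socketserver

WILDCARD_HOST = "wildcard.example"   # constructed banner hostname
REJECT_TEXT = "No such domain as {}. Please check the address and try again."


def reply_for(line: str, host: str = WILDCARD_HOST) -> tuple[str, bool]:
    """Map one client command to (reply, close_after_reply).

    HELO/EHLO and MAIL are accepted so the client gets as far as RCPT TO,
    where the misspelt target domain is known and can be named in the
    550 5.1.2 (bad destination system address) permanent failure."""
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else ""
    if verb in ("HELO", "EHLO"):
        return f"250 {host}", False
    if verb in ("MAIL", "RSET", "NOOP"):
        return "250 OK", False
    if verb == "RCPT":
        domain = arg.rpartition("@")[2].rstrip(">").lower() or host
        return "550 5.1.2 " + REJECT_TEXT.format(domain), False
    if verb == "DATA":
        return "554 5.5.1 No valid recipients", False
    if verb == "QUIT":
        return f"221 {host} closing transmission channel", True
    return "502 5.5.2 Command not implemented", False


class WildcardHandler(socketserver.StreamRequestHandler):
    """One connection: send the banner, then answer each line until QUIT."""

    def handle(self) -> None:
        self.wfile.write(f"220 {WILDCARD_HOST} ESMTP wildcard responder\r\n".encode())
        for raw in self.rfile:
            reply, close = reply_for(raw.decode("ascii", "replace"))
            self.wfile.write((reply + "\r\n").encode())
            if close:
                break


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), WildcardHandler) as srv:
        srv.serve_forever()
```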

Domains  –  Sep 15, 2005 9:06 PM

Yep centralnic sell domains at very high prices and then benefit from the work of the subdomain holder. For example if I buy domain.uk.com and then someone makes a typo like doman.uk.com then centralnic get the benefit of the misspell whereas if an error comes up then users will realise their mistake and type in the correct domain so the one who has paid for the domain gets the traffic back.

Centralnic prices are far too high as well a .co.uk costs £5 per year and they charge £32.50 a year. You can get real .com for £4 a year from godaddy!!!. They are in general an arrogant company as well.

Suresh Ramasubramanian  –  Sep 16, 2005 2:12 AM

Yes - running something that rejects bogus uk.com domains at least in email would be a welcome step. Without that we’re going to be buried in spam forging *.uk.com domains

One very large provider I know of that

* Publishes a catchall MX record for all subdomains
* Accepts email for all those subdomains even bogus ones
* Generates a bounce later

.. and is suffering from a whole lot of stock spammers forging random subdomain names in its namespace ...

is prserv.net - and they have been doing this for years now.

Lots of other providers do this as well.

uk.com is very very small beer in comparison - and not a new idea

Move along, folks, nothing much to see here.

-srs

Christopher Parente  –  Sep 16, 2005 2:31 PM

The Famous Mr. Wilson hits it for me—they are not a TLD registry. They are taking domains they’ve registered (from VeriSign), marking up greatly, and selling on secondary market. The only constituency they need to watch out for is THEIR customers, who might not like how CentralNic benefits from fat fingering. Wonder how those contracts read, b/c as Jothan points out it looks like CentralNic remains the registrant of record for the TLDs re-sold.

IMO, the difference between a longer time period for bounce backs and the stability of the Internet is vast.  And regarding the Register summary:

ICANN would then face the impossible task of either defining which domains may or may not use wildcard, or ban the system altogether. Either way, it is not a smooth road.

ICANN already IS in this position, since TLDs like .museum have used wildcard for years, and I’m told (never seen myself) that VeriSign’s .com registry agreement with ICANN specifically permits wildcard.

Jothan Frakes  –  Sep 16, 2005 4:35 PM

Point of clarification… Earlier in this thread, I showed that whois for .uk.com to illustrate that policing their use of a wildcard would be like policing any registrant under .com, something that the registry really would not do.

CentralNic operates Whois servers to show the subdelegation registrant.
    • IANA Whois for COM
    • Whois for UK.COM
    • Whois for HARRYPOTTER.UK.COM
CentralNic does not remain the registrant of record for the subdelegations that they allow registrations of, any more than IANA would for a .com registrant.

Warner Bros., by registering this name (and btw, Warner Bros or their agent does a fabulous Brand management job in my opinion) has a registration with either the registrar of record that they provisioned via or CentralNic directly for the domain HarryPotter.uk.com. 

In registering under .uk.com, they establish the relationship with CentralNic, but not with VeriSign or IANA in this case.

Christopher Parente  –  Sep 16, 2005 5:06 PM

Thanks for the clarification, Jothan. I should have said that CentralNic remains the registrant of record for the secondary domain(s).

And while the registrant isn’t creating a relationship by choice with VeriSign, they actually do have one b/c the subdomain depends on VeriSign’s underlying .com/net resolution infrastructure to enable propagation and resolution, correct?

Jothan Frakes  –  Sep 18, 2005 3:11 AM

Well, we’re both right.  I am talking about technical delegation, but I simplified the relationships and the whois to collapse the relationship between the registry for .com (thin whois) and the registrar of record for uk.com (thick whois). 

The registrant themselves of any domain have a business relationship with the registrar of record, and that registrar provisions and manages the domain name with the registry for their customer.

There is a business relationship between VeriSign and the Registrar,  and then a business relationship between the registrar and CentralNic as the registrant, who in turn services their registrant or reseller/registrars who in turn service registrants.

The only cause that could really impact CentralNic customers would be for the domain name to lapse and expire,

Beyond the customer focus and attention to uptime and service levels that CentralNic is committed to, I can see two reasons that registrants under .uk.com can sleep at night knowing that the upstream delegation is safe.

  1. CentralNic has .uk.com reserved clear through 2011 by my last lookup, so six more years at least of service.
  2. Given the domain name aftermarket being such a hot area, and that valuation of two character names is exponential (especially those as recognized as a uk.com), two character names are typically watched quite close to ensure things like the expiry.

I don’t see the odds of them letting this domain lapse being very high.

But, you are correct.  Someone upstream can always impact those downstream.  It looks like there have been a lot of steps taken to mitigate those impacts, so harrypotter.uk.com can continue its magical existence.
