nanog mailing list archives

An Open Letter of corrections to Mark McLaughlin's Innovation and the Internet


From: Owen DeLong <owen () delong com>
Date: Mon, 06 Oct 2003 22:57:05 -0700


While I realize that your Perspectives area is a place where various people
are allowed to submit editorials, your publication of this particular
very skewed piece without checking some of the stated facts within it
does not meet CNet's usual standard of journalism.

In addition to Mr. McLaughlin's errors or omissions of fact, he makes a number
of misleading statements and outright incorrect implications.  As such, I
will simply address the article paragraph by paragraph, beginning with the
bold paragraph being considered paragraph 1.

Paragraph 1:
        It's not about whether innovation should be encouraged.  I think if
        you were to survey the opponents of Verisign's maneuver, you would
        find that each and every one of them would say they are in strong
        support of innovation on the internet.  What Verisign did was not
        innovation.  It was a move to line their pockets with significant
        additional revenue while simultaneously abusing their monopoly
        position in control of a resource contracted to them to manage
        in the public trust.  They do not OWN the domains that they modified,
        instead, they are entrusted with the management of said domains
        (namely .NET and .COM).  None of Verisign's competitors is in a
        position to place wildcard records in these zones, so, Verisign also
        was abusing its position of public trust to gain unfair advantage
        over competitors.

Paragraph 2:
        The error page simply indicates that the URL they typed involved
        the name of a host which did not exist.  Verisign ignored the fact
        that DNS does not only affect web services.  While it is true that
        some may say that this is an improvement for web browsers, it creates
        significant problems for other applications.  More on this below.

Paragraph 3:
        Site finder is not about improving the user experience.  If it were,
        Verisign would have solicited public input prior to inflicting this
        change on a critical area of internet infrastructure.  Verisign is
        now launching this PR campaign to try and make ICANN look like the
        bad guys for finally saying no to Verisign's repeated abuses of their
        position.  Site finder is about profits for Verisign.  In fact,
        substantial profits on the order of Millions of dollars per day.
        This is why they were so reluctant to take it down in spite of a
        polite request from ICANN.  ICANN had to point out that Verisign
        was in violation of several clauses of their contract and threaten
        them with legal action to get them to comply.

Paragraph 4:
        Similar services were tested in a manner which did not break existing
        infrastructure for non-web oriented applications which were well known
        on the internet.  Verisign didn't do any testing, they simply unleashed
        this on the two most popular top level domains without review, notice,
        or even a heads up to the operational community.  In fact, the first
        notification to the NANOG (North American Network Operators Group)
        mailing list by Verisign came several hours after the debate had
        already started.  Verisign's site finder service didn't trigger debate
        because they hadn't been tried for .com and .net, it triggered debate
        because it disrupted services, constituted a change which was not
        subjected to appropriate public review beforehand, and, represented
        a cavalier and mistaken attitude by Verisign that these top level
        domains were theirs to manage however they saw fit.  These domains
        have a long history on the internet, and, they have always been
        considered a public-trust type of resource.  The contract to Verisign
        to manage these domains clearly calls for Verisign to manage them
        in the public interest.  This was Verisign managing the domain in
        their own interest, the public be damned.

        While it is true that during the three weeks it took to get Verisign
        to fix their abomination, DNS continued to function for most visible
        levels, the internet continued to route packets, and, most things
        functioned as before, that does not mean that their change did not
        break things.  As an example, prior to Verisign's change, if I sent
        an email to user@noexist.com intending to send it to user@exists.com,
        I would get an answer back immediately saying "noexist.com" does not
        exist.  After Verisign's change, their mail rejector would either
        simply drop my mail in a black hole, or, when it was too busy,
        fail to respond for long periods of time.  Either way, since I don't
        get an error message, I don't know that my mail didn't get through.
        Another problem comes from anti-spam utilities which depend on
        being able to determine if a domain name being used in mail exists
        or not.  Verisign rendered it virtually impossible, because, under
        their proposed system, all domains exist in DNS.  They essentially
        eliminated a vital and useful error message from the internet, instead
        choosing to make everyone use their error handler.  Without going
        through the IETF and RFC processes, this is an unacceptable move
        on their part.  Of course, IETF would never approve such an action
        and Verisign knows it.  Further, if a domain expired or was accidentally
        removed, most software is designed to deal with NXDOMAIN responses
        (the error code returned prior to Verisign's actions) in a manner
        that allows this to be resolved without serious consequences.
        With Verisign's change, however, it becomes fatal.  Imagine if you
        are looking for CNET.COM, but, due to a clerical error, CNET.COM
        has been removed from the DNS.  Now, instead of getting an error
        saying that the site could not be located, you get Verisign.
        All your mail for CNET.COM, instead of getting queued and waiting
        for it to reappear for several days now instantly disappears into
        a black hole.  I would think, if you were CNET.COM, in this case,
        you would be upset.

Paragraph 5:
        ICANN bought into the claims that very specific things were broken
        by Verisign's actions.  Those claims are true.  The effort of Verisign
        to deceive the public into believing that this is not true and that
        ICANN caved under pressure from zealots and purists is a grossly
        inaccurate characterization of what happened.  The pressure came from
        the operational community, the research community, and, end users.
        Sure, for some, technical purity and religion may be an issue.  For
        most, we were far more upset that real applications in real use for
        real economic purposes were being interrupted or hampered by this
        unannounced, unprecedented, and, unacceptable change.

Paragraph 6:
        This vocal minority is the MAJORITY of the people actually keeping
        bits flowing on the internet.  It is, admittedly, not the majority
        of users of the internet, but, it does represent the majority of
        internet service providers.  It represents the connectivity of
        the majority of users on the internet.  Most end users don't even
        know what DNS is, let alone what happens when it is changed.
        It's not about resentment of use for commercial purpose.  I'm sure
        there are people out there that think the internet shouldn't be
        used for commercial purposes.  The majority of the outcry, however,
        came from people trying to make a living out of keeping the internet
        running for commercial purposes.  Mr. McLaughlin and Verisign seem,
        instead, to have ignored the fact that there's more to the internet
        that matters to our economy than just Web Browsing.

Paragraph 7:
        They can disagree with purists all they want.  The problem is that
        here they are disagreeing with the actual operators of the internet
        who are not trying to hold the internet back, but, keep it functioning.

Paragraph 8:
        Throughout that history, the debate has been held in public and
        actions and changes to standards on the internet have been based
        on a combination of rough consensus and running code through a
        public process known as the IETF (Internet Engineering Task Force).
        Verisign did not subject these changes to any form of review
        outside of Verisign.  There was no community input or review.
        If there had been, the community would have rejected this before
        it started, because it had real operational impact, and, because
        it had Verisign abusing public trust to line their pockets.
        Fierce debate is good.  Verisign tried to avoid debate altogether
        by launching this without the required reviews beforehand.  Verisign
        has a long history of doing this.

Paragraph 9:
        This is the one paragraph with significant truth in it.  The
        result of this debate will have far reaching implications for
        the future of the internet.  Do we send a clear message to
        Verisign that their role as agent of the public trust does not
        involve making whatever changes to critical infrastructure they
        feel are in their best interests?  Do we allow Verisign to continue
        down the road that they have repeatedly attempted where it is
        as if they think they own all rights to these TLDs which were
        entrusted to them to manage by contract from ICANN?  ICANN is
        a non-profit public benefit corporation charged with managing
        this part of the internet infrastructure.  They contracted out
        this specific duty to Verisign with some reasonably strict rules
        about how they can do it.  Verisign, in spite of this, has repeatedly
        ignored those rules in its own interest.  If ICANN allows this
        to continue, it will, indeed, change the face of the internet
        significantly.  Mr. McLaughlin may think that's a good thing,
        as he will surely profit heavily from it.  I doubt that it will
        improve things for internet users or operators, however.

Paragraph 10:
        The internet already has a process for doing that.  It's called
        the IETF.  If this didn't happen in IETF, we wouldn't have HTTP,
        IPSEC, or, even DNS.  Almost every protocol in use today on the
        internet was developed through the IETF process.  Many improvements
        to protocols (BGP is currently on version 4, for example) have
        also come through the IETF and the related RFC process.  The significant
        test is not whether the internet can do this (it already has), but,
        whether the internet can control the contractors entrusted with
        the management of items in the interest of the public.  If not,
        ICANN will need to find an alternative.  That will be difficult
        and painful.

Paragraph 11:
        No one is discouraged from exploring the bounds of the internet.
        Verisign is discouraged from BREAKING existing functionality
        in the name of lining their pockets.  There are lots of places
        on the internet to experiment with new tools.  The two most
        populated top level domains in the DNS tree are _NOT_ the right
        place to experiment.  You wouldn't want a rocket scientist
        developing new fuels at your kid's elementary school, would you?
        Well, what Verisign has done is equivalent to that.  They
        decided without warning to conduct their experiment in production
        instead of a laboratory.

Paragraph 12:
        This paragraph cannot stand without the lies from the previous
        paragraphs.

Paragraph 13:
        Verisign did not spend hundreds of millions of dollars to fortify
        the two root servers alone.  Also, a number of other root servers
        withstood the attack as well.  This whole paragraph is specious and
        misleading.  In fact, Verisign has one of the worst track records
        for errors of any DNS provider in history.  The technical community
        is less concerned about what will happen without Verisign than they
        are about what Verisign will do to the internet.

Paragraph 14:
        The decisions made in this debate will not be about innovation.
        They will be about theft and hijacking.  Will Verisign be allowed
        to hijack non-existent domain names to their own purpose and profit?
        Will they be allowed to continue to make arbitrary changes to
        services which are considered critical infrastructure by a large
        portion of the Internet community?  Will ICANN stand up and
        say "no more" to Verisign's abuse of their position under the
        ICANN and USDOC contracts?  These are the decisions that will be
        made around this issue.  Innovation is safe and secure in the
        IETF.  I will agree that there are problems to be solved in the
        IETF process, but, Verisign's actions won't even touch those,
        let alone make any positive contribution.

Paragraph 15:
        The decisions made over the next months and years will determine
        whether the namespace remains a consistent and well-ordered
        hierarchy, or, whether the distaste for Verisign and the lack
        of action by ICANN to stop them becomes so distasteful to enough
        network operators that the authority of ICANN is usurped and
        the namespace becomes fragmented.  That would be bad for everyone.

Biography:
        Owen DeLong is a Network Architect for a Mountain View based
        communications firm.  He has held positions ranging from Systems
        Administrator to Senior Backbone Engineer at ISPs ranging from
        very small to very large.  He has designed and built networks
        from dialup to OC-192.  He has been an active participant in
        the Internet Operational Community and NANOG for more than a
        decade.

Owen DeLong
owen () delong com
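
An added example, not part of Owen DeLong's message: the anti-spam problem described under Paragraph 4, where a sender-domain existence check stops working once every unregistered name resolves, alongside one way a receiving filter could compensate by learning the wildcard address from random probe names. The toy zone, the addresses and all function names are constructed for illustration; the resolver is a stub so the example runs offline.

```python
import secrets

# Constructed data: a toy ".com" zone with one registered name.
REGISTERED = {"exists.com": "192.0.2.10"}
WILDCARD_IP = "198.51.100.1"  # constructed stand-in for the catch-all host

def make_resolver(wildcard):
    """Return resolve(name) -> (rcode, address) for the toy zone."""
    def resolve(name):
        if name in REGISTERED:
            return ("NOERROR", REGISTERED[name])
        if wildcard:
            # With a wildcard record, every unregistered name "exists".
            return ("NOERROR", WILDCARD_IP)
        return ("NXDOMAIN", None)
    return resolve

def naive_domain_exists(resolve, domain):
    """The pre-wildcard check: trust the response code alone."""
    rcode, _ = resolve(domain)
    return rcode == "NOERROR"

def learn_wildcard_addresses(resolve, tld="com", probes=3):
    """Query random, almost certainly unregistered labels under the TLD.
    Any address returned for them must come from a wildcard."""
    found = set()
    for _ in range(probes):
        rcode, addr = resolve(f"{secrets.token_hex(16)}.{tld}")
        if rcode == "NOERROR":
            found.add(addr)
    return found

def domain_exists(resolve, domain, wildcard_addrs):
    """Treat an answer that points at a known wildcard address as NXDOMAIN."""
    rcode, addr = resolve(domain)
    return rcode == "NOERROR" and addr not in wildcard_addrs

def check_sender(resolve, sender):
    """Run both checks on the domain part of a sender address."""
    domain = sender.rsplit("@", 1)[1].lower()
    tld = domain.rsplit(".", 1)[1]
    wild = learn_wildcard_addresses(resolve, tld)
    return {"naive": naive_domain_exists(resolve, domain),
            "wildcard_aware": domain_exists(resolve, domain, wild)}
```
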

