nanog mailing list archives

Re: David McGuire's VeriSign article from 10/4/03 Page E01


From: Owen DeLong <owen () delong com>
Date: Sat, 04 Oct 2003 09:40:54 -0700


An open letter to the Ombudsman at the Washington Post

Please also forward to David McGuire

I would like to correct some errors of fact and some potentially erroneous
perceptions conveyed in Mr. McGuire's article.  I would appreciate it if
the Washington Post would correct these in a subsequent article.

Perception:

1.      There is no reason to believe that turning off the wildcard
        records in the DNS is a temporary move.  ICANN has said that
        if there is significant evidence that these changes are not
        doing harm to the internet (they most definitely are), they
        would consider making changes to allow them to be turned back on.

2.      Verisign initiated the changes without notice to ICANN, IETF,
        or the community at large.  ICANN is, essentially, the top-level
        authority in such matters.  IETF is the body entrusted with the
        engineering, design, and specifications development for the
        internet through the RFC process.

3.      Verisign was politely asked to stop breaking the internet by
        ICANN quite some time before this demand letter.  Verisign
        chose to refuse that request.

Facts:

1.      Verisign changed the behavior of a critical component of Internet
        infrastructure without hearing, notice, or even a heads up to
        the community until after it was implemented and the public
        outcry began.  ICANN, while not holding a formal hearing prior
        to this action, did solicit community input and review from the
        various organizations responsible for these issues.  ICANN has
        not asked Verisign to change a functional part of the internet,
        but, to undo the changes Verisign made without hearing.  This
        is not unreasonable and shouldn't require a hearing process that
        the changes didn't go through in the first place.

2.      This is just the latest in a string of abuses by Verisign of
        their position in control of these aspects of the namespace.

3.      The engineers and scientists you refer to as a close-knit group
        are anything but.  We are a very diverse group of people from
        an even more diverse set of geographies.  There are a number of
        different organizations which contain various fragments of this
        group, but, to my knowledge, not a single one which contains all
        of us.  In general, our agendas are so diverse that we have
        tremendous trouble coming to consensus on even basic things such
        as the minimum IP allocation boundary.

        In reality, this move angered virtually everyone running any
        operational part of the Internet.  This is the most united
        I have _EVER_ seen the operational portion of the Internet
        Community.

Some further information for your consideration:

1.      The Site Finder service isn't about helping lost internet users.
        It's about hijacking typos for profit.  Verisign is trying to
        line its profits while preventing others from providing similar
        services.

        Currently, an ISP can capture NXDOMAIN responses at the resolver
        level and (although few do, and most would think this was as
        bad as Verisign's move) redirect it to their own error handling
        servers.  Even if an ISP does this, however, users have the option
        of configuring other resolvers to get their DNS services from.

        With Verisign placing these wildcards in the top-level zone files
        they have disabled this NXDOMAIN functionality for everyone.
        This prevents mail servers from verifying that a sender domain
        (or even a recipient domain) even actually exists (they all do
        according to DNS with the wildcard).

2.      Verisign can claim that the claims are overblown all they want.
        They are actually mostly understated.  Verisign had no right
        to make this change to critical infrastructure which they are
        operating in the public trust.  The key problem here is that
        Verisign seems to think they own that and it is theirs to do
        with as they wish.  The reality is that it is held in the public
        trust by ICANN and its stewardship is contracted out to Verisign.

3.      The statement that there is no data to indicate the core operation
        of DNS or the stability of the Internet has been adversely affected
        is a very carefully chosen set of words.  While it is technically
        true, it creates a very different impression from what it actually
        says.  The impression it intends to create is that there is no
        evidence that this broke anything.  In fact, it broke quite a number
        of things.  It did not break DNS per se, but, it did change one
        functional aspect of DNS in a way that was incompatible with
        existing systems implementations (it didn't break DNS, but, it
        broke several things that depend on DNS).  The "stability of
        the internet" can be said to relate specifically to the ability
        to forward packets from one host to another.  While it didn't
        impact this ability, it did affect a number of applications
        in an adverse manner.

4.      ICANN is using anecdotal and isolated issues -- This is a most
        specious claim.  ICANN is using real reports of real damage to
        functioning systems on the internet from real operators of those
        facilities.  Sure, that's anecdotal, but, it's also anecdotal
        if a patient tells a doctor on the phone that his wrist has been
        cut and he is bleeding profusely.  No rational doctor would tell
        this patient not to call an ambulance.  No rational person
        in ICANN's position would not tell Verisign to undo this change
        post haste.

5.      Verisign's claim that this is an attempt to regulate non-registry
        services is also untrue.  The contents of the DNS zone files for
        the top level .com and .net zones are very much a registry service.
        Placing stuff in there that does not serve the public trust for
        which those files are contracted is very much a non-registry service,
        and, such things don't belong in those zone files.  ICANN does not
        care what non-registry services Verisign wants to provide.  ICANN
        does care about damaging pollution being added to the DNS namespace
        by the company entrusted as a registry to manage that namespace.
        ICANN's right to regulate that is anything but dubious, and, Verisign's
        claims that it is dubious are an obvious attempt to hijack this power
        for yet more abuse of their contract privileges.  The issues are
        not isolated, they are widespread.

In summary, I ask you to print an appropriate update to the facts of Mr.
McGuire's piece.  I ask you to check your facts and examine the situation
better in order to present a less biased approach to stories about the
internet in the future.  I realize that because the internet operational
community is so diverse it is hard to find a "spokesman".  I also understand
that it is easy to find the chosen spokesperson for Verisign.  However,
I believe that as reporters, especially for an institution like the
Washington Post, you have an obligation to put in the effort to find a
sampling of communities that have no designated spokespeople so that
you can get their side of the story as well.  In short, I don't think
Mr. McGuire's biases in this article are the result of malice, but, I
think they demonstrate a certain amount of laziness and nonfeasance of
his journalistic responsibilities.

Sincerely,

Owen DeLong
owen () delong com

P.S.  The other email address I sent this to is a list which contains some
portion of the North American Operations community.  It might be a good
resource for further comment/investigation on these issues.
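
The effect the letter describes on mail servers (a TLD wildcard makes every sender domain appear to exist) can be reproduced with a toy zone model. This is an added example, not part of the original message; the zone contents, addresses and function names are constructed, and the probe-based check is one possible mitigation assumed here, not something the letter proposes.

```python
import secrets

NXDOMAIN = None  # stand-in for an RCODE 3 (name error) response

# Constructed sample zones holding second-level names only
# (documentation addresses, not real data).
ZONE_BEFORE = {"example.com": "198.51.100.7"}
ZONE_AFTER = dict(ZONE_BEFORE, **{"*.com": "192.0.2.1"})  # wildcard added


def tld_of(name):
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def lookup(zone, name):
    """Toy authoritative lookup: exact match wins, else the TLD wildcard."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    return zone.get("*." + tld_of(name), NXDOMAIN)


def sender_domain_exists(zone, domain):
    """Check the letter refers to: a domain is bogus if DNS says NXDOMAIN."""
    return lookup(zone, domain) is not NXDOMAIN


def wildcard_answer(zone, tld):
    """Query a random, almost certainly unregistered label under the TLD.
    Any answer that comes back was synthesized by a wildcard."""
    return lookup(zone, "probe-" + secrets.token_hex(16) + "." + tld)


def sender_domain_exists_hardened(zone, domain):
    """Treat an answer identical to the wildcard's answer as non-existent.
    Caveat: a real domain hosted on the wildcard's address is also rejected."""
    answer = lookup(zone, domain)
    if answer is NXDOMAIN:
        return False
    return answer != wildcard_answer(zone, tld_of(domain))


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        for dom in ("example.com", "no-such-sender.com"):
            print(label, dom,
                  "naive:", sender_domain_exists(zone, dom),
                  "hardened:", sender_domain_exists_hardened(zone, dom))
```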

