ICANN has been on the soapbox on the topic of DNS recently, encouraging DNSSEC adoption, and taking a stand against top-level domain (TLD) redirection of DNS inquiries.

The DNS error resolution market — usually manifesting itself as the display of an advertising-festooned Web page when a user tries to browse to a non-existent domain — has been growing over the years, primarily thanks to ISPs who have foisted it upon their users. The feature is supported in commercial DNS software and services that target the network service provider market; in most current deployments of this sort, business customers typically have an opt-out option, and consumers sometimes do as well.

While ICANN’s Security and Stability Advisory Committee (SSAC) believes this is detrimental to the DNS, their big concern is what happens when this is done at the TLD level. We all got a taste of that with VeriSign’s SiteFinder back in 2003, which affected the .com and .net TLDs. Since then, though, similar redirections have found their way into smaller TLDs (i.e., ones where there’s no global outcry against the practice). SSAC wants this practice explicitly forbidden at the TLD level.
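Both forms of rewriting described above (an ISP resolver synthesizing an answer for a non-existent name, and a TLD wildcard doing the same for every unregistered name under it) show up the same way on the wire: a query for a name that cannot exist comes back NOERROR with an address instead of NXDOMAIN. The canary probe below is an added example, not code from the original post; it builds a raw RFC 1035 query for a random label under a chosen suffix using only the Python standard library, parses the reply, and classifies the resolver's behaviour. The resolver address and suffix are assumptions supplied on the command line; the sample response bytes used to exercise the parser are constructed, not captured.

```python
"""Canary probe for NXDOMAIN rewriting (added example; stdlib only).

A random label under a suffix should never resolve.  If a resolver (or a
TLD wildcard reached through an honest resolver) answers NOERROR with an
A record for it, that is synthesized-response redirection.
"""
import secrets
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def canary_name(suffix):
    """Random 16-hex-char label under suffix; vanishingly unlikely to exist."""
    return f"{secrets.token_hex(8)}.{suffix.strip('.')}"


def build_query(qname, txid):
    """Encode a standard recursive A/IN query for qname (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, txid):
    """Parse header and answer section; return rcode, answer count and A records."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                # skip the echoed question entries
        off = _skip_name(data, off) + 4
    addresses = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x0F, "ancount": an, "addresses": addresses}


def classify(parsed):
    """Label the behaviour seen for a name that should not exist."""
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "honest-nxdomain"
    if parsed["rcode"] == RCODE_NOERROR and parsed["addresses"]:
        return "synthesized-answer"    # NOERROR plus an address for a bogus name
    if parsed["rcode"] == RCODE_NOERROR:
        return "nodata"
    return f"rcode-{parsed['rcode']}"


def probe(suffix, resolver, timeout=3.0):
    """Send one canary query over UDP to resolver (an IP string) and classify it."""
    txid = secrets.randbits(16)
    qname = canary_name(suffix)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data, txid)
    return qname, classify(parsed), parsed["addresses"]


if __name__ == "__main__":
    import sys
    # usage: python canary.py <suffix> <resolver-ip>
    # e.g.   python canary.py example.com 192.0.2.53   (placeholder resolver address)
    name, verdict, addrs = probe(sys.argv[1], sys.argv[2])
    print(name, verdict, addrs)
```

Run it once with the suffix set to a domain you control against your ISP's resolver to test for resolver-level rewriting, and once with the suffix set to a bare TLD against a resolver you trust to test for a TLD wildcard; a "synthesized-answer" verdict in the second case points at the zone rather than the resolver.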

I personally feel that the DNS error resolution market, at whatever level of the DNS food chain, is harmful to the DNS and to the Internet as a whole. The Internet Architecture Board’s evaluation is a worthy indictment, although it’s missing one significant use case — the VPN issues that redirection can cause. Nevertheless, I also recognize that until there are explicit standards forbidding this kind of use, it will continue to be commercially attractive and thus commonplace; indeed, I continue to assist commercial DNS companies, and service providers, who are trying to facilitate and gain revenue related to this market. (Part of the analyst ethic is much like a lawyer’s; it requires being able to put aside one’s personal feelings about a matter in order to assist a client to the best of one’s ability.)

I applaud ICANN taking a stand against redirection at the TLD level; it’s a start.


Posted on June 24, 2009, in Infrastructure. 3 Comments.

  1. Nice post, cool to see that there is some interest in this topic.

    I think that there was some commentary about where to draw the line on the synthesized responses. Two reasons that come to mind are that there is some good that comes of those responses (rewriting phishing sites) and the fact that the technique is so new that not all of the benefits are clearly known (although the detractions are much better known).

    One point, which I can infer from your writing, is that this is much more than just port 80 and HTTP; what about mail and every other protocol?

    My personal opinion is that when you are a step away from the authoritative server, and if you have a reasonable bound set on users within your caching/recursive nameserver, then the benefits start outweighing the cons pretty quickly. The current TLDs who wildcard do not publish their zone data, so it is impossible to see what is actually real.

    The entire study is available at: http://bit.ly/TKUTn


  2. I was reading something about this on netbookspoint.com and I started to wonder if the Kindle app will be ported to the iPad, therefore allowing access to Amazon’s library and lower prices, anyone know?


  3. Howdy would you mind letting me know which hosting company you’re working with?

    I’ve loaded your blog in 3 completely different browsers and
    I must say this blog loads a lot quicker than most. Can you
    suggest a good hosting provider at a reasonable price? Thank you, I appreciate it!

