ICANN/GNSO GNSO Email List Archives


[registrars] FW: [council] ALAC statement on resolution of non-existing domain names

  • To: <registrars@xxxxxxxx>
  • Subject: [registrars] FW: [council] ALAC statement on resolution of non-existing domain names
  • From: "Tim Ruiz" <tim@xxxxxxxxxxx>
  • Date: Wed, 17 Sep 2003 08:11:21 -0500
  • Importance: Normal
  • Sender: owner-registrars@xxxxxxxxxxxxxx

Posted at the request of Jeff Neuman.
 
-----Original Message-----
From: Neuman, Jeff [mailto:Jeff.Neuman@xxxxxxxxxx] 
Sent: Wednesday, September 17, 2003 6:53 AM
To: 'Tim Ruiz'; Neuman, Jeff
Cc: registrars@xxxxxxxx
Subject: RE: [council] ALAC statement on resolution of non-existing domain names

Tim,

I am merely stating that there are two sides to the debate and before coming to a conclusion, both sides should be heard. I am enclosing a response by SECSAC to the IAB statement that you reference. I would appreciate you posting this to the Registrars list so that they can see as well.

-----Original Message-----
From: Steve Crocker [mailto:steve@xxxxxxxxxxxx]
Sent: Monday, August 04, 2003 5:14 PM
To: Paul Twomey; 'Dan Halloran'
Cc: secsac@xxxxxxxxx
Subject: [secsac] SECSAC recommendation re VGRS

Paul and Dan,

The SECSAC hereby forwards its recommendation to the board regarding Verisign's announced support for international domain names. This recommendation has been delayed, for which we offer both an apology and an explanation.

In this particular case, the SECSAC was drawn into the discussion after Stuart Lynn contacted the IAB for advice on this matter. We deliberated and came to the consensus opinion included below. However, the IAB had also responded with a noticeably different opinion. We would normally expect the IAB and the SECSAC to have quite similar views on matters of technology, architecture and security, so we held off submitting our recommendation in an attempt to coordinate our thinking with the IAB's. Unfortunately, we were not able to engage the IAB in this discussion and time continued to pass. Finally, Geoff Huston sent a reply on behalf of the IAB. This is included below.

As you might expect, the IAB and the SECSAC have taken this opportunity to establish closer ties to each other so as to improve communication between our groups. We expect this will strengthen the quality of our advice for the board.

Sincerely,

Steve Crocker
Chair, Security and Stability Advisory Committee


===============================================================

                                    SECSAC comments on VGRS

EXECUTIVE SUMMARY

We have followed the exchange between the IAB and Verisign in which the IAB has raised particular technical issues regarding Verisign's announced support for international domain names. Verisign has responded that it is in the process of changing what it is doing to address those concerns. This committee has no issue with what Verisign is doing.

BACKGROUND

This is a brief description of what Verisign is currently doing and plans to do.

Any DNS query to a Verisign server with an eighth bit set in an octet within the second label of a domain name would receive an IP address record (A RR) in its response, i.e., the address of a special purpose Verisign server. The resulting action by the client would be to make a connection (or use UDP to deliver its data) to the indicated address. The current behavior of the Verisign server is to ignore (silently drop) all connection requests and packets received other than tcp/80 (HTTP).

Upon receiving a tcp/80 connection request, the Verisign server uses the additional information in the HTTP request (it would also contain the same domain name with an eighth bit set that was received in the DNS query) to identify the various international domain names (IDNs) that could match the domain name. The client web browser will receive a web page that presents the various alternatives and an opportunity to download a plug-in that fixes the incorrect behavior, i.e., the plug-in ensures that future DNS queries are properly encoded before being sent to a DNS server. If the user chooses not to download the plug-in they can simply select the desired site from the list offered and they will be redirected there immediately.

Verisign has indicated that the planned behavior (scheduled for deployment sometime after mid-May) in response to connection requests to the special purpose server is as follows:

- Connection requests to tcp/25 (SMTP) will be accepted but any mail
  sent will be rejected with a 550 response code with human-readable
  error message text.  This will have the effect of stopping the
  attempted delivery of undeliverable messages.

- Any TCP connection attempts to ports other than 80 (HTTP) and 25
  (SMTP) will be reset, i.e., the same behavior any ordinary host would
  exhibit when receiving a connection to a port without a listening
  process.

- Any UDP packets received will result in an ICMP port unreachable
  response, i.e., the same behavior any ordinary host would exhibit when
  receiving a similar packet to a port without a listening process.

DISCUSSION

The technical issue is that the DNS protocol requires that when names as presented (QNAMEs) do not exist the correct reply is "non-existent domain" (NXDOMAIN). However, as an operational matter, we also know that a significant fraction of all queries are for NXDOMAINs (in the case of the root servers it is the majority). Verisign is simply observing that some number of the queries it gets are not really for NXDOMAINs but are presented incorrectly because the software making the query is "broken."

In that context they are providing a service for those users with broken software. They are both providing a way for the user to get the answer they actually want and providing a plugin that ensures the user will not have this problem in the future (bootstrapping the deployment of IETF standards).

The downside is that some number of users who do such broken things (make queries for a non-existent domain name with the eighth bit set in one of its octets) get a response with an address in it. If the application being used by the client user is web-based (e.g., a browser), then they will get the web page described above. All other applications will not get the most desirable response, since the preferred response should have been NXDOMAIN from the DNS. This is not a technically correct interpretation of the DNS protocol.

More generally, what Verisign is doing is deploying a mapping layer on top of the DNS, in this case primarily to assist some number of users. Similarly, the following registries are providing a mapping layer on top of the DNS:

    http://steve.tv
    http://k.mark.nu
    http://www.doron.cc
    http://dnssac.museum

Specifically, they are returning "wildcard" address records for non-existent domain names. The web page they display when attempting to connect to a non-existent domain name is a sales pitch attempting to sell it to you. In some cases the sales pitch is an auction offering the domain name to the highest bidder.

The critical difference between what these example sites are doing and what Verisign is doing is that Verisign is providing a service that facilitates the use of the web by users, without offering a "sale." The example sites above are using the opportunity to sell domain names to the highest bidder.

If we are to take issue with what Verisign is doing, then it seems reasonable to take issue with the others as well. However, although the practices give us some discomfort, we can't really see a technical basis for objecting to what Verisign is doing.

BIBLIOGRAPHY

Verisign's original announcement:

  VeriSign Enables Companies to Enhance Their Online Brands in
  Virtually Any Language Using Internationalized Domain Names
  http://www.verisign.com/corporate/news/2003/pr_20030114b.html

IAB's response to the request:

  http://www.iab.org/Documents/icann-vgrs-response.html
  http://www.icann.org/correspondence/iab-message-to-lynn-25jan03.htm

Verisign's response to the IAB response:

  http://www.icann.org/correspondence/lewis-letter-to-lynn-07feb03.htm

Verisign's followup announcement:

  VeriSign Confirms Support for IETF IDN Standard
  http://www.verisign.com/corporate/news/2003/pr_20030216.html

=========================================================

30 July 2003

Steve Crocker,
Chair,
ICANN Security and Stability Advisory Committee

Steve,

I refer to your note of the 19th May 2003 to the Chair of the Internet Architecture Board (IAB), seeking to coordinate your committee's views on Verisign Global Registry Services (VGRS) Internationalized Domain Name services (IDN) with the published views of the IAB.

Your letter notes that the ICANN Security and Stability Advisory Committee (SECSAC) does not appear to be as uncomfortable with Verisign's practices as the IAB appears to be, and you are seeking to compare notes on this.

It is noted that the IAB response refers specifically to the proposal to synthesize A records for certain queries, and did not address the subsequent proposal to synthesize NS records in response to queries for non-existent domains. The IAB has not yet reached any conclusion as to whether this subsequent VGRS proposal adequately addresses the IAB's original areas of concern.

In reviewing the documents, the IAB agrees that it does appear that the IAB and SECSAC are looking at this practice from different perspectives. The IAB took the position of comparing the VGRS proposal to the standard specifications, and noted a number of aspects of the proposal where the mechanism did not conform to these standard specifications. The SECSAC appears to have looked at this matter from the perspective of operational deployment.

The expressed differences in opinion are therefore not surprising. The IAB feels that the most helpful way to provide some clarification of these issues is to document them clearly as general questions relating to the intended behavior of the DNS. This is currently underway within the IAB. The IAB then intends to take these general questions to a larger IETF forum for discussion. Clear outcomes from this consideration will be passed to ICANN for their consideration.

Regards,

Geoff Huston
IAB Executive Director,
for the IAB


-----Original Message-----
From: Tim Ruiz [mailto:tim@xxxxxxxxxxx]
Sent: Wednesday, September 17, 2003 5:16 AM
To: jeff.neuman@xxxxxxxxxxxx
Cc: registrars@xxxxxxxx
Subject: RE: [council] ALAC statement on resolution of non-existing domain names

[SNIP]

Jeff Neuman wrote:

>To state there are "grave technical concerns" is probably one of
>the greatest overstatements that I have heard in a long time.

The IAB has responded to a similar issue regarding VeriSign's
implementation of IDN. Their conclusion:

"...the system...contains significant DNS protocol errors, risks the
further development of secure DNS, and confuses the resolution
mechanisms of the DNS with application-based search systems."

That sounds pretty grave to me.

Full text of their response can be found at
http://www.iab.org/Documents/icann-vgrs-response.html
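Added example (Python), not code from any message in this thread or from any of the parties in it: it models the query shapes and registry behaviour that the SECSAC background section describes, and shows two defender-side checks, whether a query name carries a raw eighth-bit octet in its second-level label rather than the IDNA (xn--) form the plug-in would produce, and whether a registry answers a name that cannot exist with an A record instead of NXDOMAIN. The zone contents, the special-purpose server address and the random probe label are constructed sample data, and reading "second label" as the label directly under the TLD is an assumption.

```python
# Added example, not code from the thread or from any party in it. Models the
# behaviour described in the SECSAC background section. Zone data, server
# address and the probe label are constructed; "second label" is read here as
# the label directly under the TLD (an assumption).
import secrets
from typing import Callable, List, Optional, Tuple

NOERROR, NXDOMAIN = 0, 3                  # DNS RCODE values (RFC 1035)
SYNTH_ADDR = "192.0.2.1"                  # constructed special-purpose server address
ZONE = {b"example.com.": "192.0.2.10"}    # constructed sample zone: the only name that exists


def labels(qname: bytes) -> List[bytes]:
    """Split a dotted name into labels, ignoring the trailing root dot."""
    return [lbl for lbl in qname.rstrip(b".").split(b".") if lbl]


def second_level_has_high_bit(qname: bytes) -> bool:
    """True when the label directly under the TLD contains an octet >= 0x80,
    i.e. the client sent raw non-ASCII bytes instead of an IDNA (xn--) label."""
    parts = labels(qname)
    return len(parts) >= 2 and any(b & 0x80 for b in parts[-2])


def idna_form(unicode_name: str) -> bytes:
    """What a conforming (or plug-in-fixed) client sends: ACE labels, no high bits."""
    return unicode_name.encode("idna") + b"."


def registry_answer(qname: bytes, synthesize: bool) -> Tuple[int, Optional[str]]:
    """Simulated authoritative answer. With synthesize=True, a non-existent
    name whose second-level label has the eighth bit set gets an A record for
    the special-purpose server; otherwise NXDOMAIN, as the protocol requires."""
    if qname in ZONE:
        return NOERROR, ZONE[qname]
    if synthesize and second_level_has_high_bit(qname):
        return NOERROR, SYNTH_ADDR
    return NXDOMAIN, None


def probe_synthesis(answer: Callable[[bytes], Tuple[int, Optional[str]]],
                    tld: bytes = b"com") -> bool:
    """Defender check: query a random second-level name that cannot be
    registered (it carries a raw 0xE9 octet). An A record back instead of
    NXDOMAIN means the registry is synthesizing answers for that name shape."""
    bogus = secrets.token_hex(4).encode() + b"\xe9" + b"." + tld + b"."
    rcode, addr = answer(bogus)
    return rcode == NOERROR and addr is not None
```

Run `probe_synthesis(lambda q: registry_answer(q, True))` against the simulated registry to see the synthesized answer detected, and compare `b"m\xfcller.com."` with `idna_form("müller.com")` to see the broken and conforming query shapes side by side.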
