FRAMINGHAM (09/25/2003) - What were they thinking? What insanely stupid impulse possessed the people at VeriSign Inc. to hijack the Domain Name System? This is a system built on trust. The U.S. government has entrusted VeriSign with control of root domain name servers. Everyone else has trusted VeriSign to deliver accurate domain name information using well-understood DNS standards.
Now VeriSign has flushed that trust down the toilet by breaking those standards and diverting DNS requests to its own Web pages.
VeriSign hopes to get US$150 million a year in advertising revenue with its new "service." The rest of us get e-mail problems, broken network applications and a war of the work-arounds.
Yes, it is that bad. And no, VeriSign's new Site Finder "service" isn't just another innocuous search engine for fumble-fingered Web surfers.
Sure, users who type a misspelled Web address into Microsoft Internet Explorer or Netscape Navigator are redirected to a Microsoft or Netscape Web page intended to help them out.
But that's built into those Web browsers. VeriSign's gimmickry actually hijacks the entire DNS. Anytime any domain name request turns up a blank, instead of returning a name error the way it's supposed to, VeriSign's gimmick sends its own IP address.
Which means VeriSign's redirection affects everything that uses an Internet address. Such as e-mail. And networked printers. And Web services. And any networked application that depends on DNS working the way it's supposed to work.
And now, thanks to VeriSign, a lot of them are broken. And it's likely to cost a lot more than $150 million if even a fraction of them have to be modified to work around VeriSign's gimmickry.
Of course, redirecting Internet traffic this way at the DNS level would be clearly illegal if anyone else did it. But we trusted VeriSign with control of root domain name servers. And because VeriSign is abusing that trust rather than hacking into DNS servers, it may or may not be legal. At least two lawsuits have already been filed over VeriSign's gimmicked DNS, but there doesn't seem to be any way to get VeriSign to stop immediately.
So instead, we're seeing work-arounds for VeriSign's gimmicked DNS. The Internet Software Consortium, which makes the widely used BIND utility for resolving domain names, now offers a new version that can block the VeriSign gimmick and make DNS work the way it's supposed to. At least for the people whose DNS servers use that version of BIND.
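The column describes the breakage at the resolver: a lookup that should fail with a name error instead returns VeriSign's address. The example below, added here and not part of the original column or of BIND, shows one resolver-side check for a registry-wide wildcard: query a random label that cannot exist under the TLD and treat any answer that matches it as synthesized, converting it back to a name error. It assumes a constructed fake zone and a placeholder wildcard address (the real Site Finder address is not on the page); this is a probing technique, not the mechanism BIND's new version uses.

```python
"""Detect and strip a TLD-wide wildcard like Site Finder at the resolver."""
import secrets
from typing import Callable, Optional

# Constructed placeholder: the address a registry wildcard would hand out.
# The real Site Finder address is not on the page; this value is made up
# from the RFC 5737 documentation range.
WILDCARD_PLACEHOLDER_IP = "192.0.2.1"

# Constructed fake .com zone. Registered names map to their own addresses;
# a gimmicked registry answers every other name with the wildcard address
# instead of a name error.
FAKE_ZONE = {
    "example.com": "192.0.2.10",
    "computerworld.com": "192.0.2.20",
}

Lookup = Callable[[str], Optional[str]]


def gimmicked_registry(name: str) -> Optional[str]:
    """Simulated upstream answer: unknown names get the wildcard IP."""
    return FAKE_ZONE.get(name.lower(), WILDCARD_PLACEHOLDER_IP)


def honest_registry(name: str) -> Optional[str]:
    """Simulated well-behaved upstream: unknown names return None (name error)."""
    return FAKE_ZONE.get(name.lower())


def probe_wildcard(tld: str, lookup: Lookup = gimmicked_registry) -> Optional[str]:
    """Ask for a random label that cannot exist; any answer exposes a wildcard."""
    nonce = secrets.token_hex(12)  # 24 hex chars, effectively unguessable
    return lookup(f"{nonce}.{tld}")


def resolve(name: str, lookup: Lookup = gimmicked_registry) -> Optional[str]:
    """Return the A record, or None (name error) when the answer is synthesized.

    Caveat: a real host that legitimately shares the wildcard address would
    also be suppressed, which is why such filters are applied per TLD and
    revisited when the registry changes its behaviour.
    """
    tld = name.rsplit(".", 1)[-1]
    wildcard_ip = probe_wildcard(tld, lookup)
    answer = lookup(name)
    if answer is not None and answer == wildcard_ip:
        return None  # synthesized answer: restore the name error
    return answer
```

Mail servers and other applications that key off a name error get the expected failure back instead of VeriSign's address.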
But we know what to expect next, don't we? That's right: a VeriSign work-around to the BIND work-around.
And instead of having a clean, efficient, predictable and reliable DNS -- a system we can trust -- we'll have a patchwork of dueling work-arounds. And network applications that work on some parts of the Internet but not on others. And a lot more potential security holes -- and a lot less reliability.
Enough already. This isn't VeriSign's system. It's ours. VeriSign controls those root domain servers only because it has a contract with the Internet Corporation for Assigned Names and Numbers (ICANN). VeriSign has demonstrated that it can't be trusted with the DNS. It's time to strip VeriSign of that contract.
True, VeriSign's contract is supposed to run until 2007. But the contract is subject to oversight by ICANN and the Commerce Department. And if VeriSign won't do what it was contracted to do -- provide a stable, reliable DNS -- it should get out of that business.
VeriSign can still be a domain name registrar. That's a place where VeriSign can focus on trying to make money without being in a position of trust.
But as for the root DNS servers, it's time to take them away from VeriSign -- and put them into the hands of someone worthy of our trust.
Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at firstname.lastname@example.org.