Wednesday, 14. September 2005
PermaLink Sitefinder writ small

Update: This article now also on CircleID.


You all remember Sitefinder don't you?

According to The Register, CentralNic , owner of a number of popular domains including uk.com and us.com, has added wildcard A records to .uk.com.

Cue the usual round of sniping about Internet stability (with which, as you will see, I agree).

The question is, given the difference in scale (.com and .net are huge; .uk.com is quite small) will anyone notice? And does it matter? Certainly CentralNic seems to think the small scale of their domains excuses or at least mitigates the Internet stability side effects of their ploy.

The company's CTO, Gavin Brown, told us he had not read the SSAC report and that the company did not consider itself under the same contractual constraints as VeriSign with regard to ICANN and the wider Internet community.

"Given our relatively small footprint within the DNS system compared to, for example, any gTLD or ccTLD registry, and taking advice from our registrars, we concluded that introducing a wildcard under .uk.com would not have any serious implications for the stability of the Internet," Brown told us.

My guess is that people will notice and it does matter. Why? Because as is now standard practice for anyone wishing to justify DNS wildcards, only a single application, web browsing, has been considered. No consideration has been given to, for example, mail routing or intranet applications and this gives rise to a number of problems some of which I have listed here:

  1. Spammers can now spoof a non-existent domain under .uk.com in the sender envelope of their messages and systems which do any validation on the RHS of sender envelopes will blindly accept them all - see illustration below.

  2. At least as troubling, we have the fat finger problem where a user misspells a domain under .uk.com when addressing an email.

    • Where no A or MX is found, such a message will bounce immediately and the sender will have an early opportunity to correct the problem.

    • Where one of these wildcard A records is found, the sending system will attempt to connect on port 25, fail because nothing is listening on that port at the target system and requeue to try again. Bounces will be delayed by a significant period (typically 24 hours) and this will most likely cause at least some inconvenience.

    [There is something of a contrast here between CentralNic's use of the wildcard and Sitefinder. Sitefinder's system did actually listen on port 25 and bounced inbound messages though there was some debate at the time over whether VeriSign did anything else with these errant messages.]

  3. The thin end of the wedge. Or to put it another way if CentralNic can do this, soon everyone will want to copy them.

The Register's summary hits the nail on the head:

If large segments of the Internet start turning over to wildcard systems, there is a risk of the stability of the wider Internet being put at risk. And VeriSign is bound to argue for SiteFinder's re-inclusion if dozens of other companies are seen to benefit.

ICANN would then face the impossible task of either defining which domains may or may not use wildcard, or ban the system altogether. Either way, it is not a smooth road.

Spam illustration:

Domain gshjgjsghajhgsjgjshg.com does not exist and there is no wildcard (currently) in .com.

my.inbound.mta tests for a valid domain in the SMTP MAIL FROM sender envelope and issues a 554 rejection when the domain does not resolve (it has no published A or MX records).

< 220 my.inbound.mta ready at Wed, 14 Sep 2005 12:41:35 +0100
> helo test
< 250 my.inbound.mta Hello test ([10.0.0.11]), pleased to meet you
> mail from:<bogus@gshjgjsghajhgsjgjshg.com>
< 554 Mail from bogus@gshjgjsghajhgsjgjshg.com rejected for policy reasons.
> quit
< 221 my.inbound.mta SMTP Service closing transmission channel


Domain gshjgjsghajhgsjgjshg.uk.com does not exist but there is a wildcard in .uk.com.

my.inbound.mta tests for a valid domain in the SMTP MAIL FROM sender envelope, finds the A record returned by the wildcard lookup and issues a 250 (continue) even though the domain does not exist.

< 220 my.inbound.mta ready at Wed, 14 Sep 2005 12:39:22 +0100
> helo test
< 250 my.inbound.mta Hello test ([10.0.0.11]), pleased to meet you
> mail from:<bogus@gshjgjsghajhgsjgjshg.uk.com>
< 250 bogus@gshjgjsghajhgsjgjshg.uk.com... Sender OK
> quit
< 221 my.inbound.mta SMTP Service closing transmission channel



Category: T'Internet
Technorati:

Comments :
None yet...
Unable to post a comment? Please read this for a possible explanation...
Add Manual Trackback
Please enter the details of the trackback post. Your trackback will not appear on the site until it has been verified. This won't be immediate, as trackbacks are validated on a scheduled basis. Be patient.











Search
Popular Categories
Blogs
Coffee and Cats
Computing Systems Fundamentals
DNSBLs
Domino Administration
Domino Whitelist
Dumb and Dumber
Flickr
IPv6
SMTP AUTH
Show n Tell
Software
Spam
Spam Statistics
T'Internet
Trunk Monkeys
Viruses and Worms
Wallace and Gromit
Whitelisting
Wii
Monthly Archive
2008
2008
2008
2008
2008
2008
Full Archive
Other stuff
Anti-Spam Tools
Misc Links
Land banking information
ClustrMaps
Locations of visitors to this page
Meta
Proudly powered by IBM Lotus Domino 8 Proudly powered by IBM Lotus Domino 8

Subscribe to articles Subscribe to articles feed

Subscribe to comments Subscribe to comments feed

ROR info ROR info

Like what I do?
Then please consider a donation to support the work of Research Autism.

Idea Jam
Planet Lotus
Contact Me
email - Chris Linfoot