Reactions to Sclavos Interview
Date: Friday October 17 2003, @09:52AM
Topic: Verisign/NSI

We got some reactions to the interview with VeriSign CEO Stratton Sclavos. Here are a couple of them.

NetWizard got excited by this quote:

Still, a lot of people in the Internet community were quite surprised by Site Finder--and then you had complaints surfacing that it was not complying to approved standards.
and wrote in, "The second claim, that we brought it out without testing--Site Finder had been operational since March or April, and we had been testing it with individual companies and with the DNS traffic at large. Ninety-nine percent of the traffic is pure HTTP (Hypertext Transport Protocol), and so it handles it the way it should. Just so you know, our customer service lines went from 800 or 900 calls on the first day to almost zero right now. For every customer who had a Site Finder issue, the remediation took less than 12 hours.

First of all, 90% of traffic is HTTP, yet many email and spam systems were broken due to a non-compliant SMTP server, hmm... And second, it took more than 12 hours to replace the server with a compliant one; it actually took several days. Note the phrase "For every customer," which seems not to include the regular Internet folks and us at the IRTF."

Rick F writes "One interesting tidbit: in talking about root server DDOS vulnerabilities, Sclavos says "The reason the root server problem was a big one was because they were attacking the underbelly of the addressing system. Yes, we could have lived 24 to 48 hours. You could say that in that time, we can fix anything--but maybe not. Microsoft was down for four days with a much simpler denial-of-service attack."

Two brief comments on that: If VRSN can't deploy alternate root servers within 48 hours or less, or if it doesn't have alternate/backup root server IPs already in the master zone file, they shouldn't be in the root-server operations business - that's just common sense and a function of the third principle of effective network security (availability). Second, Microsoft's outage was because some network engineer in Redmond parked all their DNS boxes behind the same router on the same piece of cable. Had their DNS servers been distributed across the net, those 4 days would have been a non-event. Stratton's mixing apples and oranges by using MS' outage as an example. That had nothing to do with root servers and everything to do with human stupidity.

Interestingly, Sclavos does the FUD-furthering Chicken Little thing - "We sure as hell don't need the digital equivalent of 9/11 to convince us we need to have a better digital infrastructure." So we can add him to our list of Internet fear-mongers."

Competition, eh?
by cambler on Friday October 17 2003, @12:54PM (#12495)
From the interview...
Four years later, things are very much changed. Domain names have been flat for the longest time. If I were in ICANN's shoes, I'd want to put forth a charter of promoting innovation, stability and competition. It was really designed to promote competition, and frankly, it did it haphazardly, because it was in such a rush.

I couldn't agree more. How about we start with real competition for .com? Stratton? Can I count on you to give some public support for IOD's .Web registry now?

Ambler On The Net
Fear Mongering?
by ldg on Saturday October 18 2003, @12:01PM (#12502)
"Interestingly, Sclavos does the FUD-furthering Chicken Little thing - "We sure as hell don't need the digital equivalent of 9/11 to convince us we need to have a better digital infrastructure." So we can add him to our list of Internet fear-mongers."

The net isn't going down even if all the USG root servers disappear. There are plenty of root servers out there with public DNS servers that anyone can use. There are also untold numbers of caching servers that will continue to function regardless of whether the 13 servers in USG root server system are functioning.

That is not my fear. I am more afraid of the types of "innovations" contemplated by Verisign and those of the same ilk. Tampering with the core protocols that the net relies upon is a road map for instability. That's the issue, not whether the root itself is unstable. It really isn't. The management may be unstable if it allows the core to be tampered with.

I can see VGRS taking control of the root and using wildcards for all TLDs, redirecting errors to their own servers or ICANN's. Talk about screwing up the entire world; that would do it nicely.

VGRS inherited a contract to operate a registry as a public trust. That contract did not suggest that the operator could change the rules by which it is governed. It is not supposed to alter the way the DNS works and it rakes in $6 per registration or renewal. NSI was allowed to charge for registrations because they needed to recover costs. This is how the registry should be run, with a small profit margin to boot. VGRS now considers .com to be their own and further thinks they can make any changes they wish regardless of what - in their own words - "minor inconveniences" they may cause to others. They want to raise their bottom line and don't give a darn who it hurts. The cash cow they thought they had is no longer so robust, but they are stuck with it.

Well, that's horse puckey. Dot-com is not the property of VGRS and never was. It was simply a contract to operate it. It is still "owned" by the USG and I hope it remains so. It is now very apparent that VGRS has no interest in the public, but just its bottom line. That's fine for the registrar, but not this registry. Mess with the registry for the largest domain in the world and you mess with all of us who rely upon it to operate the way it always has.

It's time to find a new operator and show VGRS that it cannot take what does not belong to them and cannot abuse the trust that went with the contract. It is not there for VGRS to abuse it - or us.

As for new registries, for profit or not, none of them should be using wildcards, but if they do from the outset, people at least know what they are buying into and DNS operators can block erroneous answers based on standards. That's a choice to be made at the edges, not the core. If a registry chooses to use non-standard methods, they need to be prepared to not be accepted.

ICANN should have known better than to accept registries that use wildcards rather than delegation. Instead they opted to allow their contracted registries to circumvent known practices and standards. What did it achieve? Chaos.

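The "block it at the edges, not the core" idea in ldg's comment, in a toy model: a TLD zone with one real delegation and a wildcard, the RFC 1034 synthesis rule that lets the wildcard answer for any nonexistent name (which is all Site Finder was, at the DNS level), and a resolver-side "delegation-only" policy that rewrites such answers back to NXDOMAIN. This is an example added to the discussion, not code from ICANNWatch, VeriSign, or ISC; the zone data, the `test.` TLD, the 192.0.2.10 address and the `tld_server`, `delegation_only` and `resolve` functions are all constructed for illustration, and the filter is a hypothetical reimplementation of the idea behind BIND's delegation-only option, not ISC's implementation.

```python
"""Toy model of TLD wildcard synthesis and an edge-side "delegation-only"
filter. Zone data, names and addresses are constructed for the example; the
filter is a hypothetical reimplementation of the idea, not BIND's code."""
from dataclasses import dataclass, field

# Constructed TLD zone. "test." is reserved for examples and 192.0.2.0/24 is
# the documentation range, so nothing here refers to a real host.
TLD = "test."
ZONE = {
    "example.test.": [("NS", "ns1.example.test.")],   # a normal delegation
    "*.test.": [("A", "192.0.2.10")],                 # TLD-level wildcard
}


@dataclass
class Response:
    qname: str
    rcode: str                                     # "NOERROR" or "NXDOMAIN"
    aa: bool                                       # authoritative-answer flag
    answer: list = field(default_factory=list)     # (rrtype, rdata) in ANSWER
    authority: list = field(default_factory=list)  # NS set of a referral


def _parent(name: str) -> str:
    return name.split(".", 1)[1]


def _referral(qname: str, cut: str) -> Response:
    ns = [r for r in ZONE[cut] if r[0] == "NS"]
    return Response(qname, "NOERROR", aa=False, authority=ns)


def tld_server(qname: str, qtype: str) -> Response:
    """What the TLD's authoritative server returns for qname/qtype."""
    # Exact match: a delegated name gets a referral, anything else real data.
    if qname in ZONE:
        if any(r[0] == "NS" for r in ZONE[qname]):
            return _referral(qname, qname)
        return Response(qname, "NOERROR", aa=True,
                        answer=[r for r in ZONE[qname] if r[0] == qtype])
    # Walk up the ancestors. A delegation above qname means "not ours, refer".
    # Otherwise the first ancestor that exists is the closest encloser, and
    # RFC 1034 4.3.3 lets a "*" directly below it synthesize the answer.
    enc = _parent(qname)
    while enc != TLD:
        if enc in ZONE and any(r[0] == "NS" for r in ZONE[enc]):
            return _referral(qname, enc)
        if enc in ZONE or any(n.endswith("." + enc) for n in ZONE):
            break
        enc = _parent(enc)
    wild = "*." + enc
    if wild in ZONE:
        rrs = [r for r in ZONE[wild] if r[0] == qtype]
        return Response(qname, "NOERROR", aa=True, answer=rrs)  # synthesized
    return Response(qname, "NXDOMAIN", aa=True)


def delegation_only(resp: Response, tld: str = TLD) -> Response:
    """Edge policy for a caching resolver: the TLD server is expected to hand
    out referrals only. An authoritative answer carrying data for a name below
    the TLD (what a wildcard produces) is rewritten to NXDOMAIN, so clients
    see the standard "no such name" instead of the registry's host."""
    below_tld = resp.qname != tld and resp.qname.endswith("." + tld)
    if below_tld and resp.aa and resp.rcode == "NOERROR" and resp.answer:
        return Response(resp.qname, "NXDOMAIN", aa=True)
    return resp


def resolve(qname: str, qtype: str, filtered: bool = True) -> Response:
    """One hop of a caching resolver asking the TLD, with the policy on/off."""
    resp = tld_server(qname, qtype)
    return delegation_only(resp) if filtered else resp


if __name__ == "__main__":
    for name, qtype in [("nosuch.test.", "A"), ("nosuch.test.", "MX"),
                        ("www.example.test.", "A")]:
        raw, cooked = resolve(name, qtype, False), resolve(name, qtype, True)
        print(f"{name:20} {qtype:3} unfiltered={raw.rcode}/{raw.answer}"
              f" filtered={cooked.rcode}/{cooked.answer}")
```

Two things the model makes visible. First, the MX case mirrors NetWizard's SMTP complaint: the wildcard holds only an A record, so a mail server asking for MX gets a NOERROR/empty answer, falls back to A, and without the filter is handed the registry's address; with the filter the A fallback becomes NXDOMAIN and the mail bounces the way it always did. Second, the policy is blunt: a TLD that legitimately serves non-NS data for second-level names would be blocked too, which is why it has to be enabled per zone by the operator at the edge, exactly the "choice to be made at the edges" ldg describes.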

This article comes from ICANNWatch