On September 15, 2003, people woke up to a rather different world. Suddenly typing in an non-existent domain name under the .com or .net TLDs did not produce an error message. Instead you found yourself at the VeriSign Site Finder website, where suggestions were made as to which websites you might have been trying to find, as well as advertisements. Of course, paying advertisers were more likely to be at the top of the list of suggestions of alternative websites.

How?

Normally if you query a DNS server for an non-existent name then you get an NXDOMAIN response back. Whatever software you were using then takes appropriate action, such as displaying an error message to the user, trying another server etc... VeriSign is responsible for the .com and .net domain name registries, which includes managing the zone files for the .com and .net TLDs. VeriSign added a wildcard entry to their DNS servers which pointed at their Site Finder server, i.e. any query which did not match a normal entry would match the wildcard entry. As a result if you mistyped a URL in your browser you would end up on Site Finder (unless of course the mistyped domain was registered). VeriSign also ran a mail server on the machine, any connection attempts to other ports on the server were refused, in an attempt to minimise disruption. As one might expect, traffic to the VeriSign domain rocketed, up tenfold according to Alexa (up from 1559 to 19 in their rankings), and averaging 6 million unique users a day (according to VeriSign). Many many yummy views for the ad space on the Site Finder "service".

Shaking the foundations of the Internet for fun and profit

VeriSign claimed that this was a new service, that aimed to help users that might otherwise be confused by an error message. This was the new friendly face of the Internet. The outcry from the technical community was almost universal. VeriSign was blatantly abusing their position. The DNS protocol is a critical part of the Internet's architecture and as such should not have its behaviour change dramatically overnight without any consultation. Site Finder made the DNS protocol ambiguous, which could have huge ramifications. People felt that VeriSign had been trusted with the running of the .com and .net TLDs because they are a fundamental part of the Internet, not as a money making opportunity. Registrars such as Register.com were also unhappy at VeriSign's behaviour, calling it unfair business practice (and subsequently filed a lawsuit). Basically they argued that it was as if VeriSign had registered every single non-existant domain, clearly abusing their position.

The world fights back

Almost as soon as VeriSign switched Site Finder on, people were looking at ways to block the service. Some blocked the Site Finder server, and patches for BIND were submitted that attempted to reverse the effects of VeriSign's decision. All the hastily implemented countermeasures were another potential threat to the stability of the Internet. Several lawsuits were also filed against VeriSign.

On the 21st ICANN asked VeriSign to suspend their service, citing technical concerns. However VeriSign disputed these concerns, and claimed that their "service" had been an instant hit, pointing to the millions of daily hits. As if users had a choice.

Everyone else is doing it!

Well not quite. It is true however that some TLDs (.museum for example) have similar wildcard entries. However it doesn't take a lot of common-sense to see that the .museum TLD with its few hundred entries is quite a different beast to .com, and that Site Finder is very different to the page that is shown when one types in an invalid .museum name (if only for the fact that the .museum isn't trying to make money out of the situation). It is also true that Windows versions of Internet Explorer can redirect users to an MSN search page if a domain is not found, however there are several important differences:

  • There is no way of turning Site Finder off. If your browser exhibits this kind of behaviour, you can probably turn it off or just change browsers. Of course if you didn't agree with the terms and conditions of Site Finder you were supposed to stop using it, but of course that was easier said than done.
  • There is more to the Internet than the web, and it is not always the case that the user on the other end is a human (as opposed to some sort of automated process). If one really wants to change the way errors are reported to users surfing the web, the place to do it is their browser, not in the DNS protocol.

Site Finder made it hard for a program to simply determine whether or not a website exists. Anti spam software was suddenly unable to check whether email was coming from a bogus domain. Initially the mail server the Site Finder server was running was buggy, so mail would just disappear into a black hole instead of being bounced. The smtp listener they were using was subsequently replaced, but they could still, for example, have used this to harvest email addresses. Site Finder also broke various programs that allowed access to the Internet to people with visual disabilities.

  • Site Finder had serious privacy issues. Bringing up an MSN search box isn't the end of the world. However, if data from a form was submitted to an invalid URL then guess who gets the data? Yup VeriSign, who apparently then forwarded it on to Overture (via some javascript on the Site Finder page), the company responsible for managing the advertising side of things. Microsoft on the other hand explicitly made sure that in these cases users got an error message.
  • User friendly?

    Even the claim that there service was user friendly is also not as clear cut as one might think. If a user running a French version of his/her favourite browser mistypes a URL they get an error message in French. Site Finder is English all over (although VeriSign claim to have been working on localised versions of the service). Personally I'd far rather a simple error message stating that the server could not be found rather than a web page with suggestions. If I've made a typo I'll notice and if I'm not sure of the exact address I want, I'll use a search engine. And for people still on dialup , a whole web page load is orders of magnitude slower than a simple NXDOMAIN response.

    Despite the widespread concern by organisations and committees such as IAB, GNSO, SECSAC, AT&T other registries and of course by numerous users, Verisign maintained that users were loving the service and that they were not breaching any RFCs or agreements. It was not in fact clear whether VeriSign was allowed to do what they did. Finally, on October 3, 2003, in an open letter to VeriSign, ICANN laid down an ultimatum. VeriSign were to turn off Site Finder, or else. VeriSign complied on October 4, 2003.

    Gone for good?

    Although in the end VeriSign backed down and turned off the service, they maintain the Site Finder provided a valuable service to users and that from a technical point of view it did not cause disruptions. According to their surveys 84% of Internet users preferred the service to an error message. They quote a "heavy but non-technical computer user" saying that he welcomed an alternative to the frustrating 404 error. Of course 404 means "page not found" and has absolutely nothing to do with Site Finder. VeriSign has not committed to switching off Site Finder for good, referring to the decision to turn off Site Finder as a temporary suspension. As of early January 2004 sitefinder.verisign.com no longer resolves. Only time will tell whether Site Finder is gone for good or whether this is merely an interlude before a launch under a new name.

    Just when you thought it was all over...

    On February 26, 2004, VeriSign sued ICANN, claiming that ICANN had no authority to stop them implementing Site Finder, and that in doing so ICANN had gone beyond its role as a technical coordinator and had was interfering with VeriSign's business. VeriSign is also filing a lawsuit over ICANN's delay in approving its waiting list scheme for domain names.
    All's well that ends well though, as on August 27, 2004 VeriSign's lawsuit was dismissed.

    Sources: http://story.news.yahoo.com/news?tmpl=story&cid=582&e=1&u=/nm/20040226/wr_nm/tech_verisign_dc http://news.com.com/2100-1038_3-5088128.html?tag=nefd_top
    http://www.icann.org/correspondence/twomey-to-lewis-03oct03.htm
    http://news.com.com/2100-1032_3-5086101.html?tag=st_rn
    http://www.theregister.co.uk/content/6/32926.html
    http://www.icann.org/announcements/advisory-19sep03.htm
    http://www.circleid.com/article/286_0_1_0_C/
    http://VeriSign.com/corporate/news/2003/pr_20031007b.html
    http://www.VeriSign.com/nds/naming/Site Finder/index.html
    http://VeriSign.com/corporate/news/2003/pr_20030923.html
    http://www.icann.org/topics/wildcard-history.html