How It Works

Why Verisign is evil.

An online friend of mine had a minor rant on a public chat channel we’re both on, about Verisign and their new ploy. It seems that they’ve goofed a little with the net and DNS, in a way that’s upsetting to most webmasters.

By the way, before you think I’m this smart, I had to look up a lot of this, and my net-friend was VERY patient with explaining it to me.

DNS is Domain Name System and is a distributed Internet directory service. DNS is used mostly to translate between domain names and IP addresses, and to control Internet email delivery. Most Internet services rely on DNS to work, and if DNS fails, web sites cannot be located and email delivery stalls. Basically it’s the numerical ‘address’ of your domain name. A DNS server holds a record of all those addresses and says ‘numerical address equals’ when you try to go to, and passes you to the server at the correct address.

Example: has a numerical address (or IP address) of, so technically should take you there. Now if you clicked on that link, you know it doesn’t. That’s because that address is shared with a ton of other domains. Think of it as an apartment building, and is the street address. Some people own their own homes, so their numerical address is the same as their domain name. I’m not one of them.

Okay, so now we know what DNS is and why it’s a nice thing.

So what happens if you go to a URL that doesn’t exist? Say I’m at my office, so I get a fancy error page telling me “A DNS lookup error occurred. The host was not found.”

“A DNS lookup error occurred. The host was not found.” simply means that the web server you’re trying to access does not exist, at least with the name that you typed. Check for a typo (computers are picky; the name must be exactly correct). This error might also mean that the site that you were using yesterday is no longer around; maybe the owner didn’t pay the bill. And sometimes sites simply “drop off” the Internet for a while.

If I was at home, it’d be my browser beeping saying ‘Can not access site!’ In a way I like the office errors better. I get the error right away and bam, I know what’s up.

What about It should be the same thing, except that thanks to Verisign, it’s not anymore.

Who’s Verisign? Well, they’re like the post office, to use my apartment/house metaphor above. They control the address numbers and what they translate to, for the most part. In the case of the house, it’s a direct relationship. Address number blah equals, end of story. On the apartment side, it says is really Liquidweb, and hands the request to them, and it’s Liquidweb who sees you’re asking for, and passes the right data back to you. It’s an extra step.

Verisign is not the only ‘post office’ around, but they’re the biggest.

On September 15th, Verisign made a teeny change. Normally, when you go to a site that’s down or doesn’t exist, you get the DNS ‘whoops!’ error. As of the 15th, Verisign made a change that said ‘all fake .com and .net addresses point to THIS address, instead of nothing at all.’ This means that and now point to & and & instead.

See that first part of the line:

Now if you go to a .com and .net domain that doesn’t exist, you get served up Site Finder, instead of an error message.

Problem One: Ethics
It’s not illegal, but it borders on unethical, since now Verisign has turned domain name typos into an advertising opportunity. Okay, so in the past typing took you to a page someone else owned, but that was the point. They owned the typoed domain name, so you were really going to a legit website. Irritating as it was, it was right. Back to the address metaphor, just because 1235 Clark and 1235 Clerk street are similar and you went to the wrong one doesn’t make it the fault of the company that 1235 Clark is a restaurant and 1235 Clerk is a strip club. You should have read better.

Problem Two: Net Traffic
Currently, I can’t actually get to from the office. Oh, sure, I can tell it exists, but I can’t reach it. Why? It’s too busy serving up pages for every URL that doesn’t exist. And you can bet some geeks are ‘erroring’ in their typing to slam the fuckers. This causes traffic on the net that really isn’t needed. This acts like a Denial of Service (DoS) attack on the DNS root servers. There are fewer than 20 in the world, and hammering them is a bad idea.

Problem Three: Ownership
Does Verisign actually own the domain name or ? No. So how come THEY get to decide where those names point to? They’re not the only fish in the sea, though yes they’re the biggest. The little fish must be pissed. This doesn’t actually infringe on the rights of the other, smaller, DNS hosts, and they can refuse to serve up any pages from (which I hope they do).

Problem Four: Email
One of the ways to avoid Spam is for an email server to check the URL of the sent email against the IP address. Does ‘1235 Clerk Street’ equal ‘Scarlett’s Gentleman’s Club’? Yes, okay, that’s legit. No, and the email is rejected. This ‘no’ error is commonly called a 550 error. What Verisign’s doing is effectively erasing the 550 error, by saying ‘1245 Clerk Street’ is a real place because when I go there, it says … and now that spam email gets delivered because your email server thinks it’s legit.

Going back to Verisign the post office, they host DNS servers, the big database of ‘address = company.’ The DNS servers hold that huge list, and when you request one not on its list, it passes you down its child servers until it finds a match. If there’s no match, it errors 550 and stores that for faster response later.

It’s pretty complex.
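To make the lookup side and the email side of this concrete, here is a small Python model I’ve added (it is not code from the post or from Verisign, and it never touches the real network). It plays out the two behaviours described above: a registry that answers ‘no such name’ for anything it doesn’t hold, versus one with a catch-all that sends every unknown .com/.net name to a ‘site finder’ address. It then runs the mail server’s ‘does the sender’s domain exist?’ check against both, and shows how blacklisting the site-finder address puts the rejection back. The zone contents and addresses are constructed placeholders (documentation ranges), not the real Site Finder address.

```python
"""Toy model of a catch-all (wildcard) registry and its effect on mail
sender checks. Added example; constructed data, no network access."""
import secrets
from typing import Optional, Tuple, FrozenSet

# Constructed sample data: placeholder addresses from documentation ranges.
SITE_FINDER_IP = "192.0.2.1"          # stands in for the catch-all 'site finder' address
ZONE = {
    "example.com": "198.51.100.10",
    "example.net": "198.51.100.20",
}


def resolve(name: str, wildcard_ip: Optional[str] = None) -> Optional[str]:
    """Return the IP for name, or None meaning 'no such host'.

    With wildcard_ip set, any unknown .com or .net name is answered with
    that address instead of an error, which is the change the post describes."""
    name = name.lower().rstrip(".")
    if name in ZONE:
        return ZONE[name]
    if wildcard_ip and name.rsplit(".", 1)[-1] in ("com", "net"):
        return wildcard_ip
    return None


def looks_wildcarded(tld: str, wildcard_ip: Optional[str] = None, probes: int = 3) -> bool:
    """Detect a catch-all by resolving random labels nobody could have registered.

    If every probe comes back with the same address, the TLD is answering for
    names that do not exist; a normal TLD returns 'no such host' for all of them."""
    answers = {resolve(f"{secrets.token_hex(8)}.{tld}", wildcard_ip) for _ in range(probes)}
    return len(answers) == 1 and None not in answers


def accept_sender(address: str, wildcard_ip: Optional[str] = None,
                  blocklist: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """The anti-spam check from the post: does the sender's domain resolve?

    Returns (accepted, reason). A blocklist of addresses lets the server
    treat 'resolves to the catch-all' the same as 'does not exist'."""
    domain = address.rsplit("@", 1)[-1]
    ip = resolve(domain, wildcard_ip)
    if ip is None:
        return False, "550 sender domain does not exist"
    if ip in blocklist:
        return False, "550 sender domain resolves to a blocklisted address"
    return True, f"accepted ({domain} -> {ip})"


if __name__ == "__main__":
    for wildcard in (None, SITE_FINDER_IP):
        label = "catch-all registry" if wildcard else "normal registry"
        print(f"--- {label} ---")
        print("nosuchsite.com ->", resolve("nosuchsite.com", wildcard))
        print(".com looks wildcarded:", looks_wildcarded("com", wildcard))
        print("spam@typo-domain.com:", accept_sender("spam@typo-domain.com", wildcard))
        print("same, with blocklist:",
              accept_sender("spam@typo-domain.com", wildcard, frozenset({SITE_FINDER_IP})))
```

Run it as a script and you get two sections: under the normal registry the made-up sender domain is refused with the 550 reason, under the catch-all it is accepted, and adding the catch-all address to the blocklist flips it back to refused while a real domain like example.com still goes through. The random-label probe is the same trick you can use against a real resolver with a tool like dig: if several garbage names under a TLD all come back with one address, something is answering for names that were never registered.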

The summary is this: Verisign is making your typo into an advertising venue that increases lag time on the net and possibly can cause more spam to get through your filters. The only known cure is to block on your personal blacklist.

For More Information:
VeriSign Hijacks Unused Domains
All your Web typos are belong to us
Inventor Says Search Service Won’t Break DNS
Verisign’s post about the change
