All Internet users who accessed any unregistered domains in the .com and .net domain space, were redirected to a VeriSign web portal with information about VeriSign products and links to "partner" sites. This gave VeriSign the advantage of receiving greater revenue from advertising and from users wishing to register these domain names. It had the effect of "capturing" the web traffic for several million mis-typed or experimental web accesses per day, and meant that VeriSign effectively "owned" all possible .com and .net domains that had not been bought by others, and could use them as an advertising platform.
VeriSign described the change as an attempt to improve the Web browsing experience for the naive user. VeriSign's critics saw this claim as disingenuous. Certainly, the change led to a dramatic increase in the amount of Internet traffic arriving at verisign.com. According to the web traffic measurement company Alexa, in the year prior to the change verisign.com was around the 2,500th most popular website. In the weeks following the change, the site came into the top 20 most popular sites, and reached the top 10 in the aftermath of the change and surrounding controversy.
Issues and controversy
- that the redirection was contrary to the proper operation of the DNS, ICANN policy, and the Internet architecture in general;
- that VeriSign breached its trust with the Internet community by using technical architecture for marketing purposes;
- that the redirection broke various RFCs and disrupts existing Internet services, such as e-mail relay and filtering (spam filters were not able to detect the validity of domain names);
- that the redirection amounted to typosquatting where the unregistered domain being resolved is a spelling mistake for a famous registered domain;
- that VeriSign abused its technical control over the .com and .net domains by exerting a de facto monopoly control;
- that VeriSign may have been in breach of its contracts for running the .com and .net domains;
- that the Site Finder service assumed that all DNS traffic was caused by Web clients, ignoring the fact that DNS is used by other applications such as network printer drivers, FTP software and dedicated communications applications. If users of these applications accidentally entered a wrong host name, instead of a meaningful "host not found" error they would get a "request timed out" error, making it look like the server exists but is not responding. No statement by VeriSign in support of Site Finder even acknowledged the existence of DNS traffic not caused by web clients, although they published implementation details which mentioned this traffic.
- that Site Finder contained an EULA which stated that the user accepts the terms by using the service--but since mistyping an address automatically caused the service to be used, users could not refuse to accept the terms.
Others were concerned that the Site Finder service was written entirely in English and therefore was not accessible by non-English speakers.
The Internet Architecture Board composed a document detailing many of the technical arguments against registry-level wildcards; this was used by ICANN as part of its supporting arguments for its action.
A number of workarounds were developed to locally disable the effects of Site Finder on a per-network basis. Most notably, the Internet Systems Consortium announced that it had produced a version of the BIND DNS software that could be configured by Internet service providers to filter out wildcard DNS from certain domains; this software was deployed by a number of ISPs.
On October 4, 2003, as a result of a strong letter from ICANN, VeriSign disabled Site Finder. However, VeriSign has made public statements that suggest that they may be considering whether they will change this decision in the future. On February 27, 2004, VeriSign filed a lawsuit against ICANN, claiming that ICANN had overstepped its authority. The claim regarded not only Site Finder, but also VeriSign's much-criticised Wait Listing Service. The claim was dismissed in August 2004; parts of the lawsuit continued, and culminated in a March 1, 2006 settlement between VeriSign and ICANN which included "a new registry agreement relating to the operation of the .COM registry."
On July 9, 2004, the ICANN Security and Stability Advisory Committee (SSAC) handed down its findings after an investigation on Site Finder. It found that the service should not be deployed before ICANN and/or appropriate engineering communities were offered the opportunity to review a proposed implementation, and that domain name registries that provide a service to third parties should phase out wildcard records if they are used.
- VeriSign Site Finder implementation VeriSign Naming and Directory Services, August 27 2003
- IAB Commentary: Architectural Concerns on the use of DNS Wildcards, September 19 2006
- ICANN Board Approves VeriSign Settlement Agreements ICANN, February 28 2006
- VeriSign's Site Finder Implementation document (PDF)
- VeriSign's announcement to NANOG of their wildcard DNS changes
- ICANN Advisory Concerning Demand to Remove VeriSign's Wildcard of 3 October 2003
- Slashdot discussion regarding Site Finder
- Internet Software Consortium announcement of "delegation-only" feature that can be used to ignore gTLD wildcards
- VeriSign to revive redirect service CNET article written 15 October 2003
- Washington Post (27.02.2004): Suit Challenges Powers of Key Internet Authority
- Findings of ICANN SSAC on Site Finder service (PDF)