[At-Large] DNSSEC and end users
ebw at abenaki.wabanaki.net
Wed Feb 9 15:08:26 UTC 2011
Dear <hat="SSAC Liaison"> Patrick,
First, TimeWarner, and quite a few other ISPs, do not return NXDOMAIN
to stub resolvers (end users of the resolution system), which a
browser may render as a blank page. What is returned is a Yahoo
synthesized search page.
If recursive resolver operator behavior for NXDOMAIN / synthesized
results is indicative of recursive resolver operator behavior for
"domain name failing DNSSEC resolution", then a third-party
synthesized search page is the likely result returned to the stub
resolver and application, for applications which use HTTP.
While ICANN goes to great pains to make the point that any behavior by
infrastructure operators other than contracted parties, from
withdrawing all prefixes announcements for a region to substitution of
all resolution requests made to a recursive resolver, is outside its
scope, this is a situation which could be, to coin the obvious pun,
So, in the first instance, the end-user DNSSEC experience is likely to
be a planned increase in presentation of PPC or other monitized
synthesized resources, with total control of the end-user DNSSEC
experience held by the recursive (eyeball network) resolver operator.
Stepping back, the .com string space ICANN created contains "hot
spots", the post-UDRP form of original, name-for-sale speculation
generally called "cyber-squatting". Modulo Sitefinder, the one attempt
by VGRS to capture the value of strings not resolvable, via wildcard
matching in the authoritative resolver, the locus of monitized benefit
for false matches, e.g., typos, similar strings, etc., lies in the
"domainer" sector of the market.
Restated, the benefit of interposition upon the .com name space
end-user resolution attempt is currently broadly held, mostly by
parties other than resolver, authoritative or recursive, operators.
The benefit of interposition upon signed .com name space end-user
resolution attempt will initially be overwhelmingly narrowly held,
mostly by resolver operators. Over time, as the targets of "domainer"
interposition and the "domainer" sector sign their respective
portfolios, the benefit of interposition upon signed .com name space
end-user resolution attempt will relax from this unimodal distribution
to the existing semi-uniform distribution.
I suggest that a likely outcome will be revenue contraction for the
domainer industry, moving millions of low-value domains into
non-renewal status and eventual expiry as domainers fail to adapt to
revenue loss, with the monitized value, of those domains going to the
eyeball network operators, followed by a gradual re-appearance of the
now-signed domainer-held portfolios,
I think your question can be restated "How will end-users interpret
the transformation of the .com interposition industry?"
Before trying to suggest answers, it is worth pointing out that there
is little interposition industry, other than that operated by eyeball
network operators, for the name spaces other than
com/net/org/biz/info. Where ad network operators are not paying or
paying significantly less for matches, domainers are relatively absent
and PPC domain portfolios are significantly smaller.
Given the string space that ICANN's created, primarily in the .com
name space, but also in the rest of the CNOBI market, the policy
question is what changes, if any, will it attempt to make through its
contract with Verisign, that will affect the distribution of revenues
acquired through the continued capture of end-user attempts to resolve
a resource through interposition.
You may want to compare and contrast the benefit of making cache
poisoning for a specific, recursive resolver held unit of resolution
data obsolete, and enabling synthetic return for any signed request
for an unsigned resource, or unsigned request for a signed resource,
or simply any initial request, and possibly several subsequent
requests, whether signed or unsigned.
The scenario offered: "some say that ISP support desks will get lots
of calls from customers complaining about "the Internet is not
working" if users are annoyed by pop-up messages, for what appears to
be legitimate domain names" should be restated as a cost-benefit issue
for eyeball network operators maximizing ad inventory impressions and
minimizing support costs.
You may also want to reflect on the utility of ICANN's current program
of getting 40 ccTLDs signed, particularly if the following are not
signed: .de (14), .uk (9), .cn (7), .tk (5), .nl (4) .ru (3) .ar (2),
.bz (2), .it (2), .pl (2), .au (2), .us (2), .ca (1). The (numbers in
parenthesis) are the number of registrations in millions.
Absent a means to obtain an outcome less undesirable than the
end-users interpretation of DNSSEC as simply the transformation of the
.com interposition industry from one exploitation business model to
another exploitation business model, the likely outcome will be the
rational reflection that the network trust model benefits parties
other than end-users.
FYI, the "DNSSEC Workshop" at the Bruxelles meeting was a complete
waste of time. Rather than hand over a valuable hall to a bunch of
vendors doing dog-and-pony as a phony "worksho", a
sign-a-zone-and-re-sign-a-zone exercise could have been conducted,
with real work by the participants. Fake DNSSEC Workshops are
something that should not be left unfixed.
You may want to register for the OARC event, held contemporaneous with
ICANN-40. I have. The link to the OARC 2011 San Francisco Workshop is
There is a lot of DNSSEC evangelism. You may want to reflect on the
value signing the .cat zone had (I wrote the funnel request), or on
the value of signing the .museum zone had, not for the techno-gleeful
operators or for competitive marketing vis a vis other operators, but
for the end-users of resources mapped by the respective chains of
P.S. I agree with the sentiments expressed by Antony. I don't know if
he has a clue how to solve this problem. I know that I do.
> Good morning to all,
> This is your SSAC liaison speaking. I am
> requesting your thoughts on what expected impact DNSSEC will have on end
> users. My goal is to contribute ideas to the the agenda of the DNSSEC
> sessions at the San Francisco meeting.
> Currently, with DNSSEC enabled
> on the DNS resolver you use (typically, the one assigned to you by your
> ISP), a domain name failing DNSSEC resolution returns a code to your
> browser saying the domain does not exist. You would get a blank page
> displayed in your browser saying the domain is unreachable, similar to
> what you get when you type an invalid domain name in the browser bar.
> Some suggest that browsers should return a warning instead, similar to
> the one you get with an invalid SSL certificate. The counter-argument to
> this is that most users tend to ignore these warnings anyway and just
> click OK to go ahead. Further, some say that ISP support desks will get
> lots of calls from customers complaining about "the Internet is not
> working" if users are annoyed by pop-up messages, for what appears to be
> legitimate domain names.
> Obviously, I do not claim that the Internet
> is just the web. But is is right now the most visible part and the one
> which requires direct interaction from the user.
> I am interested in
> your thoughts about this.
More information about the At-Large