[At-Large] DNSSEC and end users

Eric Brunner-Williams ebw at abenaki.wabanaki.net
Wed Feb 9 15:08:26 UTC 2011

Dear <hat="SSAC Liaison"> Patrick,

First, TimeWarner, and quite a few other ISPs, do not return NXDOMAIN 
to stub resolvers (end users of the resolution system), which a 
browser may render as a blank page. What is returned is a Yahoo 
synthesized search page.

If recursive resolver operator behavior for NXDOMAIN / synthesized 
results is indicative of recursive resolver operator behavior for 
"domain name[2] failing DNSSEC resolution", then a third-party 
synthesized search page is the likely result returned to the stub 
resolver and application, for applications which use HTTP.

While ICANN goes to great pains to make the point that any behavior by 
infrastructure operators other than contracted parties, from 
withdrawing all prefixes announcements for a region to substitution of 
all resolution requests made to a recursive resolver, is outside its 
scope, this is a situation which could be, to coin the obvious pun, 

So, in the first instance, the end-user DNSSEC experience is likely to 
be a planned increase in presentation of PPC or other monetized 
synthesized resources, with total control of the end-user DNSSEC 
experience held by the recursive (eyeball network) resolver operator.

Stepping back, the .com string space ICANN created contains "hot 
spots", the post-UDRP form of original, name-for-sale speculation 
generally called "cyber-squatting". Modulo Sitefinder, the one attempt 
by VGRS to capture the value of strings not resolvable, via wildcard 
matching in the authoritative resolver, the locus of monetized benefit 
for false matches, e.g., typos, similar strings, etc., lies in the 
"domainer" sector of the market.

Restated, the benefit of interposition upon the .com name space 
end-user resolution attempt is currently broadly held, mostly by 
parties other than resolver, authoritative or recursive, operators.

The benefit of interposition upon signed .com name space end-user 
resolution attempt will initially be overwhelmingly narrowly held, 
mostly by resolver operators. Over time, as the targets of "domainer" 
interposition and the "domainer" sector sign their respective 
portfolios, the benefit of interposition upon signed .com name space 
end-user resolution attempt will relax from this unimodal distribution 
to the existing semi-uniform distribution.

I suggest that a likely outcome will be revenue contraction for the 
domainer industry, moving millions of low-value domains into 
non-renewal status and eventual expiry as domainers fail to adapt to 
revenue loss, with the monetized value of those domains going to the 
eyeball network operators, followed by a gradual re-appearance of the 
now-signed domainer-held portfolios,

I think your question can be restated "How will end-users interpret 
the transformation of the .com interposition industry?"

Before trying to suggest answers, it is worth pointing out that there 
is little interposition industry, other than that operated by eyeball 
network operators, for the name spaces other than 
com/net/org/biz/info. Where ad network operators are not paying or 
paying significantly less for matches, domainers are relatively absent 
and PPC domain portfolios are significantly smaller.

Given the string space that ICANN's created, primarily in the .com 
name space, but also in the rest of the CNOBI market, the policy 
question is what changes, if any, will it attempt to make through its 
contract with Verisign, that will affect the distribution of revenues 
acquired through the continued capture of end-user attempts to resolve 
a resource through interposition.

You may want to compare and contrast the benefit of making cache 
poisoning for a specific, recursive resolver held unit of resolution 
data obsolete, and enabling synthetic return for any signed request 
for an unsigned resource, or unsigned request for a signed resource, 
or simply any initial request, and possibly several subsequent 
requests, whether signed or unsigned.

The scenario offered: "some say that ISP support desks will get lots 
of calls from customers complaining about "the Internet is not 
working" if users are annoyed by pop-up messages, for what appears to 
be legitimate domain names" should be restated as a cost-benefit issue 
for eyeball network operators maximizing ad inventory impressions and 
minimizing support costs.

You may also want to reflect on the utility of ICANN's current program 
of getting 40 ccTLDs signed, particularly if the following are not 
signed: .de (14), .uk (9), .cn (7), .tk (5), .nl (4), .ru (3), .ar (2), 
.bz (2), .it (2), .pl (2), .au (2), .us (2), .ca (1). The numbers in 
parentheses are the number of registrations in millions.

Absent a means to obtain an outcome less undesirable than the 
end-users interpretation of DNSSEC as simply the transformation of the 
.com interposition industry from one exploitation business model to 
another exploitation business model, the likely outcome will be the 
rational reflection that the network trust model benefits parties 
other than end-users.

FYI, the "DNSSEC Workshop" at the Bruxelles meeting was a complete 
waste of time. Rather than hand over a valuable hall to a bunch of 
vendors doing dog-and-pony as a phony "workshop", a 
sign-a-zone-and-re-sign-a-zone exercise could have been conducted, 
with real work by the participants. Fake DNSSEC Workshops are 
something that should not be left unfixed.

You may want to register for the OARC event, held contemporaneous with 
ICANN-40. I have. The link to the OARC 2011 San Francisco Workshop is 
here: https://www.dns-oarc.net/oarc/workshop/registration.

There is a lot of DNSSEC evangelism. You may want to reflect on the 
value signing the .cat zone had (I wrote the funnel request), or on 
the value of signing the .museum zone had, not for the techno-gleeful 
operators or for competitive marketing vis a vis other operators, but 
for the end-users of resources mapped by the respective chains of 


P.S. I agree with the sentiments expressed by Antony. I don't know if 
he has a clue how to solve this problem. I know that I do.

> Good morning to all,
> This is your SSAC liaison speaking. I am
> requesting your thoughts on what expected impact DNSSEC will have on end
> users. My goal is to contribute ideas to the agenda of the DNSSEC
> sessions at the San Francisco meeting.
> Currently, with DNSSEC enabled
> on the DNS resolver you use (typically, the one assigned to you by your
> ISP), a domain name failing DNSSEC resolution returns a code to your
> browser saying the domain does not exist. You would get a blank page
> displayed in your browser saying the domain is unreachable, similar to
> what you get when you type an invalid domain name in the browser bar.
> Some suggest that browsers should return a warning instead, similar to
> the one you get with an invalid SSL certificate. The counter-argument to
> this is that most users tend to ignore these warnings anyway and just
> click OK to go ahead. Further, some say that ISP support desks will get
> lots of calls from customers complaining about "the Internet is not
> working" if users are annoyed by pop-up messages, for what appears to be
> legitimate domain names.
> Obviously, I do not claim that the Internet
> is just the web. But it is right now the most visible part and the one
> which requires direct interaction from the user.
> I am interested in
> your thoughts about this.
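The exchange above turns on what a stub resolver actually receives from an ISP recursive resolver: an honest NXDOMAIN, a synthesized NOERROR answer pointing at a search page, or (for a validating resolver that fails DNSSEC validation, per RFC 4035) a SERVFAIL. The following script, added here as an illustration and not part of the original thread, builds a few DNS responses in wire format (constructed test data, not live captures) and classifies them the way a support desk or network operator might when checking their own resolver for NXDOMAIN rewriting: query a name known not to exist and see whether an A record comes back anyway. The probe name and the 198.51.100.10 address are placeholders from documentation ranges.

```python
import struct

# RCODE values from RFC 1035; only the ones this classifier cares about.
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

# Header flag bits (RFC 1035 / RFC 4035).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, answers=(), ad=False):
    """Construct a minimal A/IN response (test data, not a real capture)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        rrs += b"\xc0\x0c"  # compression pointer to the question name at offset 12
        rrs += struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rrs


def parse_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Extract RCODE, AD flag and any A-record answers from a response."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    ad = bool(flags & FLAG_AD)
    qname, offset = parse_name(msg, 12)
    offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _owner, offset = parse_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"qname": qname, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "ad": ad, "answers": answers}


def classify(msg, expected_nonexistent):
    """Label a response from the stub resolver's point of view.

    expected_nonexistent is True when the probe name is known not to exist,
    so any A record in a NOERROR reply must have been synthesized.
    """
    r = parse_response(msg)
    if r["rcode"] == "NXDOMAIN":
        return "honest NXDOMAIN"
    if r["rcode"] == "SERVFAIL":
        return "SERVFAIL (DNSSEC validation failure or resolver error)"
    if r["rcode"] == "NOERROR" and expected_nonexistent and r["answers"]:
        return "synthesized answer for a nonexistent name"
    if r["rcode"] == "NOERROR" and r["ad"]:
        return "validated answer (AD set)"
    return "unvalidated answer"


if __name__ == "__main__":
    probe = "qx7k2-nonexistent-probe.example."  # placeholder name assumed not to exist
    samples = {
        "honest": build_response(probe, 3),
        "rewritten": build_response(probe, 0, answers=["198.51.100.10"]),
        "validation-failed": build_response(probe, 2),
    }
    for label, wire in samples.items():
        print(f"{label:18s} -> {classify(wire, expected_nonexistent=True)}")
```

To test a live resolver the same way, one would send an A query for a randomly generated label under a domain one controls and feed the raw reply into `classify`; the constructed responses here stand in for that reply so the script runs offline.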
