Stupid Verisign Tricks

On Monday, Verisign, the company that manages the contents of the .com and .net zone files, hijacked all non-existent domains to point to an intermittently functional search service. This does not affect any top level domain other than .com and .net.

Apparently, Verisign has decided that any DNS query for an A (IP address) record for a second level domain in the .com or .net top level domains that does not exist will now resolve to an IP address controlled by Verisign, which then attempts to guess what the user is trying to do. While this sounds like a great idea on the surface, and is, in fact, markedly similar to what many web browsers and online providers do, it is a horribly bad idea. When my web browser offers to search for the domain I misspelled, it affects me and me alone. When an online provider does this, it affects only the customers of that provider. In both cases, there is the possibility of using a different browser or service. However, in the case of Verisign doing it in the DNS system itself, it is impossible for anyone trying to access a .com or .net domain to opt out, regardless of provider, web browser, or any other consideration.

In addition, the DNS system is designed to respond with a negative answer (NXDOMAIN) when a request is made for a name that does not exist. This allows web browsers, email servers, and so on, to do something useful in this circumstance, like tell the user the domain does not exist. However, by adding an A record for non-existent domains, it is now impossible for a mail server to know that the domain really doesn't exist. And while the user can likely figure out that the web site they requested does not exist based on the response from the server Verisign is pointing them to, automated systems that rely on this negative response behaviour have no way of deducing this. Relying on the negative response is by no means broken design, since that is the only way the system can indicate that a domain does not exist.
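To make the failure concrete, here is an added example (not code from the original post) that simulates a registry with a wildcard A record and shows the two sides of the problem: the "an A record came back, so the domain exists" logic that mail servers relied on now always says yes, while a defensive check that first resolves a random, certainly-nonexistent name in the same TLD can recognise the sinkhole address and treat it as NXDOMAIN. The zone contents and the sinkhole address are constructed placeholders, not real values.

```python
import secrets

# Constructed stand-in for the .com/.net zones after the registry added a
# wildcard A record. The sinkhole address is a placeholder from the RFC 5737
# documentation range, not the real one.
WILDCARD_IP = "192.0.2.1"
ZONE = {
    "example.com": "192.0.2.10",       # constructed sample records
    "mail.example.com": "192.0.2.11",
}


def resolve_a(name, wildcard_ip=WILDCARD_IP):
    """Simulated resolver. Returns the A record, or None for NXDOMAIN.
    With the wildcard in place, every unknown .com/.net name gets the sinkhole."""
    if name in ZONE:
        return ZONE[name]
    if wildcard_ip is not None and name.endswith((".com", ".net")):
        return wildcard_ip
    return None


def naive_exists(name, resolver=resolve_a):
    """Pre-wildcard assumption: any A answer means the domain exists.
    This is what a mail server relied on; it now says True for every .com name."""
    return resolver(name) is not None


def probe_wildcard(tld, resolver=resolve_a):
    """Resolve a random label that cannot legitimately exist under the TLD.
    A non-NXDOMAIN answer here reveals the wildcard (sinkhole) address."""
    label = "wc-" + secrets.token_hex(8)
    return resolver(f"{label}.{tld}")


def robust_exists(name, resolver=resolve_a):
    """Treat an answer equal to the TLD's wildcard address as NXDOMAIN."""
    answer = resolver(name)
    if answer is None:
        return False
    tld = name.rsplit(".", 1)[-1]
    return answer != probe_wildcard(tld, resolver)


if __name__ == "__main__":
    bogus = "no-such-domain-" + secrets.token_hex(4) + ".com"
    print("naive:", naive_exists(bogus), " robust:", robust_exists(bogus))
```

The probe is only a heuristic: a site that genuinely shares the sinkhole address would be misjudged, which is exactly why a real negative answer from the registry is the only reliable signal.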

To make matters worse, Verisign provided no notice to relevant internet community groups, such as NANOG, that such a change to the standard operating procedure was going to be made. In fact, the first notice many network operators had was that nonexistent domains were suddenly resolving. Many others learned this via discussion threads on NANOG, which can be read in the NANOG archive at the above link. Many others in the internet community would have learned of this from the Slashdot article and related discussion on the issue.

The uproar on this issue shows no signs of dying down any time soon either, as messages fly around the internet at an amazing rate.

I hereby call upon Verisign to do the right thing and cease and desist this reprehensible attempt to hijack the .com and .net domains as their own personal playground. It is high time that Verisign started acting in a manner befitting an organization on whom a public trust has been bestowed!

Update at 1645: It looks like the authors of the BIND name server software are creating a patch that will allow users of BIND to bypass the Verisign brain damage. See a news report here. BIND is available from the ISC.

Update at 1435, Sept 17: Debate continues to rage about this issue. Some folks have taken actions which may or may not help. The ISC has released a patch to BIND which allows people to work around the problem. In addition, one person has publicly sent a formal complaint to ICANN (the body supposedly in charge of .com and .net overall) which is worth a read for those interested.
