Dear <hat="SSAC Liaison"> Patrick,

First, TimeWarner, and quite a few other ISPs, do not return NXDOMAIN to stub resolvers (end users of the resolution system), which a browser may render as a blank page. What is returned is a Yahoo synthesized search page. If recursive resolver operator behavior for NXDOMAIN / synthesized results is indicative of recursive resolver operator behavior for "domain name[2] failing DNSSEC resolution", then a third-party synthesized search page is the likely result returned to the stub resolver and application, for applications which use HTTP. While ICANN goes to great pains to make the point that any behavior by infrastructure operators other than contracted parties, from withdrawing all prefix announcements for a region to substitution of all resolution requests made to a recursive resolver, is outside its scope, this is a situation which could be, to coin the obvious pun, resolved.

So, in the first instance, the end-user DNSSEC experience is likely to be a planned increase in presentation of PPC or other monetized synthesized resources, with total control of the end-user DNSSEC experience held by the recursive (eyeball network) resolver operator.

Stepping back, the .com string space ICANN created contains "hot spots", the post-UDRP form of original, name-for-sale speculation generally called "cyber-squatting". Modulo Sitefinder, the one attempt by VGRS to capture the value of strings not resolvable, via wildcard matching in the authoritative resolver, the locus of monetized benefit for false matches, e.g., typos, similar strings, etc., lies in the "domainer" sector of the market. Restated, the benefit of interposition upon the .com name space end-user resolution attempt is currently broadly held, mostly by parties other than resolver (authoritative or recursive) operators.
The benefit of interposition upon signed .com name space end-user resolution attempts will initially be overwhelmingly narrowly held, mostly by resolver operators. Over time, as the targets of "domainer" interposition and the "domainer" sector sign their respective portfolios, the benefit of interposition upon signed .com name space end-user resolution attempts will relax from this unimodal distribution to the existing semi-uniform distribution. I suggest that a likely outcome will be revenue contraction for the domainer industry, moving millions of low-value domains into non-renewal status and eventual expiry as domainers fail to adapt to revenue loss, with the monetized value of those domains going to the eyeball network operators, followed by a gradual re-appearance of the now-signed domainer-held portfolios.

I think your question can be restated as "How will end-users interpret the transformation of the .com interposition industry?"

Before trying to suggest answers, it is worth pointing out that there is little interposition industry, other than that operated by eyeball network operators, for the name spaces other than com/net/org/biz/info. Where ad network operators are not paying, or are paying significantly less, for matches, domainers are relatively absent and PPC domain portfolios are significantly smaller. Given the string space that ICANN has created, primarily in the .com name space, but also in the rest of the CNOBI market, the policy question is what changes, if any, it will attempt to make through its contract with Verisign that will affect the distribution of revenues acquired through the continued capture of end-user attempts to resolve a resource through interposition.
You may want to compare and contrast the benefit of making cache poisoning for a specific, recursive-resolver-held unit of resolution data obsolete, and enabling synthetic return for any signed request for an unsigned resource, or unsigned request for a signed resource, or simply any initial request, and possibly several subsequent requests, whether signed or unsigned. The scenario offered, "some say that ISP support desks will get lots of calls from customers complaining about 'the Internet is not working' if users are annoyed by pop-up messages, for what appears to be legitimate domain names", should be restated as a cost-benefit issue for eyeball network operators maximizing ad inventory impressions and minimizing support costs.

You may also want to reflect on the utility of ICANN's current program of getting 40 ccTLDs signed, particularly if the following are not signed: .de (14), .uk (9), .cn (7), .tk (5), .nl (4), .ru (3), .ar (2), .bz (2), .it (2), .pl (2), .au (2), .us (2), .ca (1). The numbers in parentheses are the number of registrations in millions.

Absent a means to obtain an outcome less undesirable than the end-users' interpretation of DNSSEC as simply the transformation of the .com interposition industry from one exploitation business model to another exploitation business model, the likely outcome will be the rational reflection that the network trust model benefits parties other than end-users.

FYI, the "DNSSEC Workshop" at the Bruxelles meeting was a complete waste of time. Rather than hand over a valuable hall to a bunch of vendors doing dog-and-pony as a phony "workshop", a sign-a-zone-and-re-sign-a-zone exercise could have been conducted, with real work by the participants. Fake DNSSEC Workshops are something that should not be left unfixed. You may want to register for the OARC event, held contemporaneously with ICANN-40. I have. The link to the OARC 2011 San Francisco Workshop is here: https://www.dns-oarc.net/oarc/workshop/registration.
There is a lot of DNSSEC evangelism. You may want to reflect on the value signing the .cat zone had (I wrote the funnel request), or on the value signing the .museum zone had, not for the techno-gleeful operators or for competitive marketing vis-à-vis other operators, but for the end-users of resources mapped by the respective chains of resolution.

Cheers,
Eric

P.S. I agree with the sentiments expressed by Antony. I don't know if he has a clue how to solve this problem. I know that I do.
Good morning to all,
This is your SSAC liaison speaking. I am requesting your thoughts on what expected impact DNSSEC will have on end users. My goal is to contribute ideas to the agenda of the DNSSEC sessions at the San Francisco meeting.
Currently, with DNSSEC enabled on the DNS resolver you use (typically, the one assigned to you by your ISP), a domain name failing DNSSEC resolution returns a code to your browser saying the domain does not exist. You would get a blank page displayed in your browser saying the domain is unreachable, similar to what you get when you type an invalid domain name in the browser bar.
Some suggest that browsers should return a warning instead, similar to the one you get with an invalid SSL certificate. The counter-argument to this is that most users tend to ignore these warnings anyway and just click OK to go ahead. Further, some say that ISP support desks will get lots of calls from customers complaining about "the Internet is not working" if users are annoyed by pop-up messages, for what appears to be legitimate domain names.
Obviously, I do not claim that the Internet is just the web. But it is right now the most visible part and the one which requires direct interaction from the user.
I am interested in your thoughts about this.