Last week, VeriSign, the people who run the .com registry (the big data file that has all the .com registration data in it), unilaterally decided to change the way the most-traveled portion of the Internet works for most people. Until then, if you typed in a .com domain name that didn't exist, you would get an error message. Unless, of course, you were an MSN or AOL subscriber, in which case you would get a custom web page they each designed, and which included some ads from folks who thought that they might profit from common misspellings.
Naturally, MSN and AOL are unhappy. But the technical community is furious. The web is not the whole Internet, and there are many other Internet tools that rely on getting the standard error message when a domain does not resolve properly. VeriSign's change threatened to break all those applications. [There are a lot of ccTLDs (national top-level domains like .ph) and one gTLD (.museum) that already do the same thing. But they are almost all very low volume, and their users were—in the main—forewarned before they registered their domains.]
The technical community responded by coding up changes to BIND, the dominant software for translating domain names into the Internet Protocol numbers that actually do the real work of identifying where the content you want is to be found, and telling the computer that has it how to find you. These changes essentially overtrump the VeriSign change. But fixes like this take time to deploy and propagate. It would be much tidier if VeriSign could be persuaded to put the cat back in the bag.
Meanwhile, the more formal part of the technical community also swung into action. The relevant Internet standards are defined by the Internet Engineering Task Force (IETF). The closest thing the IETF has to a governing body is a committee called the Internet Architecture Board (IAB). The IAB quickly issued a very careful and useful report. In effect, the IAB said that the relevant standards (called “RFCs”) are vague at the critical points, so thatwhat VeriSign did was not in technical violation of them. It's just in very, very bad taste. (Ironically, the IAB is chaired by a VeriSign employee who quite properly recused herself from the issue.)
Unlike most of the Internet, the domain name system has a global regulator. That job falls to the Internet Corporation for Assigned Names and Numbers (ICANN), the body chosen for that role by the U.S. Department of Commerce (for a long, technical description and critique of the relationship, see my Wrong Turn in Cyberspace: Using ICANN to Route Around the APA & the Constitution and Jonathan Weinberg's ICANN and the Problem of Legitimacy). Many people have thus looked to ICANN to force VeriSign to undo its change. Others bemoaned the fact that whatever ICANN was doing, its new streamlined processes meant that the public was cut out of its deliberations. An eloquent example of this is Michael Geist's lament that Regardless of the eventual outcome, Internet users will look back on the day that Internet governance mattered and remember that they didn't.
Now ICANN's Security and Stability Committee has announced that it plans a meeting in Washington on October 7 to get input. That probably takes the pressure off ICANN to act immediately.
My sense is that is just as well for two reasons. The first is ably explored by Jonathan Weinberg at ICANNWatch. It turns out that under the trilateral (ICANN-VeriSign-US government) contractual regime negotiated by the US Government, ICANN probably lacks the authority to make VeriSign retreat.
There's a second reason. ICANN isn't democratic or accountable. In fact, we're in this pickle partly because of ICANN's own mistakes. The .com domain retains its importance and dominance for many reasons, but one of them is ICANN's total failure to permit much in the way of meaningful competition for it, something that is and would have been entirely in ICANN's power. It would be ironic and unfortunate to reward ICANN for its past failings by giving it new powers.
Some people will say that ICANN's impotence in the face of a serious technical hiccup is a problem. I think the signs are that the technical community is doing a fine job of working this one out in (excuse the ICANN-speak) a spontaneous, bottom-up, consensus-based manner that is technically sound and will contribute to the stability and security of the Internet.
Or, in other words, if you never heard about this crisis, odds are you may never need to.
Even a technical solution, however, doesn't mean that the lawyers will stay away from this one. Already two lawsuits have been filed against VeriSign, one by GoDaddy and the other by Popular Enterprises . Those suits may be nothing, however, compared to a looming patent infringement claim against VeriSign, as it appears that Sitefinder may infringe U.S. Pat. No. 6,332,158.