So, Verisign just returns a NS pointer to another name server Verisign
controls which then answers the queries with Verisign's "helpful" web
site.
Half-life of the patch: 1 day?
i don't think so. verisign is on public record as saying that the reason
they implemented the wildcard was to enhance the services offered to the
internet's eyeball population, who has apparently been clamouring for this.
in this story, for example...
...it was thus spake:
VeriSign spokesman Brian O'Shaughnessy said Tuesday that individual
service providers were free to configure their systems so customers
would bypass Site Finder. But he questioned whether releasing a patch
to do so would violate Internet standards.
Vixie acknowledged that it could -- standards call for operators like
VeriSign to have complete control over their directories -- but he
said not releasing a patch would create greater chaos.
therefore i believe that while they may have to change the A RR from time to
time according to their transit contracts, verisign won't insert an NS RR
into the sitefinder redirection. if they do, and if bind's user community
still wants to avoid sitefinder, they can declare the second server "bogus",
with no new code changes from isc. but that all seems terribly unlikely.
Verisign is on public record as saying many things over the years.
Following Internet Standards and to improve performance for all Internet
users, what if Verisign decided to start including other A records
directly in the .COM/.NET zones?
For example, the A records for the servers for the .COM/.NET zones? Or
"interesting" sites that Verisign has a relationship with?
What would it do to website's Keynote performance to eliminate another
name lookup by having their www.something.com records served directly
from Verisign's gtld-servers?
Of course, ISC's non-standard BIND change will break Verisign's
attempt to "improve" the Internet's performance by including A records
in the .COM/.NET zones.
Verisign's lobbyists are 3,000 miles closer to Washington DC than
ISC's lobbyists. And history has demonstrated what Verisign lacks
in Internet clue, they make up for in Washington clue.
I wouldn't be surprised if tomorrow, Verisign is the playing the victim
and calling ISC the out-of-control hooligans.
Paul an out of control hooligan, say it isn't so ! 
Actually I'd trust ISC/Vixie/ to always do the real
right thing when it comes to root-ops and global DNS.
and I'd trust the Verisign people that run A and J to
do reasonable things with those boxes. They are good
people, when they wear those hats.
I'd almost never trust Verisign to do whats right for
the public / internet when it comes to dealing with
.COM, .NET and such. Thats their cash cow and they
will milk it for all its worth, and then some.
speaking as a shareholder of Verisign, I'm NOT HAPPY
with the way they handled this wildcard deal, nor
am I happy about them doing it all. As a *shareholder*
I'd cast my vote that they *remove* it.
You have no control over operations of the company. However, you may vote
Verisign officers out of the office... if you can get other shareholders
to see the benefits of giving business ethics preference over short-term
profits.
--vadim
I for one expect a small arms race over this - I'm not implementing the
end-all solution quite yet as I expect some further moves by VRSN.
Now, that would be a real problem, considdering the person who owns
something.com is a good friend of mine, and hosts it on my servers.
If they start touching actual registered and in-use domains I believe they
will loose their contract.
(Which also means PLEASE don't use something.com to test !)
-Chris
My question is, if this was to serve some need of internet users, why does
port 25 work and not port 80?
So, I'm curious as to your opinion about the bigger issue. Maybe it has
been stated somewhere else, and if it has, please direct me to it. I've
read all of your posts about this on nanog, and you do an excellent job of
staying neutral. You point out that what Verisign is doing is technically
valid and therefore shouldn't be addressed with a technical "solution",
but you also release a patch for Bind to accomodate obvious demand (and to
save users the hassle of implementing half-assed patches with hardcoded A
records). However, you do so without actually stating whether or not you
think the wildcards are a (policy) problem or not.
You point out that there is high-level ambiguity about the relationship
between DOC, ICANN, and Verisign, and about whether or not Verisign should
have the public's interest in mind. Do you think they should have the
public's interest in mind? And do you think the wildcards are in the
public's interest?
I can certainly empathize with wanting to stay neutral, but I think we
need somebody who carries substantial influence in the name resolution
community to have strong opinions about such a poor policy decision.
Andy