Wildcards: ICANN and IAB posted their commentaries

You can find them here:


I've just checked that VeriSign has not voluntarily suspend the service


Ing.Roque Gagliano

Hash: SHA1



In regards to the statement above, the Security and Stability Advisory
Committee is sincerely interested in your feedback regarding this issue.
We are currently working on a report that details the impacts of
wildcards at the TLD level, and elsewhere as appropriate.

I would like to request that you restrict your comments to actual
operational issues. That will help ensure that they get due
consideration. We're most interested in issues related to things
that worked before, but don't now; and particularly interested in
non-obvious cases. Of course, if you have other points of interest on
this topic, we're all ears.

The e-mail address for your feedback is secsac-comment@icann.org.


if you installed the first isc wildcard patch you probably want the second.
see www.isc.org/products/BIND/delegation-only.html for details. the first
patch didn't handle NS lookups (which don't occur in nature but it's sort of
unnerving when they don't work in "dig").

in addition to the "type delegation-only" zones, the latest release candidate
has an additional "root-delegation-only" option. this looks like:

    options {
        root-delegation-only exclude { "de"; "museum"; };

thus the delegation-only behaviour becomes the default for the root domain,
and all tld's except those listed. DE has no wildcards but they do put
customer A RRs into the DE zone itself. MUSEUM has a wildcard but this was
part of their application and it was approved and has not been a problem.

f.6to4-servers.net is now running this if you want to try before you, um, buy.

thanks very much to the membership of the bind forum who make this possible.

Hello Paul , Am I correct in the understanding that the below
  tells me that 9.2.2p2 does NOT contain the ablility to do
  root-delegation-only ? Tia , JimL