Quoting Ian Smith on Tuesday October 07, 2003:
| A little dry humour describing software solutions to thievery by Paul
| Vixie and crew: http://www.isc.org/products/BIND/delegation-only.html

Unfortunately this approach makes an assumption that "registry-class" zones are delegation-only. As you can see not all registries follow this path, as evidenced by the need to add exclusions in. Germany, the world's largest ccTLD, allows A records etc. Even Australia allowed MX records instead of NS up until last year. So, it is a pretty big assumption.

Ultimately this replaces one form of hardcoding TLD behaviour (by having IP blacklists) with another.

A slightly more universal way to turn off wildcards in software without hardcoding legacy rules into places would be simply to test if the RRset answers to any query matches the RRset returned to a query for an asterisk domain at the same level. i.e. If a lookup for "foo.com" gives the exact same answer as "*.com", then it is wildcard synthesis (or identical to).

Unfortunately doing this makes for 2 lookups instead of 1, although resolvers could cache the asterisk response and recycle it for comparison purposes.

I guess there is no "clean" way to do this hackery. In much the same way there is no "clean" way to use the DNS as the web's version of the Microsoft Office Paperclip.

kim

Received on Fri Oct 03 2003 - 00:00:00 UTC
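
The comparison described in the message above, sketched as an added example that is not part of the original post or of BIND. `ZONE`, `sample_lookup` and `WildcardFilter` are hypothetical names, and lookups are served from a constructed table instead of a real resolver so the logic runs offline.

```python
from typing import Callable, Dict, FrozenSet, Optional, Tuple

RRset = FrozenSet[Tuple[str, str]]         # {(type, rdata)}: order and TTL ignored
Lookup = Callable[[str], Optional[RRset]]  # None means NXDOMAIN or no data

# Constructed sample data (documentation address ranges), not real zone contents.
ZONE: Dict[str, RRset] = {
    "*.com": frozenset({("A", "192.0.2.10")}),
    "registered.com": frozenset({("A", "198.51.100.7")}),
    "nic.de": frozenset({("A", "203.0.113.5")}),  # A record in a TLD with no wildcard
}

def sample_lookup(name: str) -> Optional[RRset]:
    """Hypothetical stand-in for a resolver: exact match, else wildcard synthesis."""
    if name in ZONE:
        return ZONE[name]
    _, _, parent = name.partition(".")
    return ZONE.get("*." + parent) if parent else None

class WildcardFilter:
    def __init__(self, lookup: Lookup) -> None:
        self.lookup = lookup
        self.star_cache: Dict[str, Optional[RRset]] = {}
        self.queries = 0  # counts upstream lookups, to show the cost of the check

    def _query(self, name: str) -> Optional[RRset]:
        self.queries += 1
        return self.lookup(name)

    def resolve(self, name: str) -> Tuple[Optional[RRset], bool]:
        """Return (answer, is_wildcard) for name."""
        name = name.lower().rstrip(".")
        answer = self._query(name)
        _, _, parent = name.partition(".")
        if answer is None or not parent:
            return answer, False
        if parent not in self.star_cache:  # one extra lookup per parent, then reused
            self.star_cache[parent] = self._query("*." + parent)
        star = self.star_cache[parent]
        # Identical RRset to the asterisk name: synthesized, or indistinguishable from it.
        return answer, star is not None and answer == star
```

The first name under a parent costs two lookups; later names under the same parent cost one, because the asterisk answer is reused from the cache.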