A number of people havce responded that they don't want to be forced to pay for a change that will benefit Verisign. That's a policy issue I'm trying to avoid here. I'm looking for pure technical answers -- how much lead time do you need to make such changes safely?
You can't separate them. How long something takes to do depends upon who is paying for it and how much they are paying. With a blank check, I can do almost anything in a week. On the other hand, if it's an unexpected expense without an accompanying unexpected source of funds, the same task can take years. If the beneficiary is not paying, things take very much longer. In any event, this question is currently impossible to answer from a purely technical perspective because we don't know what Verisign intends to change. For example, what will be the new correct way to determine whether or not a domain exists in the DNS, say for purposes of spam filtering? Will the wildcard A record be guaranteed to always point to the same, single address or not? We don't know what the target is, so we don't know what's involved in hitting it. When Verisign releases a specification, then we can talk about what's needed to meet it. DS