ISC has made root-delegation-only the default behaviour in the new bind,
actually, though, we haven't, and wouldn't (ever). the feature is present but must be explicitly enabled by a knowledgeable operator to have effect.
how about drafting up an RFC making it an absolute default requirement for all DNS?
this is what the icann secsac recommendation...

http://www.icann.org/correspondence/secsac-to-board-22sep03.htm

...says that ietf/iab should look into:

We call on the IAB, the IETF, and the operational community to examine the specifications for the domain name system and consider whether additional specifications could improve the stability of the overall system. Most urgently, we ask for definitive recommendations regarding the use and operation of wildcard DNS names in TLDs and the root domain, so that actions and expectations can become universal. With respect to the broader architectural issues, we call on the technical community to clarify the role of error responses and on the separation of architectural layers, particularly and their interaction with security and stability.

and it does seem rather urgent that if a wildcard in the root domain or in a top level domain is dangerous and bad, that the ietf say so out loud so that icann has a respected external reference to include in their contracts.

-- Paul Vixie