i am a bit confused here. seems to be that the major differences between smb's scheme, for which you personally attacked me, and yours are

  o yours has centralized control, you, instead of isp control. this is known not to have good layer nine properties, see marinara del roi.

  o we get to pay you for that privilege, though at 'cost', mighty kind of you, but we're silly enough to also think we know how to run services. though it might be fun to talk about how to automate testing for the relevant parts of rfc 2870.

i.e. they are not technically much different. as smb said, the hard problems are at layer nine.

but, first focusing on the technology, let's talk about the hard part of the problem first, the gtld servers, hard because of the size of the data and the frequency of change.

so a large isp lets the registries (verisign et alia) put a honkin' hidden primary server near _big_ backbone links. other large (i.e. can handle moving that kind of data) isps set up ipsec or tsig secondary cluster off of it.

of course, the isps' secondary clusters use a well-known anycast address for serving queries.

the isps which have secondaries might not accept announcements of the anycast prefix from each other, or they might, point to discuss.

i could elaborate further, but it might be more fun to let others have a say too. especially how this can safely support all the non-oc48++ isps.

randy