Ignoring additional records works pretty well for me. Otherwise, the beast is out there, and we cannot do much except wait for it to die slowly.

Dima

P.S. For those who wonder what is so special about these addresses - they were SprintLink's DNS servers' around Wilhelm the Conqueror's time or shortly after that. Apparently, some clueless admins have these addresses as bogus glue records in their zones and use vintage named versions that allow them to do that. Once leaked out in additional sections of DNS responses, these bogus records end up in other servers' caches, which in turn try to use these addresses to resolve queries for names for which SprintLink's servers are claimed to be authoritative.

P.P.S. In two hours about 400 servers tried to use hrn-cat-2.sprintlink.net (a Catalyst something) as a name server.

Paul A Vixie writes:
I have done, algorithmically, everything that can be done at that level. At this point we are going to have to wait for DNSSEC or some other wire protocol change. If you have suggestions to the contrary I would like to hear them. (And if you have money to pay for BIND improvements I would like to hear about that, too.)
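
The mechanism described in the P.S., and the effect of ignoring additional records, as an added example (not code from the thread or from BIND). It is a toy cache with constructed names and addresses from the documentation ranges; `authoritative_lookup` is a hypothetical stand-in for resolving the NS name with a separate query.

```python
# Constructed sample data: placeholder names (RFC 2606) and addresses
# (RFC 5737), not values taken from the thread.
STALE_ADDR = "192.0.2.53"        # address the name server left long ago
CURRENT_ADDR = "198.51.100.53"   # address the name server has today

# Response from a server whose zone still carries the bogus glue.
LEAKY = {
    "answer": [("www.customer.example", "A", "203.0.113.10")],
    "authority": [("customer.example", "NS", "ns1.provider.example")],
    "additional": [("ns1.provider.example", "A", STALE_ADDR)],
}
# Clean referral for an unrelated zone served by the same name server.
CLEAN = {
    "answer": [],
    "authority": [("other.example", "NS", "ns1.provider.example")],
    "additional": [],
}

def cache_response(cache, response, use_additional):
    """Cache a response; with use_additional=False, drop the additional section."""
    sections = ["answer", "authority"] + (["additional"] if use_additional else [])
    for section in sections:
        for name, rtype, rdata in response[section]:
            cache.setdefault((name, rtype), set()).add(rdata)
    return cache

def authoritative_lookup(ns_name):
    """Hypothetical stand-in for resolving an NS name with its own query."""
    return {"ns1.provider.example": CURRENT_ADDR}[ns_name]

def servers_for(cache, zone):
    """Addresses the resolver would query for `zone`, given its cache."""
    addrs = set()
    for ns in cache.get((zone, "NS"), ()):
        addrs |= cache.get((ns, "A")) or {authoritative_lookup(ns)}
    return addrs

def demo(use_additional):
    cache = {}
    for response in (LEAKY, CLEAN):
        cache_response(cache, response, use_additional)
    return {zone: servers_for(cache, zone)
            for zone in ("customer.example", "other.example")}

if __name__ == "__main__":
    print("trusting additional:", demo(True))
    print("ignoring additional:", demo(False))
```

With the additional section cached, the stale address is also used for `other.example`, whose own referral carried no glue at all.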