A couple things come to mind -- 1) Does this increase the RAM needed on a caching resolver? I.e. does it take more RAM to cache the 15-minute positive reply, than an NXDOMAIN negative reply? 2) In the "bestpractices.pdf" file, it states the following: "A response server should be configured to return an indication that the provided services were reached as a result of wildcard processing when the server returns a response to connection requests sent by end user applications." Can Verisign explain how the following transaction is consistent with the above guideline (where is the indication of wildcard processing): $ telnet mx.no-suchdomain-yadda-yadda.com 25 Trying 64.94.110.11... Connected to mx.no-suchdomain-yadda-yadda.com. Escape character is '^]'. 220 snubby4-wceast Snubby Mail Rejector Daemon v1.3 ready helo example.com 250 OK mail from: nobody@example.com 250 OK rcpt to: nobody@example.com 550 User domain does not exist. Oh well -- here's to looking out for the BIND patch... - Dani