> verisign is masking the difference between a valid domain and
> NXDOMAIN for all protocols, all users, and all software.
>
> If you read the Verisign documentation (which is quite excellent by the
> way) on what they did and what they recommend you will see that they
> thought about this.

their mistake is in assuming that they can respond appropriately for all
ports - particularly when the association of applications with known
ports is only advisory, and many ports are open for arbitrary use. in
fact, a 550 response in SMTP is a different condition from NXDOMAIN, and
sometimes the difference is important - as the spam filter folks have
discovered.

> Although taking note of the returned IP address and reacting accordingly
> is roughly equivalent to DNS NXDOMAIN. It just requires an extra step
> and more importantly a patched application. Would have been nice to get
> some advance notice even if there are other TLDs that have been doing
> this for some time.

"nice" is not a word that seems to apply to forcing the entire net to
have to patch its applications and libraries just because verisign
decided to make inappropriate assertions about unregistered domains.
that's like calling a mugger "nice" because he talks to you politely
while he takes your wallet at gunpoint.

> It is worth noting that if we are to "pass judgement against" Verisign
> there are at least half-dozen other TLDs that blazed the trail. We just
> overlooked them because of their size as compared to .NET and .COM.

not only their size, but their scope also.