In addition to blocking the IP address (64.94.110.11), why not block the entire versign.com domain as well?
i.e. add versign.com to your DNS zone with no records other than SOA.
Seems like a perfectly appropriate response to me.
It would also seem perfectly appropriate to provide a non-authoritative response for that record as well. New standards are being set, no reason why we all shouldn't follow suit.
Not that I'm advocating anything specific or anything, but it does logically follow that if the gTLD zone is serving non-authoritative data for, say, "opensrssss.net", then there's nothing other than convention standing in the way of other DNS operators further monkeying with authoritative responses.
--
-rwr
