> Makes me wonder why Verisign didn't use a (less harmful?) CNAME wildcard ...
The CNAME algorythm in RFC1034 looks for CNAMEs before it looks for wildcards, meaning that the target of a CNAME could end up matching a wildcard, but the CNAME owner itself won't be found using the wildcarding rules. see [4.3.2]. What this means is, there is no such thing as a wildcard CNAME. -- Paul Vixie
