From DNSSeal Wiki
Jump to: navigation, search
Recommendation: Caution
Summary: Form of DNS redirection or NXDOMAIN substitution
Outcome: Confusion, no error message, email messaging failure
Addressed by ICANN Policy: Y
Addressed by Legislation: N
Related to: Registry Agreement

Wildcarding is a type of non-existent domain substitution (NXDOMAIN substitution) or DNS redirection that can be utilized at the registry level to redirect users when a site does not exist instead of taking the user to an error page.[1] Wildcard functions are often denoted by a special character such as an asterisk.[1] ICANN and the Security and Stability Advisory Committee (SSAC) view wildcarding as a "destabilizing practice."[2][3]

Public Perception

Previously attempted wildcarding services, such as Verisign's Sitefinder, were harshly censured by both ICANN and users.[3] Public perception is not in favor of any kind of registry level wildcarding or NXdomain substitution service. However, wildcarding or redirecting on individual site levels is not viewed with such vehement opposition, although it is not encouraged.[4]


The outcome of DNS wildcarding on a registry level is confusion and a failure to return the appropriate error messages, which can cause problems for incorrectly addressed emails. At an individual site level, it is less problematic.

Historical Use

Wildcarding allows registry operators to direct traffic from pages that do not exist to other pages of their choosing[1] by introducing a wildcard DNS record into their DNS zone files.[5]

  • A notable example of wildcarding was Verisign's Sitefinder, which generated an immediate response from the Internet community and brought the issue into the public eye in 2003. Essentially, Sitefinder was the website that all non-valid, typed-in URLs in the .com and .net domains were redirected to.[6] This wildcarding service allowed Verisign to potentially profit[7] from domains that were not registered and did not return any error messages as each URL that could not be found was redirected to Sitefinder.[6] The service was quickly shut down. A report by ICANN's SSAC found that as a result of Verisign's Sitefinder: "certain e-mail systems, spam filters and other services failed resulting in direct and indirect costs to third parties."[6]

ICANN Policy

General Views

  • ICANN and SSAC have made recommendations against the practice of DNS wildcarding at the registry level.[1][8]
  • An ICANN document released in 2009 stated that "ICANN strongly discourages the use of DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution in new and existing gTLDs and ccTLDs and any other level in the DNS tree for registry-class domain names."[9]
    • Additionally, if a registry operator wishes to provide a wildcarding service or a service that involves NXdomain substitution at the registry level, a comprehensive plan for the service must be submitted for "global public scrutiny" before execution.[9]

Registry Agreement

  • DNS wildcarding is prohibited in the 2013 Registry Agreements (RAs) signed by all new gTLD applicants:
"DNS Resources Records or using redirection within the DNS by the Registry is prohibited. When queried for such domain names the authoritative name servers must return a “Name Error” response (also known as NXDOMAIN)."[10]

Name Collision Mitigation Report

  • A report released by JAS Global Advisors in February 2014 regarding the new gTLD program and the risk of name collision recommended that ICANN temporarily relax its prohibition on TLD-level wildcarding.[11] Wildcarding at the registry level could in theory help registries and IT professionals identify and address name collision risks before the TLDs are launched and available to the public.[11]


There is no legislation that addresses wildcarding at this time.

DNS Award

Awardees do not redirect and confuse users with unnecessary or deceptive wildcarding. Other uses of wildcarding may be compatible the best practices set up by the award, especially any ICANN mandated use of wildcarding such as what has been suggested within the new gTLD program.

Additional Resources

Related Article


  1. 1.0 1.1 1.2 1.3 SAC 015 | Why Top Level Domains Should Not Use Wildcard Resource Records, Internet Corporation for Assigned Names and Numbers (ICANN)
  2. Will ICANN Ban Top Level DNS Wildcarding? by M. Edwards, Windows IT Pro
  3. 3.0 3.1 ICANN Slams DNS Redirection: Calls such efforts a 'destabilizing practice' by Karl Bode (November 25, 2009), DSLreports.com
  4. Wildcard DNS, What is it and How Do I Use it?, HostGator
  5. http://www.domainsarefree.com/glossary/Wildcard_DNS_record.html
  6. 6.0 6.1 6.2 SSAC Report: Redirections in the Com and Net Domains (PDF), ICANN
  7. ICANN condemns registry DNS redirection by Dan Goodin (November 25, 2009), The Register
  8. Icann security group calls for end to 'wildcarding' by Phil Muncaster (June 23, 2009), v3.co.uk
  9. 9.0 9.1 ICANN's New gTLD Program Explanatory Memorandum: Harms Caused by NXDOMAIN Substitution in Top-level and Other Registry-class Domain Names (PDF), ICANN
  10. New gTLD Applicant Guidebook, ICANN
  11. 11.0 11.1 Mitigating the Risk of DNS Namespace Collisions (PDF), ICANN
  12. Delays still dog many new gTLD applicants by Kevin Murphy (March 3, 2014), Domain Incite