One of my coworkers pointed out that the DNS rebinding folks have a partial workaround: http://code.google.com/p/google-dnswall/ It's not much, in that it's specific to private address space, and doesn't even touch the name portion of RRs, but it's a start. Anyone know if DJBDNS or Microsoft DNS server has a workaround for this, yet? - Morty