From ICANNWiki

Wildcarding is a type of non-existent domain substitution (NXDOMAIN substitution) or DNS redirection that can be utilized at the registry level to redirect users when a site does not exist instead of taking the user to an error page.[1] Wildcard functions are often denoted by a special character such as an asterisk.[1] ICANN and the Security and Stability Advisory Committee (SSAC) view wildcarding as a "destabilizing practice."[2][3]

Public Perception

Previously attempted wildcarding services, such as Verisign's Sitefinder, were harshly censured by both ICANN and users.[3] Public perception is not in favor of any kind of registry-level wildcarding or NXDOMAIN substitution service. Wildcarding or redirecting at the level of an individual site does not meet such vehement opposition, although it is not encouraged.[4]


The outcome of DNS wildcarding on a registry level is confusion and a failure to return the appropriate error messages, which can cause problems for incorrectly addressed emails. At an individual site level, it is less problematic.

Historical Use

Wildcarding allows registry operators to direct traffic from pages that do not exist to other pages of their choosing[1] by introducing a wildcard DNS record into their DNS zone files.[5]

  • A notable example of wildcarding was Verisign's Sitefinder, which generated an immediate response from the Internet community and brought the issue into the public eye in 2003. Essentially, Sitefinder was the website that all non-valid, typed-in URLs in the .com and .net domains were redirected to.[6] This wildcarding service allowed Verisign to potentially profit[7] from domains that were not registered and did not return any error messages as each URL that could not be found was redirected to Sitefinder.[6] The service was quickly shut down. A report by ICANN's SSAC found that as a result of Verisign's Sitefinder: "certain e-mail systems, spam filters and other services failed resulting in direct and indirect costs to third parties."[6]
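The mechanism described above, shown as an added example that is not from ICANNWiki or any registry's code: a simplified in-memory model of wildcard synthesis (RFC 4592) beside the NXDOMAIN behaviour, plus a probe that detects substitution by querying random labels. The zone contents, the reserved `example` TLD, the addresses and all function names are constructed for illustration.

```python
import secrets

NOERROR, NXDOMAIN = 0, 3  # DNS RCODE values (RFC 1035)

# Constructed sample zones: reserved TLD "example", documentation addresses.
COMPLIANT = {"example": {"SOA": "ns1.nic.example."},
             "shop.example": {"A": "192.0.2.10"}}
WILDCARDED = {**COMPLIANT, "*.example": {"A": "192.0.2.99"}}

def _exists(zone, name):
    """True if name owns records or is an ancestor of an owner
    (an empty non-terminal also counts as existing)."""
    return any(o == name or o.endswith("." + name) for o in zone)

def lookup(zone, qname, qtype):
    """Simplified authoritative lookup with RFC 4592 wildcard synthesis.
    Returns (rcode, rdata, synthesized)."""
    qname = qname.lower().rstrip(".")
    if _exists(zone, qname):
        return NOERROR, zone.get(qname, {}).get(qtype), False
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if _exists(zone, encloser):  # closest encloser found
            star = zone.get("*." + encloser)
            if star is None:
                return NXDOMAIN, None, False  # the required "Name Error"
            return NOERROR, star.get(qtype), True  # answer made up on the fly
    return NXDOMAIN, None, False  # name is outside this zone

def detect_wildcard(resolve, apex, probes=3):
    """Probe random labels nobody would register; any reply other than
    NXDOMAIN means the zone substitutes answers for non-existent names."""
    hits = []
    for _ in range(probes):
        qname = f"{secrets.token_hex(12)}.{apex}"
        rcode, rdata, _synth = resolve(qname, "A")
        if rcode != NXDOMAIN:
            hits.append((qname, rdata))
    return hits

if __name__ == "__main__":
    for label, zone in (("compliant", COMPLIANT), ("wildcarded", WILDCARDED)):
        found = detect_wildcard(lambda n, t: lookup(zone, n, t), "example")
        print(label, "->", "wildcard detected" if found else "NXDOMAIN as required")
        # A mistyped mail domain: NXDOMAIN lets the sender fail immediately.
        print("  MX typo.example:", lookup(zone, "typo.example", "MX"))
```

In the wildcarded zone the MX query for a mistyped domain returns NOERROR with no data instead of NXDOMAIN, so a mail sender no longer gets the immediate "no such domain" signal.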

ICANN Policy

General Views

  • ICANN and SSAC have made recommendations against the practice of DNS wildcarding at the registry level.[1][8]
  • An ICANN document released in 2009 stated that "ICANN strongly discourages the use of DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution in new and existing gTLDs and ccTLDs and any other level in the DNS tree for registry-class domain names."[9]
    • Additionally, if a registry operator wishes to provide a wildcarding service or a service that involves NXDOMAIN substitution at the registry level, a comprehensive plan for the service must be submitted for "global public scrutiny" before execution.[9]

Registry Agreement

  • DNS wildcarding is prohibited in the 2013 Registry Agreements (RAs) signed by all new gTLD applicants:

"DNS Resources Records or using redirection within the DNS by the Registry is prohibited. When queried for such domain names the authoritative name servers must return a “Name Error” response (also known as NXDOMAIN)."[10]

Name Collision Mitigation Report

  • A report released by JAS Global Advisors in February 2014 regarding the new gTLD program and the risk of name collision recommended that ICANN temporarily relax its prohibition on TLD-level wildcarding.[11] Wildcarding at the registry level could in theory help registries and IT professionals identify and address name collision risks before the TLDs are launched and available to the public.[11]


There is no legislation that addresses wildcarding at this time.
