Subject: Re: How to disable Verisign's Site Finder in named?
To: Alicia da Conceicao <alicia@engine.ca>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 09/26/2003 23:55:12

> Does anyone know of how to disable Verisign's Site Finder in named?

If you're running a sufficiently recent BIND, declare .com and .net as
delegation-only.  There is a patch to provide delegation-only support
for slightly less recent BIND; I think it's something like 9.12 you
have to be at - check the BIND docs.

> Does ICANN have an alternative list of root servers that doesn't
> allow the Verisign Site Finder hack?

It's not the root servers that are responsible; it's the
*.gtld-servers.net machines, which are - surprise surprise! - all in
Verisign netblocks, though I'm told that they aren't all actually
operated by Verisign.

Short of getting the zone files, removing the wildcard, and running
your own .com/.net server off the results, I doubt there's anything
along the "alternative servers" line you can do to fix this.

Of course, the right fix is for ICANN to take .com and .net away from
Verisign and hand them over to a custodian with some ethics.  (I don't
quite understand why this wasn't done immediately....)  Contacting
ICANN to add your voice might do some measure of good.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
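
Added example, not part of the message above and not BIND's own code: a simplified Python model of how a resolver treats responses from a zone declared delegation-only, run over constructed sample responses. The `zone ... { type delegation-only; };` statements in the comment are BIND named.conf syntax; the `Response` class, `effective_rcode`, and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Zones declared delegation-only. In named.conf (BIND syntax) this is:
#   zone "com" { type delegation-only; };
#   zone "net" { type delegation-only; };
DELEGATION_ONLY = {"com", "net"}

@dataclass
class Response:
    """Simplified DNS response; each record is (owner, rtype, rdata)."""
    qname: str
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def norm(name):
    """Lower-case a domain name and drop the trailing dot."""
    return name.rstrip(".").lower()

def effective_rcode(resp, zone):
    """Rcode after applying the delegation-only rule to a response
    received from the servers for `zone` (simplified model)."""
    zone = norm(zone)
    if zone not in DELEGATION_ONLY or resp.rcode != "NOERROR":
        return resp.rcode
    if norm(resp.qname) == zone:      # the rule does not apply to the apex
        return resp.rcode
    # A delegation is an NS record in the authority section whose owner
    # lies strictly below the zone (e.g. example.com under com).
    for owner, rtype, _ in resp.authority:
        if rtype == "NS" and norm(owner).endswith("." + zone):
            return resp.rcode
    return "NXDOMAIN"                 # data served directly by the zone

# Constructed sample responses (192.0.2.1 is a documentation address).
WILDCARD = Response("no-such-name-zz.com.",
                    answer=[("no-such-name-zz.com.", "A", "192.0.2.1")])
REFERRAL = Response("www.example.com.",
                    authority=[("example.com.", "NS", "ns1.example.com.")])
APEX = Response("com.", answer=[("com.", "SOA", "constructed-soa")])

if __name__ == "__main__":
    for r in (WILDCARD, REFERRAL, APEX):
        print(r.qname, "->", effective_rcode(r, "com"))
```

The wildcard-style answer is the only one of the three that gets rewritten to NXDOMAIN; genuine referrals and queries for the zone apex pass through unchanged.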