Quoting Giampaolo Tomassoni <[EMAIL PROTECTED]>:
Please note that one generally can't issue a DNS request to a specific server from SA, since its resolver engine only uses the globally-defined DNS server(s). Thereby, in the common case I should get the NSes published by root servers, which should be exactly the ones published in whois. But they are not always! This is not because of a "change" in progress, but because of the normal follow-up of the authoritative chain in domain name resolution: if a root server says that NSa and NSb are authoritative for domain D, but NSa says that instead NSc and NSd are, the resolver (which of course must apply "recursion", since you're not using a non-recursive DNS server for your standard queries, right?) yields two NS RRs with NSc and NSd names in them, not with the ones defined by the root server.
Yes, delegation is the other, more usual, way that the nameserver in the whois and TLD root server may differ. Some spammers do make use of a lot of delegation, more than usual and sometimes in long chains of delegation, but delegation beyond the typical glue records is not necessarily the sign of a spam domain. In short, this may result in false positives.
Jeff C.
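
The case discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin code: a small model of a recursive NS lookup in which the delegated server's authoritative answer replaces the parent's referral, so a rule comparing resolved NS names to the registered ones fires on a legitimate domain. All domain and server names, the `KNOWN_SPAM` labels and the rule function are constructed for illustration.

```python
# Constructed sample data; every name below is made up for illustration.
# NS set the parent (TLD) zone delegates to; in the common case this equals WHOIS.
PARENT_REFERRAL = {
    "plain.example":     ["ns1.plain.example", "ns2.plain.example"],
    "delegated.example": ["nsa.example.net", "nsb.example.net"],
    "spammy.example":    ["nsx.example.org", "nsy.example.org"],
}
# NS RRset each delegated server returns authoritatively for the zone apex.
APEX_ANSWER = {
    ("ns1.plain.example", "plain.example"): ["ns1.plain.example", "ns2.plain.example"],
    ("nsa.example.net", "delegated.example"): ["nsc.example.net", "nsd.example.net"],
    ("nsx.example.org", "spammy.example"): ["nsz.example.org"],
}
KNOWN_SPAM = {"spammy.example"}  # constructed ground truth for the sample


def resolve_ns(domain):
    """NS names a recursive resolver hands back for `domain`."""
    referral = PARENT_REFERRAL[domain]
    for server in referral:
        answer = APEX_ANSWER.get((server, domain))
        if answer is not None:
            # Authoritative data outranks the parent's referral (RFC 2181, 5.4.1).
            return set(answer)
    return set(referral)  # no delegated server answered; only the referral is known


def ns_differs_from_whois(domain):
    """Hypothetical naive rule: fire when resolved NS set != registered NS set."""
    return resolve_ns(domain) != set(PARENT_REFERRAL[domain])


def false_positives():
    """Domains the naive rule flags that are not spam in the sample data."""
    return sorted(d for d in PARENT_REFERRAL
                  if ns_differs_from_whois(d) and d not in KNOWN_SPAM)


if __name__ == "__main__":
    for d in PARENT_REFERRAL:
        state = "flagged" if ns_differs_from_whois(d) else "ok"
        print(d, sorted(resolve_ns(d)), state)
    print("false positives:", false_positives())
```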