Wildcard DNS (pros and cons)

Kevin Darcy kcd at daimlerchrysler.com
Fri Dec 10 18:54:07 UTC 2004


JimH at Nucleus.com wrote:

>What is the purpose of allowing *.example.com within a DNS Zone?  Are there 
>any pros or cons in allowing this sort of thing?
>
>I have never been a fan of wildcarding, and now people are asking for this, 
>and before getting in over my head I want to investigate this "feature"
>
>
>I can think of one con.. if you're charging for DNS changes then they would 
>never have to contact you, but they could also just run their own DNS and 
>manage themselves.
>
There's nothing _technically_ wrong with using wildcards. It's just that 
wildcards in DNS don't operate like simple, intuitive pattern matches -- 
they are "blocked" by delegations or even "empty non-terminals", for 
instance -- so folks have difficulty conceptualizing them, and this 
frequently leads to nasty surprises. When used *properly* they can be 
very powerful and convenient. We use wildcard MX records in our internal 
root zone to route outbound Internet mail, for instance, which allows us 
to run "dumb" mail configurations on our servers and control the mail 
routing centrally. But if some day, for example, I were to define a 
foobar.microsoft.com name in our internal DNS (e.g. to redirect a 
worm-generated DoS to the bit bucket), then if I didn't remember to also 
define an explicit *.microsoft.com MX record, then the "empty 
non-terminal" would put the kibosh on all mail to @microsoft.com 
addresses (mostly hate mail, probably :-). So wildcards are powerful but 
dangerous if not used properly.

                                                                         
                                          - Kevin
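The mechanics Kevin describes (wildcard synthesis stopped by a delegation or by an empty non-terminal), as an added example that is not from this thread: a small Python model of RFC 4592 lookup run over a constructed internal root zone with the wildcard MX and the foobar.microsoft.com sinkhole. Names are absolute with a trailing dot; mailgw.internal, ns1.internal and partner.example are assumed placeholders.

```python
# Added example, not from the thread: a toy RFC 4592 wildcard matcher reproducing the ENT trap above.
from typing import Dict, List, Tuple
Zone = Dict[str, Dict[str, List[str]]]  # owner name -> rrtype -> rdata list

def labels(name: str) -> List[str]:
    """'foobar.microsoft.com.' -> ['foobar', 'microsoft', 'com']; '.' -> []."""
    return [lb for lb in name.lower().rstrip(".").split(".") if lb]

def parent(name: str) -> str:
    """Drop the leftmost label: 'microsoft.com.' -> 'com.', 'com.' -> '.'."""
    rest = labels(name)[1:]
    return ".".join(rest) + "." if rest else "."

def name_exists(zone: Zone, name: str) -> bool:
    """Owns records, or is an ancestor of a name that does (an 'empty non-terminal')."""
    want = labels(name)
    return any(labels(o)[-len(want):] == want if want else True for o in zone)

def lookup(zone: Zone, apex: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Resolve qname/qtype in one zone; returns (ANSWER|NODATA|NXDOMAIN|REFERRAL, rdata)."""
    n = qname
    while n != apex:                       # 1. delegation at qname or an ancestor:
        if n in zone and "NS" in zone[n]:  #    wildcards above the cut never apply
            return ("REFERRAL", zone[n]["NS"])
        n = parent(n)
    if qname in zone:                      # 2. explicit owner: answer or NODATA
        return ("ANSWER", zone[qname][qtype]) if qtype in zone[qname] else ("NODATA", [])
    if name_exists(zone, qname):           # 3. empty non-terminal: NODATA, wildcard skipped
        return ("NODATA", [])
    enc = parent(qname)                    # 4. closest encloser, then its wildcard only
    while enc != "." and not name_exists(zone, enc):
        enc = parent(enc)
    wc = "*." if enc == "." else "*." + enc
    if wc in zone:
        return ("ANSWER", zone[wc][qtype]) if qtype in zone[wc] else ("NODATA", [])
    return ("NXDOMAIN", [])

def kevin_scenario() -> Dict[str, Tuple[str, List[str]]]:  # constructed data, not a real zone
    zone: Zone = {".": {"SOA": ["ns1.internal. hostmaster.internal. 1 3600 900 604800 300"]},
                  "*.": {"MX": ["10 mailgw.internal."]},                # route all outbound mail
                  "partner.example.": {"NS": ["ns.partner.example."]}}  # one delegation
    out = {"before": lookup(zone, ".", "microsoft.com.", "MX")}          # wildcard MX
    out["delegated"] = lookup(zone, ".", "mail.partner.example.", "MX")  # referral, no MX
    zone["foobar.microsoft.com."] = {"A": ["127.0.0.1"]}  # sinkhole one worm target name
    out["after"] = lookup(zone, ".", "microsoft.com.", "MX")          # now an ENT: NODATA
    out["sub_after"] = lookup(zone, ".", "www.microsoft.com.", "MX")  # NXDOMAIN: root wildcard bypassed
    zone["microsoft.com."] = zone["*.microsoft.com."] = {"MX": ["10 mailgw.internal."]}  # explicit fix
    out["fixed"] = lookup(zone, ".", "microsoft.com.", "MX")
    out["sub_fixed"] = lookup(zone, ".", "www.microsoft.com.", "MX")
    return out
```

Note that a wildcard such as *.microsoft.com matches names beneath microsoft.com but never microsoft.com itself, so mail to @microsoft.com also needs an explicit MX at the now-empty name. The same walk applies to any record type, which is why an unrelated A record is enough to break a wildcard MX.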


