Wildcard DNS (pros and cons)
Kevin Darcy
kcd at daimlerchrysler.com
Fri Dec 10 18:54:07 UTC 2004
JimH at Nucleus.com wrote:
>What is the purpose of allowing *.example.com within a DNS Zone? Are there
>any pros or cons in allowing this sort of thing?
>
>I have never been a fan of wildcarding, and now people are asking for this,
>and before getting in over my head I want to investigate this "feature".
>
>I can think of one con: if you're charging for DNS changes then they would
>never have to contact you, but they could also just run their own DNS and
>manage themselves.
>
There's nothing _technically_ wrong with using wildcards. It's just that
wildcards in DNS don't operate like simple, intuitive pattern matches --
they are "blocked" by delegations or even "empty non-terminals", for
instance -- so folks have difficulty conceptualizing them, and this
frequently leads to nasty surprises. When used *properly* they can be
very powerful and convenient. We use wildcard MX records in our internal
root zone to route outbound Internet mail, for instance, which allows us
to run "dumb" mail configurations on our servers and control the mail
routing centrally. But if some day, for example, I were to define a
foobar.microsoft.com name in our internal DNS (e.g. to redirect a
worm-generated DoS to the bit bucket), then if I didn't remember to also
define an explicit *.microsoft.com MX record, then the "empty
non-terminal" would put the kibosh on all mail to @microsoft.com
addresses (mostly hate mail, probably :-). So wildcards are powerful but
dangerous if not used properly.
- Kevin
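The "empty non-terminal" effect Kevin describes follows directly from how wildcard matching is specified (RFC 1034 section 4.3.2, clarified in RFC 4592): a wildcard is only consulted when the query name does not exist, and the only wildcard that can match is `*` directly beneath the closest existing ancestor of the query name. The following simulator is an added example, not code from the thread or from BIND; it models an internal root zone with a wildcard MX and then walks through the scenario in the post. All zone data (the relay name `relay.internal.`, the `0.0.0.0` sinkhole address, the `partner.example.` delegation) is constructed for illustration. It also shows the other blocker mentioned, a delegation, which goes slightly beyond the post's own example.

```python
"""Simulate DNS wildcard matching (RFC 1034 s4.3.2 / RFC 4592).

Added example: an internal root zone with a wildcard MX, then the effect of
adding one explicit name underneath it. All records are constructed.
"""

NOERROR, NODATA, NXDOMAIN, REFERRAL = "NOERROR", "NODATA", "NXDOMAIN", "REFERRAL"


def labels(name):
    """'mail.example.com.' -> ('mail', 'example', 'com'); '.' -> ()."""
    return tuple(lbl.lower() for lbl in name.rstrip(".").split(".") if lbl)


class Zone:
    def __init__(self, apex, records):
        self.apex = labels(apex)
        self.rrsets = {}  # owner labels -> {rtype: [rdata, ...]}
        for owner, rtype, rdata in records:
            self.add(owner, rtype, rdata)

    def add(self, owner, rtype, rdata):
        self.rrsets.setdefault(labels(owner), {}).setdefault(rtype, []).append(rdata)

    def exists(self, name):
        """A name exists if it owns records OR is an ancestor of a name that does.

        The second case is an "empty non-terminal": it has no records itself,
        but it still counts as existing for wildcard purposes.
        """
        if name in self.rrsets:
            return True
        return any(len(owner) > len(name) and owner[len(owner) - len(name):] == name
                   for owner in self.rrsets)

    def lookup(self, qname, qtype):
        """Return (rcode, rdata list, synthesized_from_wildcard)."""
        q = labels(qname)
        # 1. A delegation (NS below the apex) on the path cuts the zone; the
        #    wildcard above it is never consulted.
        for k in range(len(self.apex), len(q) + 1):
            anc = q[len(q) - k:]
            if anc != self.apex and "NS" in self.rrsets.get(anc, {}):
                return REFERRAL, [], False
        # 2. The query name exists (even as an empty non-terminal): answer from
        #    its own data, NODATA if it has none. No wildcard is considered.
        if self.exists(q):
            data = self.rrsets.get(q, {}).get(qtype, [])
            return (NOERROR if data else NODATA), data, False
        # 3. Closest encloser = longest existing ancestor; the only candidate
        #    wildcard is '*' directly under it.
        ce = self.apex
        for k in range(len(q) - 1, len(self.apex) - 1, -1):
            if self.exists(q[len(q) - k:]):
                ce = q[len(q) - k:]
                break
        source = ("*",) + ce
        if self.exists(source):
            data = self.rrsets.get(source, {}).get(qtype, [])
            return (NOERROR if data else NODATA), data, bool(data)
        return NXDOMAIN, [], False


def scenario():
    """Walk through the post's example; returns the rcode at each step."""
    zone = Zone(".", [
        (".", "SOA", "ns.internal. hostmaster.internal. 1 3600 900 604800 300"),
        (".", "NS", "ns.internal."),
        ("*.", "MX", "10 relay.internal."),  # route all outbound mail centrally
    ])
    out = {}
    out["before"] = zone.lookup("microsoft.com.", "MX")[0]        # wildcard applies
    # Sinkhole one hostname: this silently creates the empty non-terminals
    # 'com' and 'microsoft.com'.
    zone.add("foobar.microsoft.com.", "A", "0.0.0.0")
    out["ent_apex"] = zone.lookup("microsoft.com.", "MX")[0]      # name exists -> NODATA
    out["ent_child"] = zone.lookup("mail.microsoft.com.", "MX")[0]  # no *.microsoft.com
    out["unrelated"] = zone.lookup("example.org.", "MX")[0]       # still synthesized
    # The explicit wildcard under the empty non-terminal restores its children...
    zone.add("*.microsoft.com.", "MX", "10 relay.internal.")
    out["child_fixed"] = zone.lookup("mail.microsoft.com.", "MX")[0]
    out["apex_still"] = zone.lookup("microsoft.com.", "MX")[0]    # ...but not the ENT itself
    # A delegation blocks the wildcard in the same way.
    zone.add("partner.example.", "NS", "ns.partner.example.")
    out["delegated"] = zone.lookup("host.partner.example.", "MX")[0]
    return out


if __name__ == "__main__":
    for step, rcode in scenario().items():
        print(f"{step:12s} {rcode}")
```

Run it and the output traces the post step by step: `microsoft.com` goes from a synthesized `NOERROR` to `NODATA` the moment `foobar.microsoft.com` is added, and every other name under `microsoft.com` turns into `NXDOMAIN` until an explicit `*.microsoft.com` MX exists. The empty non-terminal itself never matches any wildcard, so a name that has to keep receiving mail after such a change needs its own explicit MX record, and a pre-change check is simply to query the zone for every parent label of the name you are about to add.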