wildcard reverse lookups?

Edward Lewis Ed.Lewis at neustar.biz
Wed Dec 20 13:57:20 UTC 2006 

According to RFC 1034:

RDATA           which is the type and sometimes class dependent data
                 which describes the resource:

...
                 NS              a host name.
                 PTR             a domain name.

having a name beginning with an asterisk label (wildcard) is legal in 
the RDATA of the PTR.  I left "NS" above there to show the 
distinction made between host names and domain names. (Host names are 
a subset of domain names as defined in RFC 1123.)

There's nothing wrong with the PTR pointing to a wildcard as far as 
the DNS protocol is concerned.  Perhaps the intent of the 
administrator isn't going to be met though.  (Although what that 
intent is, I can't really guess.)

IOW, if you do a lookup on the RDATA of the PTR, you will get back 
the unexpanded wildcard.  If a wildcard is in the query, it is "Just 
Another QNAME"  when the algorithm in RFC 1034, 4.3.2. is run.  The 
wildcards in the QNAME and in the zone will match exactly, there is 
no synthesis/expansion done.

Gin a wildcard RR meet a wildcard RR
Coming thro' the search algorithm,
Gin a wildcard RR kiss a wildcard RR -
Need a wildcard RR cry?

(http://classiclit.about.com/library/bl-etexts/rburns/bl-rburns-comingrye.htm)

Thinking some more, maybe the intent is to say that any host name 
under aaiprozy.ether.ch is acceptable for the IP address.  Well, 
that's not what applications would get from the returned wildcard - 
for one, applications don't have enough information to tell if the 
synthesis would be applied correctly.  In fact, it wouldn't be. 
Because if the forward host name was in the DNS, the wildcard 
wouldn't apply to that name.

In summary, it's legal but not what is intended (most likely) in this 
case.  It's like a car having a steering wheel but the road ahead is 
straight.  There are times to turn but this ain't one of them.

At 0:13 +1100 12/21/06, Karl Auer wrote:
>Hi there.
>
>Due to a programming error (IMHO) we have a PTR entry in a reverse zone
>that points to a wildcard. Try "dig -x 129.132.73.148" to see it.
>
>Now I reckon this is a Bad Thing. I reckon reverse lookups should
>resolve to single real names. With this entry, no matter what name
>someone uses, if they have the address 129.132.73.148, their address
>will not resolve back to their name. I can see no use for this entry,
>except to confuse machines that don't like asterisks in their DNS diet.
>
>Does anyone else have an opinion on this?
>
>Regards, K.
>
>PS: BIND loads the entry with a warning about a "bad name", Nominum's
>ANS accepts it without comment.
>
>--
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
>http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Dessert - aka Service Pack 1 for lunch.

More information about the bind-users mailing list