Can I have a *.domain.com A record

Kevin Darcy kcd at chrysler.com
Mon Oct 26 15:25:28 UTC 2009


Stephane Bortzmeyer wrote:
> On Mon, Oct 26, 2009 at 05:47:57PM +0530,
>  ram <ram at netcore.co.in> wrote 
>  a message of 20 lines which said:
>
>   
>> If wildcard DNS is a bad idea, 
>>     
>
> Wildcards *address* records (A and AAAA), not all wildcards.
>
> See <http://www.icann.org/committees/security/ssac-report-09jul04.pdf>
> or <http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html>
> for a start.
>   
The gist of all that is that wildcards turn responses for non-existent 
names from NXDOMAIN (no such name) to NODATA (a pseudo-RCODE meaning, 
basically, "the name exists, but not with the QTYPE you asked for") or to 
the wildcarded value, depending on whether the wildcarded entry/entries 
cover the QTYPE or not.

In the case of NODATA, a particular app, using a QTYPE which you didn't 
anticipate with a wildcard entry, may have been expecting NXDOMAIN for 
the query, and may in fact have a particular code path based on that 
response. NODATA may be unexpected, and the app may go down the wrong 
code path, with perhaps undesirable consequences.

In the case of receiving the wildcarded value, this applies to *all* 
protocols and ports, so while you may have, say, HTTP and SMTP covered 
as hosted services on your network (as Verisign did with Site Finder on 
the Internet), one day a device gets plugged into your network that 
speaks a completely different protocol, and it starts connecting to the 
target of the wildcard, instead of failing over as expected, or 
simply/unambiguously failing. Hilarity ensues. This is an accident 
waiting to happen.

We use wildcards very sparingly here, for mail routing, but fortunately 
we have very few mail platforms to deal with internally, and so far 
(knock on wood) all of them deal with wildcard MXes sanely. I wouldn't 
recommend using wildcards in a heterogeneous environment and/or for 
address (A/AAAA) records. There are just way too many things looking those 
up, and you can't be sure they'll all behave properly once the wildcards 
change the content of the responses.

- Kevin
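The NXDOMAIN / NODATA / synthesized-answer distinction Kevin describes, as an added worked example (not code posted in this thread and not BIND's code). It is a toy model of wildcard matching per RFC 1034 section 4.3.3 and RFC 4592 run against a constructed example.com zone, once without and once with a "*.example.com A" record, plus the RFC 5321 implicit-MX fallback that is the kind of "unanticipated QTYPE" code path the message warns about. It goes slightly beyond the text in also modelling the RFC 4592 rule that an existing intermediate name blocks a wildcard above it. Zone data, addresses and the simplifications (no CNAMEs, delegations or DNSSEC) are assumptions of this example.

```python
"""Toy model of DNS wildcard matching (RFC 1034 section 4.3.3, RFC 4592).

Added example for this thread, not code posted by Kevin Darcy or from
BIND. It shows how a single "*.example.com A" record changes the answer
a resolver gets for names that do not exist: NXDOMAIN becomes either the
wildcarded A record or NODATA, depending on whether the wildcard carries
the QTYPE asked for. The zone data and addresses are constructed.
"""
from enum import Enum


class Rcode(Enum):
    NOERROR = "NOERROR"    # answer section has records
    NODATA = "NODATA"      # pseudo-RCODE: NOERROR with an empty answer
    NXDOMAIN = "NXDOMAIN"  # the name does not exist at all


def _norm(name):
    return name.rstrip(".").lower()


def _exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal
    (some owner in the zone lies below it)."""
    return name in zone or any(o.endswith("." + name) for o in zone)


def lookup(zone, qname, qtype):
    """Return (Rcode, list_of_rdata) for qname/qtype against one zone.

    zone: {owner_name: {RRTYPE: [rdata, ...]}} with lowercase names and
    no trailing dots. Only the wildcard logic is modelled; delegations,
    CNAMEs and DNSSEC are ignored (simplification of this example).
    """
    qname, qtype = _norm(qname), qtype.upper()

    # 1. Exact owner name match: the wildcard is never consulted.
    if qname in zone:
        rrs = zone[qname].get(qtype)
        return (Rcode.NOERROR, list(rrs)) if rrs else (Rcode.NODATA, [])

    # 2. Empty non-terminal: the name exists but has no data of any type.
    if _exists(zone, qname):
        return Rcode.NODATA, []

    # 3. Find the closest encloser (longest existing ancestor). Only a
    #    wildcard that is a direct child of the closest encloser matches;
    #    an existing intermediate name blocks wildcards above it (RFC 4592).
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):
            wildcard = "*." + ancestor
            if wildcard in zone:
                rrs = zone[wildcard].get(qtype)
                return (Rcode.NOERROR, list(rrs)) if rrs else (Rcode.NODATA, [])
            return Rcode.NXDOMAIN, []

    # No ancestor in this zone (a real server would not be authoritative).
    return Rcode.NXDOMAIN, []


def smtp_next_hop(zone, domain):
    """RFC 5321 section 5.1 target selection, the code path that turns a
    wildcard A record into misrouted mail: use the lowest-preference MX;
    with NODATA for MX but an address record, treat the domain itself as
    the mail host (implicit MX); with NXDOMAIN give up and bounce."""
    rcode, mx = lookup(zone, domain, "MX")
    if rcode is Rcode.NOERROR:
        return min(mx, key=lambda r: int(r.split()[0])).split()[1]
    if rcode is Rcode.NODATA:
        for t in ("A", "AAAA"):
            if lookup(zone, domain, t)[0] is Rcode.NOERROR:
                return _norm(domain)  # implicit MX: here, the wildcard target
    return None  # NXDOMAIN or no address at all: permanent failure


# Constructed zone: apex NS/MX plus two hosts.
ZONE_PLAIN = {
    "example.com": {"NS": ["ns1.example.com"], "MX": ["10 mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "www.example.com": {"A": ["192.0.2.80"]},
}
# The same zone with a wildcard address record added.
ZONE_WILDCARD = {**ZONE_PLAIN, "*.example.com": {"A": ["192.0.2.99"]}}


if __name__ == "__main__":
    for zone_name, zone in (("plain", ZONE_PLAIN), ("wildcard", ZONE_WILDCARD)):
        for q in (("typo.example.com", "A"), ("typo.example.com", "MX"),
                  ("a.b.example.com", "A"), ("x.www.example.com", "A")):
            rcode, rdata = lookup(zone, *q)
            print(f"{zone_name:8} {q[0]:22} {q[1]:3} -> {rcode.value} {rdata}")
        print(f"{zone_name:8} mail for typo.example.com ->",
              smtp_next_hop(zone, "typo.example.com"))
```

Without the wildcard, typo.example.com is NXDOMAIN for every QTYPE and the SMTP path bounces the mail. With the wildcard, an A query gets 192.0.2.99, an MX query gets NODATA, and the implicit-MX rule then delivers mail for the misspelled name to the wildcard target; x.www.example.com stays NXDOMAIN because www.example.com exists and blocks the wildcard.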
