Non-terminal wildcards?

Cricket Liu cricket at acmebw.com
Thu Aug 12 18:16:01 UTC 1999


Here's a weird one.

Someone wrote Mr. DNS about the following configuration:

doubletree.com.          IN  MX    0 inbound.doubletree.com.criticalpath.net.
doubletree.com.          IN  A     209.54.53.22
mail.doubletree.com.     IN  CNAME mail.doubletree.com.criticalpath.net.
*.doubletree.com.        IN  MX    5 inbound.doubletree.com.criticalpath.net.
*.doubletree.com.        IN  A     209.54.53.22
mail.*.doubletree.com.   IN  CNAME mail.doubletree.com.criticalpath.net.

Take a careful look at the last CNAME RR:  The wildcard in the owner name is
non-terminal.  However, this works.  Take a look:

# dig mail.*.doubletree.com. +pfmin
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62944
;; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      mail.*.doubletree.com, type = A, class = IN

;; ANSWER SECTION:
mail.*.doubletree.com.  1D IN CNAME
mail.doubletree.com.criticalpath.net.
mail.doubletree.com.criticalpath.net.  51m56s IN A  209.228.252.240

# dig *.doubletree.com. +pfmin
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45678
;; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUERY SECTION:
;;      *.doubletree.com, type = A, class = IN

;; ANSWER SECTION:
*.doubletree.com.       1D IN A         209.54.53.22

Now, I had always thought wildcards had to be terminal.  Here are a couple of
(I thought) relevant snippets from 1034:

"4.3.3. Wildcards

"In the previous algorithm, special treatment was given to RRs with owner
names *starting* [my emphasis] with the label "*"...

"The wildcards in the zone have an owner name that controls the
query names they will match.  The owner name of the wildcard RRs is of
the form "*.<anydomain>", where <anydomain> is any domain name.
<anydomain> should not contain other * labels, and should be in the
authoritative data of the zone."

Is this just an unexpected "feature" in BIND?  If so, and we leave it in the
code, will it end up in all future versions of BIND, like multiple-cnames?

cricket
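To make the RFC 1034 behaviour concrete, here is an added example (not from the post and not BIND's code) that models the section 4.3.2 lookup algorithm over the records quoted above, with the owner names stored literally. It shows that a "*" label that is not the first label is matched like any other label, so the dig for the literal name mail.*.doubletree.com is an exact match, while a genuine wildcard lookup such as mail.foo.doubletree.com is answered from *.doubletree.com and never reaches that CNAME.

```python
from typing import Dict, List, Tuple

# Zone data constructed from the records quoted in the message above.
# Owner names are taken literally: "mail.*.doubletree.com." is an ordinary
# node whose middle label happens to be the single character "*".
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "doubletree.com.": [("MX", "0 inbound.doubletree.com.criticalpath.net."),
                        ("A", "209.54.53.22")],
    "mail.doubletree.com.": [("CNAME", "mail.doubletree.com.criticalpath.net.")],
    "*.doubletree.com.": [("MX", "5 inbound.doubletree.com.criticalpath.net."),
                          ("A", "209.54.53.22")],
    "mail.*.doubletree.com.": [("CNAME", "mail.doubletree.com.criticalpath.net.")],
}


def labels(name: str) -> List[str]:
    """Split an absolute name into labels, root side first (com, doubletree, ...)."""
    return [l for l in reversed(name.lower().rstrip(".").split(".")) if l]


def owner(labs: List[str]) -> str:
    """Rebuild the absolute owner name from root-side-first labels."""
    return ".".join(reversed(labs)) + "."


def node_exists(labs: List[str]) -> bool:
    """A node exists if some owner name equals it or lies below it
    (RFC 1034 treats such intermediate names as existing, empty nodes)."""
    return any(labels(o)[: len(labs)] == labs for o in ZONE)


def select(labs: List[str], qtype: str) -> List[Tuple[str, str]]:
    """RRs of the requested type at a node; a CNAME answers any type."""
    return [rr for rr in ZONE.get(owner(labs), []) if rr[0] in (qtype, "CNAME")]


def lookup(qname: str, qtype: str) -> Tuple[str, List[Tuple[str, str]]]:
    """RFC 1034 section 4.3.2 step 3: walk the query name label by label.
    Returns (kind, rrs) with kind in {"exact", "wildcard", "nxdomain"}."""
    matched: List[str] = []
    for lab in labels(qname):
        if node_exists(matched + [lab]):      # steps 3a/3b: this label matches
            matched.append(lab)
            continue
        # step 3c: label missing; only a "*" node directly under the closest
        # encloser counts as a wildcard, whatever labels lie below it.
        if node_exists(matched + ["*"]):
            return "wildcard", select(matched + ["*"], qtype)
        return "nxdomain", []
    return "exact", select(matched, qtype)    # whole query name matched
```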
