[Pdns-users] DNSSEC and subdomains with wildcards
Chris
lists at shthead.com
Thu May 29 12:22:08 UTC 2014
Hi list,

I have run into a problem with implementing DNSSEC for zones that have
wildcards.

I am using PowerDNS 3.3-1 on Debian Wheezy with the 'gmysql-dnssec'
backend. I am testing with the domain 'testdomain.asia'.

Starting from scratch with just the SOA and NS records in the zone, I
then add an A record for '*.wildcard.testdomain.asia'. This resolves as
expected:

;; QUESTION SECTION:
;test.wildcard.testdomain.asia. IN A
;; ANSWER SECTION:
test.wildcard.testdomain.asia. 3600 IN A 123.123.123.123

Next, I then create an A record for
'subdomain.test.wildcard.testdomain.asia', which resolves as expected:

;; QUESTION SECTION:
;subdomain.test.wildcard.testdomain.asia. IN A
;; ANSWER SECTION:
subdomain.test.wildcard.testdomain.asia. 3600 IN A 124.124.124.124

I then sign the zone using pdnssec:

pdnssec secure-zone testdomain.asia
pdnssec set-nsec3 testdomain.asia "1 1 100 5cddd83a364649b8" narrow
pdnssec rectify-zone testdomain.asia

I then query the name server again to make sure those records still work:

;; QUESTION SECTION:
;subdomain.test.wildcard.testdomain.asia. IN A
;; ANSWER SECTION:
subdomain.test.wildcard.testdomain.asia. 3600 IN A 124.124.124.124

;; QUESTION SECTION:
;test.wildcard.testdomain.asia. IN A
;; AUTHORITY SECTION:
testdomain.asia. 3600 IN SOA names1.syrahost.com. dns.syrahost.com. 2014052909 7200 120 1209600 3600

Now I see that 'test.wildcard.testdomain.asia' no longer resolves.
Looking in the database there is a new entry for
'test.wildcard.testdomain.asia' with null 'type' and 'content', so I
assume that pdns sees that record with no content and figures there is
nothing to do.

My question is, should this happen? Resolving other names on the
wildcard looks fine, e.g. 'test1.wildcard.testdomain.asia':

;; QUESTION SECTION:
;test1.wildcard.testdomain.asia. IN A
;; ANSWER SECTION:
test1.wildcard.testdomain.asia. 3600 IN A 123.123.123.123

Thanks!
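
Added example, not part of the original post and not PowerDNS code: a small Python model of RFC 4592 wildcard matching over the names from the post. Once 'subdomain.test.wildcard.testdomain.asia' has a record, 'test.wildcard.testdomain.asia' exists as an empty non-terminal, so the wildcard no longer applies to it, which is consistent with the null-type row and the authority-only SOA response reported above. The zone dictionaries and function names are constructed for illustration.

```python
# Added example: RFC 4592 wildcard matching with empty non-terminals (ENTs).
# Zone contents are constructed from the names in the post; SOA/NS are omitted.
APEX = "testdomain.asia"
WILDCARD_ONLY = {"*.wildcard.testdomain.asia": {"A": "123.123.123.123"}}
WITH_SUBDOMAIN = dict(WILDCARD_ONLY, **{
    "subdomain.test.wildcard.testdomain.asia": {"A": "124.124.124.124"}})

def ancestors(name, apex=APEX):
    """Return name followed by each parent, ending at the zone apex."""
    labels = name.split(".")
    depth = len(labels) - len(apex.split("."))
    return [".".join(labels[i:]) for i in range(depth + 1)]

def existing_names(records, apex=APEX):
    """Owner names plus every ancestor; ancestors with no records are ENTs."""
    names = {apex}
    for owner in records:
        names.update(ancestors(owner, apex))
    return names

def lookup(qname, qtype, records, apex=APEX):
    """Return (status, rdata, matched_owner) for an in-zone query name."""
    names = existing_names(records, apex)
    if qname in names:
        # The name exists, possibly only as an ENT, so no wildcard applies.
        rdata = records.get(qname, {}).get(qtype)
        return ("ANSWER" if rdata else "NODATA", rdata, qname)
    # Name does not exist: the closest encloser is the nearest existing ancestor.
    closest = next(a for a in ancestors(qname, apex) if a in names)
    wildcard = "*." + closest
    if wildcard not in names:
        return ("NXDOMAIN", None, closest)
    rdata = records.get(wildcard, {}).get(qtype)
    return ("ANSWER" if rdata else "NODATA", rdata, wildcard)

if __name__ == "__main__":
    for q in ("test.wildcard.testdomain.asia", "test1.wildcard.testdomain.asia",
              "subdomain.test.wildcard.testdomain.asia"):
        print(q, lookup(q, "A", WILDCARD_ONLY), lookup(q, "A", WITH_SUBDOMAIN))
```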