[Pdns-users] Inconsistent wildcard behaviour with and without DNSSEC

Pieter Lexis pieter.lexis at powerdns.com
Fri Sep 9 10:20:53 UTC 2016


Hi,

On Thu, 8 Sep 2016 23:00:56 -0300
Peter Thomassen <peter at desec.io> wrote:

> I noticed the following inconsistency in the authoritative server, and I
> would like to know if it is intended. (I was not unable to figure this
> out by looking up the RFCs.)
> 
> Let's say we have
> 
> *.example.com.	IN	A 1.2.3.4
> a.example.com.	IN	A 2.3.4.5
> 
> Then, without DNSSEC enabled, asking for the A record of b.a.example.com
> gives 1.2.3.4. However, with DNSSEC enabled, the result is NXDOMAIN.
> 
> So, there is a difference in how a wildcard record impacts higher-level
> subdomains of a domain which is configured explicitly on the same level
> as the wildcard record.
> 
> Is this behavior intended?

Yes, this is proper behaviour. But you're not telling us the whole story, here is an empty non-terminal in your zone.

```
$ORIGIN example.net.
$TTL 3600

@	IN	SOA	ns1.example.net. pieter\.lexis.powerdns.com. (
                                2015120811 ; serial
                                1H ; refresh
                                15 ; retry
                                1W ; expire
                                2H ; minimum

)

*.example.net.  IN      A 1.2.3.4
a.example.net.  IN      A 2.3.4.5
```

I get an NXDOMAIN for b.a.example.net with DNSSEC and without DNSSEC. Please provide the full zone and details if you want us to investigate, see our support policy [1].

Best regards,

Pieter

1 - https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
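
The name-existence rule behind the reply above (RFC 4592: closest encloser, then source of synthesis), as an added example that is not part of the original message and is not PowerDNS code. The helper names and the dict representation of the zone are assumptions for illustration; the records are those of the example.net zone shown in the reply.

```python
# Added illustration of RFC 4592 wildcard synthesis; not PowerDNS code.
# Zone below is constructed from the records in the reply (owner -> rrtypes).
ZONE_APEX = "example.net."
ZONE = {
    "example.net.": {"SOA"},
    "*.example.net.": {"A"},
    "a.example.net.": {"A"},
}

def labels(name):
    return name.rstrip(".").lower().split(".")

def existing_names(zone):
    """Owner names plus every ancestor up to the apex (empty non-terminals)."""
    names = set()
    apex_len = len(labels(ZONE_APEX))
    for owner in zone:
        parts = labels(owner)
        for i in range(len(parts) - apex_len + 1):
            names.add(".".join(parts[i:]) + ".")
    return names

def resolve(qname, qtype, zone=ZONE):
    """Return (rcode-like result, name that decided the answer)."""
    exists = existing_names(zone)
    qname = qname.lower()
    if qname in exists:
        # Exact match, including an empty non-terminal (which has no data).
        found = qtype in zone.get(qname, set())
        return ("NOERROR" if found else "NODATA", qname)
    # Closest encloser: the longest existing ancestor of qname.
    parts = labels(qname)
    closest = None
    for i in range(1, len(parts)):
        candidate = ".".join(parts[i:]) + "."
        if candidate in exists:
            closest = candidate
            break
    if closest is None:
        return ("REFUSED", None)  # qname is not inside this zone
    # Source of synthesis is "*.<closest encloser>"; no other wildcard applies.
    wildcard = "*." + closest
    if wildcard in zone:
        found = qtype in zone[wildcard]
        return ("NOERROR" if found else "NODATA", wildcard)
    return ("NXDOMAIN", closest)

if __name__ == "__main__":
    for q in ("b.example.net.", "c.b.example.net.", "b.a.example.net."):
        print(q, resolve(q, "A"))
```

For b.a.example.net the closest encloser is a.example.net, so only *.a.example.net could synthesize an answer; *.example.net is never consulted, which is why the result is NXDOMAIN regardless of DNSSEC.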

