[Pdns-users] Inconsistent wildcard behaviour with and without DNSSEC
Peter Thomassen
peter at desec.io
Fri Sep 9 18:52:18 UTC 2016
Hi Pieter,
On 09/09/2016 07:20 AM, Pieter Lexis wrote:
>> *.example.com. IN A 1.2.3.4
>> a.example.com. IN A 2.3.4.5
>>
>> Then, without DNSSEC enabled, asking for the A record of b.a.example.com
>> gives 1.2.3.4. However, with DNSSEC enable, the result is NXDOMAIN.
>>
>> So, there is a difference in how a wildcard record impacts higher-level
>> subdomains of a domain which is configured explicitly on the same level
>> as the wildcard record.
>>
>> Is this behavior intended?
>
> Yes, this is proper behaviour.
There was a typo in the test zone I had secured with DNSSEC. I am sorry
about the noise. I will verify test cases more thoroughly in the future.
> But you're not telling us the whole story, here is an empty non-terminal in your zone.
Is there? The example.com SOA record makes sure that example.com is not
empty, and rectify-zone did not generate an extra record. But you're
right, I should have posted it.
Best,
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20160909/97a87b44/attachment.sig>
More information about the Pdns-users
mailing list