BIND 9.2 and Wildcards (MYSTERIOUS!)

Edward Lewis edlewis at arin.net
Tue Aug 31 20:28:21 UTC 2004


At 14:57 -0500 8/31/04, Peter John Hartman wrote:
>We recently upgraded to bind 9.2.3 and have encountered a really 
>strange effect with wildcards.
>Our entry (which worked before):
>
>*.mennonite.net. 14400 IN A 199.8.232.35
>
>Now, this wildcard only sort of works.
>
>I can ping foo.foo.mennonite.net but I can't ping foo.in.us.mennonite.net
>or foo.us.mennonite.net, etc. unless I put in:
>
>*.us    IN  A   199.8.232.35
>*.in.us IN  A   199.8.232.35
>
>Very strange!  Canadian sites do work, it should be noted:
>foo.on.ca.mennonite.net resolves fine; in other words, it is just subdomains
>underneath us.MYDOMAIN.  No errors in the log.
>I'm perplexed.

It'd be easy for me to look at the zone file and tell you what is 
broken, but, you probably won't want to expose the whole zone file. 
(Understandable.)

So, I'll try this example:

If I have these records in the zone
           *.example.com       A  1.1.1.1
           ca.nz.example.com   A  1.1.1.1

No record is synthesized (from the wild card) for eg.nz.example.com.

Even though there is no nz.example.com record, the ca.nz.example.com 
record creates a shadow over anything under nz.example.com. 
nz.example.com is called an "empty non-terminal" - these block wild 
cards by their existence.

Maybe you have a record with ....us.mennonite.net. somewhere in your zone.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

"I can't go to Miami.  I'm expecting calls from telemarketers." -
Grandpa Simpson.
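
Added example, not part of the original message or of BIND: a simplified Python model of the lookup described above, using the two example.com records from the message as a constructed zone. It finds the closest existing ancestor of the query name (the rule later written down in RFC 4592) and lists the empty non-terminals that block the wildcard; the function names and the A-only zone dictionary are assumptions made for illustration.

```python
# Constructed sample zone: the two records from the example above (A records only).
ZONE = {"*.example.com.": "1.1.1.1", "ca.nz.example.com.": "1.1.1.1"}

def norm(name):
    """Lowercase and drop the trailing dot so names compare as strings."""
    return name.rstrip(".").lower()

def existing_names(zone):
    """Owner names plus all their ancestors; ancestors without data are
    the empty non-terminals."""
    names = set()
    for owner in zone:
        parts = norm(owner).split(".")
        names.update(".".join(parts[i:]) for i in range(len(parts)))
    return names

def empty_non_terminals(zone, apex):
    """Names below apex that exist only because something sits beneath them."""
    owners = {norm(o) for o in zone}
    suffix = "." + norm(apex)
    return sorted(n for n in existing_names(zone) - owners if n.endswith(suffix))

def resolve(zone, qname):
    """Return (kind, address) for an A query; simplified, single zone, no CNAME/DNAME."""
    records = {norm(o): a for o, a in zone.items()}
    names = existing_names(zone)
    q = norm(qname)
    if q in records:
        return ("exact", records[q])
    if q in names:
        return ("empty-non-terminal", None)  # name exists but holds no data
    parts = q.split(".")
    for i in range(1, len(parts)):
        encloser = ".".join(parts[i:])
        if encloser in names:  # closest encloser: longest existing ancestor
            wild = "*." + encloser
            # Only a wildcard directly below the closest encloser may answer.
            if wild in records:
                return ("wildcard", records[wild])
            return ("nxdomain", None)
    return ("nxdomain", None)

if __name__ == "__main__":
    for q in ("foo.foo.example.com", "eg.nz.example.com", "nz.example.com"):
        print(q, resolve(ZONE, q))
    print("empty non-terminals:", empty_non_terminals(ZONE, "example.com"))
```

Running `empty_non_terminals` over the owner names of a real zone points at the nodes that need their own wildcard, which is what the `*.us` and `*.in.us` records in the quoted message supply.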

