Can I have a *.domain.com A record
Kevin Darcy
kcd at chrysler.com
Mon Oct 26 15:25:28 UTC 2009
Stephane Bortzmeyer wrote:
> On Mon, Oct 26, 2009 at 05:47:57PM +0530,
> ram <ram at netcore.co.in> wrote
> a message of 20 lines which said:
>
>
>> If wildcard DNS is a bad idea,
>>
>
> Wildcards *address* records (A and AAAA), not all wildcards.
>
> See <http://www.icann.org/committees/security/ssac-report-09jul04.pdf>
> or <http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html>
> for a start.
>
The gist of all that is that wildcards turn responses for non-existent
names from NXDOMAIN (no such name) to NODATA (a pseudo-RCODE meaning,
basically, "the name exists, but not with the QTYPE you asked for") or to
the wildcarded value, depending on whether the wildcarded entry/entries
cover the QTYPE or not.
In the case of NODATA, a particular app, using a QTYPE which you didn't
anticipate with a wildcard entry, may have been expecting NXDOMAIN for
the query, and may in fact have a particular code path based on that
response. NODATA may be unexpected, and may go down the wrong code path,
with perhaps undesirable consequences.
In the case of receiving the wildcarded value, this applies to *all*
protocols and ports, so while you may have, say, HTTP and SMTP covered
as hosted services on your network (as Verisign did with Site Finder on
the Internet), one day a device gets plugged into your network that
speaks a completely different protocol, and it starts connecting to the
target of the wildcard, instead of failing over as expected, or
simply/unambiguously failing. Hilarity ensues. This is an accident
waiting to happen.
We use wildcards very sparingly here, for mail routing, but fortunately
we have very few mail platforms to deal with internally, and so far
(knock on wood) all of them deal with wildcard MXes sanely. I wouldn't
recommend using wildcards in a heterogeneous environment and/or for
address (A/AAAA) records. There are just way too many things looking those
up, and you can't be sure they'll all behave properly once the wildcards
change the content of the responses.
- Kevin
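The NXDOMAIN / NODATA / synthesised-answer distinction Kevin describes is easy to see in a toy model. The following Python script is an added example, not code from the post or from BIND; it implements the RFC 1034 / RFC 4592 wildcard matching rules over a constructed zone for `example.com` (all names and addresses are made up) and resolves the same queries with and without a `*.example.com A` record, so you can see exactly which answer class a client would get in each case. `resolve()`, `compare()` and the zone dictionaries are all assumptions introduced here.

```python
"""Toy resolver showing how a wildcard changes the answer class
(NOERROR / NODATA / NXDOMAIN) for names that do not exist in the zone.
Follows the RFC 1034 / RFC 4592 matching rules: a wildcard only matches
when the queried name does not exist, the wildcard is a direct child of
the closest encloser, and it synthesises only the RR types it carries."""

# Constructed sample zone (not from the post). Owner names are fully
# qualified with a trailing dot; RR types map to lists of RDATA strings.
ZONE_WITH_WILDCARD = {
    "example.com.": {"NS": ["ns1.example.com."], "MX": ["10 mail.example.com."]},
    "ns1.example.com.": {"A": ["192.0.2.53"]},
    "mail.example.com.": {"A": ["192.0.2.25"]},
    "www.example.com.": {"A": ["192.0.2.80"]},
    "*.example.com.": {"A": ["192.0.2.1"]},  # the wildcard under discussion
}

# The same zone with the wildcard removed, for comparison.
ZONE_WITHOUT_WILDCARD = {
    name: rrsets for name, rrsets in ZONE_WITH_WILDCARD.items()
    if not name.startswith("*.")
}


def name_exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal,
    i.e. an ancestor of some name that owns records."""
    if name in zone:
        return True
    return any(owner.endswith("." + name) for owner in zone)


def parent(name):
    """Strip the leftmost label: 'a.b.example.com.' -> 'b.example.com.'"""
    return name.split(".", 1)[1]


def resolve(zone, qname, qtype, origin="example.com."):
    """Return (rcode, rdata_list). rcode is NOERROR, NODATA or NXDOMAIN.
    NODATA is not a wire RCODE; as in the post it stands for NOERROR with
    an empty answer section."""
    if not (qname == origin or qname.endswith("." + origin)):
        return ("REFUSED", [])  # out of zone; not what this model is about
    # 1. Exact match: the name exists, so the only question is the type.
    if name_exists(zone, qname):
        rdata = zone.get(qname, {}).get(qtype, [])
        return ("NOERROR", list(rdata)) if rdata else ("NODATA", [])
    # 2. Closest encloser: the longest existing ancestor of qname.
    encloser = parent(qname)
    while not name_exists(zone, encloser):
        encloser = parent(encloser)
    # 3. A wildcard matches only if it is a direct child of that encloser.
    wildcard = "*." + encloser
    if wildcard not in zone:
        return ("NXDOMAIN", [])
    # 4. Synthesise from the wildcard's RRsets. The name now "exists",
    #    so a type the wildcard does not carry yields NODATA, not NXDOMAIN.
    rdata = zone[wildcard].get(qtype, [])
    return ("NOERROR", list(rdata)) if rdata else ("NODATA", [])


def compare(qname, qtype):
    """What a client sees for one query, without and with the wildcard."""
    return {
        "without": resolve(ZONE_WITHOUT_WILDCARD, qname, qtype)[0],
        "with": resolve(ZONE_WITH_WILDCARD, qname, qtype)[0],
    }


if __name__ == "__main__":
    queries = [
        ("www.example.com.", "A"),        # explicit name, unaffected
        ("printer.example.com.", "A"),    # synthesised from the wildcard
        ("printer.example.com.", "MX"),   # type not covered: NODATA
        ("printer.example.com.", "SRV"),  # the "unanticipated QTYPE" case
        ("a.www.example.com.", "A"),      # closest encloser has no wildcard
        ("deep.sub.example.com.", "A"),   # wildcard spans several labels
    ]
    for qname, qtype in queries:
        r = compare(qname, qtype)
        print(f"{qname:24} {qtype:4} without={r['without']:9} with={r['with']}")
```

The `SRV` and `MX` rows are the case from the post: a client that keys its "host does not exist" branch off NXDOMAIN never reaches it once the wildcard exists, because every type it asks for under `example.com` now comes back NODATA instead. The `a.www.example.com` row shows the other side of RFC 4592: a wildcard does not reach beneath a name that explicitly exists, which is why adding a host record can silently change which queries the wildcard answers.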