TLD wildcard doesn't always work

Mark Andrews Mark_Andrews at isc.org
Thu Jul 20 00:31:05 UTC 2006


> I did some further investigation.
> 
> First I need to say that my zone file list in the previous message is
> not complete.  I have about 13 A records and 11 PTR records in addition
> to the wildcard I had listed before. If I remove all the additional A
> records and PTR records the wildcard works fine.
> 
> With the wildcard and the additional records it won't resolve (via the
> wildcard) any .edu name that I can find.  So I added another wildcard like:
> 
> *.edu        IN      A      1.2.3.4
> 
> 
> Now it will resolve all .edu names but it won't resolve just 'edu'.
> 
> I really don't understand what is going on here.
> 
> Here is the query of edu after adding the *.edu wildcard.  Notice that it
> is not a NXDOMAIN response.
> 
> dig @localhost edu 
> 
> ; <<>> DiG 9.2.4 <<>> @localhost edu
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55847
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;edu.                           IN      A
> 
> ;; AUTHORITY SECTION:
> .                       30      IN      SOA     garnet.ucc.nau.edu. cvm.jan.ucc.nau.edu. 1000001 1800 900 30 30
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(localhost)
> ;; WHEN: Wed Jul 19 16:27:16 2006
> ;; MSG SIZE  rcvd: 79
> 
> 
> Chris Michels wrote:
> > I have been running a DNS server with a top level domain wildcard for
> > many years now.  It worked fine until I tried to upgrade from BIND 9.2.1
> > to BIND 9.3.1 or 9.3.2.   Under the 9.3.x versions named returns
> > NXDOMAIN for some domains.  It looks to me NXDOMAIN is returned for
> > anything in the edu domain.  Everything else works fine.  Any ideas what
> > is going on here?
> >
> > My zone file looks like this:
> >
> > $TTL 30
> > ;
> > ; zone .
> > ; Bogus root zone for redirecting web requests on some 10.x.0.0 networks
> > ;
> > @       IN      SOA     garnet.ucc.nau.edu. bogus.nau.edu. 1000001 1800 900 30 30
> >         IN      NS      garnet.ucc.nau.edu
> > $ORIGIN .
> > ;
> > ; Default location to send people
> > *        IN      A      1.2.3.4
> >
> >
> >
> > And my named.conf looks like:
> >
> > #
> > # named.conf used for redirecting 10.1, 10.2 and possibly other addresses to
> > # a default web server.
> > #
> > # use all default options
> > options {
> >        directory "/usr/local/opt/named";
> >        datasize 25M ;
> > };
> >
> > # No hint file since we are pretending to be the root nameserver
> >
> > #zone "." in {
> > #        type hint;
> > #        file "/nau/local/etc/named/named.cache";
> > #};
> >
> > # Everything will be defined in the root zone.
> >
> > zone "." in {
> >         type master;
> >         file "/usr/local/opt/named/root.zone";
> > };
> >
> >
> >
> > Here are some sample dig commands:
> >
> > dig @localhost www.asu.edu
> >
> > ; <<>> DiG 9.2.4 <<>> @localhost www.asu.edu
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7770
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;www.asu.edu.                   IN      A
> >
> > ;; AUTHORITY SECTION:
> > .                       30      IN      SOA     garnet.ucc.nau.edu. cvm.jan.ucc.nau.edu. 1000001 1800 900 30 30
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(localhost)
> > ;; WHEN: Wed Jul 19 12:13:10 2006
> > ;; MSG SIZE  rcvd: 87
> >
> >
> >
> > dig @localhost www.asu.com
> >
> > ; <<>> DiG 9.2.4 <<>> @localhost www.asu.com
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64866
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> >
> > ;; QUESTION SECTION:
> > ;www.asu.com.                   IN      A
> >
> > ;; ANSWER SECTION:
> > www.asu.com.            30      IN      A       134.114.96.127
> >
> > ;; AUTHORITY SECTION:
> > .                       30      IN      NS      garnet.ucc.nau.edu.
> >
> > ;; ADDITIONAL SECTION:
> > garnet.ucc.nau.edu.     30      IN      A       134.114.254.14
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(localhost)
> > ;; WHEN: Wed Jul 19 12:14:04 2006
> > ;; MSG SIZE  rcvd: 92
> >
> >
> >   
> 
> 
> -- 
> 
> Chris Michels -- Systems Programmer/Team Lead -- +1 928 523-6495
> Northern Arizona University -- Flagstaff, AZ
> PGP key: http://jan.ucc.nau.edu/~cvm
> Team Info: http://www4.nau.edu/its/sia
> 
> "The significant problems we face cannot be solved at the same level of
> thinking we were at when we created them" -- Albert Einstein

	The reason for the change in behaviour is that a bug was fixed.

	Names under edu didn't match because you have a name in the
	zone (garnet.ucc.nau.edu) which has edu as the final label.

	You match a wildcard if, as you work down from the root matching
	labels in the zone, there is a "*" label immediately under the
	last label to match.

	For "example.edu" this would be "*.edu" as the "edu" label exists
	without any attached records.

	For "host.ucc.nau.edu" this would be "*.ucc.nau.edu" as "ucc",
	"nau" and "edu" all exist.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
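
Added example (not part of the original message and not BIND code): a small Python model of the label-by-label wildcard match described in the reply above, run against the zone from the thread. The function names are hypothetical, the zone is reduced to the wildcard plus garnet.ucc.nau.edu, and every owner name is assumed to hold an A record.

```python
# Added illustration, not BIND source. Assumes every owner name holds an A record.

def labels(name):
    """'www.asu.edu.' -> ('edu', 'asu', 'www'); the root '.' -> ()."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()

def to_name(node):
    return ".".join(reversed(node)) + "."

def build_tree(owner_names):
    """Owners hold records; nodes also include the empty non-terminals,
    i.e. every ancestor of an owner name, such as 'edu' above garnet.ucc.nau.edu."""
    owners = {labels(n) for n in owner_names}
    nodes = {()}
    for owner in owners:
        for depth in range(1, len(owner) + 1):
            nodes.add(owner[:depth])
    return owners, nodes

def lookup(owner_names, qname):
    """Return (status, owner name that supplied the answer, or None)."""
    owners, nodes = build_tree(owner_names)
    q = labels(qname)
    if q in owners:                      # exact match on a name with records
        return ("NOERROR", to_name(q))
    if q in nodes:                       # empty non-terminal: NOERROR, no answer
        return ("NODATA", None)
    depth = len(q)                       # walk up to the last label that matched
    while q[:depth] not in nodes:
        depth -= 1
    wildcard = q[:depth] + ("*",)        # "*" must sit immediately under it
    if wildcard in owners:
        return ("NOERROR", to_name(wildcard))
    return ("NXDOMAIN", None)

# Constructed from the zone quoted in the thread.
ORIGINAL_ZONE = ["*", "garnet.ucc.nau.edu"]
WITH_EDU_WILDCARD = ORIGINAL_ZONE + ["*.edu"]

if __name__ == "__main__":
    for zone in (ORIGINAL_ZONE, WITH_EDU_WILDCARD):
        for q in ("www.asu.com", "www.asu.edu", "edu", "host.ucc.nau.edu"):
            print(zone, q, lookup(zone, q))
```

The model reproduces the dig results in the thread: NXDOMAIN for www.asu.edu with only the root wildcard, and NOERROR with an empty answer for edu once *.edu is added.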


