automatic reverse and forwarding zones

Havard Eidnes he at uninett.no
Fri Oct 28 20:45:54 UTC 2022


> Do wildcard records work with multiple labels? I was thinking that they
> didn't, but it's that wildcards in PKIX do not work with multiple labels,
> alas.

As far as I understand, yes, wildcard "works with multiple labels", at
least in the meaning that a wildcard can expand more than one label in
the hierarchy.  Example:

If you have

*.0.0.0.0.e.d.0.c.d.a.b.0.1.0.0.2.ip6.arpa. IN PTR whatevername.your-domain.

in your DNSSEC-signed zone file and get a query for

1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.0.0.0.0.e.d.0.c.d.a.b.0.1.0.0.2.ip6.arpa.

you will get a signed reply with a PTR with the name

1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.0.0.0.0.e.d.0.c.d.a.b.0.1.0.0.2.ip6.arpa.

and the value of the PTR record as given above in the zone file.
However, in the RRSIG record supplied with the answer, the "labels"
field will indicate 16+2 = 18 for the 16 nibble labels + ip6.arpa in
the original PTR record in the zone, not the 32 + 2 labels in the
query and the response, so that a validator can see that it's only
that part of the name which is signed. ("number-of-labels field in
RRSIG is smaller than number-of-labels in answer, so must be the
result of a wildcard expansion.")

This is pretty clearly spelled out in the approximately half-page
"The Labels field" section on

https://www.rfc-editor.org/rfc/rfc4034.html#page-8

Regards,

- Håvard
