automatic reverse and forwarding zones

Bjørn Mork bjorn at mork.no
Sat Oct 29 08:26:02 UTC 2022


I recommend anyone who wants to deploy wildcards to go read
https://slack.engineering/what-happened-during-slacks-dnssec-rollout/

There are lots of learning points there. You can skip to the "Solving
the mystery" section if you are familiar with the cover of the
Hitchhiker's guide to the Galaxy.

Yes, wildcards exist and can be signed.  But there are some non-obvious
failure modes you might miss.  Using wildcards is not trivial.  Yet it is
often (always?) sold as a simple workaround for something.  There is
nothing simple about wildcards.  It's one of the most complex things
people have put into the DNS.  There's a reason they got their own
section in RFC1912, which predates DNSSEC and is only a couple of months
younger than the AAAA type, but still explains the mystery if you read
it carefully with that in mind.

I understand that a wildcard PTR record might look like a simple way to
replace a large number of records with a single one.  But anyone
actually *using* a PTR record will want to validate that PTR by doing a
forward lookup.  Now, what does that mean?  Right...

Having

 *.e.d.0.c.d.a.b.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR whatevername.example.com.

you'll also need

 whatevername.example.com. AAAA 2001:db8:bad:c0de::
                           AAAA 2001:db8:bad:c0de::1
                           AAAA 2001:db8:bad:c0de::2
                           ; ...
                           AAAA 2001:db8:bad:c0de:ffff:ffff:ffff:fffe
                           AAAA 2001:db8:bad:c0de:ffff:ffff:ffff:ffff

Totalling 2^64 AAAA records.  Which you don't "just" have to somehow
host on your DNS server. You'll also have to reply with all of those
AAAA records to anyone asking for whatevername.example.com.

Good luck with that.

In case there is any doubt: A one-way PTR entry is worse than no PTR
entry.  It's actual proof that you are attempting to use a name you
don't control.


Bjørn
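
An added example, not part of the post above: the forward-confirmed reverse DNS check the post describes, run offline against constructed zone data (the wildcard PTR for the /64 from the post and a forward zone holding only two of its 2^64 possible AAAA records), showing that any host the wildcard answers for but the forward zone does not list fails the check.

```python
import ipaddress

# Constructed stand-in for the wildcard PTR from the post:
#   *.e.d.0.c.d.a.b.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR whatevername.example.com.
# keyed by the owner name the "*" label hangs under.
WILDCARD_PTR = {
    "e.d.0.c.d.a.b.0.8.b.d.0.1.0.0.2.ip6.arpa.": "whatevername.example.com.",
}

# Constructed forward zone: only two of the 2^64 addresses the wildcard
# covers actually have an AAAA record pointing back at them.
FORWARD_AAAA = {
    "whatevername.example.com.": {
        ipaddress.IPv6Address("2001:db8:bad:c0de::"),
        ipaddress.IPv6Address("2001:db8:bad:c0de::1"),
    },
}


def reverse_lookup(addr):
    """Return the PTR target the wildcard yields for addr, or None if no
    wildcard covers it (no network access; uses the tables above)."""
    name = ipaddress.IPv6Address(addr).reverse_pointer + "."
    for suffix, target in WILDCARD_PTR.items():
        # "*.suffix" matches any name at least one label below suffix.
        if name.endswith("." + suffix):
            return target
    return None


def fcrdns(addr):
    """Forward-confirmed reverse DNS: the PTR target must have an AAAA
    record for addr, otherwise the PTR proves nothing."""
    target = reverse_lookup(addr)
    if target is None:
        return False
    return ipaddress.IPv6Address(addr) in FORWARD_AAAA.get(target, set())


if __name__ == "__main__":
    for host in ("2001:db8:bad:c0de::1", "2001:db8:bad:c0de::1234"):
        print(host, "->", reverse_lookup(host), "FCrDNS:", fcrdns(host))
```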

