wildcard CNAME not catching if there is a subdomain on a lower level than the wildcard
All domains were replaced by ${domain} and the IP address by 48.48.0.0. The DNS queries weren't done directly against the Knot DNS server, but for the few I tried I got the same result.
The starting zone file looks like this:
;; root@ns:~# cat /var/lib/knot/${domain}.dev.zone | grep -v "NSEC\|RRSIG\|CD\|DNS"
${domain}.dev. 7200 SOA ns.${domain}.ch. hostmaster.${domain}.net. 2021010800 14400 3600 1209600 3600
${domain}.dev. 3600 TXT "v=spf1 -all"
${domain}.dev. 3600 A 48.48.0.0
${domain}.dev. 3600 NS ns.${domain}.ch.
${domain}.dev. 3600 NS ns.${domain}.cz.
${domain}.dev. 3600 NS ns.${domain}.info.
${domain}.dev. 3600 MX 0 .
${domain}.dev. 0 CAA 0 iodef "mailto:${domain}-caa@${domain}.org"
${domain}.dev. 0 CAA 0 issue "letsencrypt.org"
*.${domain}.dev. 0 CNAME ${domain}.dev.
_dmarc.${domain}.dev. 3600 TXT "v=DMARC1; p=reject; rua=mailto:${domain}-dmarc-rua@${domain}.org; ruf=mailto:${domain}-dmarc-ruf@${domain}.org;"
*._domainkey.${domain}.dev. 3600 TXT "v=DKIM1; p="
;; Written 40 records
;; Time 2021-01-08 14:18:57 CET
Before adding the sub-sub-domain the server answers correctly:
; <<>> DiG 9.16.10 <<>> asd.test.${domain}.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23635
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;asd.test.${domain}.dev. IN A
;; ANSWER SECTION:
asd.test.${domain}.dev. 5 IN CNAME ${domain}.dev.
${domain}.dev. 3600 IN A 48.48.0.0
;; Query time: 343 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Fri Jan 08 14:18:23 CET 2021
;; MSG SIZE rcvd: 77
; <<>> DiG 9.16.10 <<>> test.${domain}.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2417
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.${domain}.dev. IN A
;; ANSWER SECTION:
test.${domain}.dev. 5 IN CNAME ${domain}.dev.
${domain}.dev. 3600 IN A 48.48.0.0
;; Query time: 50 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Fri Jan 08 14:18:28 CET 2021
;; MSG SIZE rcvd: 73
After adding _acme-challange.test.${domain}.dev. 3600 CNAME _acme-challange.acme.${domain}.org.
I get the following answers (while expecting the same answers as before):
; <<>> DiG 9.16.10 <<>> test.${domain}.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58832
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.${domain}.dev. IN A
;; AUTHORITY SECTION:
${domain}.dev. 3600 IN SOA ns.${domain}.ch. hostmaster.${domain}.net. 2021010800 14400 3600 1209600 3600
;; Query time: 103 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Fri Jan 08 14:19:07 CET 2021
;; MSG SIZE rcvd: 110
; <<>> DiG 9.16.10 <<>> asd.test.${domain}.dev
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2626
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;asd.test.${domain}.dev. IN A
;; AUTHORITY SECTION:
${domain}.dev. 3600 IN SOA ns.${domain}.ch. hostmaster.${domain}.net. 2021010800 14400 3600 1209600 3600
;; Query time: 40 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Fri Jan 08 14:19:48 CET 2021
;; MSG SIZE rcvd: 114
This still works even if the other records answer with "NXDOMAIN":
; <<>> DiG 9.16.10 <<>> *.${domain}.dev.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44824
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;*.${domain}.dev. IN A
;; ANSWER SECTION:
*.${domain}.dev. 5 IN CNAME ${domain}.dev.
${domain}.dev. 3600 IN A 48.48.0.0
;; Query time: 56 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Tue Jan 12 00:16:08 CET 2021
;; MSG SIZE rcvd: 70
System info:
root@ns:~# knotc --version
knotc (Knot DNS), version 2.7.6
root@ns:~# uname -a
Linux ns 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
root@ns:~# cat /etc/debian_version
10.7
Workaround:
Adding *.test.${domain}.dev. 3600 CNAME ${domain}.dev. makes the specific wildcard work again.
Expected solution:
Wildcards catch all the records which aren't present in a more specific way.
I hope that's all the info which is needed, but I'll gladly provide more.
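The rcodes in the report follow the wildcard matching rules of RFC 1034 section 4.3.2 as clarified by RFC 4592: a wildcard is only used when the query name does not exist and its closest existing ancestor is the wildcard's parent, and a name that exists only because it is an ancestor of another record (an empty non-terminal, such as test.${domain}.dev. once _acme-challange.test.${domain}.dev. is added) counts as an existing name. The following Python script is an added example, not part of the report or of Knot DNS; it simulates those rules over the records above and reproduces each dig result. example.dev stands in for the report's ${domain}.dev, and the zone data is constructed from the records in the report (TTLs and the records that play no role in matching are left out).

```python
"""Simulate RFC 1034/4592 wildcard matching over the zone from the report."""

DOMAIN = "example.dev"          # constructed stand-in for the report's ${domain}.dev
APEX = DOMAIN + "."

# Zone as (owner, type, rdata) triples, constructed from the report's zone file.
BASE_ZONE = [
    (APEX, "SOA", f"ns.{DOMAIN}. hostmaster.{DOMAIN}. 2021010800 14400 3600 1209600 3600"),
    (APEX, "A", "48.48.0.0"),
    (APEX, "NS", f"ns.{DOMAIN}."),
    (f"*.{APEX}", "CNAME", APEX),
]
# The record whose addition changed the answers in the report.
ACME_RECORD = (f"_acme-challange.test.{APEX}", "CNAME", "_acme-challange.acme.example.org.")
# The reporter's workaround: a wildcard directly under the new empty non-terminal.
WORKAROUND = (f"*.test.{APEX}", "CNAME", APEX)


def ancestors(name):
    """Yield name, its parent, its grandparent, ... as absolute names."""
    parts = name.rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:]) + "."


def existing_names(zone):
    """Every owner name plus the empty non-terminals between it and the apex."""
    names = set()
    for owner, _, _ in zone:
        for anc in ancestors(owner):
            names.add(anc)
            if anc == APEX:
                break
    return names


def rrset(zone, owner, qtype):
    return [r for r in zone if r[0] == owner and r[1] == qtype]


def lookup(zone, qname, qtype="A"):
    """Return (rcode, answer records) for a name under the apex, as an
    authoritative server would (RFC 1034 4.3.2 with RFC 4592 wildcard rules)."""
    names = existing_names(zone)
    if qname in names:
        owner = qname               # exact match: wildcards are never considered
    else:
        # Closest encloser = longest existing ancestor of qname (RFC 4592 3.3.1).
        closest = next(a for a in ancestors(qname) if a in names)
        wildcard = "*." + closest
        if wildcard not in names:   # no wildcard directly under the closest encloser
            return "NXDOMAIN", []
        owner = wildcard            # synthesize from the wildcard's RRsets
    answer = []
    cname = rrset(zone, owner, "CNAME")
    if cname and qtype != "CNAME":
        answer.append((qname, "CNAME", cname[0][2]))
        # Chase the target inside the zone, as the dig output in the report shows.
        answer.extend(rrset(zone, cname[0][2], qtype))
        return "NOERROR", answer
    answer.extend((qname, t, rd) for _, t, rd in rrset(zone, owner, qtype))
    return "NOERROR", answer        # NOERROR with an empty answer is NODATA


if __name__ == "__main__":
    scenarios = [
        ("before", BASE_ZONE),
        ("after _acme-challange.test added", BASE_ZONE + [ACME_RECORD]),
        ("with workaround", BASE_ZONE + [ACME_RECORD, WORKAROUND]),
    ]
    for label, zone in scenarios:
        for q in (f"test.{APEX}", f"asd.test.{APEX}", f"*.{APEX}"):
            rcode, records = lookup(zone, q)
            print(f"{label:35} {q:25} {rcode:9} {records}")
```

Running the script prints NOERROR with a synthesized CNAME for both names before the _acme-challange record exists, then NOERROR with an empty answer for test.example.dev. (it is now an empty non-terminal) and NXDOMAIN for asd.test.example.dev. (its closest encloser test.example.dev. has no wildcard child), while an explicit query for *.example.dev. keeps answering because the wildcard owner itself is an existing name; adding the *.test wildcard restores the synthesized answer, exactly as the report observes.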