Use of wildcard DNAMEs for synthesis?
Hello Team,
Humor me with one more DNAME combination with wildcards after this one - #873 (closed)
As usual, consider the following zone file:
test.    500 SOA   ns1.campus.edu. root.campus.edu. 3 86400 7200 604800 300
test.    500 NS    ns1.outside.edu.
*.test.  500 DNAME a.a.test.
For the query <a.*.test., DNAME> the response from Bind, NSD and PowerDNS is:
"rcode NOERROR",
"flags QR AA",
";QUESTION",
"a.*.test. IN DNAME",
";ANSWER",
"*.test. 500 IN DNAME a.a.test.",
"a.*.test. 500 IN CNAME a.a.a.test.",
"a.a.a.test. 500 IN DNAME a.a.test.",
";AUTHORITY",
"test. 500 IN NS ns1.outside.edu."
the response from Knot is:
"rcode NOERROR",
"flags QR AA",
";QUESTION",
"a.*.test. IN DNAME",
";ANSWER",
"*.test. 500 IN DNAME a.a.test.",
"a.*.test. 500 IN CNAME a.a.a.test.",
";AUTHORITY",
";ADDITIONAL"
It took me a few seconds to fully grasp what the difference is and how it is generated.
The DNAME power of the record is used when the query is ending with *.test, which is true in this case. This is true for all four implementations, which corresponds to the first two records in the answer section.
The interesting part is that for a.a.a.test. the wildcard nature of the DNAME record is used by the others to synthesize a new record from the wildcard record, given that the query is for a DNAME record specifically, and they return that record. This is quite a subtle difference and interplay between the wildcard nature and the DNAME nature of the record.
I'm filing it as an issue to document, as there is some behavior difference between Knot and the others, but as wildcard DNAMEs are not proper records, this can probably be signaled as an error by kzonecheck.
Thanks, Siva
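The two answer sections above can be reproduced with a small model of DNAME substitution (RFC 6672) and wildcard source-of-synthesis lookup (RFC 4592). This is an added example, not part of the original post and not code from any of the servers named. The zone dictionary, all function names and the `synthesize_at_target` switch are assumptions made for illustration, and `wildcard_dname_owners` is a hypothetical zone-check rule of the kind the post suggests.

```python
# Constructed model of the zone from the post (SOA omitted); not server code.
ZONE = {
    ("test.", "NS"): "ns1.outside.edu.",
    ("*.test.", "DNAME"): "a.a.test.",
}

def labels(name):
    return name.rstrip(".").lower().split(".")

def dname_substitute(qname, owner, target):
    """RFC 6672 substitution: swap the owner suffix of qname for target."""
    q, o = labels(qname), labels(owner)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None                      # qname is not strictly below owner
    return ".".join(q[:-len(o)] + labels(target)) + "."

def wildcard_source(qname, zone):
    """RFC 4592 source of synthesis for qname, or None (empty non-terminals not modelled)."""
    owners = {owner for owner, _ in zone}
    if qname in owners:
        return None                      # name exists, no wildcard expansion
    q = labels(qname)
    for i in range(1, len(q)):
        encloser = ".".join(q[i:]) + "."
        if encloser in owners:           # closest existing ancestor
            star = "*." + encloser
            return star if star in owners else None
    return None

def answer(qname, qtype, zone, synthesize_at_target):
    """ANSWER section for a query that falls below a DNAME owner."""
    out = []
    for (owner, rtype), rdata in zone.items():
        target = dname_substitute(qname, owner, rdata) if rtype == "DNAME" else None
        if target is None:
            continue
        out += [(owner, "DNAME", rdata), (qname, "CNAME", target)]
        src = wildcard_source(target, zone)
        if synthesize_at_target and src and (src, qtype) in zone:
            out.append((target, qtype, zone[(src, qtype)]))  # wildcard-expanded record
    return out

def wildcard_dname_owners(zone):
    """Hypothetical zone-check rule: DNAME owners whose leftmost label is '*'."""
    return sorted(o for o, t in zone if t == "DNAME" and labels(o)[0] == "*")

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, answer("a.*.test.", "DNAME", ZONE, flag))
    print("wildcard DNAME owners:", wildcard_dname_owners(ZONE))
```

With `synthesize_at_target=True` the model yields the three-record answer shown for Bind, NSD and PowerDNS; with `False` it yields the two-record answer shown for Knot.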