DNS wildcards demystified

Post on 30-May-2015

DESCRIPTION

How DNS wildcards really work & how to prevent that DNS wildcard bite! Tailored for DNS administrators on Unix and Windows operating authoritative DNS Servers with one or more zone-files, as well as all those interested in the topic.

TRANSCRIPT

Men & Mice (http://menandmice.com), ISC (http://www.isc.org)

DNS wildcards

Demo time!

DNS wildcards

  • The DNS protocol allows the definition of wildcard DNS records to synthesise DNS answers from authoritative servers.
  • DNS wildcards are domain names (owner names) with the leftmost label being a single asterisk "*".
  • There are no other wildcard characters in DNS other than "*".
  • DNS wildcards have their own rules that are different from other systems with wildcards (regular expressions, Unix shell filename globbing, DOS/Windows filename wildcards ...).
  • DNS wildcards were originally defined in the original DNS RFC 1034 and have been updated in RFC 2672 and RFC 4592.
  • RFC 4592, "The Role of Wildcards in the Domain Name System", is a must-read to understand all nuances of DNS wildcards.

DNS wildcard examples (from different zones):

    *.example.com.        3600  IN A   192.0.2.80
    *.firma.example.com.  600   IN MX  10 mail.example.net.
    *.example.            86400 IN TXT "a wildcard"

Not wildcard records (just normal domain names):

    *test.example.de.     400   IN A   192.0.2.11
    test.*.example.com.   600   IN TXT "not a wildcard"
    **.example.com.       600   IN TXT "also not a wildcard"

Example zone with wildcards (from RFC 4592):

    $ORIGIN example.
    example.                 3600 IN  SOA   <SOA RDATA>
    example.                 3600     NS    ns.example.com.
    example.                 3600     NS    ns.example.net.
    *.example.               3600     TXT   "this is a wildcard"
    *.example.               3600     MX    10 host1.example.
    sub.*.example.           3600     TXT   "this is not a wildcard"
    host1.example.           3600     A     192.0.2.1
    _ssh._tcp.host1.example. 3600     SRV   <SRV RDATA>
    _ssh._tcp.host2.example. 3600     SRV   <SRV RDATA>
    subdel.example.          3600     NS    ns.example.com.
    subdel.example.          3600     NS    ns.example.net.

The same zone as a tree of domain names:

    .
      example.
        *
          sub
        host1
          _tcp
            _ssh
        host2
          _tcp
            _ssh
        subdel

Queries against the example zone and their answers:

    Query:  host3.example. IN MX
    Answer: host3.example. 3600 IN MX 10 host1.example.

    Query:  host3.example. IN A
    Answer: NOERROR / NODATA (Answer = 0)

    Query:  foo.bar.example. IN TXT
    Answer: foo.bar.example. 3600 IN TXT "this is a wildcard"

    Query:  host1.example. IN MX
    Answer: NOERROR / NODATA (Answer = 0)

    Query:  sub.*.example. IN MX
    Answer: NOERROR / NODATA (Answer = 0)

    Query:  _telnet._tcp.host1.example. IN SRV
    Answer: NOERROR / NODATA (Answer = 0)

    Query:  host1.example. IN A
    Answer: host1.example. 3600 IN A 192.0.2.1

    Query:  host.subdel.example. IN A
    Answer: referral to subdel.example
            subdel.example. 3600 NS ns.example.com.
            subdel.example. 3600 NS ns.example.net.

    Query:  ghost.*.example. IN MX
    Answer: NOERROR / NODATA (Answer = 0)

    Query:  *.example. IN TXT
    Answer: *.example. 3600 TXT "this is a wildcard"

Empty non-terminal

[Diagram: the example zone file and its name tree, with the empty non-terminal nodes marked.]

Closest Encloser and the Source of Synthesis (1/2)

The closest encloser is the node in the zone's tree of existing domain names that has the most labels matching the query name (consecutively, counting from the root label downward). Each match is a "label match" and the order of the labels is the same.

The closest encloser is, by definition, an existing name in the zone. The closest encloser might be an empty non-terminal or even be a wildcard domain name itself. In no circumstances is the closest encloser to be used to synthesise records for the current query.

Closest Encloser and the Source of Synthesis (2/2)

The source of synthesis is defined in the context of a query process as that wildcard domain name immediately descending from the closest encloser, provided that this wildcard domain name exists. "Immediately descending" means that the source of synthesis has a name of the form:

    *.<closest encloser>.

A source of synthesis does not guarantee having an RRSet to use for synthesis. The source of synthesis could be an empty non-terminal.

Closest Encloser and the Source of Synthesis

    Domain name in query          Closest encloser      Source of synthesis
    host3.example.                example.              *.example.
    _telnet._tcp.host1.example.   _tcp.host1.example.   no source
    _dns._udp.host2.example.      host2.example.        no source
    _telnet._tcp.host3.example.   example.              *.example.
    _chat._udp.host3.example.     example.              *.example.
    foobar.*.example.             *.example.            no source

Other wildcard rules (1)

DNSSEC does not allow wildcard NS records:

    ; this is not legal DNS data inside a DNSSEC
    ; signed zone
    *.example.com. 3600 IN NS ns1.example.org.
    *.example.com. 3600 IN NS ns2.example.org.

Other wildcard rules (2)

In an SRV record, the full name is the owner name. There cannot be a wildcard on the domain part of an SRV record (same for TLSA, DKIM ...):

    ; this is not a wildcard for the SRV record
    _ldap._tcp.*.example.com. IN SRV 10 20 389 ldap-srv.example.com.

Other wildcard rules (3)

  • Wildcard DS (DNSSEC delegation signer) records are ignored.
  • Wildcard DNAME records are not allowed (they represent a threat to the coherency of the DNS).
  • If a source of synthesis is an empty non-terminal, the answer will be NOERROR / NODATA (Answer = 0).

TL;DR

Be careful with DNS wildcard records!

Thank you!

Questions? Comments?
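The closest-encloser and source-of-synthesis rules from the slides, as an added Python example that is not part of the original presentation: it loads the RFC 4592 example zone and derives the closest encloser, the source of synthesis and the resulting record set for a query. The function names and the record layout are assumptions of this sketch, and `<SOA RDATA>` / `<SRV RDATA>` are placeholders.

```python
# Added example (not from the slides): RFC 4592 closest encloser and
# source of synthesis, run against the example zone shown in the slides.
# Function names and the record layout are assumptions of this sketch.
ORIGIN = "example."
RECORDS = [  # (owner, type, rdata); SOA/SRV rdata are placeholders
    ("example.", "SOA", "<SOA RDATA>"),
    ("example.", "NS", "ns.example.com."),
    ("example.", "NS", "ns.example.net."),
    ("*.example.", "TXT", "this is a wildcard"),
    ("*.example.", "MX", "10 host1.example."),
    ("sub.*.example.", "TXT", "this is not a wildcard"),
    ("host1.example.", "A", "192.0.2.1"),
    ("_ssh._tcp.host1.example.", "SRV", "<SRV RDATA>"),
    ("_ssh._tcp.host2.example.", "SRV", "<SRV RDATA>"),
    ("subdel.example.", "NS", "ns.example.com."),
    ("subdel.example.", "NS", "ns.example.net."),
]

def labels(name):
    """'a.b.example.' -> ('a', 'b', 'example'); DNS names are case-insensitive."""
    return tuple(l for l in name.lower().split(".") if l)

def fqdn(ls):
    return ".".join(ls) + "."

def existing_names(records=RECORDS):
    """Every owner name plus the empty non-terminals between it and the apex."""
    apex, names = labels(ORIGIN), set()
    for owner, _, _ in records:
        ls = labels(owner)
        names.update(ls[i:] for i in range(len(ls) - len(apex) + 1))
    return names

def closest_encloser(qname, records=RECORDS):
    """Longest existing ancestor-or-self of qname, or None if outside the zone."""
    names, ls = existing_names(records), labels(qname)
    for i in range(len(ls)):
        if ls[i:] in names:
            return fqdn(ls[i:])
    return None

def source_of_synthesis(qname, records=RECORDS):
    """'*.<closest encloser>.' if that name exists and qname itself does not."""
    ce = closest_encloser(qname, records)
    if ce is None or labels(ce) == labels(qname):
        return None
    cand = ("*",) + labels(ce)
    return fqdn(cand) if cand in existing_names(records) else None

def lookup(qname, qtype, records=RECORDS):
    """Return (kind, owner, rdata list); kind is referral/exact/synthesized/none."""
    def rrset(owner, t):
        return [r for o, ty, r in records if labels(o) == labels(owner) and ty == t]
    ls, apex = labels(qname), labels(ORIGIN)
    for i in reversed(range(len(ls) - len(apex))):  # zone cut nearest the apex wins
        cut = fqdn(ls[i:])
        if rrset(cut, "NS"):
            return ("referral", cut, rrset(cut, "NS"))
    if ls in existing_names(records):
        return ("exact", fqdn(ls), rrset(qname, qtype))
    src = source_of_synthesis(qname, records)
    if src is None:
        return ("none", None, [])
    # Synthesized answers keep the query name as owner; [] means no RRSet of qtype.
    return ("synthesized", fqdn(ls), rrset(src, qtype))
```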