3

I have read Multiple wildcard dns entries and know the limitations/drawbacks of wildcard DNS entries, but I have a question about the order in which it is listed by my registrar:

example.com        A      192.0.2.1    (1)
test.example.com   A      192.0.2.2    (2)
*.example.com      A      192.0.2.3    (3)
test2.example.com  A      192.0.2.4    (4)

More precisely:

  • Am I correct that (3) won't impact (1) and so the only A record for example.com is (1)?

  • Is rule (2) overridden by rule (3), or will both rules apply for test.example.com (thus two A records for this subdomain)?

  • As (4) is listed after (3), does this mean test2.example.com will have only one A record (192.0.2.4) or two A records (both 192.0.2.3 and 192.0.2.4)?

Patrick Mevzek
Basj
  • I have read https://tools.ietf.org/html/rfc1034 but I am not sure I fully understand what `Wildcard RRs do not apply: - When the query is in another zone. That is, delegation cancels the wildcard defaults.` means. It seems relevant, but I'm not sure. ("another zone"?) – Basj Apr 30 '20 at 11:30
  • Have a look at https://en.wikipedia.org/wiki/Wildcard_DNS_record; it has an example and I think it does a good job of explaining it. There are basically only two things to remember: the physical order of lines does not count (DNS results are not sorted; they are sets, not lists), and a wildcard comes into play ONLY if the directly matching name does not exist in the zone. PS: to obfuscate IP addresses please use the `192.0.2.0/24` block, which is reserved for documentation, and not other IP addresses that exist for real. – Patrick Mevzek Jun 03 '20 at 14:57

1 Answer

4
  1. Wildcards do not apply to the root record of the domain, so (1) will be the only A record for example.com
  2. The key point about wildcards is that they only apply for otherwise non-existent subdomains, so any queries for test.example.com and test2.example.com will be answered by (2) and (4) respectively.
  3. As I stated above, wildcards do not apply to explicitly stated subdomains, so it doesn't really matter, but DNS generally does not care about the order of records in a zone (there are some exceptions, like where the SOA record should be, and round-robin records).

So to sum it all up, only if a query comes in for let's say foobar.example.com will it be matched with your wildcard record.

Stuggi
  • Thanks a lot! (This also confirms the tests I've done in the meantime). – Basj May 02 '20 at 21:34
  • "Wildcards do not apply to the root record of the domain" what does that mean? You can certainly have a wildcard at apex. See example at https://en.wikipedia.org/wiki/Wildcard_DNS_record there are 2 wildcards at apex of zone `example.com` – Patrick Mevzek Jun 03 '20 at 14:59
  • "but DNS generally does not care about the order of records in a zone" No, not generally. By design and always: DNS replies are made of resource record sets (not lists). A set is not ordered. Whatever physical order exists in the zone file (if it is text; the data could as well be in a database, an LDAP tree, etc.) is lost at the DNS wire level. In fact, due to classical round robin, results appear in a different order each time you query for them. – Patrick Mevzek Jun 03 '20 at 15:00
  • Almost 2 years later I found your comment. I meant that a lookup for example.com can't ever match the wildcard *.example.com, not that you can't have them at the apex of the zone. And you are correct, my wording is more of a disclaimer, as some DNS servers unknown to me might for example care in what order some records are listed in the zone file. – Stuggi Feb 02 '22 at 10:04
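The matching rules the answer and the comments describe (exact owner name first, wildcard only when nothing on the path from the wildcard's parent to the query name exists, file order irrelevant) can be checked against the zone from the question with a small resolver-side simulation. This is an added example, not code from the question, the answer or any DNS server; the zone data is the registrar listing above (192.0.2.0/24 documentation addresses), and `lookup`, `name_exists` and the other names are chosen for illustration. It follows RFC 1034 section 4.3.3 as clarified by RFC 4592, so it also shows two cases the question does not ask about: a name below an existing name (sub.test.example.com) and a name below an empty non-terminal do not fall back to *.example.com.

```python
"""
Simulate how a name server matches a query name against the zone in the
question (RFC 1034 section 4.3.3, RFC 4592).  Added example, not the
question's, the answer's or any DNS server's code; function names are
illustrative and the zone content is the listing from the question.
"""
from typing import Dict, FrozenSet, Iterable, Tuple

RRset = FrozenSet[Tuple[str, str]]  # {(rtype, rdata), ...}

ZONE_ORIGIN = "example.com."

# Same physical order as the registrar shows it.  Each owner name holds an
# RRset stored as a frozenset on purpose: a DNS answer is a set of records,
# not an ordered list, so "which line comes first" cannot matter.
ZONE: Dict[str, RRset] = {
    "example.com.":       frozenset({("A", "192.0.2.1")}),   # (1)
    "test.example.com.":  frozenset({("A", "192.0.2.2")}),   # (2)
    "*.example.com.":     frozenset({("A", "192.0.2.3")}),   # (3)
    "test2.example.com.": frozenset({("A", "192.0.2.4")}),   # (4)
}


def name_exists(zone: Dict[str, RRset], name: str) -> bool:
    """A name exists if it owns records or has descendants in the zone
    (an "empty non-terminal").  A wildcard owner name counts as existing."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def rdata_of(rrset: RRset, qtype: str) -> FrozenSet[str]:
    return frozenset(rdata for rtype, rdata in rrset if rtype == qtype)


def lookup(zone: Dict[str, RRset], origin: str, qname: str, qtype: str) -> Tuple[str, FrozenSet[str]]:
    """Return (outcome, set of rdata) for qname/qtype against this zone."""
    qname = qname.lower().rstrip(".") + "."
    if qname != origin and not qname.endswith("." + origin):
        # RFC 1034: wildcards do not apply when the query is in another zone.
        return "OUT_OF_ZONE", frozenset()

    # 1. An exact owner-name match always wins.  (1), (2) and (4) answer
    #    their names alone; the wildcard is never consulted, so there is
    #    no "second" A record for test or test2.
    if qname in zone:
        rrs = rdata_of(zone[qname], qtype)
        return ("EXACT", rrs) if rrs else ("NODATA", frozenset())

    # 2. No exact match: walk up the labels to the closest enclosing name
    #    that exists.  Only a wildcard directly under that name applies
    #    ("not when the query name or a name between the wildcard domain
    #    name and the query name is known to exist").
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):
            wildcard = "*." + ancestor
            if wildcard in zone:
                rrs = rdata_of(zone[wildcard], qtype)
                return ("WILDCARD", rrs) if rrs else ("NODATA", frozenset())
            return "NXDOMAIN", frozenset()   # closest encloser has no wildcard
        if ancestor == origin:
            break
    return "NXDOMAIN", frozenset()


def order_independent(zone: Dict[str, RRset], origin: str,
                      qnames: Iterable[str], qtype: str = "A") -> bool:
    """Re-key the zone in reverse file order and check every answer is
    unchanged: physical order is lost at the wire level."""
    reversed_zone = dict(reversed(list(zone.items())))
    return all(lookup(zone, origin, q, qtype) == lookup(reversed_zone, origin, q, qtype)
               for q in qnames)


if __name__ == "__main__":
    for q in ("example.com", "test.example.com", "test2.example.com",
              "foobar.example.com", "a.b.example.com", "sub.test.example.com"):
        outcome, rrs = lookup(ZONE, ZONE_ORIGIN, q, "A")
        print(f"{q:24} {outcome:12} {sorted(rrs)}")
```

Running it with `python3` prints one line per query: the three explicit names each get exactly one address, foobar.example.com and a.b.example.com get 192.0.2.3 from the wildcard, and sub.test.example.com is NXDOMAIN because test.example.com exists between the wildcard's parent and the query name. To confirm against a live server, `dig +norecurse @ns1.example.com sub.test.example.com A` (hostname assumed) should likewise return NXDOMAIN rather than the wildcard address.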