Home / server / Questions / 214892
In Process
John
Asked: 2010-12-22 07:55:18 +0800 CST

Is setting an empty/blank DNS A record allowed?

  • 772

I'm trying to wrap my head around the wonderful world on DNS.

I have created a zone file for example.com which contains:

@     A    1.2.3.4
*     A    1.2.3.4

However I am also setting up my local DNS, local.example.com which I have created a separate zone file for containing the following:

machine1     A    192.168.0.1
machine2     A    192.168.0.2

When I dig machine1.local.example.com it returns A record 192.168.0.1, great.

Sadly, badmachine.local.example.com returns 1.2.3.4, as does local.example.com.

I'm not sure of the best way to prevent this. If I add the following to the local.example.com empty A records are returned for the above 2 examples as is the behaviour I desire:

@     A
*     A

I want anything.example.com to use the wildcard EXCEPT anything in the local.example.com subdomain which I do not want to give a response unless specified. Essentially I need a wild card with one exclusion.

Is this allowed? Is this best practice, or am I doing things terribly wrong? I'm using PowerDNS with BIND backend.

Thanks for your thoughts!

domain-name-system bind a-record powerdns

4 Answers

  1. Firstly, your comment to Chris S above clarifies (indeed, modifies) your original question considerably, and I hope you'll forgive me editing it into your original question.

    Secondly, null records aren't permitted, as others have noted.

    Thirdly, I think the way to do what you want is to declare local.example.com to be a proper subdomain:

    local                       IN      NS      ns1.example.com
local                       IN      NS      ns2.example.com

    listing the same two nameservers as you currently run for example.com (note: I don't know PowerDNS,so my entries above are in BIND format). Then on those nameservers (which I presume is this nameserver) you declare a zonefile for local.example.com which contains only the hosts you want to resolve, and no wildcard record.

    So when people look up foo.example.com, assuming that's not listed, it'll match the existing wildcard record, and return 1.2.3.4 (or whatever). But when people look up foo.local.example.com, the nameserver records for local.example.com will be returned and a further recursion will take place, with your nameserver now looking at the zonefile for local.example.com, and saying (in the absence of a specific record for foo and a wildcard in local.example.com) "no, there is no such record".

    • 5

  2. It would be useful to know exactly what responses you are after. The first two lines quoted in your question set the default response for the domain, and unmatched record response as well. Hence example.com will be serviced by the "@" record, and anything-that-doesnt-exist.exmaple.com will be serviced by the "*" record. They aren't necessary, you can get rid of both. Setting them to blank values is an invalid configuration (on most systems).

    • 1

  3. I can't think of a way to "null" an entry. Empty A records are not permitted.

    Perhaps *.example.com A 1.2.3.4 would prevent override of the .local.example.com entries? It sounds like PowerDNS is misbehaving from spec. Having local.example.com domain defined should prevent the wildcard from stomping on anything in that domain. Can you post full zone files? That would resolve a number of small questions.

    • 1

  4. You should look at the specific behavior of the server you are running, because this feature has not been implemented consistently:

    To quote from RFC 4592, many DNS implementations diverge, in different ways, from the original definition of wildcards.

    Wildcards in practice

    What you want the wildcard entry to do is correct, as I understand the definition of the wildcard usage (better to think of it as a default value of last resort). I will try to find time to read the clarifying RFC and update here...

    • 1