It seems there's no way to tell bind that *-foo.example.com should resolve to e.g. 10.1.2.3, while *-bar.example.com resolves to 10.2.3.4. Is there any workaround? Can some names, e.g., resolve with an external program? Or should I change bind to e.g. PowerDNS?
I'm trying to avoid buying another SSL wildcard cert. (With wildcard certs, such as *.example.com, it's not possible to allow dots in the * part.)
Specifying all *-foo or *-bar names in the zone file is not an option, since I need to be able to create both types of addresses on the fly.
The reason why it doesn't work is because it's not defined behavior within the RFCs. It must be implemented as an extension of the software you're using. RFC4592 cements the definition of a wildcard record pretty firmly:
Note the term label here. A label is the dot separated entity. If you have anything other than the asterisk in the label, it's not a wildcard.
You're kinda stuck here. Working within DNS, you need that dot that you're trying to avoid. Everything else is extensions to the server software and implementation specific.
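To make the label rule from the answer concrete, here is a small toy resolver (added as an example, not code from the question or the answers) that applies RFC 4592's wildcard matching to a constructed zone, plus the one-label check browsers apply to wildcard certificate names under RFC 6125. The zone contents and addresses are made up for the demonstration.

```python
# Added example: RFC 4592 wildcard lookup against a constructed zone, plus the
# RFC 6125 one-label rule for wildcard certificate names.

def existing_names(zone):
    """Every owner plus all of its ancestors (empty non-terminals count as existing)."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            names.add(".".join(labels[i:]))
    return names

def lookup(zone, qname):
    """Exact owner wins. Otherwise a wildcard applies only when its parent is the
    closest encloser of qname, i.e. the longest existing ancestor (RFC 4592 2.2.1).
    '*-foo.example.com' is an ordinary owner: its leftmost label is not exactly '*',
    so it never synthesizes anything. Returns rdata or None."""
    q = qname.rstrip(".").lower()
    if q in zone:
        return zone[q]
    names = existing_names(zone)
    labels = q.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in names:            # first hit is the closest encloser
            return zone.get("*." + ancestor)
    return None

def cert_name_matches(pattern, host):
    """Strict RFC 6125 reading used by browsers: '*' must be the whole leftmost
    label and matches exactly one label, so '*.example.com' covers neither
    'a.b.example.com' nor the bare 'example.com'."""
    p = pattern.rstrip(".").lower().split(".")
    h = host.rstrip(".").lower().split(".")
    if p[0] != "*":
        return p == h
    return len(h) == len(p) and h[1:] == p[1:]

# Constructed zone for the demonstration (documentation addresses, not real hosts).
ZONE = {
    "example.com": "192.0.2.9",
    "*.example.com": "192.0.2.1",
    "b.example.com": "192.0.2.2",
    "*-foo.example.com": "192.0.2.3",   # literal name, not a wildcard
}

if __name__ == "__main__":
    for name in ("a.example.com", "x-foo.example.com", "*-foo.example.com",
                 "a.b.example.com", "a.c.example.com"):
        print(f"{name:22} -> {lookup(ZONE, name)}")
```

Note that x-foo.example.com is served by *.example.com rather than by the literal *-foo.example.com owner, and that a.b.example.com gets no wildcard answer at all because b.example.com is a closer encloser.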
RFC 6125 prevents having a generic certificate for nested subdomains. RFC 4592 and RFC 1034 prevent having *-xxx.domain.com as a DNS entry.
So you only have two alternatives (which is not nice when trying to automate):