I had a * record on one of our zones and I changed it. But when I queried certain, random names on that zone from public DNS servers, I still received the old IP address.
This makes no sense to me. The server I queried could not know the correct IP address for the name, unless they know there was a wildcard record. Otherwise, they would have to ask our name servers.
When I query our own name servers for the same name, they would return the new IP address.
So, what's going on?
I had a quick look to see if all the authoritative nameservers have synced. It appears that 217.70.177.40 is serving an older version of the zone, which probably explains the variations in results.

If you are not using DNSSEC there is no definitive way for the client to see if a reply was produced by a * record in the zone or by an exact match. The client could use a heuristic by comparing the answers produced by looking up the desired name to the answers produced by looking up a random string of characters. If the answers are identical it is likely a * record, and if the answers are different it is likely not a * record.

If the zone is signed offline with DNSSEC it is however possible for a client to see if a * record was used. This is because the name used in the signature will actually contain a literal * character, which will prove that the answer was produced using a * record. Additionally NSEC3 can provide a signature showing that the requested name could not be answered without using the * record.
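The two checks the answer describes (are all authoritative servers on the same zone serial, and does the name's answer match the answer for a random sibling label) as an added, stdlib-only example that is not part of the original question or answer. Nothing here touches the network: `make_stub_resolver` builds a lookup over a constructed in-memory zone that applies the RFC 4592 wildcard rules (exact match first, then the wildcard under the closest existing ancestor), so the heuristic can be exercised offline. The zone contents, server names and serials are constructed sample values; to run the heuristic against real servers you would pass your own `resolve(name, rtype)` callable built on whatever DNS library you use (an assumption, not shown here).

```python
import secrets
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# A resolver is any callable (owner name, record type) -> set of rdata strings,
# or None when there is no answer (NXDOMAIN or NODATA).
Resolver = Callable[[str, str], Optional[FrozenSet[str]]]


def _exists(name: str, names: Dict[str, dict]) -> bool:
    """A name 'exists' if it owns records or is an empty non-terminal
    (i.e. some deeper name in the zone hangs below it)."""
    return name in names or any(n.endswith("." + name) for n in names)


def make_stub_resolver(zone: Dict[str, Dict[str, set]]) -> Resolver:
    """Constructed stand-in for a real resolver over an in-memory zone.
    Wildcard synthesis follows RFC 4592: only when the queried name does not
    exist at all, and only using the '*' child of the closest existing ancestor."""
    names = {k.rstrip(".").lower(): v for k, v in zone.items()}

    def resolve(qname: str, rtype: str) -> Optional[FrozenSet[str]]:
        q = qname.rstrip(".").lower()
        if q in names:  # exact owner name: wildcard never applies, even if the type is absent
            rrs = names[q].get(rtype)
            return frozenset(rrs) if rrs else None
        if _exists(q, names):  # empty non-terminal: exists, so NODATA rather than wildcard
            return None
        labels = q.split(".")
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:])
            if _exists(ancestor, names):  # first hit is the closest encloser
                rrs = names.get("*." + ancestor, {}).get(rtype)
                return frozenset(rrs) if rrs else None
        return None

    return resolve


def wildcard_suspected(resolve: Resolver, name: str, rtype: str = "A",
                       probes: int = 3) -> Tuple[bool, Optional[FrozenSet[str]], List[Optional[FrozenSet[str]]]]:
    """The answer's heuristic: compare the answer for `name` with answers for a few
    random labels under the same parent. Identical answers suggest a wildcard.
    `name` is assumed to have at least two labels (e.g. host.example.test)."""
    parent = name.split(".", 1)[1]
    target = resolve(name, rtype)
    if target is None:
        return False, None, []
    probe_answers = [resolve(f"{secrets.token_hex(8)}.{parent}", rtype) for _ in range(probes)]
    return all(a == target for a in probe_answers), target, probe_answers


def inconsistent_servers(soa_serial_by_server: Dict[str, int]) -> Dict[str, int]:
    """Given the SOA serial each authoritative server returned, report the servers
    that lag the newest serial (the situation the answer found for one server)."""
    newest = max(soa_serial_by_server.values())
    return {srv: s for srv, s in soa_serial_by_server.items() if s < newest}


# Constructed sample zone, not the poster's real zone. The wildcard covers
# random names directly under the apex; 'sub' exists, so names below it get
# no wildcard answer (closest encloser is 'sub', which has no '*' child).
SAMPLE_ZONE = {
    "example.test":     {"NS": {"ns1.example.test.", "ns2.example.test."}},
    "www.example.test": {"A": {"192.0.2.10"}},
    "sub.example.test": {"A": {"192.0.2.50"}},
    "*.example.test":   {"A": {"192.0.2.99"}},
}

# Constructed serials as if each authoritative server had been asked for the SOA.
SAMPLE_SERIALS = {"ns1.example.test": 2024010102, "ns2.example.test": 2024010102,
                  "ns3.example.test": 2024010101}

if __name__ == "__main__":
    stub = make_stub_resolver(SAMPLE_ZONE)
    for qname in ("www.example.test", "random-host.example.test", "sub.example.test", "x.sub.example.test"):
        suspected, answer, probes = wildcard_suspected(stub, qname)
        print(f"{qname}: answer={answer and sorted(answer)} wildcard_suspected={suspected}")
    print("lagging servers:", inconsistent_servers(SAMPLE_SERIALS))
```

The `x.sub.example.test` case is the edge worth noticing: a wildcard at the apex does not answer for names under an existing child, so a random probe there returns nothing and the heuristic correctly reports no wildcard. In real use the probe answers come from the same recursive server you are debugging, so cached stale data (or a lagging authoritative server, as in the answer) will show up as a mismatch between what the probes return and what your own authoritative servers say.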