I would like to enable DANE/TLSA on *.example.com for https.
To activate it on example.com I can do that (I used TYPE52 instead of TLSA because my DNS provider is not DANE-aware):
_443._tcp.example. IN TYPE52 \# 35 01010102d50459538b4c549014266824948c9294da322581e51a0f0e79ce8aea0def89
Wildcards are not allowed in the middle, so I can't do this (right?):
_443._tcp.*.example. IN TYPE52 \# 35 01010102d50459538b4c549014266824948c9294da322581e51a0f0e79ce8aea0def89
But to activate it on *.example.com, the only way I found is this (the first line was already there to redirect *.example.com to the same IPs):
* IN CNAME example.com.
example.com. IN TYPE52 \# 35 01010102d50459538b4c549014266824948c9294da322581e51a0f0e79ce8aea0def89
It works, but it falsely enables it for all protocols/ports (ssh, imaps, ...).
Did I miss something?
Should I explicitly add all sub-domains instead of using a wildcard?
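As an added example (not part of the question), here is a small decoder/encoder for the RFC 3597 generic form used above: it splits the question's TYPE52 RDATA into the TLSA usage/selector/matching-type fields and the certificate association, renders it in native TLSA syntax, and builds the generic form from DER input. The owner is written out as example.com. (the question shortens it to example.), and the DER bytes in the test are constructed, not a real certificate.

```python
import hashlib
import re

# The question's record in RFC 3597 generic syntax: TYPE52 \# <rdlength> <hex>.
# Owner written out as example.com. (assumption; the question abbreviates it).
GENERIC_RECORD = ("_443._tcp.example.com. IN TYPE52 \\# 35 "
                  "01010102d50459538b4c549014266824948c9294da322581e51a0f0e79ce8aea0def89")

# Expected association length for matching type 1 (SHA2-256) and 2 (SHA2-512).
DIGEST_LEN = {1: 32, 2: 64}

def parse_generic_tlsa(record):
    """Decode 'owner [ttl] IN TYPE52 \\# len hex' into the four TLSA fields."""
    m = re.match(r"^(\S+)\s+(?:\d+\s+)?IN\s+TYPE52\s+\\#\s+(\d+)\s+((?:[0-9a-fA-F]{2}\s*)+)$",
                 record.strip())
    if not m:
        raise ValueError("not a generic TYPE52 record")
    owner, rdlen = m.group(1), int(m.group(2))
    rdata = bytes.fromhex(re.sub(r"\s+", "", m.group(3)))
    if len(rdata) != rdlen:
        raise ValueError(f"RDLENGTH {rdlen} does not match {len(rdata)} data bytes")
    if rdlen < 3:
        raise ValueError("TLSA RDATA needs usage, selector and matching type")
    usage, selector, mtype, assoc = rdata[0], rdata[1], rdata[2], rdata[3:]
    if mtype in DIGEST_LEN and len(assoc) != DIGEST_LEN[mtype]:
        raise ValueError(f"matching type {mtype} expects a {DIGEST_LEN[mtype]}-byte digest")
    return {"owner": owner, "usage": usage, "selector": selector,
            "matching_type": mtype, "association": assoc.hex()}

def tlsa_presentation(fields):
    """Render the same data in native TLSA presentation format (RFC 6698)."""
    return (f"{fields['owner']} IN TLSA {fields['usage']} {fields['selector']} "
            f"{fields['matching_type']} {fields['association']}")

def build_generic_tlsa(owner, usage, selector, mtype, der_bytes):
    """Build the TYPE52 generic record from DER bytes: the full certificate for
    selector 0, or the already-extracted SubjectPublicKeyInfo for selector 1."""
    if mtype == 0:
        assoc = der_bytes
    elif mtype == 1:
        assoc = hashlib.sha256(der_bytes).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(der_bytes).digest()
    else:
        raise ValueError("unknown matching type")
    rdata = bytes([usage, selector, mtype]) + assoc
    return f"{owner} IN TYPE52 \\# {len(rdata)} {rdata.hex()}"

def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name that scopes a TLSA record to one port and transport protocol."""
    return f"_{port}._{proto}.{host.rstrip('.')}."
```

Because the _port._proto labels are part of the owner name, a record placed at the bare apex (as the CNAME workaround forces) is not scoped to any port, which is exactly the symptom described.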
I don't believe you missed anything. At least not for a nameserver that serves static data, which is probably your only option anyway as you need DNSSEC.
In general, if it's feasible you probably should add the names that are actually in use rather than use wildcards. (It's clearly better from a technical perspective, however it's usually business demands that drive people to use wildcards.)