1. DNS / Wildcards
Contents
How to check whether a name is defined by a wildcard record:
This is a feature that is often misconfigured.
1.1. awsdns
Restrictions in AWS: /awsdns
If you create a record named *.example.com and there is no example.com record, Route 53 responds to DNS queries for example.com with NXDOMAIN (non-existent domain).
You cannot use "*" as a wildcard in records of type NS.
- You can't use the * as a wildcard for records that have a type of NS.
1.2. RFC 4592
This usage is not prohibited, but it is better not to use it.
4.1. SOA RRSet at a Wildcard Domain Name
    $ORIGIN *.example.
    @           3600 IN SOA   <SOA RDATA>
                3600    NS    ns1.example.com.
                3600    NS    ns1.example.net.
    www         3600    TXT   "the www txt record"
A query for www.*.example.'s TXT record would still find the "the www txt record" answer. The asterisk label only becomes significant when section 4.3.2, step 3, part 'c' is in effect.
4.2. NS RRSet at a Wildcard Domain Name
With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now in place, the semantics of a wildcard domain name owning an NS RRSet has come to be poorly defined. The dilemma relates to a conflict between the rules for synthesis in part 'c' and the fact that the resulting synthesis generates a record for which the zone is not authoritative. In a DNSSEC signed zone, the mechanics of signature management (generation and inclusion in a message) have become unclear. Salient points of the working group discussion on this topic are summarized in section 4.2.1.
As a result of these discussions, there is no definition given for wildcard domain names owning an NS RRSet. The semantics are left undefined until there is a clear need to have a set defined, and until there is a clear direction to proceed. Operationally, inclusion of wildcard NS RRSets in a zone is discouraged, but not barred.
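As an added example (not part of these notes, of the AWS documentation or of RFC 4592), the following Python models RFC 4592 wildcard matching over constructed zone data: it reproduces the section 4.1 lookup of www.*.example. above, shows that *.example.com. covers neither example.com. itself nor names under an existing host.example.com., and flags wildcard owners that hold NS records, which Route 53 rejects (section 1.1). All zone contents and the lookup functions are assumptions for illustration.

```python
# Added example, not part of the original notes or of RFC 4592: an
# RFC 4592-style wildcard lookup over a small in-memory zone, showing
# which names a wildcard does and does not cover. Zone data below is
# constructed; names are FQDNs with a trailing dot, '*' stored literally.

def labels(name):
    return name.lower().rstrip(".").split(".")
def is_below(name, parent):
    """True if name is a proper subdomain of parent."""
    n, p = labels(name), labels(parent)
    return len(n) > len(p) and n[-len(p):] == p
def exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal."""
    return name in zone or any(is_below(o, name) for o in zone)

def lookup(zone, qname, qtype):
    """Return (rcode, rdata list, wildcard owner used for synthesis or None)."""
    qname = qname.lower()
    if qname in zone:  # exact match wins, even for 'www.*.example.' (RFC 4592 s.4.1)
        return ("NOERROR", zone[qname].get(qtype, []), None)
    if exists(zone, qname):  # empty non-terminal: NODATA, no synthesis
        return ("NOERROR", [], None)
    parts = labels(qname)
    for i in range(1, len(parts)):  # walk up to the closest encloser
        encloser = ".".join(parts[i:]) + "."
        if exists(zone, encloser):
            source = "*." + encloser
            if source in zone:  # nothing exists between qname and the encloser
                return ("NOERROR", zone[source].get(qtype, []), source)
            return ("NXDOMAIN", [], None)  # an existing name below '*' blocks it
    return ("NXDOMAIN", [], None)

def wildcard_ns_owners(zone):
    """Wildcard owner names holding NS: Route 53 rejects them and RFC 4592
    leaves them undefined, so flag them when reviewing a zone."""
    return sorted(o for o, rrs in zone.items() if "*" in labels(o) and "NS" in rrs)

# Constructed data: the RFC 4592 section 4.1 zone and a Route 53-style zone.
RFC_ZONE = {
    "*.example.": {"SOA": ["<SOA RDATA>"], "NS": ["ns1.example.com.", "ns1.example.net."]},
    "www.*.example.": {"TXT": ["the www txt record"]},
}
AWS_ZONE = {
    "example.com.": {"SOA": ["<SOA RDATA>"], "NS": ["ns1.example.net."]},
    "*.example.com.": {"A": ["192.0.2.1"]},
    "host.example.com.": {"A": ["192.0.2.2"]},  # blocks www.host.example.com.
    "*.sub.example.com.": {"A": ["192.0.2.3"]},  # sub.example.com. itself has no data
}
```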