1. DNS/Wildcards

DNS/用語/wildcards (the wiki's DNS terminology page on wildcards)

How to check whether a name is defined as a wildcard record:

This is a feature that invites many mistakes.

1.1. awsdns

Restrictions on AWS: /awsdns

https://docs.aws.amazon.com/ja_jp/Route53/latest/DeveloperGuide/DomainNameFormat.html#domain-name-format-asterisk

If you create a record named *.example.com and there is no example.com record, Route 53 responds to DNS queries for example.com with NXDOMAIN (non-existent domain).

You cannot use "*" as a wildcard in a record of type NS.

1.2. RFC 4592

This usage is not prohibited, but it is better not to use it.

4.1.  SOA RRSet at a Wildcard Domain Name

      $ORIGIN *.example.
      @                 3600 IN  SOA   <SOA RDATA>
                        3600     NS    ns1.example.com.
                        3600     NS    ns1.example.net.
      www               3600     TXT   "the www txt record"

   A query for www.*.example.'s TXT record would still find the "the www
   txt record" answer.  The asterisk label only becomes significant when
   section 4.3.2, step 3, part 'c' is in effect.

4.2.  NS RRSet at a Wildcard Domain Name

   With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now in
   place, the semantics of a wildcard domain name owning an NS RRSet has
   come to be poorly defined.  The dilemma relates to a conflict between
   the rules for synthesis in part 'c' and the fact that the resulting
   synthesis generates a record for which the zone is not authoritative.
   In a DNSSEC signed zone, the mechanics of signature management
   (generation and inclusion in a message) have become unclear.

   Salient points of the working group discussion on this topic are
   summarized in section 4.2.1.

   As a result of these discussions, there is no definition given for
   wildcard domain names owning an NS RRSet.  The semantics are left
   undefined until there is a clear need to have a set defined, and
   until there is a clear direction to proceed.  

   Operationally, inclusion of wildcard NS RRSets in a zone is discouraged,
   but not barred.
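The following is an added example, not code from this wiki page, from RFC 4592 or from AWS. It is a toy in-memory authoritative lookup that applies the RFC 4592 wildcard rules (exact match first, then the closest encloser, then synthesis only from "*" directly under that encloser) to constructed zone data, so that the cases quoted above can be checked offline: the "www.*.example." TXT record from section 4.1 is found by exact match with the asterisk playing no role, "*.example.com." never synthesizes an answer for "example.com." itself or for a name whose closest encloser is some other existing name, and a wildcard owner holding an NS RRset (the section 4.2 case, which Route 53 rejects) is flagged. Delegations, CNAMEs and DNSSEC are ignored, and an existing name without the requested type yields NODATA as the RFC describes. The zone contents and addresses are constructed for the example.

```python
# Added example (not from the MoinQ page, RFC 4592 or AWS): a toy RFC 4592-style
# wildcard lookup over an in-memory zone. All zone data below is constructed.

def _norm(name):
    """Lowercase a domain name and make sure it is fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def _parent(name):
    """Strip the leftmost label: 'a.b.example.com.' -> 'b.example.com.'."""
    return name.partition(".")[2]

class Zone:
    def __init__(self, origin, records):
        self.origin = _norm(origin)
        self.rrsets = {}  # owner name -> {rrtype: [rdata, ...]}
        for owner, rtype, rdata in records:
            self.rrsets.setdefault(_norm(owner), {}).setdefault(rtype, []).append(rdata)
        # Every ancestor of an owner name down to the apex "exists" in the zone even
        # with no records of its own: an empty non-terminal (RFC 4592 section 2.2.2).
        self.names = {self.origin}
        for owner in self.rrsets:
            name = owner
            while name and len(name) >= len(self.origin):
                self.names.add(name)
                if name == self.origin:
                    break
                name = _parent(name)

    def lookup(self, qname, qtype):
        """Return (rcode, rdatas, source_of_synthesis) for a query inside this zone.

        source_of_synthesis is the wildcard owner name the answer was synthesized
        from, or None when the answer came from an exact match (or there is none).
        """
        qname = _norm(qname)
        if qname != self.origin and not qname.endswith("." + self.origin):
            raise ValueError("%s is not inside zone %s" % (qname, self.origin))
        # Step 1: exact match. An owner name that itself contains '*' (such as
        # 'www.*.example.') is matched literally; the asterisk is not special here.
        if qname in self.names:
            rdatas = self.rrsets.get(qname, {}).get(qtype, [])
            return ("NOERROR" if rdatas else "NODATA", list(rdatas), None)
        # Step 2: the closest encloser is the longest existing ancestor of qname.
        # This terminates because the apex is always in self.names.
        encloser = _parent(qname)
        while encloser not in self.names:
            encloser = _parent(encloser)
        # Step 3: synthesis is only attempted from '*' directly under the closest
        # encloser. '*.example.com.' therefore does not cover 'x.sub.example.com.'
        # once 'sub.example.com.' exists, even as an empty non-terminal.
        source = "*." + encloser
        if source not in self.rrsets:
            return ("NXDOMAIN", [], None)
        rdatas = self.rrsets[source].get(qtype, [])
        return ("NOERROR" if rdatas else "NODATA", list(rdatas), source)

    def wildcard_ns_owners(self):
        """Wildcard owner names (leftmost label exactly '*') that hold an NS RRset.

        RFC 4592 section 4.2 leaves their semantics undefined and discourages
        them; Route 53 refuses to create them at all.
        """
        return sorted(o for o, rr in self.rrsets.items()
                      if o.startswith("*.") and "NS" in rr)

def rfc4592_section_4_1_zone():
    """The zone from RFC 4592 section 4.1 ($ORIGIN *.example.), constructed here."""
    return Zone("*.example.", [
        ("*.example.", "SOA", "<SOA RDATA>"),
        ("*.example.", "NS", "ns1.example.com."),
        ("*.example.", "NS", "ns1.example.net."),
        ("www.*.example.", "TXT", "the www txt record"),
    ])

def route53_style_zone():
    """A constructed example.com. zone with a wildcard A record plus an ENT."""
    return Zone("example.com.", [
        ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600"),
        ("example.com.", "NS", "ns1.example.com."),
        ("*.example.com.", "A", "192.0.2.10"),
        ("mail.example.com.", "A", "192.0.2.25"),
        ("host.sub.example.com.", "A", "192.0.2.30"),  # makes sub.example.com. an ENT
    ])

if __name__ == "__main__":
    z = route53_style_zone()
    for q, t in [("foo.example.com.", "A"), ("a.b.example.com.", "A"),
                 ("x.sub.example.com.", "A"), ("mail.example.com.", "TXT"),
                 ("example.com.", "A")]:
        print(q, t, z.lookup(q, t))
    print("wildcard NS owners:", rfc4592_section_4_1_zone().wildcard_ns_owners())
```

The third element of the lookup result is the practical "was this synthesized from a wildcard?" check for anyone who can see the zone data; a plain resolver client does not get that flag from an unsigned answer, which is part of why the page calls the feature error-prone.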

MoinQ: DNS/Wildcards (last edited 2021-01-16 02:49:57 by ToshinoriMaeno)