[dns-operations] *.cn A wildcard

Chris Thompson cet1 at cam.ac.uk
Mon Oct 26 17:42:27 UTC 2009

On Oct 26 2009, Florian Weimer wrote:

>Does a *.cn A wildcard exist or not?

That's a question for a philosopher, I think ...

>                                     From our point of view, there's
>one on ns.cernet.net (, but not on the other IPv4
>Does anybody know the reason behind this configuration?  It seems to
>be a mismatch of the name server software or
>configuration. [a-e].dns.cn serve the *.cn/IN/A entry, but do not
>expand it.

I confirm your observations (except that I can't get any response
out of c.dns.cn at all).

[abde].dns.cn respond to (CH,TXT,"version.bind") queries with an
obfusticated "BIND" or "BIND-9". I don't know how to configure
BIND to not expand wildcard RRs like that! ns.cernet.net refuses
(CH,TXT,"version.bind") queries.

One can get some interesting results from "host -C cn.". Everything
looks in step if you use the IPv4 addresses, but the IPv6 addresses
for [ad].dns.cn give much smaller serials, which rarely change (while
those at the IPv4 addresses increase every few seconds). So they
clearly aren't talking to the same servers - maybe anycast is
involved here.

One is tempted to describe the situation as ... inscrutable.

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the dns-operations mailing list