[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?

Dave Lawrence tale at dd.org
Wed Apr 17 18:28:43 UTC 2019

Shumon Huque writes:
>         ;*.h4ha.net.            IN A
>         *.h4ha.net.             RRSIG   A 13 2 [...]
>         *.h4ha.net.             A
> Interesting problem. So the wildcard can be queried directly and validates
> properly.

There's a subtle bit of terminology massaging that is probably
required here.  It's not quite the case that the wildcard is being
queried directly, but rather that the * label in the query is hitting
the wildcard expansion and is then replaced by a * label and thus
returning something that looks like the wildcard name but isn't
really.  At least that's what's going on in the sense of the DNS
standards; I've got no idea how that server might be handling things
in its code.

It's not really different than querying :.h4ha.net.  Oddly it is
different from querying ,.h4ha.net, which I tried first but returned
ServFail -- but then I just tried ,.h4ha.net again and got NoError so
something odd is going on.  Digs were done just against my default
DNSSEC-validating and caching resolver so maybe the first validation
failed but subsequent ones somehow found what the validator needed.  I
didn't look closely.
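
An added illustration, not part of the original message and not any server's or resolver's actual code: the sketch below applies the RRSIG Labels rules of RFC 4034 section 3.1.3 and RFC 4035 section 5.3.2 to the names queried in this thread, using the Labels value 2 from the quoted RRSIG. Treating names as plain dot-separated text with no escaped dots is an assumption, as are the function names.

```python
# Added example: how a validator maps an answer's owner name back to the
# name the RRSIG was computed over (RFC 4035 section 5.3.2).
# Assumption: names are plain dot-separated text with no escaped dots.

def labels(fqdn):
    """Split an absolute name into lowercase labels, dropping the root label."""
    return [l.lower() for l in fqdn.rstrip(".").split(".") if l]

def rrsig_labels_field(owner):
    """RFC 4034 3.1.3: label count excluding the root and a leading '*' label."""
    ls = labels(owner)
    if ls and ls[0] == "*":
        ls = ls[1:]
    return len(ls)

def is_wildcard_expansion(answer_owner, rrsig_labels):
    """True when the signature covers fewer labels than the owner name has."""
    return rrsig_labels < len(labels(answer_owner))

def signed_name(answer_owner, rrsig_labels):
    """Return the name to feed into signature verification."""
    ls = labels(answer_owner)
    if rrsig_labels > len(ls):
        # RFC 4035 5.3.1: such an RRSIG must not be used for validation.
        raise ValueError("RRSIG Labels exceeds owner label count")
    if rrsig_labels == len(ls):
        return "".join(l + "." for l in ls) or "."
    tail = ls[len(ls) - rrsig_labels:] if rrsig_labels else []
    return "*." + "".join(l + "." for l in tail)

if __name__ == "__main__":
    # Query names taken from the thread; Labels = 2 comes from the quoted RRSIG.
    for qname in ("*.h4ha.net.", ":.h4ha.net.", ",.h4ha.net."):
        print(qname, "->", signed_name(qname, 2),
              "(expansion)" if is_wildcard_expansion(qname, 2) else "(exact)")
```

All three query names reduce to the same signed name, because a literal `*` label in the answer's owner name still counts as a third label against a Labels value of 2.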
