[dns-operations] Wildcard label as CNAME target seen in the wild

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Mar 7 22:33:43 UTC 2019


On Thu, Mar 07, 2019 at 04:55:07PM -0500, Dave Lawrence wrote:

> ; <<>> DiG 9.12.4 <<>> vault-at-sso.edge.chnonprod.net
> ;;;...
> ;; ANSWER SECTION:
> vault-at-sso.edge.chnonprod.net. 300 IN CNAME \
>                              *.internal-default.edge.chnonprod.net.
> *.internal-default.edge.chnonprod.net. 900 IN CNAME \
>                              internal-default.edge.chnonprod.net.
> internal-default.edge.chnonprod.net. 60 IN CNAME \
>                              internal-default-us-east-1.edge.chnonprod.net.
> internal-default-us-east-1.edge.chnonprod.net. 60 IN A 172.25.97.122
> internal-default-us-east-1.edge.chnonprod.net. 60 IN A 172.25.66.57
> internal-default-us-east-1.edge.chnonprod.net. 60 IN A 172.25.81.150
> 
> This fails on systems which are enforcing LDH hostname rules.
> Observed, not just theoretical.

Would you care to list which applications you observed to refuse
to accept this edge-case?  I know that Postfix won't accept these,
because Postfix follows CNAME chains one-link at a time, revalidating
the input at each step.  While this should not be necessary with
modern RFC-compliant resolvers, Postfix makes more pessimistic
assumptions about resolver behaviour.

    $ posttls-finger vault-at-sso.edge.chnonprod.net
    posttls-finger: warning: valid_hostname: invalid character 42(decimal): *.internal-default.edge.chnonprod.net
    posttls-finger: warning: malformed domain name in resource data of CNAME record for vault-at-sso.edge.chnonprod.net: *.internal-default.edge.chnonprod.net
    posttls-finger: Destination address lookup failed: Name service error for name=vault-at-sso.edge.chnonprod.net type=MX: Malformed or unexpected name server reply

Somewhat similar cases are observed with MX lookups for 9 domains
hosted by hosting2go.nl:

    sveikenderveld.nl. IN MX 10 sveikenderveld.nl. ; NoError AD=1
    sveikenderveld.nl. IN MX 20 *.sveikenderveld.nl. ; NoError AD=1

    driveinenergy.nl. IN MX 10 driveinenergy.nl. ; NoError AD=1
    driveinenergy.nl. IN MX 10 *.driveinenergy.nl. ; NoError AD=1

    delaatste-eer.nl. IN MX 30 *.delaatste-eer.nl. ; NoError AD=1

    openemmen.nl. IN MX 10 localhost.openemmen.nl. ; NoError AD=1
    openemmen.nl. IN MX 10 *.openemmen.nl. ; NoError AD=1
    openemmen.nl. IN MX 30 openemmen.nl. ; NoError AD=1

    nielsennicole.nl. IN MX 30 *.nielsennicole.nl. ; NoError AD=1

    ferengi.nl. IN MX 10 *.ferengi.nl. ; NoError AD=1
    ferengi.nl. IN MX 30 ferengi.nl. ; NoError AD=1

    robwalg.nl. IN MX 30 *.robwalg.nl. ; NoError AD=1

    luukeerens.nl. IN MX 30 *.luukeerens.nl. ; NoError AD=1

    teinstituut.nl. IN MX 30 *.teinstituut.nl. ; NoError AD=1

-- 
	Viktor.
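The link-by-link revalidation Viktor describes, as an added example (this is not Postfix code, and the function names `valid_hostname`, `resolve_strict`, `resolve_lenient` and `usable_mx` are hypothetical): an LDH hostname check is applied to the name before every CNAME hop, run against a constructed in-memory copy of the records quoted in the thread, so nothing is looked up on the network. A lenient chain-follower is shown beside it to make clear why a resolver that only returns the final A RRset never notices the `*.` owner name in the middle, and the same check is applied to one of the MX sets listed for the hosting2go.nl domains.

```python
"""LDH hostname check applied one link at a time along a CNAME chain.

Added example, not Postfix code. It mimics the behaviour described in the
thread (validate the name at every CNAME hop) against a constructed,
in-memory transcription of the records quoted above. No DNS queries are sent.
"""
from typing import Dict, List, Optional, Tuple

# Constructed stub zone data, transcribed from the dig output quoted in the thread.
CNAME_RECORDS: Dict[str, str] = {
    "vault-at-sso.edge.chnonprod.net.": "*.internal-default.edge.chnonprod.net.",
    "*.internal-default.edge.chnonprod.net.": "internal-default.edge.chnonprod.net.",
    "internal-default.edge.chnonprod.net.": "internal-default-us-east-1.edge.chnonprod.net.",
}
A_RECORDS: Dict[str, List[str]] = {
    "internal-default-us-east-1.edge.chnonprod.net.": [
        "172.25.97.122", "172.25.66.57", "172.25.81.150",
    ],
}
# Constructed copy of the openemmen.nl MX set listed in the thread.
OPENEMMEN_MX: List[Tuple[int, str]] = [
    (10, "localhost.openemmen.nl."),
    (10, "*.openemmen.nl."),
    (30, "openemmen.nl."),
]


def valid_hostname(name: str) -> Tuple[bool, str]:
    """LDH rule (RFC 952/1123 style): ASCII letters, digits and '-' only,
    labels of 1..63 octets that neither start nor end with '-', at most
    253 octets in total. Returns (True, "") or (False, reason)."""
    bare = name[:-1] if name.endswith(".") else name
    if not bare or len(bare) > 253:
        return False, f"bad length: {name}"
    for label in bare.split("."):
        if not label or len(label) > 63:
            return False, f"bad label length: {name}"
        for ch in label:
            # '*' is 42 decimal, which is what the posttls-finger warning reports.
            if not ((ch.isascii() and ch.isalnum()) or ch == "-"):
                return False, f"invalid character {ord(ch)}(decimal): {name}"
        if label[0] == "-" or label[-1] == "-":
            return False, f"label starts or ends with hyphen: {name}"
    return True, ""


def resolve_strict(name: str, max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow the CNAME chain one link at a time, re-validating the name
    before each lookup (the pessimistic, Postfix-like approach).
    Returns (addresses, error); error is None on success."""
    current = name
    for _ in range(max_hops):
        ok, why = valid_hostname(current)
        if not ok:
            return [], f"malformed domain name in CNAME chain for {name}: {why}"
        if current in A_RECORDS:
            return list(A_RECORDS[current]), None
        if current in CNAME_RECORDS:
            current = CNAME_RECORDS[current]
            continue
        return [], f"no data for {current}"
    return [], f"CNAME chain too long for {name}"


def resolve_lenient(name: str, max_hops: int = 8) -> List[str]:
    """What a resolver that simply chases the chain hands back: the final
    A RRset, with no opinion about the intermediate owner names."""
    current = name
    for _ in range(max_hops):
        if current in A_RECORDS:
            return list(A_RECORDS[current])
        if current not in CNAME_RECORDS:
            return []
        current = CNAME_RECORDS[current]
    return []


def usable_mx(records: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Drop MX exchanges that fail the LDH check (a wildcard label is one
    such case) and return the survivors in preference order."""
    return sorted((pref, host) for pref, host in records if valid_hostname(host)[0])


if __name__ == "__main__":
    target = "vault-at-sso.edge.chnonprod.net."
    print("strict :", resolve_strict(target))
    print("lenient:", resolve_lenient(target))
    print("usable MX for openemmen.nl:", usable_mx(OPENEMMEN_MX))
```

The strict path stops at the second hop with the same "invalid character 42(decimal)" complaint that posttls-finger prints, while the lenient path returns the three A records as if nothing were wrong; that gap is exactly why the breakage is only visible to software that inspects each link.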


