On Tue, Jun 20, 2017 at 10:08:44AM -0500, Bryan Bradsby wrote:
> On Tue, 2017-06-20 at 10:51 -0400, Maria Iano wrote:
> >
> > The queries are being directed at an authoritative server, exactly as
> > you describe above.
> >
> > We also pay for a secondary dns provider who pulls our zones from the
> > same authoritative servers of ours which have this issue.
> > The wildcard works when we send the query to one of our secondary
> > provider's name servers.
> >
> > Here is the answer from one of the secondary provider's servers:
> >
> > ; <<>> DiG 9.10.2-P3 <<>> @<providers-server> <name> any
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;<name> IN ANY
> >
> > ;; ANSWER SECTION:
> > <name> 300 IN CNAME <data-in-wilcard-record>
>
> BIND does not allow a CNAME at the apex of the zone, some other flavors
> of DNS servers allow this.

At first I was really hopeful that we had our explanation, but then I
realized you are talking about a CNAME for the zone itself, which we
don't have. I think this was a misunderstanding because of my sloppy
editing of the dig results.

Replacing our zone name with example.com, our wildcard record looks
like this:

*.example.com. 300 IN CNAME name.cname.points.to.

Here are the results of a dig query for a record that was deleted, and
a dig query for a record that never existed, this time with the names
again replaced (sorry) with something more helpful.

$ dig @ns1.domain.com. deletedname.example.com. any

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.12 <<>> @ns1.domain.com. deletedname.example.com. any
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4107
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;deletedname.example.com. IN ANY

;; AUTHORITY SECTION:
example.com. 300 IN SOA ns1.domain.com. dnsadmin.example.com. 2017062002 1200 600 604800 300

;; Query time: 6 msec
;; SERVER: IPofns1#53(IPofns1)
;; WHEN: Tue Jun 20 11:27:17 2017
;; MSG SIZE rcvd: 96

$ dig @ns1.domain.com. nonexistentname.example.com. any

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.12 <<>> @ns1.domain.com. nonexistentname.example.com. any
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8568
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 16, ADDITIONAL: 4

;; QUESTION SECTION:
;nonexistentname.example.com. IN ANY

;; ANSWER SECTION:
nonexistentname.example.com. 300 IN CNAME name.cname.points.to.

;; AUTHORITY SECTION:
list of all of our NS records

;; ADDITIONAL SECTION:
list of IPs of our name servers

;; Query time: 1 msec
;; SERVER: IPofns1#53(IPofns1)
;; WHEN: Tue Jun 20 11:27:26 2017
;; MSG SIZE rcvd: 462

>
> Was the wildcard changed to a CNAME in the last edit?
>

I just checked, and the wildcard record hasn't been changed since 2015.

Thanks,
Maria