On Fri, Feb 4, 2022 at 11:18 AM William Herrin <bill@herrin.us> wrote:
> On Fri, Feb 4, 2022 at 7:55 AM Bjørn Mork <bjorn@mork.no> wrote:
> > So why the heck do you insist on keeping that wildcard? Nobody else uses wildcard A records. There is no reason. It's a loaded footgun.
> Okay... I know some of the bad things that can happen with CNAMEs. What exactly is the problem with wildcard A records and DNSSEC?
There is no problem with wildcards and DNSSEC. It was a subtle bug in a particular DNS server implementation (Route53), where wildcard NODATA responses were being returned with an incorrect type bitmap in the NSEC record. This caused some DNS resolver implementations that do aggressive negative caching (with RR type inference) to fail to look up some subsequent record types. (That bug is now fixed.)

Shumon Huque
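The failure mode Shumon describes can be replayed with a small model of a resolver that does aggressive NSEC caching with RR-type inference (RFC 8198). The following Python is an added illustration, not code from any participant in this thread, from Route53, or from any real resolver. The zone contents (a wildcard `*.example.` owning A and TXT, an explicit `www.example.`), the query sequence, and the choice of which type the buggy bitmap omits are all constructed assumptions; the real bug's bitmap contents are not stated in the thread. Closest-encloser handling is simplified to "parent of the query name", and wrap-around at the apex is not modelled.

```python
"""Constructed model of RFC 8198 aggressive NSEC caching with RR-type
inference, showing how a wildcard NODATA response whose NSEC type bitmap
omits a type the wildcard really owns makes the resolver synthesize
NODATA for a later query of that type instead of asking the server.

Teaching model only: not any real resolver's or DNS server's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str          # owner name, e.g. "*.example."
    next_name: str      # next owner name in canonical order
    types: frozenset    # type bitmap: RR types present at owner


def canonical_key(name: str):
    """Key implementing DNSSEC canonical name ordering (RFC 4034 s6.1):
    labels compared from the root downwards, lowercased, as bytes."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def covers(nsec: NSEC, qname: str) -> bool:
    """True if qname sorts strictly between owner and next_name, i.e. the
    NSEC proves that no name equal to qname exists in the zone."""
    return (canonical_key(nsec.owner)
            < canonical_key(qname)
            < canonical_key(nsec.next_name))


class AggressiveCache:
    """Resolver-side cache of validated NSEC records learned from earlier
    negative responses, used to answer later queries without a round trip."""

    def __init__(self):
        self.nsecs = []

    def learn(self, *nsecs: NSEC) -> None:
        self.nsecs.extend(nsecs)

    def resolve(self, qname: str, qtype: str) -> str:
        """Return 'NODATA' if the cache synthesizes a negative answer for
        (qname, qtype), or 'QUERY' if the resolver must ask upstream."""
        # 1. An NSEC owned by qname itself states exactly which types exist.
        for n in self.nsecs:
            if canonical_key(n.owner) == canonical_key(qname):
                return "QUERY" if qtype in n.types else "NODATA"
        # 2. If a cached NSEC covers qname, the name does not exist and the
        #    wildcard at the closest encloser decides what can be synthesized.
        if not any(covers(n, qname) for n in self.nsecs):
            return "QUERY"
        wildcard = "*." + qname.split(".", 1)[1]   # simplified closest encloser
        for n in self.nsecs:
            if canonical_key(n.owner) == canonical_key(wildcard):
                # Wildcard exists; its bitmap says which types an expanded
                # answer could carry.  Type absent => synthesize NODATA.
                return "QUERY" if qtype in n.types else "NODATA"
        return "QUERY"   # wildcard status unknown: must query


# Constructed zone facts: the wildcard really owns A and TXT.
CORRECT_BITMAP = frozenset({"A", "TXT"})
# Constructed stand-in for the server bug in the thread: the NSEC type bitmap
# in the wildcard NODATA response omits a type (here A) the wildcard has.
BUGGY_BITMAP = frozenset({"TXT"})


def scenario(bitmap: frozenset) -> dict:
    """Replay the sequence with a given wildcard NSEC bitmap.  A query for
    foo.example./AAAA gets a wildcard NODATA whose NSEC is then cached; the
    same NSEC both proves the wildcard lacks AAAA and covers foo.example."""
    cache = AggressiveCache()
    cache.learn(NSEC("*.example.", "www.example.", bitmap | {"RRSIG", "NSEC"}))
    return {
        "foo.example./AAAA": cache.resolve("foo.example.", "AAAA"),
        "bar.example./A": cache.resolve("bar.example.", "A"),
        "bar.example./TXT": cache.resolve("bar.example.", "TXT"),
    }


if __name__ == "__main__":
    for label, bm in (("correct bitmap", CORRECT_BITMAP),
                      ("buggy bitmap", BUGGY_BITMAP)):
        print(label, scenario(bm))
```

With the correct bitmap, the AAAA lookup is answered NODATA from cache and the later A and TXT lookups are sent upstream as they should be. With the constructed buggy bitmap, the resolver also synthesizes NODATA for `bar.example./A`, so a record the wildcard actually serves is never looked up; that is the "fail to look up some subsequent record types" effect, and it persists for the NSEC's TTL even though the authoritative server would answer correctly if asked.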